ОС: FreeBSD 9
SQUID 3.5
Имеется следующая ситуация.
Есть домен (mydomain.com), в нем есть прокси сервер настроеный в связке kerberos+ad, аутентификация на основе груп.
Все работает, но появилась задача, к этому прокси подключить пользователей другого домена, с которым установленны доверительные отношения (my.mydomain.com).
В самом конфиге сквида создали еще один запрос к ldap с отдельным именем и отдельными параметрами.
Встал вопрос по настройке kerberos и keytab.
На линукс форуме была похожая ситуация, тему закрыли, но не очень из нее понял, что там сделать с кейтабами.
Заранее благодарю за помощь.
Сейчас конфиги в таком виде, при авторизации из поддомена, сквид запрашивает логин с паролем.
Код: Выделить всё
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_kdc = false
dns_lookup_realm = false
forwardable = true
proxiable = true
default_keytab_name = /etc/krb5.keytab
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
rdns = false
[realms]
MYDOMAIN.COM = {
kdc = 192.168.0.10
kdc = 192.168.0.11
admin_server = 192.168.0.10
admin_server = 192.168.0.11
default_domain = mydomain.com
}
MY.MYDOMAIN.COM = {
kdc = 192.168.1.10
kdc = 192.168.1.11
admin_server = 192.168.1.10
admin_server = 192.168.1.11
default_domain = my.mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
.my.mydomain.com = MY.MYDOMAIN.COM
my.mydomain.com = MY.MYDOMAIN.COM
[logging]
kdc = FILE:/var/log/kerberos/kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
Код: Выделить всё
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy.mydomain.com@MYDOMAIN.COM
auth_param negotiate children 200
auth_param negotiate keep_alive on
acl localnet src 192.168.0.0/24
dns_nameservers 127.0.0.1
acl SSL_ports port 443 8443 9443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 9443
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl AUTH proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
cache deny all
### allow list
acl acl_rabota dstdomain "/usr/local/etc/squid/allow_list/rabota"
acl acl_novosti dstdomain "/usr/local/etc/squid/allow_list/novosti"
acl acl_search dstdomain "/usr/local/etc/squid/allow_list/search"
acl acl_working dstdomain "/usr/local/etc/squid/allow_list/working"
### deny list
acl acl_social dstdomain "/usr/local/etc/squid/deny_list/social"
acl acl_anonimaizer dstdomain "/usr/local/etc/squid/deny_list/anonimaizer"
acl acl_media dstdomain "/usr/local/etc/squid/deny_list/media"
acl acl_porno dstdomain "/usr/local/etc/squid/deny_list/porno"
acl acl_chats dstdomain "/usr/local/etc/squid/deny_list/chats"
#acl acl_deny_regular url_regex "/usr/local/etc/squid/deny_list/deny_regular"
external_acl_type ldap_search ttl=300 negative_ttl=300 %LOGIN \
/usr/local/libexec/squid/ext_ldap_group_acl \
-R -b "DC=mydomain,DC=com" \
-f "(&(objectclass=user)(sAMAccountName=%v)(memberof=CN=%a,OU=Unix,DC=mydomain,DC=com))" \
-D "proxy@mydomain.com" -W "/usr/local/etc/squid/authpw" \
-K -d -h 192.168.0.10 192.168.0.11
external_acl_type ldap_search_1 ttl=300 negative_ttl=300 %LOGIN \
/usr/local/libexec/squid/ext_ldap_group_acl \
-R -b "DC=my,DC=mydomain,DC=com" \
-f "(&(objectclass=user)(sAMAccountName=%v)(memberof=CN=%a,OU=Unix,DC=mydomain,DC=com))" \
-D "proxy@my.mydomain.com" -W "/usr/local/etc/squid/authpw" \
-K -d -h 192.168.1.10 192.168.1.11
acl acl_all_internet external ldap_search all_internet
acl acl_rabota_only external ldap_search rabota_only
acl acl_not_internet external ldap_search not_internet
acl acl_standart_internet external ldap_search standart_internet
acl acl_working_internet external ldap_search working_internet
acl acl_all_internet_1 external ldap_search_1 all_internet
acl acl_rabota_only_1 external ldap_search_1 rabota_only
acl acl_not_internet_1 external ldap_search_1 not_internet
acl acl_standart_internet_1 external ldap_search_1 standart_internet
acl acl_working_internet_1 external ldap_search_1 working_internet
http_access allow CONNECT SSL_ports
#http_access allow AUTH localnet
#---------- Rules for all_internet group ----------#
http_access allow AUTH acl_all_internet
#---------- Rules for standart_internet group ----------#
http_access deny AUTH acl_standart_internet acl_social
http_access deny AUTH acl_standart_internet acl_anonimaizer
http_access deny AUTH acl_standart_internet acl_media
http_access deny AUTH acl_standart_internet acl_chats
http_access deny AUTH acl_standart_internet acl_porno
#http_access deny AUTH acl_standart_internet acl_deny_regular
http_access allow AUTH acl_standart_internet
#---------- RULES for working_internet group ----------#
http_access deny AUTH acl_working_internet acl_social
http_access deny AUTH acl_working_internet acl_anonimaizer
http_access deny AUTH acl_working_internet acl_media
http_access deny AUTH acl_working_internet acl_chats
http_access deny AUTH acl_working_internet acl_porno
#http_access deny AUTH acl_working_internet acl_deny_regular
http_access allow AUTH acl_working_internet acl_rabota
http_access allow AUTH acl_working_internet acl_novosti
http_access allow AUTH acl_working_internet acl_search
http_access allow AUTH acl_working_internet acl_working
#http_access allow AUTH acl_working_internet
#---------- Rules for rabota_only group ----------#
http_access allow AUTH acl_rabota_only acl_rabota
#---------- Rules for not_internet group ----------#
http_access deny AUTH acl_not_internet
#---------- Rules for all_internet group ----------#
http_access allow AUTH acl_all_internet_1
#---------- Rules for standart_internet group ----------#
#http_access deny AUTH acl_standart_internet_1 acl_social
#http_access deny AUTH acl_standart_internet_1 acl_anonimaizer
#Bhttp_access deny AUTH acl_standart_internet_1 acl_media
#http_access deny AUTH acl_standart_internet_1 acl_chats
#http_access deny AUTH acl_standart_internet_1 acl_porno
##http_access deny AUTH acl_standart_internet_1 acl_deny_regular
#http_access allow AUTH acl_standart_internet_1
#---------- RULES for working_internet group ----------#
#http_access deny AUTH acl_working_internet_1 acl_social
#http_access deny AUTH acl_working_internet_1 acl_anonimaizer
#http_access deny AUTH acl_working_internet_1 acl_media
#http_access deny AUTH acl_working_internet_1 acl_chats
#http_access deny AUTH acl_working_internet_1 acl_porno
##http_access deny AUTH acl_working_internet_1 acl_deny_regular
#http_access allow AUTH acl_working_internet_1 acl_rabota
#http_access allow AUTH acl_working_internet_1 acl_novosti
#http_access allow AUTH acl_working_internet_1 acl_search
#http_access allow AUTH acl_working_internet_1 acl_working
#http_access allow AUTH acl_working_internet_1
#---------- Rules for rabota_only group ----------#
#http_access allow AUTH acl_rabota_only_1 acl_rabota
#---------- Rules for not_internet group ----------#
#http_access deny AUTH acl_not_internet_1
http_access allow CONNECT SSL_ports
http_access deny all
http_port 3128
shutdown_lifetime 10.00 seconds
#maximum_object_size 32 MB
#cache_dir ufs /usr/local/squid/cache 2048 16 256
access_log stdio:/usr/local/squid/logs/access.log squid
cache_store_log stdio:/usr/local/squid/logs/store.log
cache_log /usr/local/squid/logs/cache.log
coredump_dir /usr/local/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320