
Squid 3.5/WindowsAD Group

  Version:
  OS: SUSE Linux Enterprise Server 12 SP2(x86_64)
  Samba: Version 4.4.2-29.4-3709-SUSE-SLE_12-x86_64
  Winbind: Version 4.4.2-29.4-3709-SUSE-SLE_12-x86_64
  Squid:
  Squid Cache: Version 3.5.21
  Service Name: squid
  configure options:'--host=x86_64-suse-linux-gnu' '--build=x86_64-suse-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/lib' '--localstatedir=/var' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-dependency-tracking' '--disable-strict-error-checking' '--sysconfdir=/etc/squid' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--sharedstatedir=/var/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid' '--with-dl' '--enable-disk-io' '--enable-storeio' '--enable-removal-policies=heap,lru' '--enable-icmp' '--enable-delay-pools' '--enable-esi' '--enable-icap-client' '--enable-useragent-log' '--enable-referer-log' '--enable-kill-parent-hack' '--enable-arp-acl' '--enable-ssl-crtd' '--with-openssl' '--enable-forw-via-db' '--enable-cache-digests' '--enable-linux-netfilter' '--with-large-files' '--enable-underscores' '--enable-auth' '--enable-auth-basic' '--enable-auth-ntlm' '--enable-auth-negotiate' '--enable-auth-digest' '--enable-external-acl-helpers=LDAP_group,eDirectory_userip,file_userip,kerberos_ldap_group,session,unix_group,wbinfo_group' '--enable-stacktraces' '--enable-x-accelerator-vary' '--with-default-user=squid' '--disable-ident-lookups' '--enable-follow-x-forwarded-for' '--disable-arch-native' 'build_alias=x86_64-suse-linux-gnu' 'host_alias=x86_64-suse-linux-gnu' 'CFLAGS=-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -fPIE -fPIC -DOPENSSL_LOAD_CONF' 'LDFLAGS=-Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro,-z,now -pie' 'CXXFLAGS=-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -fPIE -fPIC -DOPENSSL_LOAD_CONF' 
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
  

  configuration:

  1. Samba (/etc/samba/smb.conf):
  [global]
  workgroup = XXXX
  passdb backend = tdbsam
  printing = cups
  printcap name = cups
  printcap cache time = 750
  cups options = raw
  map to guest = Bad User
  include = /etc/samba/dhcp.conf
  logon path = \\%L\profiles\.msprofile
  logon home = \\%L\%U\.9xprofile
  logon drive = P:
  usershare allow guests = No
  add machine script = /usr/sbin/useradd-c Machine -d /var/lib/nobody -s /bin/false %m$
  domain logons = No
  domain master = No
  netbios name = Proxy-xxx
  security = ADS
  wins support = No
  realm = XXX.com
  template homedir = /home/%D/%U
  winbind refresh tickets = yes
  idmap config * : backend = tdb
  idmap config * : range = 1000000-1999999
  idmap config ASIA : backend = rid
  idmap config ASIA : range = 500-10000000
  winbind enum users = yes
  winbind enum groups = yes
  winbind use default domain = yes
  

  2. /etc/krb5.conf
  [libdefaults]
  default_realm = XXX.com
  clockskew = 300

  [realms]
  ASIA.MURATA.COM = {
  kdc = x1.XXX.COM
  default_domain = xxx.com
  admin_server = x1.XXX.COM
  }

  [logging]
  kdc = FILE:/var/log/krb5/krb5kdc.log
  admin_server = FILE:/var/log/krb5/kadmind.log
  default = SYSLOG:NOTICE:DAEMON

  [domain_realm]
  .asia.murata.com = ASIA.MURATA.COM

  [appdefaults]
  pam = {
  ticket_lifetime = 1d
  renew_lifetime = 1d
  forwardable = true
  proxiable = false
  minimum_uid = 1
  clockskew = 300
  external = sshd
  use_shmem = sshd
  }
  

  3. Squid
  #---------START OF PAN CHINA PROXY CONFIG---------
  cache_mgr xxx(mgr@xxx.com
  #---AUTHENTICATION---

  auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
  auth_param ntlm children 300
  #auth_param ntlm keep_alive on
  auth_param ntlm max_challenge_reuses 0
  auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
  auth_param basic children 300
  auth_param basic realm Squid proxy-caching web server
  auth_param basic credentialsttl 2 hours
  auth_param basic casesensitive off
  #authenticate_ttl 1 hour
  external_acl_type wbinfo_check %LOGIN /usr/sbin/ext_wbinfo_group_acl

  acl allowed_group external wbinfo_check XXX-InternetUsers
  http_access allow allowed_group allowedsites
  

  #---SETTING & OPTIMIZATION---
  http_port 8888
  icp_port 3130
  hosts_file /etc/hosts
  #dns_nameservers 114.114.115.115 114.114.114.114 8.8.4.4 8.8.8.8
  half_closed_clients off
  maximum_object_size 4 MB
  ipcache_size 10240
  ignore_expect_100 on
  #never_direct allow all
  #forwarded_for delete
  #via off
  cache_swap_low 90
  cache_swap_high 95
  memory_pools off
  

  4. TEST Result
  kinit user
  klist
  net ads join -U admin (join the domain)
  wbinfo -t (confirm that the domain join succeeded)
  wbinfo --group-info XXX\\domain\ users (if this errors, enable IPv6 and check the idmap config in smb.conf)
  wbinfo -a XXX\\testuser%'password' (test the domain user and password; omit %'password' to be prompted for it instead of leaving the password in the shell history and process list)

  5. /usr/sbin/ext_wbinfo_group_acl
  checks whether the authenticated user is a member of a Windows AD group.
  

  Squid parameter explanation:
  1. max_user_ip (one user seen from 2 IP addresses will be denied under the settings below)
  2. proxy_auth REQUIRED (AD users need no password; others need a username and password.)
  3. authenticate_ip_ttl (how long Squid remembers the user-to-IP-address association)
  acl FOO max_user_ip 2
acl BAR proxy_auth REQUIRED
http_access deny FOO
http_access allow BAR
  2.


