【准备】
1. yum install cyrus-sasl-gssapi.i386 # 记得先装上这个
2. rpm -ivh msktutil-0.3.16.4-1.el5.rf.i386.rpm #还有这个
3. 为防止configure出问题,都装上
krb5-auth-dialog.i386 0.7-1 installed
krb5-devel.i386 1.6.1-25.el5 installed
krb5-libs.i386 1.6.1-25.el5 installed
krb5-server.i386 1.6.1-25.el5 installed
krb5-workstation.i386 1.6.1-25.el5 installed
pam_krb5.i386 2.2.14-1 installed
krb5-devel.i386 1.6.1-25.el5 installed
krb5-libs.i386 1.6.1-25.el5 installed
krb5-server.i386 1.6.1-25.el5 installed
krb5-workstation.i386 1.6.1-25.el5 installed
pam_krb5.i386 2.2.14-1 installed
【把Linux samba加入域并】
配置kbr5.conf smb.conf 加入域
【Kerberos 配置 】 这个国内有用资料实在太少
kinit administrator #检查一下
net ads keytab create -U administrator@800BEST.NET #创建keytab 文件
net ads keytab add HTTP -U administrator@800BEST.NET #像keytab文件添加记录
net ads keytab add HTTP -U administrator@800BEST.NET #像keytab文件添加记录
klist -ke #看看keytab文件
kdb5_util create -s # 初始化库
kadmin.local -q "addprinc administrator/admin" #addprinc 并设置密码
kdb5_util create -s # 初始化库
kadmin.local -q "addprinc administrator/admin" #addprinc 并设置密码
启用kerberos验证
启动服务试试
/sbin/service krb5kdc start
/sbin/service kadmin start
/sbin/service krb524 start
/sbin/service krb5kdc start
/sbin/service kadmin start
/sbin/service krb524 start
配置成功后,应该直接可以用ldap或者AD账户登录域了 这下正好解决了single sign-on方案。
【编译安装】
4. ./configure --prefix=/Data/software/squid --enable-auth="basic,ntlm, negotiate" --enable-negotiate-auth-helpers="squid_kerb_auth" #basci, ntlm, kerberos 都支持
5. make
6. make install
下面这段从squid网站上摘下来,看看似乎明白一点
#####
ntlm_auth requires access to the privileged winbind pipe in order to function properly. You enable this access by adding the security user Squid runs as to the winbindd_priv group.
gpasswd -a proxy winbindd_priv
- Remove the cache_effective_group setting in squid.conf, if present. This setting causes squid to ignore the auxiliary winbindd_priv group membership.the default user Squid is bundled as nobody though some distribution packages are built with squid or proxy or other similar low-access user.
#############
因为这个,squid建议我们在做ntlm验证时候这样加如下configure 选项
--enable-auth="ntlm,basic"
--enable-external-acl-helpers="wbinfo_group"
--enable-external-acl-helpers="wbinfo_group"
不过我看2.7和以后版本没有必要。
我老老实实
groupadd winbindd_priv
gpasswd -a squid winbindd_priv # squid 是以squid用户来运行的
发现验证时候还是出错,还是土办法,立即OK了
chgrp squid /var/cache/samba/winbindd_privileged
chmod -R 750 /var/cache/samba/winbindd_privileged
chmod -R 750 /var/cache/samba/winbindd_privileged
squid.cong 基本都是默认配置
[squid@proxy ~]$ cat /Data/software/squid/etc/squid.conf
#Kerberos authentication
auth_param negotiate program /Data/software/squid/libexec/squid_kerb_auth -d -s HTTP/proxy.800best.net@800BEST.NET
auth_param negotiate children 15
auth_param negotiate keep_alive on
#ntlm_auth
#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm children 20
#auth_param ntlm use_ntlm_negotiate on
#basic_auth
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
#Kerberos authentication
auth_param negotiate program /Data/software/squid/libexec/squid_kerb_auth -d -s HTTP/proxy.800best.net@800BEST.NET
auth_param negotiate children 15
auth_param negotiate keep_alive on
#ntlm_auth
#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm children 20
#auth_param ntlm use_ntlm_negotiate on
#basic_auth
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
cachemgr_passwd 800best all
acl all src all
acl auth proxy_auth REQUIRED
acl all src all
acl auth proxy_auth REQUIRED
#DeniedURLs and IPs
acl DeniedURLs dstdomain -i .tianya.cn .qq.com
acl DeniedIPs dst "/Data/software/squid/etc/deniedIPs.list"
acl DeniedURLs dstdomain -i .tianya.cn .qq.com
acl DeniedIPs dst "/Data/software/squid/etc/deniedIPs.list"
acl manager proto cache_object
acl webserver src 172.18.9.146/32
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow manager webserver
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !auth
http_access allow auth
http_access deny DeniedURLs
http_access deny DeniedIPs
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /Data/software/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /Data/software/squid/var/cache
acl webserver src 172.18.9.146/32
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow manager webserver
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !auth
http_access allow auth
http_access deny DeniedURLs
http_access deny DeniedIPs
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /Data/software/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /Data/software/squid/var/cache
添加
KRB5_KTNAME=/etc/krb5.keytab
export KRB5_KTNAME
KRB5RCACHETYPE=none
export KRB5RCACHETYPE
KRB5_KTNAME=/etc/krb5.keytab
export KRB5_KTNAME
KRB5RCACHETYPE=none
export KRB5RCACHETYPE
export SQUID_HOME=/Data/software/squid
到squid用户的 .bash_profile
squid -z
squid -Nd4c # 好像没有什么错了
echo 'su - squid -c "squid -s"' > /etc/rc.local
看了一下日志,有如下错误,可能与squid自带的kerberos验证模块有关
2009/08/19 17:54:18| squid_kerb_auth: parseNegTokenInit failed with rc=101
2009/08/19 17:54:18| squid_kerb_auth: received type 1 NTLM token
2009/08/19 17:54:18| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 5
9).
2009/08/19 17:54:18| squid_kerb_auth: received type 1 NTLM token
2009/08/19 17:54:18| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 5
9).
由于有其他更重要的项目,暂时通过
squid + basic,ntlm 验证 + sarg + wpad 来解决代理服务器方案,至于个别windows7或vista客户端,在squid.conf 添加IP acl 策略作为临时解决方案。