Hi,
From which network do you surf ? From localnet ?
Can you send sample log entries ?
Markus
Sent: Wednesday, March 18, 2015 9:18 PM
To: Markus Moeller
Subject: Re: Squid + AD + Kerb auth
question squid.conf
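# squid.conf as posted (Squid + AD Kerberos auth question). Lines that the mail
# client had wrapped mid-directive are re-joined here: as quoted, fragments such
# as "local private network range" or "10080" would reach squid as unknown
# directives / incomplete refresh_pattern rules.
visible_hostname proxy.joznet.local
# Kerberos (Negotiate) helper. No "auth_param basic program" appears in this
# listing, so the basic credentialsttl line has nothing to apply to unless a
# basic scheme is configured elsewhere.
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours
# matches only after the negotiate helper has authenticated the user
acl ad_auth proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# NOTE(review): http_access rules are evaluated top to bottom and the first
# match wins. This rule sits above "allow ad_auth", so any client in localnet
# (192.168.1.0/24, fc00::/7, fe80::/10) is allowed through without ever being
# challenged for Kerberos credentials -- which is presumably why no
# authentication is observed. If every client must authenticate, move this
# line below "http_access allow ad_auth" or drop it.
http_access allow localnet
http_access allow localhost
http_access allow ad_auth
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
# refresh_pattern <regex> <min minutes> <percent> <max minutes>
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
****************************************************************************************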
krb5.conf
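; krb5.conf as posted (realm JOZNET.LOCAL, KDC srvjoznt.joznet.local).
; The commented-out enctype lines were wrapped by the mail client so that
; their value half appeared as a bare, un-commented line; they are re-joined
; here so the file stays parseable if they are ever re-enabled.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = JOZNET.LOCAL
; DNS-based realm/KDC discovery is off, so the [realms] and [domain_realm]
; sections below must name the KDC explicitly (they do)
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
; for Windows 2008 with AES
; NOTE(review): rc4-hmac and the des-cbc-* types in these lists are legacy,
; weak ciphers. If the lists are re-enabled, keep the AES type and leave the
; RC4/DES entries out unless a specific legacy system still needs them.
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; for MIT/Heimdal kdc no need to restrict encryption type

[realms]
JOZNET.LOCAL = {
kdc = srvjoznt.joznet.local:88
admin_server = srvjoznt.joznet.local:749
default_domain = joznet.local
}

[domain_realm]
.joznet.local = JOZNET.LOCAL
joznet.local = JOZNET.LOCAL

[pam]
; key was misspelled "debuf" in the posted file; a misspelled key is simply
; never looked up, so the intended setting had no effect
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false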
2015-03-18 17:54 GMT-03:00 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>: