Ok, Samba isn't yet in jessie backports, so you now use the 4.2.10 version.
Look here, these work well. I built them and I have been using them in my office
for some time now. I'll try to get the next Samba version (4.4.5-3) from Debian
stretch into BPO. That one has the file overwrite fixed (just read the
readme.txt, it explains it all). Here you find Samba 4.4.5 signed by me
(amd64 and i386 packages for jessie): http://downloads.van-belle.nl/samba4/
Again, please do read the readme.txt. This part:

  STOP SERVICES
  /etc/init.d/winbind stop
  /etc/init.d/samba stop
  update-rc.d winbind remove
  update-rc.d samba remove

Don't remove the winbind/samba inits; you need them to refresh the keytabs.
Only winbind is sufficient for the keytab refresh.

  KRB5_KTNAME=/etc/squid3/HTTP.keytab
  export KRB5_KTNAME
  KRB5RCACHETYPE=none
  export KRB5RCACHETYPE

Add that in /etc/default/squid3 and try not to change the default Debian
init.d files. The /etc/default/squid3 file is included in the init script.

Enable the kerberos auth line in your squid conf:

  auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br@xxxxxxxxxxxxxx

Check both your keytabs, since I'm not sure about your keytab files. Check
where the HTTP SPN is defined:

  klist -k /etc/krb5.keytab
  klist -k /etc/squid3/HTTP.keytab

Try with these settings.

1) /etc/krb5.conf

  [libdefaults]
    default_realm = EMPRESA.COM.BR
    dns_lookup_kdc = yes
    dns_lookup_realm = no

Then, if that works, change it back to your needs.

You can check if you get users out of winbind:

  wbinfo -u

If that works, set these lines to no; they are not needed for squid:

  winbind enum users = yes
  winbind enum groups = yes

Try with these changes first. And last, did you configure the Samba AD DC
with SSL support? If not, enable the old behavior. More info about that here:
https://www.samba.org/samba/history/samba-4.4.2.html
Greetz,

Louis

From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Marcio Demetrio Bacci

I have problems with Kerberos Authentication in Squid3 on Debian 8 and
Samba4 DC.

My Squid version is: 3.4.8

My Kerberos Authentication doesn't work.

PROCEDURES PERFORMED

INSTALL OF SAMBA4 AND WINBIND FROM DEBIAN BACKPORTS

  apt-get -t jessie-backports install samba samba-doc winbind

KERBEROS TEST:

  kinit administrator@xxxxxxxxxxxxxx
  klist -l
  Principal Name                Cache name
  --------------                ----------
  administrator@xxxxxxxxxxxxxx  FILE:/tmp/krb5cc_0

JOIN IN THE DOMAIN:

  net ads join -U administrator
  net ads testjoin: JOIN OK
  kdestroy

KERBEROS TEST:

  kinit administrator@xxxxxxxxxxxxxx
  klist -l
  Principal Name                Cache name
  --------------                ----------
  administrator@xxxxxxxxxxxxxx  FILE:/tmp/krb5cc_0

STOP SERVICES

  /etc/init.d/winbind stop
  /etc/init.d/samba stop
  update-rc.d winbind remove
  update-rc.d samba remove
  export KRB5_KTNAME=FILE:/etc/squid3/HTTP.keytab

INSTALL OF SQUID3:

  apt-get install squid3
  export KRB5_KTNAME=FILE:/etc/squid3/HTTP.keytab
  net ads keytab CREATE
  net ads keytab ADD HTTP
  unset KRB5_KTNAME
  chgrp proxy /etc/squid3/HTTP.keytab
  chmod g+r /etc/squid3/HTTP.keytab
  /etc/init.d/squid3 restart
  KRB5_KTNAME=/etc/squid3/HTTP.keytab
  export KRB5_KTNAME
  KRB5RCACHETYPE=none
  export KRB5RCACHETYPE
  /etc/init.d/squid3 restart

Below are my configuration files:

1) /etc/krb5.conf

  [libdefaults]
    default_realm = EMPRESA.COM.BR
    dns_lookup_kdc = no
    dns_lookup_realm = no
    default_keytab_name = /etc/krb5.keytab

  [realms]
    EMPRESA.COM.BR = {
      kdc = dc1.EMPRESA.COM.BR:88
      admin_server = dc1.EMPRESA.COM.BR
      default_domain = EMPRESA.COM.BR
    }

  [domain_realm]

  [logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

2) /etc/samba/smb.conf

  [global]
    netbios name = proxy
    workgroup = EMPRESA
    security = ads
    realm = EMPRESA.COM.BR
    encrypt passwords = yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    # password server = dc1.empresa.com.br
    preferred master = no
    idmap config *:backend = tdb
    idmap config *:range = 1000-3000
    idmap config EMPRESA:backend = ad
    idmap config EMPRESA:schema_mode = rfc2307
    idmap config EMPRESA:range = 10000-9999999
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind offline logon = yes
    winbind refresh tickets = yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    username map = /etc/samba/user.map

3) /etc/squid3/squid.conf

  ### Basic settings
  http_port 3128
  #debug_options ALL,111,2 29,9 84,6
  cache_mem 512 MB
  cache_swap_low 80
  cache_swap_high 90
  maximum_object_size 512 MB
  minimum_object_size 0 KB
  maximum_object_size_in_memory 4096 KB
  cache_replacement_policy heap LFUDA
  memory_replacement_policy heap LFUDA
  # So downloads are not blocked
  quick_abort_min -1 KB
  # Fixes a problem with persistent connections
  detect_broken_pconn on
  fqdncache_size 1024

  ### Cache memory refresh parameters
  refresh_pattern ^ftp: 1440 20% 10080
  refresh_pattern ^gopher: 1440 0% 1440
  refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
  refresh_pattern . 0 20% 4320

  ### Log locations
  access_log /var/log/squid3/access.log
  cache_log /var/log/squid3/cache.log

  ### defines the disk cache location, size, number of parent directories and subdirectories
  cache_dir aufs /var/spool/squid3 600 16 256

  #auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth
  auth_param negotiate children 10
  auth_param negotiate keep_alive on
  visible_hostname proxy.empresa.com.br

  ### acls
  #acl manager proto cache_object
  acl to_localhost dst 192.168.200.7/32
  acl SSL_ports port 22 443 563 7071 10000 # ssh, https, snews, zimbra, webmin
  acl Safe_ports port 21 # ftp
  acl Safe_ports port 70 # gopher
  acl Safe_ports port 80 # http
  acl Safe_ports port 88 # kerberos
  acl Safe_ports port 210 # wais
  acl Safe_ports port 280 # http-mgmt
  acl Safe_ports port 389 # ldap
  acl Safe_ports port 443 # https
  acl Safe_ports port 488 # gss-http
  acl Safe_ports port 563 # snews
  acl Safe_ports port 591 # filemaker
  acl Safe_ports port 777 # multiling http
  acl Safe_ports port 3001 # Imprensa Nacional
  acl Safe_ports port 8080 # http
  acl Safe_ports port 1025-65535 # unregistered ports
  acl purge method PURGE
  acl CONNECT method CONNECT

  ### Initial Squid rules
  http_access allow localhost
  http_access allow purge localhost
  http_access deny purge
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports

  ### Require authentication
  acl autenticados proxy_auth REQUIRED
  http_access deny !autenticados

  # ACLs tied to authentication
  acl grupo_admins proxy_auth "/etc/squid3/acls/usr-admins"
  acl grupo_liberado proxy_auth "/etc/squid3/acls/usr-liberados"

  # allow the administrators group
  http_access allow grupo_admins

  ### Block file extensions
  acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"

  ### Allow some sites
  acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"

  ### Block sites by URL
  acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"

  # basic blocks
  http_access allow sites_liberados
  http_access deny extensoes_bloqueadas
  http_access deny sites_bloqueados

  # Allow access for the managers and teachers group
  http_access allow grupo_liberado

  # Bring in the SquidGuard rules
  redirect_program /usr/bin/squidGuard
  redirect_children 20
  redirector_bypass on

  # allow the regular users group after passing all the blocks
  http_access allow autenticados

  ### CMB network #####
  ### Deny access to anyone not on the local network
  http_access allow lannet

  # deny access to everyone not matched by the previous rules
  http_access deny all

  ### Errors in Portuguese
  error_directory /usr/share/squid3/errors/pt-br

  #cache_effective_user proxy
  coredump_dir /var/spool/squid3

Regards,

Márcio Bacci
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
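As an added example (not code from either message in this thread), the script below turns the manual checks Louis lists in his reply into shell functions: is the HTTP/<proxy>@<REALM> principal in the keytab that klist -k shows, can Squid's proxy user read that keytab, and does /etc/default/squid3 export KRB5_KTNAME to it. It assumes MIT Kerberos klist output and Debian's proxy group; proxy.example.test, EXAMPLE.TEST and all function names are placeholders I chose, and the permission check is stricter than the thread's chmod g+r in that it also refuses a world-readable keytab.

```shell
#!/bin/sh
# Added example (not code from the thread): scripted versions of the manual
# checks in the reply: is HTTP/<proxy fqdn>@<REALM> in the keytab, can Squid's
# user read it, and does /etc/default/squid3 export KRB5_KTNAME to it?
# Assumptions: MIT "klist -k" output format; Debian's Squid group is "proxy";
# proxy.example.test / EXAMPLE.TEST are placeholders, not the thread's values.

# Read a "klist -k" listing on stdin; return 0 if HTTP/$1@$2 is present.
# Rows are "KVNO Principal", so the principal is awk field 2.
keytab_has_http_spn() {
    awk -v want="HTTP/$1@$2" \
        '$2 == want { found = 1 } END { exit (found ? 0 : 1) }'
}

# Return 0 if keytab $1 belongs to group $2, is group-readable and is NOT
# world-readable (the keytab is key material: chgrp proxy + chmod 640 suffices).
keytab_perms_ok() {
    _kt="$1"; _grp="$2"
    [ -f "$_kt" ] || return 1
    [ "$(ls -ld "$_kt" | awk '{ print $4 }')" = "$_grp" ] || return 1
    [ -n "$(find "$_kt" -prune -perm -g=r ! -perm -o=r)" ]
}

# Return 0 if /etc/default/squid3-style file $1 sets KRB5_KTNAME to $2 and
# exports it, in the one-line "export KRB5_KTNAME=..." form or the two-line
# "KRB5_KTNAME=... / export KRB5_KTNAME" form from the reply above.
default_file_sets_ktname() {
    grep -Eq "^[[:space:]]*(export[[:space:]]+)?KRB5_KTNAME=(FILE:)?$2[[:space:]]*$" "$1" &&
    grep -Eq '^[[:space:]]*export[[:space:]]+KRB5_KTNAME(=|[[:space:]]|$)' "$1"
}

# Run all three on a live proxy; prints one verdict per check and returns
# the number of failures. Usage: check_squid_keytab proxy.example.test EXAMPLE.TEST
check_squid_keytab() {
    _host="$1"; _realm="$2"
    _kt="${3:-/etc/squid3/HTTP.keytab}"; _def="${4:-/etc/default/squid3}"
    _fail=0
    if klist -k "$_kt" 2>/dev/null | keytab_has_http_spn "$_host" "$_realm"; then
        echo "OK   HTTP/$_host@$_realm is in $_kt"
    else
        echo "FAIL HTTP/$_host@$_realm not in $_kt (compare klist -k /etc/krb5.keytab)"
        _fail=$((_fail + 1))
    fi
    keytab_perms_ok "$_kt" proxy && echo "OK   $_kt is readable by group proxy only" ||
        { echo "FAIL $_kt ownership/mode (expected chgrp proxy; chmod 640)"; _fail=$((_fail + 1)); }
    default_file_sets_ktname "$_def" "$_kt" && echo "OK   $_def exports KRB5_KTNAME" ||
        { echo "FAIL $_def does not export KRB5_KTNAME=$_kt"; _fail=$((_fail + 1)); }
    return "$_fail"
}
```

If the SPN check fails for /etc/squid3/HTTP.keytab but `klist -k /etc/krb5.keytab` shows it, the HTTP key landed in the system keytab instead, which is exactly the "check where the HTTP SPN is defined" case from the reply.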