Squid 3.5/WindowsAD Group
Version:
OS: SUSE Linux Enterprise Server 12 SP2 (x86_64)
Samba: Version 4.4.2-29.4-3709-SUSE-SLE_12-x86_64
Winbind: Version 4.4.2-29.4-3709-SUSE-SLE_12-x86_64
Squid:
Squid Cache: Version 3.5.21
Service Name: squid
configure options: '--host=x86_64-suse-linux-gnu' '--build=x86_64-suse-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/lib' '--localstatedir=/var' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-dependency-tracking' '--disable-strict-error-checking' '--sysconfdir=/etc/squid' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--sharedstatedir=/var/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid' '--with-dl' '--enable-disk-io' '--enable-storeio' '--enable-removal-policies=heap,lru' '--enable-icmp' '--enable-delay-pools' '--enable-esi' '--enable-icap-client' '--enable-useragent-log' '--enable-referer-log' '--enable-kill-parent-hack' '--enable-arp-acl' '--enable-ssl-crtd' '--with-openssl' '--enable-forw-via-db' '--enable-cache-digests' '--enable-linux-netfilter' '--with-large-files' '--enable-underscores' '--enable-auth' '--enable-auth-basic' '--enable-auth-ntlm' '--enable-auth-negotiate' '--enable-auth-digest' '--enable-external-acl-helpers=LDAP_group,eDirectory_userip,file_userip,kerberos_ldap_group,session,unix_group,wbinfo_group' '--enable-stacktraces' '--enable-x-accelerator-vary' '--with-default-user=squid' '--disable-ident-lookups' '--enable-follow-x-forwarded-for' '--disable-arch-native' 'build_alias=x86_64-suse-linux-gnu' 'host_alias=x86_64-suse-linux-gnu' 'CFLAGS=-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -fPIE -fPIC -DOPENSSL_LOAD_CONF' 'LDFLAGS=-Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro,-z,now -pie' 'CXXFLAGS=-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -fPIE -fPIC -DOPENSSL_LOAD_CONF' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
configuration:
1. /etc/samba/smb.conf
[global]
workgroup = XXXX
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
# "Bad User" maps unknown user names to the guest account on SMB shares; acceptable only because this host exports no shares
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = No
domain master = No
netbios name = Proxy-xxx
security = ADS
wins support = No
realm = XXX.com
template homedir = /home/%D/%U
winbind refresh tickets = yes
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config ASIA : backend = rid
idmap config ASIA : range = 500-10000000
# enumeration is only needed for "wbinfo -u" / "wbinfo -g"; it is expensive on large domains and can be set to no once the join is verified
winbind enum users = yes
winbind enum groups = yes
# logins then arrive at Squid as "user" rather than "XXX\user"
winbind use default domain = yes
2. /etc/krb5.conf
[libdefaults]
default_realm = XXX.com
clockskew = 300
[realms]
ASIA.MURATA.COM = {
kdc = x1.XXX.COM
default_domain = xxx.com
admin_server = x1.XXX.COM
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.asia.murata.com = ASIA.MURATA.COM
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
clockskew = 300
external = sshd
use_shmem = sshd
}
3. /etc/squid/squid.conf
#---------START OF PAN CHINA PROXY CONFIG---------
cache_mgr xxx([email protected]
#---AUTHENTICATION---
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 300
#auth_param ntlm keep_alive on
# Squid 2.5 setting; Squid 3.x no longer accepts it (ntlm_auth handles the NTLM challenge itself) and logs it as an unrecognised parameter
auth_param ntlm max_challenge_reuses 0
# fallback for clients that cannot do NTLM: the password crosses the wire base64-encoded, so this is only acceptable on a trusted LAN
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 300
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
#authenticate_ttl 1 hour
# Squid hands %LOGIN plus the group name(s) from the acl line to the helper, which asks winbind and answers OK or ERR
external_acl_type wbinfo_check %LOGIN /usr/sbin/ext_wbinfo_group_acl
acl allowed_group external wbinfo_check XXX-InternetUsers
# allowedsites is not declared in this excerpt; Squid fails at startup ("ACL not found") if an http_access line names an undefined ACL
http_access allow allowed_group allowedsites
#---SETTING & OPTIMIZATION---
http_port 8888
icp_port 3130
hosts_file /etc/hosts
#dns_nameservers 114.114.115.115 114.114.114.114 8.8.4.4 8.8.8.8
half_closed_clients off
maximum_object_size 4 MB
ipcache_size 10240
ignore_expect_100 on
#never_direct allow all
#forwarded_for delete
#via off
cache_swap_low 90
cache_swap_high 95
memory_pools off
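Before reloading, it pays to check the ACL and auth lines above mechanically: the excerpt names an ACL (allowedsites) it never declares, carries a Squid 2.5 NTLM option, and depends on rule order. The script below is an added example, not code from the original post and not part of Squid; it runs over a constructed excerpt of the configuration on this page (the auth and ACL lines above together with the max_user_ip rules from section 5) and reports those conditions.

```python
"""Static check of the auth/ACL lines of a squid.conf excerpt (Squid 3.5 syntax)."""

# Constructed sample: the auth/ACL lines from the page's squid.conf plus the
# max_user_ip rules from section 5. An excerpt, not a complete configuration.
SAMPLE_CONF = """
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 300
auth_param ntlm max_challenge_reuses 0
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 300
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type wbinfo_check %LOGIN /usr/sbin/ext_wbinfo_group_acl
acl allowed_group external wbinfo_check XXX-InternetUsers
acl FOO max_user_ip 2
acl BAR proxy_auth REQUIRED
http_access allow allowed_group allowedsites
http_access deny FOO
http_access allow BAR
http_port 8888
"""

# ACLs Squid predefines (since 3.2); everything else must be declared with "acl".
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}

# NTLM options that existed in Squid 2.5 but are not recognised by Squid 3.x.
OBSOLETE_NTLM_OPTIONS = ("max_challenge_reuses", "max_challenge_lifetime")


def parse(text):
    """Return (acl name -> type, ordered http_access rules, auth_param settings)."""
    acls, rules, params = {}, [], {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 3:
            acls.setdefault(parts[1], parts[2])    # first declaration fixes the type
        elif parts[0] == "http_access" and len(parts) >= 2:
            # "!name" negates an ACL; the reference is still to "name"
            rules.append((parts[1], [a.lstrip("!") for a in parts[2:]]))
        elif parts[0] == "auth_param" and len(parts) >= 3:
            params[(parts[1], parts[2])] = parts[3:]
    return acls, rules, params


def lint(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    acls, rules, params = parse(text)
    findings = []

    # 1. Every ACL used by http_access must exist: Squid aborts at startup
    #    with "ACL not found" otherwise, so catch it before the reload.
    for idx, (_action, names) in enumerate(rules, start=1):
        for name in names:
            if name not in acls and name not in BUILTIN_ACLS:
                findings.append(f"undefined ACL '{name}' in http_access rule {idx}")

    # 2. Leftover Squid 2.5 NTLM options are logged as unrecognised and ignored.
    for opt in OBSOLETE_NTLM_OPTIONS:
        if ("ntlm", opt) in params:
            findings.append(f"auth_param ntlm {opt} is a Squid 2.5 option; Squid 3.x ignores it")

    # 3. Basic auth is a fallback for non-domain clients, but it carries the
    #    password base64-encoded in every request; worth knowing it is on.
    if ("basic", "program") in params:
        findings.append("basic auth enabled: passwords cross the wire base64-encoded, not encrypted")

    # 4. http_access is first-match: a max_user_ip deny placed after the allow
    #    rule for authenticated users is never reached.
    ip_limited = {n for n, t in acls.items() if t == "max_user_ip"}
    first_deny_ip = next((i for i, (a, ns) in enumerate(rules)
                          if a == "deny" and ip_limited.intersection(ns)), None)
    first_allow_auth = next((i for i, (a, ns) in enumerate(rules)
                             if a == "allow" and any(acls.get(n) == "proxy_auth" for n in ns)), None)
    if ip_limited and first_deny_ip is None:
        findings.append("max_user_ip ACL declared but never used in a deny rule")
    elif (first_deny_ip is not None and first_allow_auth is not None
          and first_deny_ip > first_allow_auth):
        findings.append("max_user_ip deny comes after the proxy_auth allow; "
                        "first match wins, so the IP limit never applies")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("WARNING:", finding)
```

Run against the excerpt it reports the undeclared allowedsites, the obsolete max_challenge_reuses line and the presence of basic auth; swapping the deny FOO and allow BAR lines produces the ordering warning.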
4. Test commands
kinit user                                 # obtain a Kerberos TGT; proves krb5.conf and the KDC are reachable
klist                                      # show the ticket
net ads join -U admin                      # join the domain (creates the machine account)
wbinfo -t                                  # confirm the machine trust account works after the join
wbinfo --group-info 'XXX\domain users'     # if this fails, enable IPv6 and check the idmap ranges in smb.conf
wbinfo -a 'XXX\testuser%password'          # test a domain user name and password through winbind
5. /usr/sbin/ext_wbinfo_group_acl
Authorizes users by Windows AD group membership: Squid passes the login name (%LOGIN) and the group name(s) from the acl line to the helper, which asks winbind whether the user is a member and answers OK or ERR.
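To make that helper contract concrete, here is an added example that is neither the Samba/Squid helper itself nor code from the original post: a Python helper speaking the same line protocol, with a constructed group table standing in for winbind. The domain name XXX, the users alice and bob, their groups, and the rule that the realm's first label is the NetBIOS domain are assumptions.

```python
"""Minimal Squid external ACL helper speaking the same line protocol as
ext_wbinfo_group_acl, with a constructed group table standing in for winbind."""
import sys
from urllib.parse import unquote

# Assumption: the proxy is joined to NetBIOS domain XXX (the page's placeholder).
DOMAIN = "XXX"

# Constructed stand-in for winbind. The real helper asks wbinfo for the user's
# groups; here it is simply sAMAccountName -> set of domain group names.
GROUPS = {
    "alice": {"Domain Users", "XXX-InternetUsers"},
    "bob": {"Domain Users"},
}


def canonical_user(login):
    """Reduce the %LOGIN field to a lower-case sAMAccountName, or None if it
    names a user from a domain this helper does not know."""
    user = unquote(login)                      # Squid URL-encodes fields (quote=url)
    if "\\" in user:                           # DOMAIN\user
        domain, user = user.rsplit("\\", 1)
        if domain.upper() != DOMAIN:
            return None
    elif "@" in user:                          # user@realm (Negotiate/Kerberos style)
        user, realm = user.split("@", 1)
        if realm.split(".")[0].upper() != DOMAIN:   # assumption: first realm label == NetBIOS name
            return None
    return user.lower()                        # AD account names are case-insensitive


def is_member(login, wanted):
    """True only if the user is known and in at least one of the wanted groups."""
    user = canonical_user(login)
    if user is None or user not in GROUPS:
        return False                           # unknown user or foreign domain: fail closed
    have = {g.lower() for g in GROUPS[user]}
    # group names with spaces are written URL-encoded on the acl line (Domain%20Users)
    return any(unquote(g).lower() in have for g in wanted)


def handle_line(line, concurrent=False):
    """One request line from Squid -> one reply line.
    Request: [channel-id] <login> <group> [<group> ...]; reply: [channel-id] OK|ERR."""
    parts = line.strip().split()
    channel = None
    if concurrent and parts:                   # concurrency=N set on external_acl_type
        channel, parts = parts[0], parts[1:]
    if len(parts) < 2:
        reply = "ERR"                          # no login or no group to test against
    else:
        reply = "OK" if is_member(parts[0], parts[1:]) else "ERR"
    return f"{channel} {reply}" if channel is not None else reply


def main():
    for line in sys.stdin:                     # Squid keeps the helper running
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()                     # the reply must not sit in a buffer


if __name__ == "__main__":
    main()
```

Squid starts the helper and writes one request per line; the real helper can be exercised the same way from a shell, for instance echo 'testuser XXX-InternetUsers' | /usr/sbin/ext_wbinfo_group_acl, and prints OK or ERR. An unknown user, a user from another domain, or a request with no group all yield ERR: the helper fails closed.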
Squid parameters explained:
1. max_user_ip: matches once the same user name has been seen from more than the given number of client IP addresses. With the rules below, two addresses are still allowed and a third address gets the request denied.
2. proxy_auth REQUIRED: any successfully authenticated user matches. Domain-joined Windows clients authenticate silently with NTLM; other clients get a username/password prompt served by the basic helper.
3. authenticate_ip_ttl: how long Squid remembers a user/IP pairing for the max_user_ip count. The default is 1 second, so raise it for this check to have any effect.
acl FOO max_user_ip 2
acl BAR proxy_auth REQUIRED
# the deny must precede the allow: http_access is first-match
http_access deny FOO
http_access allow BAR
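Because "more than N" is easy to get backwards, the following added Python model (not Squid code and not from the original post) plays the two rules above against a sequence of requests. It follows Squid's documented behaviour: without the -s flag the address list is reset whenever the limit is hit, so only that request is denied; with -s the offending address is dropped and the user stays denied from new addresses until entries expire. The user name and addresses are constructed, and the clock is injectable so the authenticate_ip_ttl expiry can be shown.

```python
"""Model of Squid's max_user_ip ACL and authenticate_ip_ttl."""
import time


class MaxUserIp:
    """Matches when a user has been seen from MORE than `limit` distinct client
    addresses within `ttl` seconds (authenticate_ip_ttl)."""

    def __init__(self, limit, ttl, strict=False, clock=time.monotonic):
        self.limit, self.ttl, self.strict, self.clock = limit, ttl, strict, clock
        self.seen = {}                         # user -> {ip: time last seen}

    def matches(self, user, ip):
        now = self.clock()
        ips = self.seen.setdefault(user, {})
        for stale in [a for a, t in ips.items() if now - t > self.ttl]:
            del ips[stale]                     # authenticate_ip_ttl expired
        ips[ip] = now                          # each authenticated request refreshes the entry
        if len(ips) <= self.limit:
            return False                       # within the limit: the deny rule does not fire
        if self.strict:
            del ips[ip]                        # -s: drop the culprit, keep denying new addresses
        else:
            ips.clear()                        # default: counter reset, next request passes
        return True


def decide(acl, user, ip):
    """Apply the page's rules in order: 'http_access deny FOO' then 'http_access allow BAR'."""
    return "deny" if acl.matches(user, ip) else "allow"


if __name__ == "__main__":
    foo = MaxUserIp(limit=2, ttl=60)
    for addr in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.3"):   # constructed traffic
        print(addr, decide(foo, "alice", addr))
```

The non-strict run prints allow, allow, deny, allow: the third address is refused once and the list is cleared, which is the "randomly denying requests" behaviour the Squid documentation warns about; use -s when the intent is to lock the user to the first two addresses.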
This article comes from the blog "莫长空"; please keep this source when reproducing it: http://silversnow.blog.51cto.com/285506/1974577