
Multiproxy based on Debian and SQUID with transparent domain authentication

We set up a Squid proxy server that listens on several ports, each port going out through its own communication channel (external IP). There are plenty of manuals and articles on the Internet, but no single consolidated write-up, so I decided to share mine.

Let's start.

Debian 7.8, Samba 4, Squid 3 and Kerberos 5 are used.

Basic setting


1. Install the OS, configure the network interfaces:
nano /etc/network/interfaces && /etc/init.d/networking restart 

2. Update packages using two commands:
 # apt-get update && apt-get upgrade 

3. Since we are joining the machine to the domain, install the packages needed for this:
 # aptitude install krb5-user samba winbind libpam-krb5 libpam-winbind libnss-winbind 

4. Change the DNS settings in the /etc/resolv.conf file:
  domain EXAMPLE.RU
  search EXAMPLE.RU
  nameserver 192.168.1.6

5. Set the machine name in /etc/hostname.
In addition, edit /etc/hosts so that it contains a line with the fully-qualified domain name of the computer and, necessarily, the short host name, mapped to one of the internal IPs (not to a loopback address).
6. Immediately check the availability of the domain controller:
# ping domaincontroller
# ping domaincontroller.EXAMPLE.RU

7. Next, you need to configure the time synchronization with the domain controller. If the difference is more than 5 minutes we will not be able to get a ticket from Kerberos. For one-time synchronization, you can use the command:
 # net time set domaincontroller 

Also, if there is an exact time server on the network, you can configure synchronization with it:
 # ntpdate 192.168.1.3 
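Added pre-flight checks for the basic setup steps above (example code, not part of the original article). Each check takes its input as a string, so it runs here against constructed data; on the proxy host you would pass "$(cat /etc/hosts)" and "$(cat /etc/resolv.conf)" instead. The host name multiproxy, the address 192.168.1.10 and the sample file contents are assumptions.

```shell
#!/bin/sh
# Example pre-flight checks for joining a Debian proxy host to the domain.
# Added example; the names and addresses below are constructed, not real.

# check_hosts_entry HOSTS_TEXT FQDN SHORT
# gethostbyname() returns the first /etc/hosts line naming the host, so that line
# must carry both the FQDN and the short name and must not be a loopback address
# (a fresh Debian install writes "127.0.1.1 host.domain host", which breaks step 5).
check_hosts_entry() {
    printf '%s\n' "$1" | awk -v fqdn="$2" -v short="$3" '
        /^[ \t]*#/ || NF < 2 { next }            # comments and blank lines
        {
            has_fqdn = 0; has_short = 0
            for (i = 2; i <= NF; i++) {
                if ($i == fqdn)  has_fqdn = 1
                if ($i == short) has_short = 1
            }
            if (!has_fqdn && !has_short) next     # line is about another host
            ok = (has_fqdn && has_short && $1 !~ /^127\./ && $1 != "::1")
            exit                                  # first matching line decides
        }
        END { exit ok ? 0 : 1 }'
}

# check_resolv_domain REALM RESOLV_TEXT
# The Kerberos realm is the DNS domain in upper case, so the "domain"/"search"
# entry of resolv.conf must match the realm case-insensitively.
check_resolv_domain() {
    printf '%s\n' "$2" | awk -v realm="$1" '
        (tolower($1) == "domain" || tolower($1) == "search") && tolower($2) == tolower(realm) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# check_clock_skew LOCAL_EPOCH DC_EPOCH [MAX_SECONDS]
# The KDC rejects requests when the clocks differ by more than 5 minutes (300 s);
# that is the "Clock skew too great" kinit error from step 7.
check_clock_skew() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( -skew ))
    [ "$skew" -le "${3:-300}" ]
}

# Constructed sample inputs for a proxy named "multiproxy" in EXAMPLE.RU.
SAMPLE_HOSTS_GOOD='127.0.0.1 localhost
192.168.1.10 multiproxy.example.ru multiproxy'
SAMPLE_HOSTS_BAD='127.0.0.1 localhost
127.0.1.1 multiproxy.example.ru multiproxy'
SAMPLE_RESOLV='domain example.ru
search example.ru
nameserver 192.168.1.6'

check_hosts_entry "$SAMPLE_HOSTS_GOOD" multiproxy.example.ru multiproxy && echo "hosts (good sample): ok"
check_hosts_entry "$SAMPLE_HOSTS_BAD" multiproxy.example.ru multiproxy || echo "hosts (bad sample): name resolves to loopback"
check_resolv_domain EXAMPLE.RU "$SAMPLE_RESOLV" && echo "resolv.conf: search domain matches the realm"
check_clock_skew "$(date +%s)" "$(( $(date +%s) + 420 ))" || echo "clock: skew over 5 minutes, run net time set"
```

On the live host, the DC timestamp for the skew check can be taken from the output of net time (step 7) converted with date +%s; the comparison logic is the same.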


Configuring Kerberos authentication


1. First of all, edit the /etc/krb5.conf file. In our case, it looks like this:
  [libdefaults]
      default_realm = EXAMPLE.RU
      kdc_timesync = 1
      ccache_type = 4
      forwardable = true
      proxiable = true
      v4_instance_resolve = false
      v4_name_convert = {
          host = {
              rcmd = host
              ftp = ftp
          }
          plain = {
              something = something-else
          }
      }
      fcc-mit-ticketflags = true

  [realms]
      EXAMPLE.RU = {
          kdc = domaincontroller
          admin_server = domaincontroller
          default_domain = EXAMPLE.RU
      }

  [domain_realm]
      .example.ru = EXAMPLE.RU
      example.ru = EXAMPLE.RU

  [login]
      krb4_convert = false
      krb4_get_tickets = false

2. Check that we can log in to the domain:
 # kinit test_user@EXAMPLE.RU 

If everything went without errors, the configuration is correct and the domain controller issues us a Kerberos ticket. You can list the tickets with # klist

2.a. Common Kinit Errors:
kinit (v5): Clock skew too great while getting initial credentials

This means that our machine's clock is not synchronized with the domain controller.
kinit (v5): Preauthentication failed while getting initial credentials

An invalid password has been entered.
kinit (v5): KDC reply did not match expectations while getting initial credentials

Most likely, it is worth checking the krb5.conf file and making sure that the realm and domain in the kinit command were specified in upper case.
kinit (v5): Client not found in Kerberos database while getting initial credentials

There is no such user in the domain.

Configuring Samba and Joining the Machine to the Domain


1. To join the domain, Samba must be configured properly. The settings are stored in /etc/samba/smb.conf:
  [global]
      dos charset = cp866
      unix charset = KOI8-R
      # NetBIOS (short) domain name
      workgroup = EXAMPLE
      # Kerberos realm, in upper case
      realm = EXAMPLE.RU
      server string = SQUID-PROXY
      security = ADS
      auth methods = winbind
      allow trusted domains = No
      password server = *
      log level = 1
      log file = /var/log/samba/samba.%m
      max log size = 50
      time server = Yes
      socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
      os level = 0
      preferred master = No
      local master = No
      domain master = No
      dns proxy = No
      ldap ssl = no
      winbind use default domain = Yes
      strict locking = No
      client NTLMv2 auth = Yes
      client lanman auth = No
      client plaintext auth = No
      winbind enum users = Yes
      winbind enum groups = Yes
      winbind refresh tickets = Yes
      encrypt passwords = yes

2. Check the configuration:
  # testparm
  Load smb config files from /etc/samba/smb.conf
  Loaded services file OK.
  Server role: ROLE_DOMAIN_MEMBER
  Press enter to see a dump of your service definitions

3. Edit the /etc/nsswitch.conf file as follows:
  # cat /etc/nsswitch.conf
  passwd:         compat winbind
  group:          compat winbind
  shadow:         compat winbind
  hosts:          files dns
  networks:       files
  protocols:      db files
  services:       db files
  ethers:         db files
  rpc:            db files
  netgroup:       nis

4. After editing /etc/samba/smb.conf, restart Samba and Winbind:
  # /etc/init.d/winbind stop && /etc/init.d/samba restart && /etc/init.d/winbind start 

5. Join the machine to the domain:
  # net ads join -U test_user -D EXAMPLE.RU
  Enter test_user's password:
  Using short domain name -- EXAMPLE
  Joined 'Multiproxy' to realm 'EXAMPLE.RU'

6. Check if Samba sees users and groups of the domain
  # wbinfo -u
  # wbinfo -g


Installing and configuring SQUID 3


1. Install the SQUID 3 package:
  # apt-get install squid3 

2. Configure Squid in the /etc/squid3/squid.conf file. Placeholders used below (one set per listening port):
  <listen_ip>    - IP address the port listens on
  <listen_port>  - listening port number
  <acl_name>     - name of the ACL that matches requests arriving on that port
  <outgoing_ip>  - external IP address used for outgoing connections from that port

  http_port <listen_ip1>:<listen_port1>
  http_port <listen_ip2>:<listen_port2>

  # Squid 3 name of the old cache_access_log directive
  access_log /var/log/squid3/access.log

  acl localhost src 127.0.0.1/32
  acl god_mode src 192.168.1.0/24
  acl SSL_ports port 443
  acl Safe_ports port 80          # http
  acl Safe_ports port 21          # ftp
  acl Safe_ports port 443         # https
  acl Safe_ports port 70          # gopher
  acl Safe_ports port 210         # wais
  acl Safe_ports port 1025-65535  # unregistered ports
  acl Safe_ports port 280         # http-mgmt
  acl Safe_ports port 488         # gss-http
  acl Safe_ports port 591         # filemaker
  acl Safe_ports port 777         # multiling http

  # NTLM authentication through winbind. The helper must be able to read the
  # winbindd privileged pipe: on Debian, add the user Squid runs as to the
  # winbindd_priv group.
  auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
  auth_param ntlm children 5
  auth_param ntlm keep_alive off
  acl AuthorizedUsers proxy_auth REQUIRED

  # one ACL per listening port, and the external address each port sends from
  acl <acl_name1> myport <listen_port1>
  acl <acl_name2> myport <listen_port2>
  tcp_outgoing_address <outgoing_ip1> <acl_name1>
  tcp_outgoing_address <outgoing_ip2> <acl_name2>

  http_access allow localhost
  http_access deny !Safe_ports
  http_access allow AuthorizedUsers
  http_access deny all
  icp_access deny all

  cache_mgr test_user@EXAMPLE.RU
  visible_hostname MultiProxy
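With proxy_auth REQUIRED in place, the access log is what tells you whether authentication actually works for every client. The following is an added example (not from the article) that reads Squid's native access.log format: with NTLM every client first receives TCP_DENIED/407 and then resends the request with credentials, so a 407 by itself is normal, but a client that only ever gets 407s and never logs a user name (field 8) cannot authenticate (not a domain member, wrong credentials, or a broken ntlm_auth helper). The log lines, client addresses and user names are constructed.

```shell
#!/bin/sh
# Added example: spot clients that never get past Squid's proxy-auth challenge.
# The log lines below are constructed in Squid's native access.log format:
# time elapsed client action/code size method URL user hierarchy/peer type

SAMPLE_LOG='1440000001.123      0 192.168.1.50 TCP_DENIED/407 3500 GET http://example.org/ - HIER_NONE/- text/html
1440000001.456    210 192.168.1.50 TCP_MISS/200 8120 GET http://example.org/ ivanov HIER_DIRECT/93.184.216.34 text/html
1440000002.001      0 192.168.1.77 TCP_DENIED/407 3500 GET http://example.org/ - HIER_NONE/- text/html
1440000002.900      0 192.168.1.77 TCP_DENIED/407 3500 GET http://example.org/ - HIER_NONE/- text/html
1440000003.100      0 192.168.1.60 TCP_DENIED/407 3500 GET http://example.net/ - HIER_NONE/- text/html
1440000003.300     95 192.168.1.60 TCP_MISS/200 1200 GET http://example.net/ petrov HIER_DIRECT/93.184.216.34 text/html
1440000004.000     80 192.168.1.60 TCP_MISS/200 900 GET http://example.net/b petrov HIER_DIRECT/93.184.216.34 text/html'

# unauthenticated_clients LOG_TEXT
# Prints, one per line, the client IPs that were challenged (407) and never
# completed a request carrying a user name.  A single 407 is part of the
# NTLM handshake, so only "challenged and never authenticated" is reported.
unauthenticated_clients() {
    printf '%s\n' "$1" | awk '
        $4 ~ /\/407$/ { challenged[$3] = 1 }
        $8 != "-"     { authed[$3] = 1 }
        END { for (ip in challenged) if (!(ip in authed)) print ip }' | sort
}

# authenticated_users LOG_TEXT
# Prints "client user request_count": the mapping you need to attribute proxy
# use on any of the ports to a domain account.
authenticated_users() {
    printf '%s\n' "$1" | awk '
        $8 != "-" { n[$3 " " $8]++ }
        END { for (k in n) print k, n[k] }' | sort
}

echo "clients failing proxy authentication:"
unauthenticated_clients "$SAMPLE_LOG"
echo "authenticated traffic (client user requests):"
authenticated_users "$SAMPLE_LOG"
```

On the proxy itself the same functions can be fed "$(cat /var/log/squid3/access.log)"; with winbind use default domain = Yes the user field holds the bare account name, as in the sample.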


Routing Setup


1. Create the routing tables by adding new entries to /etc/iproute2/rt_tables. The table number is arbitrary (pick any free one), but it must not duplicate a number already present in the file:
  257 <table_name2>
  256 <table_name1>

2. Add routes and rules for our tables. xxx.xxx.xxx.xx1 and xxx.xxx.xxx.xx2 are the external addresses that were given to Squid as <outgoing_ip>, so traffic Squid sends from each of them is routed through the matching gateway. Note that iproute2 uses "default via"; the "gw" keyword belongs to the old route command and is rejected by ip. These commands are not persistent and must be re-applied after a reboot (for example from /etc/network/interfaces):
  ip route add 192.168.1.0/24 dev eth0 proto kernel scope link src <local_ip> table <table_name1>
  ip route add default via <gateway_ip1> table <table_name1>
  ip route add 192.168.1.0/24 dev eth0 proto kernel scope link src <local_ip> table <table_name2>
  ip route add default via <gateway_ip2> table <table_name2>
  ip rule add from xxx.xxx.xxx.xx1 table <table_name1>
  ip rule add from xxx.xxx.xxx.xx2 table <table_name2>
  ip route flush cache
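The Squid per-port lines (http_port, myport ACL, tcp_outgoing_address) and the routing-table entries and ip commands above must agree with each other: the address a port sends from has to be the address whose ip rule selects the table with the right gateway. The following added example (not code from the article) generates all of them from one mapping and refuses duplicate ports, addresses or table numbers. The channel names, ports, addresses, eth0 and the table numbers are constructed assumptions.

```shell
#!/bin/sh
# Added example: derive Squid per-port config and policy routing from one table.
# One channel per line: <acl_name> <listen_port> <outgoing_ip> <gateway_ip> <table_id>
# All values below are constructed; the routing table is named after the ACL
# so the squid.conf / rt_tables / ip rule correspondence stays visible.
CHANNELS='chan1 3128 203.0.113.11 203.0.113.1 256
chan2 3129 198.51.100.22 198.51.100.1 257'

LISTEN_IP=192.168.1.10   # internal address the proxy listens on (assumed)
LAN_NET=192.168.1.0/24
LAN_DEV=eth0

# check_channels: fail if two channels share a port, an outgoing address or a
# table id, which would make them collide in squid.conf or rt_tables.
check_channels() {
    printf '%s\n' "$CHANNELS" | awk '
        NF == 0 { next }
        seen_port[$2]++ || seen_ip[$3]++ || seen_table[$5]++ { dup = 1 }
        END { exit dup ? 1 : 0 }'
}

# squid_port_config: http_port / myport ACL / tcp_outgoing_address per channel
squid_port_config() {
    printf '%s\n' "$CHANNELS" | while read -r acl port out_ip gw table; do
        [ -z "$acl" ] && continue
        printf 'http_port %s:%s\n' "$LISTEN_IP" "$port"
        printf 'acl %s myport %s\n' "$acl" "$port"
        printf 'tcp_outgoing_address %s %s\n' "$out_ip" "$acl"
    done
}

# rt_tables_entries: lines to append to /etc/iproute2/rt_tables
rt_tables_entries() {
    printf '%s\n' "$CHANNELS" | while read -r acl port out_ip gw table; do
        [ -z "$acl" ] && continue
        printf '%s %s\n' "$table" "$acl"
    done
}

# routing_commands: per-table LAN route, default route and source-based rule.
# "default via" is the iproute2 syntax; "default gw" is route(8) syntax.
routing_commands() {
    printf '%s\n' "$CHANNELS" | while read -r acl port out_ip gw table; do
        [ -z "$acl" ] && continue
        printf 'ip route add %s dev %s proto kernel scope link src %s table %s\n' \
            "$LAN_NET" "$LAN_DEV" "$LISTEN_IP" "$acl"
        printf 'ip route add default via %s table %s\n' "$gw" "$acl"
        printf 'ip rule add from %s table %s\n' "$out_ip" "$acl"
    done
    echo 'ip route flush cache'
}

if check_channels; then
    echo '# --- squid.conf fragment ---';      squid_port_config
    echo '# --- /etc/iproute2/rt_tables ---';  rt_tables_entries
    echo '# --- routing commands ---';         routing_commands
else
    echo 'duplicate port, outgoing address or table id in CHANNELS' >&2
fi
```

Run it once with the real channel list, paste the three fragments into squid.conf, rt_tables and the interface post-up hooks, and any later change to a channel is made in one place instead of three.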

Source: https://habr.com/ru/post/265213/

