[squid-users] Squid + AD + Kerb auth question

Markus Moeller huaraz at moeller.plus.com
Wed Mar 18 23:20:55 UTC 2015


  From which network do you surf ?  From localnet ? 

  Can you send sample log entries ?


From: Joao Paulo Monticelli Gaspar 
Sent: Wednesday, March 18, 2015 9:18 PM
To: Markus Moeller 
Subject: Re: [squid-users] Squid + AD + Kerb auth question


visible_hostname proxy.joznet.local

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours

acl ad_auth proxy_auth REQUIRED

acl manager proto cache_object
acl localhost src ::1
acl to_localhost dst ::1

acl localnet src # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localnet

http_access allow localhost
http_access allow ad_auth
http_access deny all

http_port 3128

hierarchy_stoplist cgi-bin ?

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

default_realm = JOZNET.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

; for Windows 2008 with AES

;        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

; for MIT/Heimdal kdc no need to restrict encryption type

  kdc = srvjoznt.joznet.local:88
  admin_server = srvjoznt.joznet.local:749
  default_domain = joznet.local 

.joznet.local= JOZNET.LOCAL
joznet.local= JOZNET.LOCAL

debuf = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

2015-03-18 17:54 GMT-03:00 Markus Moeller <huaraz at moeller.plus.com>:

  How does the config file look like ?  


  "Joao Paulo Monticelli Gaspar" <jaumshock at gmail.com> wrote in message news:CAFjXhx=idbdXEQxbZy56tr5m3FZTasu2tqGwLcLYdi_S-s3eQg at mail.gmail.com...
  Hey people 

  I have a doubt and couldn't find the answer anywhere yet, I'm using SQUID integrate to a W2K8 AD server with kerb auth, and everything works fine, the main reason of chosing this setup is for the SingleSignOn capabilities of the configuration, but on my ACCESS.LOG I cant see the users that are visitating the sites...

  is possible to show that info with this setup, or by any other setup use maintain the SOO?

  Thx in advance.

  squid-users mailing list
  squid-users at lists.squid-cache.org

  squid-users mailing list
  squid-users at lists.squid-cache.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150318/d1e5b00b/attachment.html>

More information about the squid-users mailing list