[squid-users] Squid + AD + Kerb auth question
Markus Moeller
huaraz at moeller.plus.com
Wed Mar 18 23:20:55 UTC 2015
Hi,
From which network do you surf ? From localnet ?
Can you send sample log entries ?
Markus
From: Joao Paulo Monticelli Gaspar
Sent: Wednesday, March 18, 2015 9:18 PM
To: Markus Moeller
Subject: Re: [squid-users] Squid + AD + Kerb auth question
squid.conf
visible_hostname proxy.joznet.local
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours
acl ad_auth proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow ad_auth
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
****************************************************************************************
krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = JOZNET.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; for MIT/Heimdal kdc no need to restrict encryption type
[realms]
JOZNET.LOCAL = {
kdc = srvjoznt.joznet.local:88
admin_server = srvjoznt.joznet.local:749
default_domain = joznet.local
}
[domain_realm]
.joznet.local= JOZNET.LOCAL
joznet.local= JOZNET.LOCAL
[pam]
debuf = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
2015-03-18 17:54 GMT-03:00 Markus Moeller <huaraz at moeller.plus.com>:
How does the config file look like ?
Markus
"Joao Paulo Monticelli Gaspar" <jaumshock at gmail.com> wrote in message news:CAFjXhx=idbdXEQxbZy56tr5m3FZTasu2tqGwLcLYdi_S-s3eQg at mail.gmail.com...
Hey people
I have a doubt and couldn't find the answer anywhere yet, I'm using SQUID integrate to a W2K8 AD server with kerb auth, and everything works fine, the main reason of chosing this setup is for the SingleSignOn capabilities of the configuration, but on my ACCESS.LOG I cant see the users that are visitating the sites...
is possible to show that info with this setup, or by any other setup use maintain the SOO?
Thx in advance.
------------------------------------------------------------------------------
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150318/d1e5b00b/attachment.html>
More information about the squid-users
mailing list