• Configuring a Squid Server to authenticate from Kerberos
• Configuring a Squid Server to authenticate off Active Directory
• Squid kerberos authentication and ldap authorization in Active Directory

Login: gatehttp
Password: Pa$$w0rd
Пароль не меняется и не устаревает

ИЛИ

New-ADUser -Name "gatehttp" -SamAccountName "gatehttp" -AccountPassword(ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) -Enabled $true -ChangePasswordAtLogon $false -CannotChangePassword $true -UserPrincipalName gatehttp@corpX.un -DisplayName  gatehttp -PasswordNeverExpires $true
Обязательно и DisplayName и UserPrincipalName указать

Название сервиса HTTP обязательно заглавными буквами

C:\>setspn -L gatehttp

C:\>ktpass -princ HTTP/gate.corpX.un@CORPX.UN -mapuser gatehttp -pass 'Pa$$w0rd' -out gatehttp.keytab

C:\>setspn -L gatehttp

C:\>setspn -Q HTTP/gate.corpX.un

C:\>pscp gatehttp.keytab root@gate:

[server:~] # kadmin -l
kadmin> add -r HTTP/gate.corpX.un
kadmin> add -r HTTP/gate.CORPX.UN

kadmin> ext -k gatehttp.keytab HTTP/gate.corpX.un
kadmin> ext -k gatehttp.keytab HTTP/gate.CORPX.UN

kadmin> exit

root@server:~# kadmin.local
kadmin.local:  addprinc -randkey HTTP/gate.corpX.un
kadmin.local:  addprinc -e rc4-hmac:normal -randkey HTTP/gate.CORPX.UN

kadmin.local:  ktadd -k gatehttp.keytab HTTP/gate.corpX.un
kadmin.local:  ktadd -k gatehttp.keytab HTTP/gate.CORPX.UN

kadmin.local:  exit

• wiki.samba.org Generating Keytabs
• Squid + Samba4 AD Kerberos Authentication

server# samba-tool user create gatehttp 'Pa$$w0rd'

server# samba-tool user setexpiry gatehttp --noexpiry

server# samba-tool spn add HTTP/gate.corpX.un gatehttp

server# samba-tool spn list gatehttp

server# samba-tool domain exportkeytab gatehttp.keytab --principal=HTTP/gate.corpX.un

server# scp gatehttp.keytab gate:

• https://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On
• Создание service principal

root@gate:~# ktutil
ktutil: rkt /root/gatehttp.keytab
ktutil: list
ktutil: wkt /etc/krb5.keytab
ktutil: quit

root@gate:~# klist -ek /etc/krb5.keytab

gate# chmod +r /etc/krb5.keytab

gate# ktutil copy /root/gatehttp.keytab /etc/krb5.keytab
gate# touch /etc/srvtab

gate# ktutil list

gate# cat /etc/squid/conf.d/my.conf

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d

acl inetuser proxy_auth REQUIRED

http_access allow inetuser

Аутентификация в режиме DOMAIN (Сервис WINBIND)

[gate:~] # chown root:squid /var/db/samba/winbindd_privileged/

или

[gate:~] # chown root:squid /var/db/samba34/winbindd_privileged/

или

[gate:~] # pw usermod squid -G wheel

root@gate:~# usermod -G winbindd_priv proxy

gate# cat squid.conf
...
# OPTIONS FOR AUTHENTICATION
...
# for linux uncomment
# auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

# for freebsd uncomment
# auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
...
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
...
acl inetuser proxy_auth REQUIRED
http_access allow inetuser
# http_access allow localnet

• Декодирование логинов/паролей http://base64.ru/

# cat /etc/squid/squid.conf

...
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
...

# mkdir /usr/etc/

# apt install apache2-utils

# touch /etc/squid/passwd

# htpasswd /etc/squid/passwd user1

# chmod u+s /usr/lib/squid/basic_pam_auth

# cat /etc/squid/squid.conf

...
auth_param basic program /usr/lib/squid/basic_pam_auth
...

Возможно, не обязательно

# cat /etc/pam.d/squid

auth       sufficient   pam_unix.so

# cat /etc/pam.d/squid

auth       sufficient   pam_radius_auth.so

# vim /etc/squid3/squid.conf

...
auth_param basic program /usr/lib/squid3/squid_radius_auth -h server.corpX.un -w testing123
...

# vim /etc/squid3/squid.conf

...
#http_access allow localnet
#http_access allow localhost
acl inetuser proxy_auth REQUIRED
http_access allow inetuser
...
http_port 127.0.0.1:3128
...

Источник