Le but de cette configuration est qu'un user connecté à un windows dans un domaine puisse utiliser le proxy d une machine linux en s'authentifiant automatiquement avec son compte windows AD Toutes les configurations sont à faire sur la machine linux qui porte le squid et le proxy et la mécanisme qui interroge l'AD

Pre requis[modifier]

yum install sssd-tools realmd squid samba-common.noarch samba-common-tools samba-winbind samba-winbind-clients krb5-workstation sssd-ad sssd sssd-common sssd-client sssd-krb5-common sssd-krb5

Création et opérations sur le ".keytab".[modifier]

Sur srv78dc01.csn-interne.fr :

cmd ou powershellcmd ( en admin du comaine ) => cd <le répertoire souhaité>, puis

ktpass -out srv78squid01b.csn-interne.fr.keytab -mapUser squid@CSN-INTERNE.FR +rndPass -mapOp set +DumpSalt -crypto ALL -ptype KRB5_NT_PRINCIPAL -princ HTTP/srv78squid01b.csn-interne.fr@CSN-INTERNE.FR

ensuite, rapatrier le srv78squid01b.csn-interne.fr.keytab sur le serveur srv78squid01b.csn-interne.fr (Ma technique perso pour les nouveaux arrivants: copier/coller sur votre desktop du rdsh puis via putty click droit "upload to CWD" pour ramener le fichier sur le serveur ) et le mettre dans le dossier /etc/squid/ .

Puis on duplique ensuite les entrées du keytab dans la keytab par default de krb5 et reciproquement. ( mieux pour quand faut debug )

ktutil  
read_kt /etc/krb5.keytab 
read_kt /etc/squid/srv78squid01b.csn-interne.fr.keytab 
write_kt /etc/krb5.keytab 
write_kt /etc/squid/srv78squid01b.csn-interne.fr.keytab

Fichiers system non standards Agarik[modifier]

/!\ Les modifications sont indispensables sinon ça marche pas. /!\

/etc/hosts[modifier]

127.0.0.1   localhost localhost.localdomain srv78squid01b.csn-interne.fr srv78squid01  
::1         localhost6 localhost6.localdomain6 
# BEGIN ANSIBLE MANAGED BLOCK 
192.168.26.15       ntp1.agarik.com 
172.26.0.15       ntp2.agarik.com 
# END ANSIBLE MANAGED BLOCK 
10.252.42.27      supervision.agarik.com 
# Necessaire a squid 
172.30.102.33   svr78dc01.csn-interne.fr 
svr78dc01 10.1.2.1        svr75dc01.csn-interne.fr

/etc/resolv.conf[modifier]

# Generated by NetworkManager
  search csn-interne.fr
 nameserver 172.30.102.33
 nameserver 10.1.2.1

/etc/chrony.conf[modifier]

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#pool 2.rhel.pool.ntp.org iburst

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *

# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2

# Allow NTP client access from local network.
#allow 192.168.0.0/16

# Serve time even if not synchronized to a time source.
#local stratum 10

# Specify file containing keys for NTP authentication.
keyfile /etc/chrony.keys

# Get TAI-UTC offset and leap seconds from the system tz database.
leapsectz right/UTC

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
#log measurements statistics tracking
# BEGIN ANSIBLE MANAGED BLOCK
pool svr78dc01.csn-interne.fr iburst
# END ANSIBLE MANAGED BLOCK

Finalisation - Instalation de Squid et des autres[modifier]

Récupérer ( mais /!\ Ne pas l'installer, mais on a juste besoin d'un fichier dedans /!\ ) sur le net rpm squid-helpers-4.1-5.el7.centos.x86_64.rpm et le placer dans le repertoire /root/install

Extraire les fichiers du rpm puis récupérer celui qu'il nous faut

cd /root/install && rpm2cpio ./squid-helpers-4.1-5.el7.centos.x86_64.rpm | cpio -idmv

cp /root/install/usr/lib64/squid/negotiate_wrapper_auth /usr/lib64/squid/

Une dépendance a changé de nom, il faut créer un lien symbolique.

ln -s /usr/lib64/libnsl.so.2 /lib64/libnsl.so.1

/etc/squid/squid.conf[modifier]

#
# Recommended minimum configuration:
#
#Authentification automatique via Kerberos

auth_param negotiate program /usr/bin/sg wbpriv -c "/usr/lib64/squid/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth -i --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=CSN-INTERNE.FR --kerberos /usr/lib64/squid/negotiate_kerberos_auth -d -k /etc/squid/srv78squid01b.csn-interne.fr.keytab -s HTTP/srv78squid01b.csn-interne.fr@CSN-INTERNE.FR"
auth_param negotiate children 20 startup=20
auth_param negotiate keep_alive off

# Authentification LDAP pour ceux qui ne sont pas en Kerberos
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=csn-interne,dc=fr" -D "cn=squidLDAP,ou=Applicatif,ou=Utilisateurs - Service,ou=CSNStandard,dc=csn-interne,dc=fr" -W /etc/squid/ldap_passwd.txt -f "sAMAccountName=%s" -h svr78dc01.csn-interne.fr -v 3

acl authenticated_user proxy_auth REQUIRED

http_access deny !authenticated_user

logformat timereadable %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
access_log daemon:/var/log/squid/access.log timereadable
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

/etc/krb5.conf[modifier]

[logging]
        Default = FILE:/var/log/krb5.log
[libdefaults]
        default_realm = CSN-INTERNE.FR
        clock_skew = 300
        ticket_lifetime = 24000
        default_tkt_enctypes = arcfour-hmac
        permitted_enctypes   = des-cbc-crc des-cbc-md5 arcfour-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac arcfour-hmac-md5
        rdns = false
        udp_preference_limit = 0
        dns_lookup_realm = true
        dns_lookup_kdc = true
        forwardable = yes
[realms]
        CSN-INTERNE.FR = {
                kdc = svr78dc01.csn-interne.fr
                admin_server = svr78dc01.csn-interne.fr
                default_domain = CSN-INTERNE.FR
                }
[domain_realm]
        .csn-interne.fr = CSN-INTERNE.FR
        csn-interne.fr = CSN-INTERNE.FR

/etc/samba/smb.conf[modifier]

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
   workgroup = CSN-INTERNE
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   log file = /var/log/samba/%m.log
   password server = SRV78DC01.CSN-INTERNE.FR
   realm = CSN-INTERNE.FR
   security = ads

/usr/lib/realmd/realmd-defaults.conf[modifier]

# Default values for realmd
[service]
debug = no
automatic-install = yes

[paths]
net = /usr/bin/net
winbindd = /usr/sbin/winbindd
smb.conf = /etc/samba/smb.conf
sssd.conf = /etc/sssd/sssd.conf
adcli = /usr/sbin/adcli
ipa-client-install = /usr/sbin/ipa-client-install
pam_winbind.conf = /etc/security/pam_winbind.conf
krb5.conf = /etc/krb5.conf

[active-directory]
default-client = sssd
os-name =
os-version =

[providers]
sssd = yes
samba = yes
example = no

[samba-packages]

[winbind-packages]

[sssd-packages]

[adcli-packages]

[commands]

[users]
default-shell = /bin/bash
default-home = /home/%U@%D

[example.com]
example-administrator = Administrator
example-password = bureaucracy

/etc/sssd/sssd.conf[modifier]

[sssd]
domains = csn-interne.fr
config_file_version = 2
services = nss, pam


[domain/csn-interne.fr]
id_provider = ad
ad_domain = csn-interne.fr
realmd_tags = manages-system joined-with-samba
cache_credentials = True
ldap_id_mapping = True
auth_provider = krb5
krb5_server = svr78dc01.csn-interne.fr
krb5_realm = CSN-INTERNE.FR
krb5_store_password_if_offline = True
access_provider = simple

Apres faut joindre la machine au domaine.

net ads join -U admin-agarik

(Le compte est renseigné dans la fiche AO de srv78dc01.csn-interne.fr )

Les services qui doivent tourner et leurs roles[modifier]

- squid => le service de proxy. 

systemctl enable squid.service

- sssd/realmd/winbind => sssd est le service qui fait le mapping pour squid aupres de l'AD ( il l'interroge en LDAP/AD grace au compte de service à la keytab indiqué dans la conf de squid pour connaitre la correspondance "Ticket kerberos" <=> "Nom d'utilisateur". Pour faire ça il utilise comme outil kerberos client et le service winbind pour interroger l'AD. Le service Winbind utilise la configuration de realmd ( samba ) pour trouver le nom de domaine , le DC, etc ....

systemctl enable sssd.service systemctl enable realmd.service systemctl enable winbind.service

Ajout de SquidGuard ( + mise en place d'un page de redirection pour les sites bloqués en http )[modifier]

yum install squidGuard httpd cd /var/squidGuard/ && tar -xzvf blacklists.tar.gz

- fichier /etc/squid/squidGuard.conf

#
# CONFIG FILE FOR SQUIDGUARD
#

dbhome /var/squidGuard
logdir /var/log/squidGuard

dest adult {
        domainlist      blacklists/porn/domains
        urllist         blacklists/porn/urls
}

dest drugs {
        domainlist      blacklists/drugs/domains
        urllist         blacklists/drugs/urls
}

dest warez {
        domainlist      blacklists/warez/domains
        urllist         blacklists/warez/urls
}

dest spyware {
        domainlist      blacklists/spyware/domains
        urllist         blacklists/spyware/urls
}

dest suspect {
        domainlist      blacklists/suspect/domains
        urllist         blacklists/suspect/urls
}

dest hacking {
        domainlist      blacklists/hacking/domains
        urllist         blacklists/hacking/urls
}

acl {

        default {
                pass     !adult !drugs !warez !spyware !suspect !hacking any
                redirect  http://172.30.104.195/access-denied.html?site=%u
        }
}