Memo / a dabbler engineer writes whatever he likes

This is nothing more than an operation log: I built things and watched them run until they worked, just to get a rough idea of how the mechanism fits together. It is a personal memo, so please check the latest installation procedure separately. If anything here is odd or wrong, I'd appreciate a comment or correction.

Building an SSO environment with Squid using Kerberos + AD integration

Overview

Build an internet proxy server that uses single sign-on, so that an access log can be kept for each user.

 - Users in a single domain authenticate against AD through the Kerberos SSO mechanism

 - Clients never have to be aware of whether authentication is taking place

 - Users whose machines are not domain-joined fail authentication and cannot communicate through the proxy.

Note: having used it for a while, the authentication settings and the AD-side integration settings seem to need various improvements, but I don't know how to configure them (please tell me).

Behaviour not handled

 - Access control using specific groups, specific users, specific URLs, etc. as individual conditions

 - Allowing communication unconditionally, without authentication

 - Whether the user's account is locked is not taken into account when allowing or denying access either

    Note: with this configuration, a user explicitly locked in AD, or locked out by password mistakes, could still get through the proxy as long as they were already connected (logged in)

    → Is the Kerberos ticket lifetime in group policy, or a cache, the cause?

 - Support for extended ACLs

 - Multi-domain support (is it even possible?)

Areas needing improvement

 - After several days with no traffic, authentication(?) stopped working and connections failed. Is additional Kerberos-related configuration needed? (I had to leave AD (realm leave) and realm join again)

  The access log is still written, so as a proxy it's fine??

 - The Kerberos authentication settings and rules need review (I want communication to be blocked when an account is disabled or locked in AD)

Prerequisites

- An AD domain environment exists

- A client PC that is already joined to the domain exists

- The DNS server can resolve the proxy server's name

Simple configuration

[Figure: simple configuration diagram (image not included here)]

Environment overview

Domain = my.home
Subnet = 172.16.100.0/24

Proxy server
 OS = CentOS 7.5
 squid 3.5.20
 IP = 172.16.100.190
 HOSTNAME = squid2.my.home
 Kerberos computer name = squid2

AD (Windows Server 2016) * also acts as the DNS and NTP server
 IP = 172.16.100.100
 HOSTNAME = ad.my.home

Client (Windows 10)
 Domain user = test01
 IP = 172.16.100.41

Procedure

Install the packages

# yum install -y squid \
    krb5-workstation pam_krb5 krb5-libs \
    samba samba-winbind samba-common samba-winbind-clients samba-common-tools samba-winbind-krb5-locator \
    realmd oddjob-mkhomedir sssd

 Note: this may include packages that aren't actually needed

AD integration settings

Register the proxy server in AD (as a managed computer)
[root@proxy2 ~]# realm join --client-software=winbind MY.HOME
Administrator に対するパスワード:
[root@proxy2 ~]# realm discover my.home
my.home
type: kerberos
realm-name: MY.HOME
domain-name: my.home
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: oddjob-mkhomedir
required-package: oddjob
required-package: samba-winbind-clients
required-package: samba-winbind
required-package: samba-common-tools
login-formats: MY\%U
login-policy: allow-any-login
[root@proxy2 ~]#
Start the winbind and smb services
# systemctl start winbind
# systemctl enable winbind
# systemctl status winbind
# systemctl start smb
# systemctl enable smb
# systemctl status smb 
Verify that a Kerberos ticket can be obtained
[root@proxy2 ~]# klist
klist: Credentials cache keyring 'persistent:0:0' not found
[root@proxy2 ~]#
[root@proxy2 ~]# kinit administrator@MY.HOME
Password for administrator@MY.HOME:        ← enter the password
[root@proxy2 ~]#
[root@proxy2 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: administrator@MY.HOME

Valid starting Expires Service principal
2020-03-09T23:23:09 2020-03-10T09:23:09 krbtgt/MY.HOME@MY.HOME
renew until 2020-03-16T23:23:06
[root@proxy2 ~]#
# wbinfo --all-domains
BUILTIN
PROXY2
MY
Edit smb.conf

Edit the contents of /etc/samba/smb.conf

Delete the [homes], [printers] and [print$] sections and keep only the [global] settings.

# cat /etc/samba/smb.conf
[global]
kerberos method = system keytab
template homedir = /home/%U@%D
workgroup = MY
template shell = /bin/bash
security = ads
realm = MY.HOME
idmap config * : range = 10000-999999
idmap config * : backend = tdb
idmap config MY : backend = ad
idmap config MY : range = 2000000-2999999
idmap config MY : schema_mode = rfc2307
idmap config MY : unix_nss_info = yes
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
Edit /etc/krb5.conf

Edit the contents of /etc/krb5.conf

# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

[plugins]
localauth = {
module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
enable_only = winbind
}
Create the keytab
Note: creation
# kinit administrator@MY.HOME
Password for administrator@MY.HOME:
# export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
# net ads keytab CREATE
# net ads keytab ADD HTTP

Note: change the permissions
# ls -alt /etc/squid/HTTP.keytab
-rw------- 1 root root 1607 3月 9 23:30 /etc/squid/HTTP.keytab
# chgrp squid /etc/squid/HTTP.keytab
# chmod g+r /etc/squid/HTTP.keytab
# ls -alt /etc/squid/HTTP.keytab
-rw-r----- 1 root squid 1607 3月 9 23:30 /etc/squid/HTTP.keytab
#

Squid settings

Edit /etc/squid/squid.conf

Add the authentication settings and the log format settings (in the original post these were marked in red: the auth_param negotiate lines, the kerb-auth ACL with its http_access rule, and the logformat / access_log lines).

Note: settings that don't seem to affect SSO are left roughly at their defaults.

[root@proxy2 ~]# cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/proxy2.my.home@MY.HOME
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl kerb-auth proxy_auth REQUIRED
http_access allow kerb-auth

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
# http_access allow localnet
# http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 8080

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

#LOGformat指定
logformat customlog "time=%{%Y/%m/%d %H:%M:%S}tl","un=%un","credentials=%credentials","host=%>la","src_ip=%>a","src_port=%>p","dest_ip=%<a","dest_port=%<p","url=%ru","status=%>Hs","http_method=%rm","referer=%{Referer}>h","user=%ui","duration=%tr","dt=%dt","uri_path=%>rp","byte_in=%<st","byte_out=%>st","http_user_agent=%{User-Agent}>h","content_type=%mt","action=%Ss","product=squid"
access_log /var/log/squid/access.log customlog
 Note about the Squid settings
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k <path to HTTP.keytab> -s HTTP/<proxy host name + domain name>@<REALM name>
The location of "negotiate_kerberos_auth" differs between Squid versions.
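
The two things the note above and the keytab permission step depend on are the service principal passed with -s and the mode of HTTP.keytab. The following is an added example (my own code, not from the post or from the Squid project) that reads the auth_param negotiate program line out of a squid.conf and checks both: that the SPN has the form HTTP/<fqdn>@<REALM> where <fqdn> is the exact name clients put in their proxy settings (the environment table above lists squid2.my.home while the configuration uses proxy2.my.home, which is the kind of discrepancy that leaves every request at 407), and that the keytab is readable by the squid group but not by everyone. The sample squid.conf text, the placeholder keytab file, the host names and the group name are constructed assumptions for the example.

```python
"""Preflight checks for a Squid negotiate_kerberos_auth setup (added example,
not from the original post). Reads the "auth_param negotiate program" line,
extracts the keytab path (-k) and service principal (-s), and checks the two
things that most often leave every request stuck at 407: the SPN must be
HTTP/<fqdn>@<REALM> with the exact name clients use for the proxy, and the
keytab must be group-readable for the squid helper but not world-readable.
Host names, the group name and all paths are assumptions for the example."""
import os
import re
import shlex
import stat
import tempfile

SPN_RE = re.compile(r"^HTTP/(?P<host>[^@/]+)@(?P<realm>[^@]+)$")

# Constructed snippet modelled on the post's squid.conf (not the real file).
SAMPLE_SQUID_CONF = """\
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/proxy2.my.home@MY.HOME
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerb-auth proxy_auth REQUIRED
http_access allow kerb-auth
"""


def parse_negotiate_line(conf_text):
    """Return {'helper', 'keytab', 'spn'} from the negotiate program line, or None."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("auth_param negotiate program"):
            continue
        args = shlex.split(line)[3:]  # helper binary followed by its options
        opts, i = {}, 1
        while i < len(args):
            if args[i] in ("-k", "-s") and i + 1 < len(args):
                opts[args[i]] = args[i + 1]
                i += 2
            else:
                i += 1  # other helper flags (e.g. -d) are not checked here
        return {"helper": args[0], "keytab": opts.get("-k"), "spn": opts.get("-s")}
    return None


def check_spn(spn, proxy_fqdn):
    """Return a list of problems with the service principal; an empty list means OK."""
    m = SPN_RE.match(spn or "")
    if not m:
        return [f"SPN {spn!r} is not of the form HTTP/<fqdn>@<REALM>"]
    problems = []
    if m.group("host").lower() != proxy_fqdn.lower():
        problems.append(f"SPN host {m.group('host')} differs from proxy FQDN {proxy_fqdn}: "
                        "browsers request a ticket for the name in their proxy settings")
    if m.group("realm") != m.group("realm").upper():
        problems.append(f"realm {m.group('realm')} should be upper case")
    return problems


def check_keytab_perms(path, squid_group=None):
    """Return a list of problems with the keytab mode/group; an empty list means OK."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append(f"{path} is accessible by everyone (mode {oct(mode)}), expected 0640")
    if not mode & stat.S_IRGRP:
        problems.append(f"{path} is not group-readable, the squid helper cannot open it")
    if squid_group is not None:
        import grp  # POSIX only; the owning group is checked only when a name is given
        owner_group = grp.getgrgid(st.st_gid).gr_name
        if owner_group != squid_group:
            problems.append(f"{path} is owned by group {owner_group}, expected {squid_group}")
    return problems


def preflight(conf_text, proxy_fqdn, keytab_path=None, squid_group=None):
    """Run all checks; an empty list means squid can be started."""
    cfg = parse_negotiate_line(conf_text)
    if cfg is None:
        return ["no 'auth_param negotiate program' line in squid.conf"]
    problems = check_spn(cfg["spn"], proxy_fqdn)
    path = keytab_path or cfg["keytab"]
    if path and os.path.exists(path):
        problems += check_keytab_perms(path, squid_group)
    else:
        problems.append(f"keytab {path!r} does not exist")
    return problems


def make_placeholder_keytab(mode=0o640):
    """Create a throwaway file standing in for HTTP.keytab (constructed, not a real keytab)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"placeholder, not a real keytab")
    os.chmod(tmp.name, mode)
    return tmp.name


if __name__ == "__main__":
    print("ok        :", preflight(SAMPLE_SQUID_CONF, "proxy2.my.home", make_placeholder_keytab(0o640)))
    print("bad fqdn  :", preflight(SAMPLE_SQUID_CONF, "squid2.my.home", make_placeholder_keytab(0o640)))
    print("world-read:", preflight(SAMPLE_SQUID_CONF, "proxy2.my.home", make_placeholder_keytab(0o644)))
```

On a real proxy you would call preflight(open("/etc/squid/squid.conf").read(), "<fqdn clients use>", squid_group="squid") before systemctl start squid; the SPN host comparison is case-insensitive because DNS names are, while the realm is required to be upper case because Kerberos realm names are case-sensitive.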

About the log format

time             %{%Y/%m/%d %H:%M:%S}tl   timestamp
un               %un                      authenticated user name
credentials      %credentials             authentication method
host             %>la                     proxy address
src_ip           %>a                      source IP
src_port         %>p                      source port number
dest_ip          %<a                      destination IP
dest_port        %<p                      destination port number
url              %ru                      URL
status           %>Hs                     status code (200, 403, 407, etc.)
http_method      %rm                      method (GET, CONNECT, etc.)
referer          %{Referer}>h             referrer
user             %ui                      user name (ident)
duration         %tr                      response time
dt               %dt                      total time spent on DNS lookups
uri_path         %>rp                     request URL path without the host name
byte_in          %<st                     total size of the response sent to the client
byte_out         %>st                     total size of the request received from the client
http_user_agent  %{User-Agent}>h          user agent
content_type     %mt                      MIME content type
action           %Ss                      Squid request status (TCP_MISS, etc.)
product          squid                    software name (fixed string)

Check the Squid startup settings
# cat /etc/sysconfig/squid
-- from here --
# default squid options
SQUID_OPTS=""

# Time to wait for Squid to shut down when asked. Should not be necessary
# most of the time.
SQUID_SHUTDOWN_TIMEOUT=100

# default squid conf file
SQUID_CONF="/etc/squid/squid.conf"
-- to here --

Verify squid.conf

The edited configuration file can be checked for errors.

# squid -k parse

Start Squid

Once squid.conf checks out, start it.

# systemctl start squid
# systemctl status squid
# systemctl enable squid

 

Access verification

Verify SSO operation

Configure the proxy settings on the client (enter the FQDN).

[Figure: client proxy settings screenshot (image not included here)]

Access from a browser on a domain-joined client and confirm that no screen asking for a user name and password appears.

I don't know how it behaves under heavy HTTP access load or when there is latency in the AD integration.

Check the access log

Looking at /var/log/squid/access.log, I could confirm the following:

 - Requests from domain-joined PCs show the user information

 - Log entries without user information have status = 407 (authentication error)

 - HTTPS uses CONNECT, so no file path is shown

 - HTTP uses GET, so the file path is shown

"time=2020/03/18 23:29:59","un=-","credentials=-","host=172.16.100.190","src_ip=172.16.100.41","src_port=63437","dest_ip=-","dest_port=-","url=smartscreen-prod.microsoft.com:443","status=407","http_method=CONNECT","referer=-","user=-","duration=1","dt=-","uri_path=-","byte_in=4037","byte_out=164","http_user_agent=-","content_type=text/html","action=TCP_DENIED","product=squid"
"time=2020/03/18 23:29:59","un=test01@MY.HOME","credentials=KK (null)\n","host=172.16.100.190","src_ip=172.16.100.41","src_port=63437","dest_ip=13.67.116.41","dest_port=443","url=smartscreen-prod.microsoft.com:443","status=200","http_method=CONNECT","referer=-","user=-","duration=597","dt=55","uri_path=-","byte_in=7735","byte_out=2213","http_user_agent=-","content_type=-","action=TCP_TUNNEL","product=squid"
"time=2020/03/18 23:29:59","un=-","credentials=-","host=172.16.100.190","src_ip=172.16.100.41","src_port=63447","dest_ip=-","dest_port=-","url=smartscreen-prod.microsoft.com:443","status=407","http_method=CONNECT","referer=-","user=-","duration=0","dt=-","uri_path=-","byte_in=4037","byte_out=164","http_user_agent=-","content_type=text/html","action=TCP_DENIED","product=squid"
"time=2020/03/18 23:30:00","un=test01@MY.HOME","credentials=KK (null)\n","host=172.16.100.190","src_ip=172.16.100.41","src_port=63447","dest_ip=13.67.116.41","dest_port=443","url=smartscreen-prod.microsoft.com:443","status=200","http_method=CONNECT","referer=-","user=-","duration=419","dt=-","uri_path=-","byte_in=7394","byte_out=2213","http_user_agent=-","content_type=-","action=TCP_TUNNEL","product=squid"
"time=2020/03/18 23:30:59","un=-","credentials=-","host=172.16.100.190","src_ip=172.16.100.41","src_port=64039","dest_ip=-","dest_port=-","url=http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?","status=407","http_method=GET","referer=-","user=-","duration=0","dt=-","uri_path=/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?f8234","byte_in=4387","byte_out=318","http_user_agent=Microsoft-CryptoAPI/10.0","content_type=text/html","action=TCP_DENIED","product=squid"
"time=2020/03/18 23:30:59","un=test01@MY.HOME","credentials=KK (null)\n","host=172.16.100.190","src_ip=172.16.100.41","src_port=64039","dest_ip=8.255.43.254","dest_port=80","url=http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?","status=304","http_method=GET","referer=-","user=-","duration=109","dt=49","uri_path=/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?f882","byte_in=450","byte_out=2367","http_user_agent=Microsoft-CryptoAPI/10.0","content_type=-","action=TCP_MISS","product=squid"
"time=2020/03/18 23:34:13","un=-","credentials=-","host=172.16.100.190","src_ip=172.16.100.41","src_port=49583","dest_ip=-","dest_port=-","url=settings-win.data.microsoft.com:443","status=407","http_method=CONNECT","referer=-","user=-","duration=0","dt=-","uri_path=-","byte_in=3950","byte_out=99","http_user_agent=-","content_type=text/html","action=TCP_DENIED","product=squid"
"time=2020/03/18 23:34:36","un=-","credentials=-","host=172.16.100.190","src_ip=172.16.100.41","src_port=49817","dest_ip=-","dest_port=-","url=http://tile-service.weather.microsoft.com/ja-JP/livetile/preinstall?","status=407","http_method=GET","referer=-","user=-","duration=0","dt=-","uri_path=/ja-JP/livetile/preinstall?region=JP&appid=FE36&FORM=Threshold","byte_in=4217","byte_out=260","http_user_agent=Microsoft-WNS/10.0","content_type=text/html","action=TCP_DENIED","product=squid"
"time=2020/03/18 23:34:36","un=test01@MY.HOME","credentials=KK (null)\n","host=172.16.100.190","src_ip=172.16.100.41","src_port=49817","dest_ip=23.42.67.62","dest_port=80","url=http://tile-service.weather.microsoft.com/ja-JP/livetile/preinstall?","status=200","http_method=GET","referer=-","user=-","duration=104","dt=40","uri_path=/ja-JP/livetile/preinstall?region=JP&appid=CE6&FORM=Threshold","byte_in=4736","byte_out=2309","http_user_agent=Microsoft-WNS/10.0","content_type=text/xml","action=TCP_MISS","product=squid"

Blue: user information present, Red: user information absent (colouring in the original post; here, compare the un= field)

 Access log when connecting from a PC that is not joined to the domain

"time=2020/03/20 22:00:29","un=-","credentials=-","host=172.16.100.190","src_ip=192.168.255.2","src_port=37859","dest_ip=-","dest_port=-","url=mail.google.com:443","status=407","http_method=CONNECT","referer=-","user=-","duration=0","dt=-","uri_path=-","byte_in=4112","byte_out=221","http_user_agent=Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko","content_type=text/html","action=TCP_DENIED","product=squid"
"time=2020/03/20 22:00:30","un=-","credentials=-","host=172.16.100.190","src_ip=192.168.255.2","src_port=37859","dest_ip=-","dest_port=-","url=mail.google.com:443","status=407","http_method=CONNECT","referer=-","user=-","duration=0","dt=-","uri_path=-","byte_in=4215","byte_out=310","http_user_agent=Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko","content_type=text/html","action=TCP_DENIED","product=squid"
"time=2020/03/20 22:00:33","un=-","credentials=-","host=172.16.100.190","src_ip=192.168.255.2","src_port=37870","dest_ip=-","dest_port=-","url=mail.google.com:443","status=407","http_method=CONNECT","referer=-","user=-","duration=0","dt=-","uri_path=-","byte_in=4215","byte_out=310","http_user_agent=Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko","content_type=text/html","action=TCP_DENIED","product=squid"
"time=2020/03/20 22:00:35","un=-","credentials=-","host=172.16.100.190","src_ip=192.168.255.2","src_port=37871","dest_ip=-","dest_port=-","url=mail.google.com:443","status=407","http_method=CONNECT","referer=-","user=-","duration=0","dt=-","uri_path=-","byte_in=4215","byte_out=310","http_user_agent=Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko","content_type=text/html","action=TCP_DENIED","product=squid"
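
To make the log checks above repeatable, here is an added example (my own code, not from the post or from Squid) that parses this customlog format, the table of fields given earlier, and reports per user how many requests were authenticated and which source addresses were only ever answered with 407. A 407 followed by a 200 on the same source port is the normal Negotiate handshake; a source that never gets past 407 is what a non-domain-joined PC, or a client with the wrong proxy name in its settings, looks like. The log lines embedded below are constructed to mirror the post's output; destination host names and addresses are placeholders.

```python
"""Parse the Squid customlog format above and audit who got through the proxy.

Added example, not code from the original post. Each access.log line is a
comma-separated list of "key=value" fields wrapped in double quotes, so the
csv module splits it safely even when a value (User-Agent, URL) contains a
comma. The sample lines are constructed to mirror the post's log: one
domain-joined client (172.16.100.41) that is challenged with 407 and then
succeeds with its Negotiate ticket, and one non-domain client (192.168.255.2)
that only ever sees 407. Destination names and IPs are placeholders.
"""
import csv
from collections import Counter

# Constructed sample log, modelled on the post's access.log (not the real log).
SAMPLE_LOG = """\
"time=2020/03/18 23:29:59","un=-","credentials=-","host=172.16.100.190","src_ip=172.16.100.41","src_port=63437","dest_ip=-","dest_port=-","url=www.example.com:443","status=407","http_method=CONNECT","referer=-","user=-","duration=1","dt=-","uri_path=-","byte_in=4037","byte_out=164","http_user_agent=-","content_type=text/html","action=TCP_DENIED","product=squid"
"time=2020/03/18 23:29:59","un=test01@MY.HOME","credentials=KK (null)\\n","host=172.16.100.190","src_ip=172.16.100.41","src_port=63437","dest_ip=203.0.113.10","dest_port=443","url=www.example.com:443","status=200","http_method=CONNECT","referer=-","user=-","duration=597","dt=55","uri_path=-","byte_in=7735","byte_out=2213","http_user_agent=-","content_type=-","action=TCP_TUNNEL","product=squid"
"time=2020/03/18 23:30:59","un=-","credentials=-","host=172.16.100.190","src_ip=172.16.100.41","src_port=64039","dest_ip=-","dest_port=-","url=http://www.example.com/update/index.html","status=407","http_method=GET","referer=-","user=-","duration=0","dt=-","uri_path=/update/index.html","byte_in=4387","byte_out=318","http_user_agent=Microsoft-CryptoAPI/10.0","content_type=text/html","action=TCP_DENIED","product=squid"
"time=2020/03/18 23:30:59","un=test01@MY.HOME","credentials=KK (null)\\n","host=172.16.100.190","src_ip=172.16.100.41","src_port=64039","dest_ip=203.0.113.10","dest_port=80","url=http://www.example.com/update/index.html","status=304","http_method=GET","referer=-","user=-","duration=109","dt=49","uri_path=/update/index.html","byte_in=450","byte_out=2367","http_user_agent=Microsoft-CryptoAPI/10.0","content_type=-","action=TCP_MISS","product=squid"
"time=2020/03/20 22:00:29","un=-","credentials=-","host=172.16.100.190","src_ip=192.168.255.2","src_port=37859","dest_ip=-","dest_port=-","url=mail.example.com:443","status=407","http_method=CONNECT","referer=-","user=-","duration=0","dt=-","uri_path=-","byte_in=4112","byte_out=221","http_user_agent=Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko","content_type=text/html","action=TCP_DENIED","product=squid"
"""


def parse_line(line):
    """Turn one customlog line into a dict; strips the literal '\\n' squid writes into %credentials."""
    rec = {}
    for field in next(csv.reader([line])):
        key, _, value = field.partition("=")  # split on the first '=' only, URLs may contain more
        rec[key] = value
    rec["credentials"] = rec.get("credentials", "-").replace("\\n", "").strip()
    return rec


def describe(rec):
    """One-line summary: who, what, where, and how squid handled it."""
    return f"{rec['un']} {rec['http_method']} {rec['url']} -> {rec['status']} {rec['action']}"


def summarize(log_text):
    """Count authenticated requests per user and find sources that never got past 407."""
    per_user = Counter()
    challenges = 0
    sources_ok, sources_denied = set(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["status"] == "407":
            # A 407 with un=- is the proxy's Negotiate challenge; one per new
            # connection is normal and only a problem if nothing follows it.
            challenges += 1
            sources_denied.add(rec["src_ip"])
            continue
        per_user[rec["un"]] += 1
        sources_ok.add(rec["src_ip"])
    return {
        "per_user": dict(per_user),
        "challenges": challenges,
        # Clients that were challenged but never presented a ticket: not domain
        # joined, wrong proxy name in their settings, or an SPN/keytab problem.
        "never_authenticated": sorted(sources_denied - sources_ok),
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(describe(parse_line(line)))
    print(summarize(SAMPLE_LOG))
```

Run it against the real file with summarize(open("/var/log/squid/access.log").read()); a domain-joined address showing up in never_authenticated after the proxy has been idle for days is the symptom described in the "Areas needing improvement" section above.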

 

Reference URL

- Configuring a Squid Server to authenticate from Kerberos

https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos