{"id":186,"date":"2012-01-12T16:50:22","date_gmt":"2012-01-12T18:50:22","guid":{"rendered":"http:\/\/linuxrs.com.br\/?p=186"},"modified":"2012-01-12T16:50:22","modified_gmt":"2012-01-12T18:50:22","slug":"squid-autenticando-em-windows-2003-com-msnt_auth","status":"publish","type":"post","link":"https:\/\/blog.clusterweb.com.br\/?p=186","title":{"rendered":"Squid autenticando em Windows 2003 com msnt_auth"},"content":{"rendered":"\n\n\n
Configurando o msnt_auth<\/strong><\/p>\n\n\n\n\n\n\n\n
Primeiramente iremos configurar o msnt_auth<\/em>, que \u00e9 respons\u00e1vel pela autentica\u00e7\u00e3o dos usu\u00e1rios no Windows 2003.<\/p>\n

No diret\u00f3rio do Squid (\/etc\/squid\/) temos o arquivo msntauth.conf<\/em>, onde devemos inserir os nomes dos servidores 2003 e o nome do dom\u00ednio.<\/p>\n

Suponhamos que meus servidores estejam configurados da seguinte maneira:<\/p>\n

    \n
  • PDC = srv01 > 192.168.0.1<\/li>\n
  • BDC = srv02 > 192.168.0.2<\/li>\n
  • dom\u00ednio = meudominio<\/li>\n<\/ul>\n

    Deixe o conte\u00fado do msnauth.conf da forma como esta no exemplo abaixo, apenas alterando as informa\u00e7\u00f5es dos servidores.<\/p>\n

    OBS: Caso voc\u00ea tenha apenas 1 controlador de dom\u00ednio, informe o mesmo nome no BDC.<\/td>\n<\/tr>\n

\n
#################################################### # Sample MSNT authenticator configuration file # Antonino Iannella, Stellar-X Pty Ltd # Sun Sep 2 15:52:31 CST 2001 # NT hosts to use. Best to put their IP addresses in \/etc\/hosts.<\/span>\r\nserver my_PDC           my_BDC          my_NTdomain\r\nserver srv01 srv02 meudominio\r\n\r\n# Denied and allowed users. Comment these if not needed. #denyusers \/usr\/local\/squid\/etc\/msntauth.denyusers #allowusers \/usr\/local\/squid\/etc\/msntauth.allowusers ###################################################<\/span><\/pre>\n<\/td>\n<\/tr>\n
\nAp\u00f3s configurado o arquivo, coloque em \/etc\/hosts o nome e o ip dos servidores da seguinte forma:<\/td>\n<\/tr>\n
\n
# Do not remove the following line, or various programs # that require network functionality will fail.<\/span>\r\n127.0.0.1       firewall localhost.localdomain localhost\r\n192.168.0.1     srv01\r\n192.168.0.2     srv02<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
Configura\u00e7\u00e3o do Squid<\/strong><\/p>\n\n\n\n\n\n\n\n\n\n\n\n
Agora devemos editar o arquivo squid.conf<\/em>. Devemos inserir as seguintes linhas:<\/td>\n<\/tr>\n
auth_param basic program \/usr\/lib\/squid\/msnt_auth
\nauth_param basic children 5
\nauth_param basic realm Proxy Cache Teste<\/td>\n<\/tr>\n
\nA \u00faltima linha pode ser alterada de acordo com sua prefer\u00eancia, pois \u00e9 a mensagem que o mesmo mostrar\u00e1 na tela onde dever\u00e1 ser informado usu\u00e1rio e senha.<\/p>\n

Ap\u00f3s criaremos 2 arquivos no diret\u00f3rio do Squid, “usuarios”, onde colocaremos os usu\u00e1rios que ter\u00e3o o acesso e no “usuarios-total” os usu\u00e1rios que n\u00e3o passaram por nenhuma restri\u00e7\u00e3o do proxy.<\/p>\n

Criando as acl’s de acesso no squid.conf:<\/td>\n<\/tr>\n

#usuarios-total<\/span>
\nacl user-total proxy_auth “\/etc\/squid\/usuarios-total”<\/p>\n

#usuarios<\/span>
\nacl users proxy_auth “\/etc\/squid\/usuarios”<\/td>\n<\/tr>\n

\nN\u00e3o devemos esquecer de criar a ACL de autentica\u00e7\u00e3o:<\/td>\n<\/tr>\n
acl autenticar proxy_auth REQUIRED<\/td>\n<\/tr>\n
\nAp\u00f3s isso \u00e9 s\u00f3 criar as acl’s de bloqueio normalmente e liberar a autentica\u00e7\u00e3o dos usu\u00e1rios como exemplo abaixo:<\/td>\n<\/tr>\n
http_access allow autenticar user-total
\nbloqueia o que for preciso
\nhttp_access allow autenticar user
\nhttp_access deny all<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
Exemplo de squid.conf<\/strong><\/p>\n\n\n\n\n
Estou disponibilizando aqui meu squid.conf<\/em> com alguns bloqueios por site, palavras, extens\u00f5es e msn.<\/td>\n<\/tr>\n
http_port 3128
\nvisible_hostname squid
\nacl QUERY urlpath_regex cgi-bin \\?<\/p>\n

cache_dir ufs \/var\/spool\/squid 2048 16 256
\ncache_mem 32 MB<\/p>\n

auth_param basic program \/usr\/lib\/squid\/msnt_auth
\nauth_param basic children 5
\nauth_param basic realm Proxy Cache Teste
\n#auth_param basic credentialsttl 10 hours<\/p>\n

#ACL PADRAO<\/span><\/p>\n

acl all src 0.0.0.0\/0.0.0.0
\nacl autenticar proxy_auth REQUIRED
\nacl manager proto cache_object
\nacl localhost src 127.0.0.1\/255.255.255.255
\nacl to_localhost dst 127.0.0.0\/8
\nacl SSL_ports port 443 563
\nacl Safe_ports port 80 # http<\/span>
\nacl Safe_ports port 21 # ftp<\/span>
\nacl Safe_ports port 443 563 # https, snews<\/span>
\nacl Safe_ports port 70 # gopher<\/span>
\nacl Safe_ports port 210 # wais<\/span>
\nacl Safe_ports port 1025-65535 # unregistered ports<\/span>
\nacl Safe_ports port 280 # http-mgmt<\/span>
\nacl Safe_ports port 488 # gss-http<\/span>
\nacl Safe_ports port 591 # filemaker<\/span>
\nacl Safe_ports port 777 # multiling http<\/span>
\nacl CONNECT method CONNECT<\/p>\n

#ACLS RISOTO<\/span><\/p>\n

#ACL liberados<\/span><\/p>\n

acl liberados url_regex “\/etc\/squid\/control\/liberados”<\/p>\n

#ACL acesso TI<\/span><\/p>\n

acl ti-usuarios proxy_auth “\/etc\/squid\/control\/ti\/usuarios”<\/p>\n

#ACL acesso DIRETORIA<\/span><\/p>\n

acl diretoria src “\/etc\/squid\/control\/diretoria\/usuarios”<\/p>\n

#ACL acesso Usuarios<\/span><\/p>\n

acl usuarios proxy_auth “\/etc\/squid\/control\/usuarios\/usuarios”
\nacl usuarios-msn proxy_auth “\/etc\/squid\/control\/usuarios\/usuarios-msn”
\nacl proibidos_usuarios url_regex “\/etc\/squid\/control\/usuarios\/proibidos”
\nacl palavras_usuarios url_regex -i “\/etc\/squid\/control\/usuarios\/palavras”
\nacl arquivos_usuarios urlpath_regex -i “\/etc\/squid\/control\/usuarios\/arquivos”<\/p>\n

#ACL acesso Gerencia<\/span><\/p>\n

acl gerencia proxy_auth “\/etc\/squid\/control\/gerencia\/usuarios”
\nacl proibidos_gerencia url_regex “\/etc\/squid\/control\/gerencia\/proibidos”
\nacl palavras_gerencia url_regex -i “\/etc\/squid\/control\/gerencia\/palavras”
\nacl arquivos_gerencia urlpath_regex -i “\/etc\/squid\/control\/gerencia\/arquivos”<\/p>\n

no_cache deny QUERY<\/p>\n

#sem msn<\/span>
\nacl bqmsn dstdomain passport.com
\nacl msnmessenger url_regex -i gateway.dll
\nacl msn req_mime_type -i ^application\/x-msn-messenger$<\/p>\n

#LIBERA\/BLOQUEIA ACESSO A NET<\/span><\/p>\n

http_access allow manager localhost
\nhttp_access deny manager
\nhttp_access deny !Safe_ports
\nhttp_access deny CONNECT !SSl_ports
\nhttp_access allow localhost<\/p>\n

http_access allow liberados
\nhttp_access allow diretoria
\nhttp_access allow autenticar ti-usuarios
\nhttp_access deny proibidos_gerencia
\nhttp_access deny palavras_gerencia
\nhttp_access deny arquivos_gerencia
\nhttp_access allow autenticar gerencia<\/p>\n

http_access deny proibidos_usuarios
\nhttp_access deny palavras_usuarios
\nhttp_access deny arquivos_usuarios<\/p>\n

http_access allow autenticar usuarios-msn<\/p>\n

http_access deny bqmsn
\nhttp_access deny msnmessenger
\nhttp_access deny msn<\/p>\n

http_access allow autenticar usuarios
\nhttp_access deny all<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"

Configurando o msnt_auth Primeiramente iremos configurar o msnt_auth, que \u00e9 respons\u00e1vel pela autentica\u00e7\u00e3o dos usu\u00e1rios no Windows 2003. No diret\u00f3rio do Squid (\/etc\/squid\/) temos o arquivo msntauth.conf, onde devemos inserir os nomes dos servidores 2003 e o nome do dom\u00ednio. Suponhamos que meus servidores estejam configurados da seguinte maneira: PDC = srv01 > 192.168.0.1 BDC […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[1,51,85],"tags":[89,88,87,86,90],"class_list":["post-186","post","type-post","status-publish","format-standard","hentry","category-viazap","category-linux-linuxrs","category-proxy","tag-89","tag-autenticacao","tag-proxy-2","tag-squid","tag-windows-2003"],"_links":{"self":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/186","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=186"}],"version-history":[{"count":2,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/186\/revisions"}],"predecessor-version":[{"id":188,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/186\/revisions\/188"}],"wp:attachment":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}