Category Archives: Linux (debian)

Squid transparent AD authentication

This article describes how to set up transparent (single sign-on) Squid authentication against Active Directory with Kerberos: domain users are authenticated by the ticket they already hold and never see a password prompt. "Transparent" refers to the user experience, not to an intercepting proxy; proxy authentication only works when the browser is explicitly configured to use the proxy.
Prerequisite: your Linux box has joined the domain, see the article: Debian active directory authentication

Before anything else, check the DNS configuration in /etc/resolv.conf: the name servers must be the domain controllers and the search domain must be the AD domain, otherwise the short names used below will not resolve:

domain unknown.local
search unknown.local
nameserver 10.10.22.30
nameserver 10.10.22.100

Check that reverse lookups work for each name server (Kerberos and msktutil rely on consistent forward and reverse DNS):

# dig -x <nameserver ip>

Ensure the clock is correct. Kerberos rejects tickets when the clocks of client, proxy and DC differ by more than the allowed skew (5 minutes by default), so synchronise against a domain controller:

# ntpdate <windows DC>

Generate the keytab file. First obtain a ticket for an account allowed to create computer objects (here the domain administrator account "administrateur"), then let msktutil create the computer account "serverproxy" in CN=Computers with the HTTP/ service principal and write its keys to /etc/the.keytab. --enctypes 28 is the msDS-SupportedEncryptionTypes bitmask RC4-HMAC (4) + AES128 (8) + AES256 (16); if all your DCs support AES, 24 leaves out the weak RC4 keys:

# kinit administrateur
# msktutil -c -b "CN=COMPUTERS" -s HTTP/serverproxy.unknown.local -k /etc/the.keytab --computer-name serverproxy --upn HTTP/serverproxy.unknown.local --server dc.unknown.local --enctypes 28

The keytab is equivalent to the computer account's password, so it must be readable by the process that will use it (on Debian, Squid's helpers run as the user proxy) and by nobody else: hand it to that user or group with mode 0640 rather than making it world-readable. The path must also be the one Squid is pointed at later (this article uses /etc/the.keytab here and /etc/squid/squid.keytab in the Squid section; pick one and use it in both places).
If msktutil fails, first check that kinit actually gave you a ticket:

# klist

Then check that the keytab contains the expected principals (the HTTP/ SPN and the computer account, with their key version numbers):

# klist -k /etc/the.keytab

The computer account password has to be rotated like that of any other machine account; msktutil --auto-update does this once the password is older than 30 days and rewrites the keytab at the same time, and does nothing otherwise. Put it in cron, pointing it at the same keytab (without -k it would operate on /etc/krb5.keytab):

00 4  *   *   *     msktutil --auto-update --verbose -k /etc/the.keytab --computer-name serverproxy | logger -t msktutil

Squid configuration. The helper negotiate_kerberos_auth validates the Negotiate (SPNEGO/Kerberos) token sent by the browser; -s is the service principal it accepts and must match the keytab entry exactly, realm included (realm in upper case); -d turns on debug output (visible in cache.log) and can be dropped once it works. Note that auth_param alone challenges nobody: authentication is only triggered by a proxy_auth ACL referenced in http_access.

### Automatic authentication via Kerberos
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/serverproxy.unknown.local@UNKNOWN.LOCAL
auth_param negotiate children 20 startup=30
auth_param negotiate keep_alive off

The helper finds the keytab through the KRB5_KTNAME variable, which must be present in the environment Squid is started from. /etc/profile is not the right place: it is only read by login shells, so a daemon started at boot by the init system never sees it. Either set the variable in the service's environment (for example a systemd drop-in with an Environment= line) or pass the keytab on the helper's command line with its -k option. The variable itself:

KRB5_KTNAME=/etc/squid/squid.keytab
export KRB5_KTNAME

In the browser, configure the proxy by its FQDN, never by IP address or short name: the browser builds the Kerberos service name (HTTP/<name as typed>) from the proxy setting, and only the FQDN matches the SPN in the keytab:

serverproxy.unknown.local
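As an added example that is not code from the original article, the following POSIX shell script checks the three things that most often break this setup before Squid is started (keytab permissions, the SPN actually stored in the keytab, and the clock offset against the DC) and prints the ACL lines Squid needs in addition to auth_param. The user name proxy, the keytab path, the SPN and the DC name are assumptions taken from Debian defaults and from the names used above; the functions work on the text output of klist and ntpdate, so they can be tried on captured output without touching the system.

```sh
#!/bin/sh
# Added example, not code from the original article: pre-flight checks for
# the pieces that most often break a Squid/Kerberos setup, plus the ACL lines
# Squid needs in addition to auth_param. Assumptions (hypothetical, adjust
# to your site): Debian's Squid helpers run as user "proxy"; keytab path, SPN
# and DC name are the ones used in the article.

KEYTAB=${KEYTAB:-/etc/squid/squid.keytab}
SPN=${SPN:-HTTP/serverproxy.unknown.local@UNKNOWN.LOCAL}
SQUID_USER=${SQUID_USER:-proxy}
DC=${DC:-dc.unknown.local}
MAX_SKEW=300   # Kerberos default clock skew tolerance, in seconds

# A keytab is equivalent to the computer account's password: it must be
# readable by the helper's user and by nobody else. Returns 0 when the file
# exists and has no read bit for "other" (e.g. 0640 root:proxy).
keytab_perms_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c %a "$f") || return 1
    case "$mode" in
        *[4567]) return 1 ;;   # last octal digit carries the o+r bit
    esac
    return 0
}

# Given the text of `klist -k KEYTAB`, return 0 if the expected principal is
# present. An SPN that differs from the one given to the helper with -s
# (realm and case included) is the usual cause of GSSAPI failures.
keytab_has_spn() {
    listing=$1 spn=$2
    printf '%s\n' "$listing" |
        awk -v s="$spn" '$2 == s { found = 1 } END { exit found ? 0 : 1 }'
}

# Given the output of `ntpdate -q DC`, return 0 if the measured clock offset
# is within the Kerberos tolerance; tickets are rejected beyond it. Fails
# closed when no offset line is found (server unreachable).
clock_skew_ok() {
    printf '%s\n' "$1" | awk -v max="$MAX_SKEW" '
        { for (i = 1; i < NF; i++) if ($i == "offset") { o = $(i + 1); sub(/,/, "", o); o = o + 0; seen = 1 } }
        END { if (!seen) exit 1; if (o < 0) o = -o; exit (o <= max) ? 0 : 1 }'
}

# auth_param only defines the helper; Squid challenges for credentials only
# when an ACL requires them. Print the fragment to add before the final
# "http_access deny all" in squid.conf.
squid_auth_acl() {
    cat <<'EOF'
acl kerberos_users proxy_auth REQUIRED
http_access allow kerberos_users
EOF
}

# Live run against the real system, only when asked for, so the functions
# can also be sourced and exercised on captured output.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    keytab_perms_ok "$KEYTAB" || { echo "FAIL: $KEYTAB missing or world-readable"; exit 1; }
    su -s /bin/sh -c "test -r '$KEYTAB'" "$SQUID_USER" \
        || { echo "FAIL: $KEYTAB not readable by $SQUID_USER"; exit 1; }
    keytab_has_spn "$(klist -k "$KEYTAB")" "$SPN" || { echo "FAIL: $SPN not in $KEYTAB"; exit 1; }
    clock_skew_ok "$(ntpdate -q "$DC" 2>&1)" || { echo "FAIL: clock skew vs $DC exceeds ${MAX_SKEW}s"; exit 1; }
    echo "OK: keytab, SPN and clock look good; add to squid.conf:"
    squid_auth_acl
fi
```

Run it as root with RUN_LIVE=1 on the proxy; the su step checks readability as the helper's user rather than as root, which is the check that a world-readable keytab would hide.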

iproute2 multiple gateway

The workstation has IP 172.16.11.12 and gateway 172.16.11.254.

The Linux router has 4 NICs with the following IPs:
172.16.11.254 eth1
172.16.22.254 eth2
100.64.0.254 eth3
195.101.99.99 eth0
The default gateway to reach the internet is on eth0 (195.101.99.99).
The internet can also be reached through eth3 (100.64.0.254), whose next hop is 100.64.0.1.

All traffic arriving at the Linux router currently leaves for the internet through the default gateway on eth0 (195.101.99.99).

Now we want to make an exception for the workstation 172.16.11.12: instead of leaving through eth0 it should use eth3 (next hop 100.64.0.1). This is policy routing: a second routing table with its own default route, selected by source address.

Add a routing table named 4G with table id 200 (the number in rt_tables is the table id, not a priority; run this once, since every run appends another line):

echo 200 4G >> /etc/iproute2/rt_tables

Specify the routes in this table. The local subnets must be repeated here, otherwise a lookup in table 4G would send the workstation's LAN traffic to the table's default route as well; the default route uses the next hop on eth3, which is 100.64.0.1:

ip route add 172.16.11.0/24 dev eth1 table 4G
ip route add 172.16.22.0/24 dev eth2 table 4G
ip route add default via 100.64.0.1 table 4G

Now add the rule that makes packets from the client (here 172.16.11.12) consult this table before the main one; it matches the source address only, so return traffic and the other LAN hosts are unaffected:

ip rule add from 172.16.11.12 table 4G
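As an added example that is not code from the original post, the same setup as a re-runnable script: the commands above are not idempotent (echo >> appends a duplicate rt_tables line on every run, ip route add fails with "File exists" on an existing route and ip rule add stacks identical rules), and the script ends with ip route get, which asks the kernel which path a packet from the client would actually take instead of guessing. The interface names and addresses are those of the post, 8.8.8.8 is an arbitrary public destination, and IP and RT_TABLES can be overridden (IP="echo ip" gives a dry run that prints the commands).

```sh
#!/bin/sh
# Added example, not code from the original post: the same policy-routing
# setup as a re-runnable script, followed by a kernel-side check of which
# path a packet from the client actually takes. Assumptions (hypothetical):
# the interface names and addresses of the post, 8.8.8.8 as an arbitrary
# public destination, and that IP / RT_TABLES may be overridden (a dry run
# with IP="echo ip" prints the commands instead of executing them).

IP=${IP:-ip}
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
TABLE_ID=200
TABLE_NAME=4G
CLIENT=172.16.11.12
ALT_GW=100.64.0.1                  # next hop on eth3
LANS="172.16.11.0/24:eth1 172.16.22.0/24:eth2"
RULE_PRIO=1000                     # before the main table (32766)

# Register the table name once; a plain `echo >> rt_tables` appends a
# duplicate line on every run.
ensure_rt_table() {
    grep -qE "^[[:space:]]*$TABLE_ID[[:space:]]+$TABLE_NAME[[:space:]]*\$" "$RT_TABLES" 2>/dev/null ||
        printf '%s\t%s\n' "$TABLE_ID" "$TABLE_NAME" >> "$RT_TABLES"
}

# The alternate table needs the directly connected LANs too: a source-based
# rule sends *all* of the client's packets here, and without these entries
# its traffic to 172.16.22.0/24 would follow the table's default route out
# of eth3. `route replace` is idempotent where `route add` fails with
# "File exists".
install_routes() {
    for entry in $LANS; do
        net=${entry%%:*} dev=${entry##*:}
        $IP route replace "$net" dev "$dev" table "$TABLE_NAME"
    done
    $IP route replace default via "$ALT_GW" table "$TABLE_NAME"
}

# Selector rule: source address only, so return traffic and the other LAN
# hosts keep using the main table. `ip rule add` stacks identical rules,
# so check first.
install_rule() {
    $IP rule show | grep -q "from $CLIENT lookup $TABLE_NAME" ||
        $IP rule add from "$CLIENT" table "$TABLE_NAME" priority "$RULE_PRIO"
}

# Ask the kernel for the route decision instead of guessing: the first line
# should name eth3 / 100.64.0.1, the second (a neighbour of the client) eth0.
verify_path() {
    $IP route get 8.8.8.8 from "$CLIENT" iif eth1
    $IP route get 8.8.8.8 from 172.16.11.13 iif eth1
}

if [ "${APPLY:-0}" = 1 ]; then
    ensure_rt_table
    install_routes
    install_rule
    verify_path
fi
```

Run with APPLY=1 as root on the router; the rules and routes do not survive a reboot, so the same script is what you hook into the interface's post-up or a boot-time unit.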

Debian java 8 setup

Java 8 setup (for ELK, for example). These lines add the WebUpd8 Ubuntu PPA (built for trusty) to a Debian box. Note that the PPA stopped shipping oracle-java8-installer in 2019 after Oracle changed the Java SE licence, so they no longer work as written and the OpenJDK packages from the Debian repositories are the practical choice today; apt-key is also deprecated in favour of per-repository keyrings.

echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer

Activate this java version:

# list all installed Java versions
update-java-alternatives -l
 
# select one of the installations as the system default:
update-java-alternatives -s java-8-oracle