Цель лабораторной работы — выпускать доменных пользователей «наружу» через прокси-сервер Squid с прозрачной (без ввода пароля) аутентификацией по GSSAPI.
# Install the Squid proxy from the distribution repository (run as root).
apt install squid
# squid.conf fragment: Negotiate (Kerberos/GSSAPI) proxy authentication.
# -d turns on the helper's debug output; handy while building the lab,
# but drop it afterwards so per-request authentication details are not logged.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d
# "labnet" matches any client that authenticated successfully; it does not
# restrict by source network or group membership.
acl labnet proxy_auth REQUIRED
# http_access rules are evaluated in order, first match wins. This line must
# come before the final "http_access deny all".
# NOTE(review): the rest of squid.conf is not shown - confirm that no earlier
# allow rule lets unauthenticated clients through.
http_access allow labnet
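# Get a Kerberos ticket for a domain account allowed to modify this host's
# machine account. Run kdestroy when the lab is done so the Administrator
# ticket does not linger in the credential cache.
kinit Administrator
# Register the HTTP service principal on the machine account in AD and write
# its keys to the system keytab; -k authenticates with the ticket from kinit.
net ads keytab add_update_ads HTTP -k
# List the SPNs registered on machine account gwX (substitute your host name).
net ads setspn list gwX
# Show the keytab entries with their encryption types; HTTP/... must be present.
klist -ek /etc/krb5.keytab
# The keytab holds the host's long-term Kerberos keys. Anyone who can read it
# can impersonate the host's services, so do not make it world-readable.
# Grant read access only to the group Squid runs under ("proxy" in the
# Debian/Ubuntu package; adjust if your Squid uses a different account).
chgrp proxy /etc/krb5.keytab
chmod 640 /etc/krb5.keytab
# Restart Squid so it picks up the new authentication settings.
systemctl restart squid
# Watch requests live; authenticated requests show the user's principal
# instead of "-" in the user field.
tail -f /var/log/squid/access.log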
# smb.conf fragment: winbind settings for a domain member.
# The "..." line stands for the parts of [global] omitted on this page.
[global]
...
# Domain users and groups are presented without the DOMAIN\ prefix.
# Caveat: a domain account can then carry the same name as a local one;
# which of them wins is decided by the lookup order in nsswitch.conf.
winbind use default domain = Yes
# Depth of nested group membership that winbind expands.
winbind expand groups = 1
# Let getent passwd / getent group enumerate all domain accounts.
# Convenient in a lab; costly on large domains.
winbind enum users = yes
winbind enum groups = yes
# Seconds winbind caches user and group data. A short value makes group
# changes (including removal from a group) take effect quickly.
winbind cache time = 36
# UID/GID range handed out for mapped accounts; it must not overlap the IDs
# used by local accounts on this host.
idmap config * : range = 20000-40000
# Home directory and login shell reported for domain users.
template homedir = /home/%U
template shell = /bin/sh
# Apply PAM account and session restrictions to Samba connections as well.
obey pam restrictions = yes
# Per-user home shares, created on the fly with the connecting user's name.
[homes]
read only = no
# %S is the share name, so each home share is usable only by the user
# it is named after.
valid users = %S
# Shared directory for members of one domain group.
[public]
path = /public
# Only members of the LAB\publicgroup domain group may connect.
valid users = @LAB\publicgroup
read only = no
# All file operations in this share run as the account named here, whoever
# connected. File ownership therefore no longer identifies the real author.
# Replace the placeholder with a dedicated unprivileged account, never root.
force user = <укажите_пользователя>
# Create the directory exported as [public] and hand it to the account named
# in "force user". Substitute that account for the placeholder before running.
# Samba accesses files in the share as that account, so it must own the
# directory or have write access to it.
mkdir /public
chown <укажите_пользователя> /public
...
# PAM session stack fragment: create the user's home directory at session start
# if it does not exist yet. "optional" means a failure of this module does not
# fail the login.
# NOTE(review): pam_mkhomedir creates homes with umask 0022 by default, which
# leaves them readable by other users; consider appending umask=0077.
session optional pam_mkhomedir.so
...
# nsswitch.conf fragment: sources are consulted left to right, so a local
# account in /etc/passwd or /etc/group takes precedence over a domain account
# with the same name resolved through winbind.
passwd: files systemd winbind
group: files systemd winbind
...