Step By Step Configuration
Step-1
Please check whether the following packages have been installed:
krb5-libs
krb5-workstation
samba-client
samba
samba-common
squid
Step-2
The Squid server must be time-synchronised with the AD clock, because Kerberos rejects tickets when the two clocks drift too far apart. Configure ntpd to sync against the same time source as the AD server.
On the Linux server:
ntpdate pool.ntp.org
And then, on the Windows server:
C:\> net time /setsntp:pool.ntp.org
C:\> net stop w32time & net start w32time
Step-3
Now edit /etc/nsswitch.conf and modify these lines:
vi /etc/nsswitch.conf
passwd: compat
group: compat
...to this:
passwd: compat winbind
group: compat winbind
Step-4
(Make sure every name involved resolves.) 192.168.0.58 is the Linux server and 192.168.0.250 is the Windows Active Directory server.
# vi /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.0.58 linux.kvit.in LINUX LINUX.KVIT.IN
192.168.0.250 WIN-UHEVJCB6YZM.kvit.in win-uhevjcb6yzm.kvit.in
192.168.0.250 kvit.in KVIT KVIT.IN
Modify as required: here kvit.in is the domain name of the AD server, and /etc/resolv.conf points at the AD server as name server (nameserver 192.168.0.250).
Step-5
Modify /etc/krb5.conf as follows.
Note: Please use the correct domain for the environment to replace KVIT.IN and example.com, and the correct AD server name for the environment to replace win-uhevjcb6yzm.kvit.in.
# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = KVIT.IN
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
KVIT.IN = {
kdc = win-uhevjcb6yzm.kvit.in:88
admin_server = win-uhevjcb6yzm.kvit.in:749
default_domain = kvit.in
}
[domain_realm]
.kvit.in = KVIT.IN
kvit.in = KVIT.IN
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Step-6
Modify /etc/samba/smb.conf as follows. Note: please use the correct domain for the environment to replace KVIT and the correct AD server name for the environment to replace win-uhevjcb6yzm.kvit.in.
[global]
workgroup = KVIT
netbios name = linux
server string = Samba Server
hosts allow = 192.168.0. 127.
printcap name = /etc/printcap
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
security = ADS
password server = win-uhevjcb6yzm.kvit.in
realm=KVIT.IN
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = yes
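Steps 5 and 6 have to agree with each other: the realm is written in upper case, the realm in smb.conf equals default_realm in krb5.conf, the KDC host is the password server, and domain_realm maps .kvit.in to KVIT.IN; a mismatch shows up later as a failing kinit or net ads join. The checker below is an added example, not part of this guide or of the Samba/Kerberos tools, and reads trimmed copies of the two files above embedded as constructed samples.

```python
# Constructed samples: the krb5.conf and smb.conf fragments from Steps 5 and 6, cut to the keys read here.
KRB5_CONF = """[libdefaults]
default_realm = KVIT.IN
[realms]
KVIT.IN = {
kdc = win-uhevjcb6yzm.kvit.in:88
}
[domain_realm]
.kvit.in = KVIT.IN
"""
SMB_CONF = """[global]
security = ADS
password server = win-uhevjcb6yzm.kvit.in
realm=KVIT.IN
"""

def parse_conf(text):
    """Flatten krb5.conf/smb.conf syntax into {section: {key: value}}; nested 'NAME = {' blocks go under 'section/NAME'."""
    out, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
        elif line.endswith("{"):
            sub = line[:-1].strip(" =")
        elif line == "}":
            sub = None
        else:
            key, _, val = line.partition("=")
            name = f"{section}/{sub}" if sub else section
            out.setdefault(name, {})[key.strip()] = val.strip()
    return out

def check_join_config(krb5_text, smb_text):
    """Return the mismatches between the two files that would break kinit or net ads join."""
    k, g = parse_conf(krb5_text), parse_conf(smb_text).get("global", {})
    realm = k.get("libdefaults", {}).get("default_realm", "")
    problems = []
    if not realm or realm != realm.upper():
        problems.append("default_realm missing or not upper case")
    if g.get("realm") != realm:
        problems.append("smb.conf realm differs from krb5 default_realm")
    kdc = k.get(f"realms/{realm}", {}).get("kdc", "").split(":")[0]
    if kdc != g.get("password server"):
        problems.append("krb5 kdc host and smb.conf password server differ")
    if k.get("domain_realm", {}).get("." + realm.lower()) != realm:
        problems.append("no domain_realm mapping for ." + realm.lower())
    return problems
```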
Step-7
Make sure that the smb and winbind services have been stopped.
service smb stop
service winbind stop
Join the server to the AD domain. First obtain a Kerberos ticket for a domain administrator account:
kinit
for example:
kinit Administrator
This may need to be done a couple of times as it may take a while and fail. If this happens, try again.
Now, to do the actual join:
net ads join -U
for example:
net ads join -U Administrator
Step-8
This will also take some time and may need to be repeated. It should eventually tell you that the server successfully joined the domain. Restart the smb and winbind services.
service smb start
service winbind start
Step-9
Now, to check whether winbind has successfully negotiated and joined the network:
wbinfo -t
wbinfo -u
Step-10
Configure Squid to use the Samba3 ntlm_auth program for authentication. Modify /etc/squid/squid.conf as follows:
# vi /etc/squid/squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 seconds
acl lcl src 192.168.0.0/16
acl auth proxy_auth REQUIRED
http_access allow auth
http_access deny all
Start the squid service.
service squid start
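The rules in Step 10 define the lcl ACL but never reference it on an http_access line, so the decision depends only on the proxy_auth check, whatever the client's source address. The emulator below is an added example, not part of this guide or of Squid; it applies Squid's first-match http_access evaluation to a request and lists defined-but-unused ACLs, so the effect of a variant such as the hypothetical LAN_ONLY_RULES (not from the guide) can be checked offline before the service is restarted.

```python
import ipaddress

# Constructed sample: the access rules from Step 10, plus a hypothetical variant
# that also requires the lcl source ACL on the allow line (not from the guide).
GUIDE_RULES = """acl lcl src 192.168.0.0/16
acl auth proxy_auth REQUIRED
http_access allow auth
http_access deny all
"""
LAN_ONLY_RULES = GUIDE_RULES.replace("allow auth", "allow lcl auth")

def parse_rules(text):
    """Split squid.conf lines into acl definitions and ordered http_access rules.
    'all' is assumed predefined, as in the stock squid.conf; '!name' negation is not handled."""
    acls, rules = {"all": ("src", "0.0.0.0/0")}, []
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["acl"]:
            acls[parts[1]] = (parts[2], " ".join(parts[3:]))
        elif parts[:1] == ["http_access"]:
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, src_ip, authenticated):
    kind, arg = acl
    if kind == "src":
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(arg)
    if kind == "proxy_auth":  # REQUIRED: any successfully authenticated login
        return authenticated
    raise ValueError(f"unsupported acl type {kind}")

def decide(text, src_ip, authenticated):
    """Squid semantics: a line matches only when every ACL on it matches, the first
    matching line decides, and no match gives the opposite of the last line's action."""
    acls, rules = parse_rules(text)
    for action, names in rules:
        if all(acl_matches(acls[n], src_ip, authenticated) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def unused_acls(text):
    """Names defined with 'acl' that no http_access line references."""
    acls, rules = parse_rules(text)
    used = {n for _, names in rules for n in names}
    return sorted(set(acls) - used - {"all"})
```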