Title: Windows Active Directory UserName/Password integration with SQUID: Part-5

Step By Step Configuration

Step-1

Please check whether the following packages have been installed:
krb5-libs
krb5-workstation
samba-client
samba
samba-common
squid

Step-2

The Squid server must be time-synchronised with the AD clock, because Kerberos rejects tickets once the clock skew exceeds its tolerance (five minutes by default). Configure ntpd to sync against the same time source as the AD server. On the Linux server:
ntpdate pool.ntp.org
And then, on the Windows server:
C:\> net time /setsntp:pool.ntp.org
C:\> net stop w32time & net start w32time

Step-3

Now edit /etc/nsswitch.conf and change these lines:
vi /etc/nsswitch.conf

passwd: compat
group: compat


to this:

passwd: compat winbind
group: compat winbind


SQUID with AD (diagram)

Step-4

Make sure every name involved resolves. Here 192.168.0.58 is the Linux server and 192.168.0.250 is the Windows Active Directory server.
# vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
192.168.0.58   linux.kvit.in LINUX LINUX.KVIT.IN
192.168.0.250   WIN-UHEVJCB6YZM.kvit.in win-uhevjcb6yzm.kvit.in
192.168.0.250   kvit.in KVIT KVIT.IN


Modify as required. Here kvit.in is the AD domain name, and /etc/resolv.conf should point at the AD server as its name server (nameserver 192.168.0.250).

Step-5

Modify /etc/krb5.conf as follows.
Note: use the correct domain for your environment in place of KVIT.IN and example.com, and the correct AD server name for your environment in place of win-uhevjcb6yzm.kvit.in.


# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = KVIT.IN
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
KVIT.IN = {
kdc = win-uhevjcb6yzm.kvit.in:88
admin_server = win-uhevjcb6yzm.kvit.in:749
default_domain = kvit.in
}

[domain_realm]
.kvit.in = KVIT.IN
kvit.in = KVIT.IN

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Step-6

Modify /etc/samba/smb.conf as follows. Note: use the correct domain for your environment in place of KVIT and the correct AD server name for your environment in place of win-uhevjcb6yzm.kvit.in.
[global]
workgroup = KVIT
netbios name = linux
server string = Samba Server
hosts allow = 192.168.0. 127.
printcap name = /etc/printcap
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
security = ADS
password server = win-uhevjcb6yzm.kvit.in
realm=KVIT.IN
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = yes
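The files edited in Steps 3 to 6 have to agree with each other before the join in the next steps can work: nsswitch must hand lookups to winbind, the Kerberos default_realm and the Samba realm must be the same upper-case realm, the workgroup must be that realm's first label, and the password server named in smb.conf must resolve. The following script is an added example, not part of the original post; it reads the files from paths given as arguments, so it can be run against copies, and ships constructed sample files mirroring the post's values for a dry run. Invoking it as `sh pre-join-check.sh live` (hypothetical script name) runs the checks against the real /etc files.

```shell
#!/bin/sh
# Added example (not from the original post): consistency checks on the
# files from Steps 3 to 6, run before attempting 'net ads join'.

# Step-3: both passwd and group lookups must include winbind, otherwise
# domain users never become visible to the OS even after a successful join.
check_nsswitch() {
    f=$1
    for db in passwd group; do
        grep -E "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$f" >/dev/null || {
            echo "nsswitch: '$db' line does not list winbind" >&2
            return 1
        }
    done
    return 0
}

# Read a 'key = value' setting from an ini-style file (krb5.conf, smb.conf),
# tolerating any spacing around '='. Prints the first match.
ini_get() {
    key=$1; f=$2
    awk -v k="$key" -F= '
        $1 ~ "^[[:space:]]*" k "[[:space:]]*$" {
            v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v); print v; exit
        }' "$f"
}

# Steps 5 and 6: krb5.conf default_realm and smb.conf realm must match, be
# upper-case, and the smb.conf workgroup must be the realm's first label.
check_realms() {
    krb5=$1; smb=$2
    kr=$(ini_get default_realm "$krb5")
    sr=$(ini_get realm "$smb")
    wg=$(ini_get workgroup "$smb")
    [ -n "$kr" ] && [ "$kr" = "$sr" ] || { echo "realm mismatch: krb5='$kr' smb='$sr'" >&2; return 1; }
    [ "$kr" = "$(printf '%s' "$kr" | tr '[:lower:]' '[:upper:]')" ] || { echo "realm '$kr' is not upper-case" >&2; return 1; }
    [ "${kr%%.*}" = "$wg" ] || { echo "workgroup '$wg' should be '${kr%%.*}'" >&2; return 1; }
    return 0
}

# Step-4: the AD server named as 'password server' must appear in /etc/hosts
# (case-insensitive match on any name column, comments ignored).
check_ad_in_hosts() {
    smb=$1; hosts=$2
    ad=$(ini_get "password server" "$smb")
    [ -n "$ad" ] || { echo "smb.conf: no 'password server' entry" >&2; return 1; }
    lc=$(printf '%s' "$ad" | tr '[:upper:]' '[:lower:]')
    sed 's/#.*//' "$hosts" | tr '[:upper:]' '[:lower:]' \
        | awk -v n="$lc" '{ for (i = 2; i <= NF; i++) if ($i == n) found = 1 } END { exit found ? 0 : 1 }' \
        || { echo "'$ad' is not listed in $hosts" >&2; return 1; }
}

# Constructed sample files (not copied from a live system) mirroring the post.
make_samples() {
    d=$1
    printf 'passwd: compat winbind\ngroup: compat winbind\n' > "$d/nsswitch.conf"
    printf '[libdefaults]\ndefault_realm = KVIT.IN\n\n[realms]\nKVIT.IN = {\nkdc = win-uhevjcb6yzm.kvit.in:88\n}\n' > "$d/krb5.conf"
    printf '[global]\nworkgroup = KVIT\nsecurity = ADS\npassword server = win-uhevjcb6yzm.kvit.in\nrealm=KVIT.IN\n' > "$d/smb.conf"
    printf '127.0.0.1 localhost\n192.168.0.250 WIN-UHEVJCB6YZM.kvit.in win-uhevjcb6yzm.kvit.in\n' > "$d/hosts"
}

# Usage: sh pre-join-check.sh live   (hypothetical script name)
case "${1:-}" in
    live)
        check_nsswitch /etc/nsswitch.conf \
            && check_realms /etc/krb5.conf /etc/samba/smb.conf \
            && check_ad_in_hosts /etc/samba/smb.conf /etc/hosts \
            && echo "pre-join checks passed"
        ;;
esac
```

Each check writes the specific mismatch to stderr and returns non-zero, so the script can gate the join step in an automated build of the proxy host.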

Step-7

Make sure that the smb and winbind services have been stopped.
service smb stop
service winbind stop

Step-8

Join the server to the AD domain.
kinit

for example:

kinit Administrator

This may need to be done a couple of times as it may take a while and fail. If this happens, try again.
Now, to do the actual join:

net ads join -U

for example:

net ads join -U Administrator

Step-9

This will also take some time and may need to be repeated. It should eventually tell you that the server successfully joined the domain. Restart the smb and winbind services.
service smb start
service winbind start


Now, to check whether winbind has successfully negotiated and joined the network:
wbinfo -t
wbinfo -u
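The post says that kinit and net ads join may fail on the first attempt and should simply be retried. The script below is an added example, not part of the original post; it wraps those two commands in a small retry loop, then restarts the services and treats a successful `wbinfo -t` (the machine account's trust secret check against the DC) as the pass condition before Squid is started. The joining account is whatever AD user is allowed to join machines; the post uses Administrator. Run it as `sh ad-join.sh join Administrator` (hypothetical script name).

```shell
#!/bin/sh
# Added example (not from the original post): retrying domain join with a
# verification step, for the sequence in Steps 7 to 9.

# retry ATTEMPTS DELAY CMD... : run CMD up to ATTEMPTS times, sleeping DELAY
# seconds between failures. Returns 0 on the first success, otherwise the
# exit status of the last failed attempt.
retry() {
    attempts=$1; delay=$2; shift 2
    n=1
    while :; do
        "$@" && return 0
        rc=$?
        [ "$n" -ge "$attempts" ] && return "$rc"
        echo "attempt $n of $attempts failed (rc=$rc), retrying in ${delay}s" >&2
        n=$((n + 1))
        sleep "$delay"
    done
}

# Step-7: smb and winbind must not be running during the join.
stop_services() {
    service smb stop
    service winbind stop
}

# Step-8: obtain a ticket for the joining account (kinit prompts for the
# password), then perform the join with the same account.
join_domain() {
    user=$1
    retry 3 5 kinit "$user" || { echo "kinit failed for $user" >&2; return 1; }
    retry 3 10 net ads join -U "$user" || { echo "net ads join failed" >&2; return 1; }
}

# Step-9: restart the services and confirm winbind can use the machine trust.
verify_join() {
    service smb start
    service winbind start
    # winbind needs a moment after start before the trust check succeeds.
    retry 5 3 wbinfo -t || { echo "winbind trust check (wbinfo -t) failed" >&2; return 1; }
    # Informational only: list a few domain users through winbind. This can be
    # empty when 'winbind enum users' is disabled in smb.conf.
    wbinfo -u | head -n 5
}

# Usage: sh ad-join.sh join Administrator   (hypothetical script name)
case "${1:-}" in
    join)
        stop_services && join_domain "$2" && verify_join && echo "joined and verified"
        ;;
esac
```

The retry helper is deliberately generic so the same wrapper can cover any other step that depends on the DC answering in time.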

Step-10

Configure Squid to use the Samba3 ntlm_auth program for authentication. Modify /etc/squid/squid.conf as follows:
# vi /etc/squid/squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 seconds
acl lcl src 192.168.0.0/16
acl auth proxy_auth REQUIRED
http_access allow auth
http_access deny all

Start the squid service.
service squid start
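Two things are easy to get wrong in a configuration like the one above and neither produces a loud error: the helper flag must be an ASCII `--helper-protocol=` (copying from a web page often substitutes a typographic dash, and ntlm_auth then does not recognise the option), and every `http_access allow` rule must require the `proxy_auth REQUIRED` acl with a final `http_access deny all`, or the proxy is open to unauthenticated clients. Note also that `acl lcl` is defined but never referenced by any rule; to limit the proxy to the local network as well as to domain users, the allow rule would need both acls. The following lint script is an added example, not part of the original post or of Squid; it checks those points over a squid.conf given as an argument and includes a constructed sample mirroring Step-10.

```shell
#!/bin/sh
# Added example (not from the original post): a lint pass over the auth_param
# and http_access lines of a squid.conf like the one in Step-10.

# Comments and blank lines removed, so every remaining line is a directive.
cfg_lines() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# Name of the first 'acl NAME proxy_auth REQUIRED' line, if any.
auth_acl_name() {
    cfg_lines "$1" | awk '$1 == "acl" && $3 == "proxy_auth" && $4 == "REQUIRED" { print $2; exit }'
}

# ACLs defined in the file but never referenced by an http_access line
# (negated references like !name count as references).
unused_acls() {
    cfg_lines "$1" | awk '
        $1 == "acl" { def[$2] = 1 }
        $1 == "http_access" { for (i = 3; i <= NF; i++) { n = $i; sub(/^!/, "", n); used[n] = 1 } }
        END { for (a in def) if (!(a in used)) print a }'
}

# Returns 0 when the auth and access rules are sound, 1 otherwise; every
# finding is written to stderr.
check_squid_auth() {
    f=$1; rc=0
    helpers=$(cfg_lines "$f" | grep -Ec '^auth_param[[:space:]]+(ntlm|basic)[[:space:]]+program' || true)
    if [ "$helpers" -eq 0 ]; then
        echo "no auth_param program lines: nothing would authenticate users" >&2; rc=1
    fi
    # Helper lines whose flag is not the ASCII '--helper-protocol=' form.
    bad=$(cfg_lines "$f" | grep -E '^auth_param[[:space:]]+(ntlm|basic)[[:space:]]+program' \
          | grep -vc -- '--helper-protocol=' || true)
    if [ "$bad" -ne 0 ]; then
        echo "$bad helper line(s) lack an ASCII --helper-protocol= flag" >&2; rc=1
    fi
    a=$(auth_acl_name "$f")
    if [ -z "$a" ]; then
        echo "no 'acl NAME proxy_auth REQUIRED' defined" >&2; rc=1
    else
        # Count allow rules that do not require the proxy_auth acl.
        open=$(cfg_lines "$f" | awk -v a="$a" '
            $1 == "http_access" && $2 == "allow" {
                hit = 0; for (i = 3; i <= NF; i++) if ($i == a) hit = 1
                if (!hit) n++
            } END { print n + 0 }')
        if [ "$open" -ne 0 ]; then
            echo "$open 'http_access allow' rule(s) do not require acl '$a'" >&2; rc=1
        fi
    fi
    last=$(cfg_lines "$f" | awk '$1 == "http_access" { l = $2 " " $3 } END { print l }')
    if [ "$last" != "deny all" ]; then
        echo "last http_access rule is '$last', expected 'deny all'" >&2; rc=1
    fi
    u=$(unused_acls "$f" | tr '\n' ' ')
    [ -z "$u" ] || echo "note: acl(s) defined but never used: $u" >&2
    return $rc
}

# Constructed sample mirroring Step-10 (not the live file), flag written correctly.
write_sample_conf() {
    cat > "$1" <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
acl lcl src 192.168.0.0/16
acl auth proxy_auth REQUIRED
http_access allow auth
http_access deny all
EOF
}

# Usage: sh squid-auth-lint.sh /etc/squid/squid.conf   (hypothetical script name)
if [ $# -eq 1 ]; then
    check_squid_auth "$1"
fi
```

On the sample above the script passes but prints the note about `lcl` being unused; the same run against the live file is a cheap check to add before `service squid start`.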


