http://wiki.squid-cache.org/CongExamples/Auth...
Basic Concepts
In this example, a Squid installation will use the Samba ntlm_auth helper to authenticate against a Windows Active Directory. The server will be joined to the Active Directory domain, and other services can then use the ntlm_auth helper to authenticate users (though that is outside the scope of this document). Windows 2003 Active Directory is also capable of LDAP authentication.
Environment
Windows Server 2003 AD
Ubuntu Dapper installation
Squid-2.6
Kerberos 5
Samba + Winbind
NTP server running on AD controller
Packages to install
1 of 6
26-07-2011 12:44
CongExamples/Authenticate/WindowsActiveDir...
samba (3)
ntp-server (Kerberos requires time-synchronised machines)
krb5-doc, krb5-config, krb5-user, libkerb53, libkadm55 (Kerberos related user libraries)
winbind
Files to modify
/etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/ksadmind.log

[libdefaults]
 default_realm = DOMAIN.COM.AU.
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

[realms]
 DOMAIN.COM.AU = {
  kdc = ad-master.domain.com.au.:88
  admin_server = ad-master.domain.com.au.:749
  default_domain = domain.
 }

[domain_realm]
 .domain. = DOMAIN.COM.AU.
 domain. = DOMAIN.COM.AU.

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
/etc/samba/smb.conf
[global]
 netbios name = SERVERNAME
 workgroup = DOMAIN
 realm = DOMAIN.COM.AU
 server string = Domain Proxy Server
 encrypt passwords = yes
 security = ADS
 password server = ad-master.domain.com.au
 log level = 3
 log file = /var/log/samba/%m.log
 max log size = 50
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 printcap name = /etc/printcap
 preferred master = No
 dns proxy = No
 ldap ssl = no
 idmap uid = 10000-20000
 idmap gid = 10000-20000
 winbind use default domain = yes
 cups options = raw
/var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[libdefaults]
 default_realm = DOMAIN.

[realms]
 DOMAIN. = {
  master_key_type = des-cbc-crc
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
/var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM *
time source as the AD server is. You must do this step or random authentication failures will occur!
e.g.
kinit chadda@DOMAIN.COM.AU.
You may need to do this a couple of times; it may take a while and fail, so try it once again. Now, to do the actual join:
# net ads join -U <admin user>@<fulldomain>
e.g.
# net ads join -U chadda@DOMAIN.COM.AU.
This will also take some time and may need to be repeated. It should eventually tell you that the server successfully joined the domain. Next, restart samba and winbind, i.e.
# /etc/init.d/samba restart
# /etc/init.d/winbind restart
'wbinfo' can tell you whether winbind has successfully negotiated and joined the network:
wbinfo -t    will check whether the trust exists
wbinfo -u    will list the users in the domain
ntlm_auth requires access to the privileged winbind pipe in order to function properly. You enable this access by adding the security user Squid runs as to the winbindd_priv group.
gpasswd -a proxy winbindd_priv
Remove the cache_effective_group setting in squid.conf, if present. This setting causes Squid to ignore the auxiliary winbindd_priv group membership. The default user Squid is built to run as is nobody, though some distribution packages are built to run as squid, proxy, or a similar low-privilege user.
Squid Configuration
As Samba-3.x has its own authentication helper, there is no need to build any of the Squid authentication helpers for use with Samba-3.x (and the helpers provided by Squid won't work if you do). You do, however, need to enable support for the NTLM scheme if you plan on using it. You may also want to use the wbinfo_group helper for group lookups:
--enable-auth="ntlm,basic" --enable-external-acl-helpers="wbinfo_group"
The helper should return "OK" if given a valid username/password. '+' is the domain separator set in your smb.conf.
squid.conf Settings
Add the following to enable both the winbind basic and ntlm authenticators. IE will use ntlm and everything else basic:
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on

# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
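A pre-flight check for the two pitfalls this page calls out (a leftover cache_effective_group, and the proxy user missing from winbindd_priv) plus the helper-protocol spelling; this is an added example, not part of the wiki page or of Squid/Samba, and the squid.conf and /etc/group fragments it parses are constructed samples.

```python
"""Offline sanity check for the Squid + ntlm_auth setup described above."""
import re

# Constructed sample squid.conf fragments (not from the page or a real host).
GOOD_CONF = """
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
"""
BAD_CONF = """
cache_effective_group proxy
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/local/bin/ntlm_auth --helperprotocol=squid-2.5-basic
"""
# Constructed /etc/group excerpt: proxy is a member of winbindd_priv.
GROUP_FILE = "winbindd_priv:x:121:proxy\nproxy:x:13:\n"


def check_squid_conf(conf_text):
    """Return a list of problems found in squid.conf text (empty list = OK)."""
    problems = []
    # cache_effective_group makes Squid drop supplementary groups, so the
    # winbindd_priv membership granted with gpasswd would be ignored.
    if re.search(r"^\s*cache_effective_group\b", conf_text, re.M):
        problems.append("cache_effective_group is set; remove it")
    ntlm = re.search(r"^\s*auth_param\s+ntlm\s+program\s+(.+)$", conf_text, re.M)
    if not ntlm:
        problems.append("no 'auth_param ntlm program' line")
    elif "--helper-protocol=squid-2.5-ntlmssp" not in ntlm.group(1):
        problems.append("ntlm helper must use --helper-protocol=squid-2.5-ntlmssp")
    basic = re.search(r"^\s*auth_param\s+basic\s+program\s+(.+)$", conf_text, re.M)
    if basic and "--helper-protocol=squid-2.5-basic" not in basic.group(1):
        problems.append("basic helper must use --helper-protocol=squid-2.5-basic")
    return problems


def check_group_membership(group_text, user="proxy", group="winbindd_priv"):
    """True if 'user' is a listed member of 'group' in /etc/group-format text."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            return user in [m for m in fields[3].split(",") if m]
    return False


if __name__ == "__main__":
    print("good conf problems:", check_squid_conf(GOOD_CONF))
    print("bad conf problems:", check_squid_conf(BAD_CONF))
    print("proxy in winbindd_priv:", check_group_membership(GROUP_FILE))
```

On a real host, feed it the contents of squid.conf and /etc/group instead of the constructed samples.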