As a follow-up, I may have missed one fine detail, so here is a
correction.
To make all this work you will also need to configure PAM to work with
Winbind for authentication. Sorry for missing this step. D'oh!
You will need to add the following to your /etc/pam.d/login file. Mine
looks exactly like this:
#%PAM-1.0
#
#Winbind config
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
I'm pretty sure that's it this time..... :-)
-----Original Message-----
From: newsgroupie [mailto:newsgroupie@infomedia.com.au]
Sent: Thursday, 9 September 2004 2:23 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Integrate squid and linux with Win 2003 AD in 10 steps
Hi,
I hope this post can be the be-all and end-all for those needing to use
true "STABLE" squid code suitable for production use. I see this kind of
question on lists so often that I would like to offer my assistance.
The following is a known good and very heavily tested solution I have
had working for about 2 years that has never missed a beat with over 400
users. This solution will work in Win2000 AD and Win2003 AD in either non
native or native mode. (Also even NT4 too)
My instructions assume Red Hat 7.3 and a reasonable bit of Linux/squid
knowledge. I apologize if this documentation is not perfect, but for
those out there with more than a clue you should be able to follow this
guide and fill in any small blanks I may have missed. For many, the
most helpful bits might be the extras you must add to both the
squid.conf and Samba.conf files to make it all come together.
Of course you will have to adjust these where appropriate for your
distro.
****************************************************************************
STEP ONE
Copy Samba 2.2.8a source tarball to /usr/src/redhat/SOURCES
STEP TWO
Compile the squid 2.5 Stable 3 source with the following options in the
squid.spec file. This will configure and build Squid to include the
winbind helpers from Samba into itself.
--exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid \
--localstatedir=/var --sysconfdir=/etc/squid \
--enable-poll --enable-snmp --enable-removal-policies="heap,lru" \
--enable-storeio="aufs,coss,diskd,ufs" --enable-ssl \
--with-openssl=/usr/kerberos \
--enable-delay-pools --enable-linux-netfilter \
--with-pthreads \
--with-samba-source=/usr/src/redhat/SOURCES \
--enable-auth="ntlm,basic" \
--enable-basic-auth-helpers="winbind,LDAP,NCSA,PAM,SMB,SASL,MSNT" \
--enable-ntlm-auth-helpers="SMB,winbind" \
--enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group,winbind_group" \
STEP THREE
Build SAMBA 2.2.8a from Source RPM using the following entries in spec
file. This will configure Samba in a fairly generic Red Hat way but will
also include the Winbind helpers and the LDAP hack required to allow
Samba to talk to 2000/2003 Native mode AD
--prefix=%{prefix} \
--localstatedir=/var \
--with-configdir=/etc/samba \
--with-privatedir=/etc/samba \
--with-codepagedir=/etc/codepages \
--with-fhs \
--with-quotas \
--with-msdfs \
--with-smbmount \
--with-pam \
--with-winbind \
--with-winbind-auth-challenge \
--with-winbind-ldap-hack \
--with-pam-winbind \
--with-pam_smbpass \
--with-syslog \
--with-utmp \
--with-sambabook=%{prefix}/share/swat/using_samba \
--with-swatdir=%{prefix}/share/swat \
--with-libsmbclient
STEP FOUR
Install Both the Squid and Samba RPM binaries
STEP FIVE
Change the following lines in your /etc/nsswitch.conf file to:
passwd: files winbind
shadow: files
group: files winbind
STEP SIX
Configure at least the following lines in your Samba.conf
[global]
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = YOUR-NETBIOS-DOMAIN-NAME
# server string is the equivalent of the NT Description field
server string = Linux Proxy Server
# separate domain and username with '\', like DOMAIN\username
winbind separator = \\
# use uids from 10000 to 20000 for domain users
winbind uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
winbind gid = 10000-20000
# allow enumeration of winbind users and groups
# might need to disable these next two for performance
# reasons on the winbindd host
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have
# telnet/sshd/etc... access)
#template homedir = /home/winnt/%D/%U
template homedir = /home/winnt
template shell = /bin/bash
netbios name = PROXY
winbind use default domain = yes
security = domain
local master = no
os level = 20
domain master = no
preferred master = no
wins server = your.wins.ser.ver
Configure Squid with at least the following extras in Squid.conf. You
may need to slightly modify these where required.
acl Authorized_Users external wb_group WebUsers
acl No_Auth_Required_IPs src 172.1.1.1-172.1.1.255/255.255.255.255
auth_param basic children 5
auth_param basic credentialsttl 2 hour
auth_param basic program /usr/lib/squid/wb_auth
auth_param basic realm Web Cache
auth_param ntlm children 5
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm max_challenge_reuses 0
auth_param ntlm program /usr/lib/squid/wb_ntlmauth
external_acl_type wb_group %LOGIN /usr/lib/squid/wb_group
http_access allow Authorized_Users
http_access allow No_Auth_Required_IPs
STEP SEVEN
If using Windows 2000 AD in native mode only, else skip this step:
net localgroup "Pre-Windows 2000 Compatible Access" everyone /add
reboot
Windows 2003
(only if in Native mode, else skip)
1. Ensure the DC admin passwd has been changed at least once since
promo.
2. Ensure all forward and reverse DNS is functioning correctly
3a. change domain controller sec pol:
Microsoft Network Server: Digitally Sign Communications (Always) Enabled
to DISABLED
3b. change default domain AND Default DOMAIN CONTROLLER sec pol:
Network Security: LAN Manager Authentication Level (not configured) to
Send LM & NTLM - Use NTLMv2 If Negotiated
Reboot
STEP EIGHT
Join Samba to domain.
smbpasswd -j [domainname] -r [PDC-EMULATOR-ROLE-DC] -U [useraccount]
STEP NINE
Reboot linux, or restart xinetd - I like to make a clean start after a
domain join. Make sure that Samba, Squid and Winbind are set to start on
boot.
STEP TEN
TEST!!!
The Following commands from a linux shell should help you confirm that
all is working ok. The rest is up to you to debug any faults if any in
your config.
wbinfo -u (will return a list of all domain users if working correctly)
wbinfo -t (checks local trust relationship - should return "Secret Is
Good" when all working ok)
wbinfo -a user%pass (will test plain text auth for Squid - should return
an OK if user is in "WebUsers" group configured in Squid.conf)
Other useful test commands are:
getent group
getent passwd
Also, under /usr/lib/squid you can try testing manually the auth
executables from a shell prompt if you are having issues.
See the FAQs for other diagnostic commands
If all is followed correctly you should now be able to add users to the
WebUsers global domain group and after a squid -k reload new users
should now be allowed to access the proxy. You must reload for squid to
see changes to this group! Logging will track access via domain username
too.
I really hope this helps many of you out there.
Regards,
Dave H
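The authorization step in the squid.conf above is the external_acl_type wb_group helper: Squid sends it one line per lookup containing the %LOGIN value followed by the group names from the acl line, and expects a plain OK or ERR back. The following Python emulation of that exchange is an added example, not the wb_group helper shipped with Squid or Samba; group membership is a constructed table standing in for winbindd, and the domain name, separator and default-domain handling are assumed to match the smb.conf shown above.

```python
"""Emulation of Squid's external ACL helper protocol for the
`external_acl_type wb_group %LOGIN ...` / `acl Authorized_Users external wb_group WebUsers`
pairing. Added example only; the real helper asks winbindd, this one uses a constructed table."""
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import unquote

DEFAULT_DOMAIN = "YOUR-NETBIOS-DOMAIN-NAME"  # assumed: smb.conf 'workgroup' value
SEPARATOR = "\\"                             # smb.conf 'winbind separator = \\'

# Constructed stand-in for what winbindd / `wbinfo` would report for domain groups.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "WebUsers": {"alice", "bob"},
    "Domain Admins": {"alice"},
}


def canonical_user(login: str) -> Tuple[str, str]:
    """Split 'DOMAIN\\user' into (DOMAIN, user). A bare login gets the default domain,
    which is what 'winbind use default domain = yes' produces. AD names are
    case-insensitive, so the comparison key is normalised."""
    if SEPARATOR in login:
        domain, user = login.split(SEPARATOR, 1)
    else:
        domain, user = DEFAULT_DOMAIN, login
    return domain.upper(), user.lower()


def decide(request_line: str) -> str:
    """One helper round-trip: Squid writes '<login> <group> [<group>...]' and reads
    'OK' or 'ERR'. Anything unexpected fails closed (ERR), so a malformed or
    foreign-domain login never unlocks the proxy."""
    # Squid may percent-encode helper fields; decoding is harmless if it did not.
    fields = [unquote(f) for f in request_line.strip().split()]
    if len(fields) < 2:
        return "ERR"  # no login or no group names supplied
    domain, user = canonical_user(fields[0])
    if domain != DEFAULT_DOMAIN.upper():
        return "ERR"  # only users of our own domain are authorized here
    for group in fields[1:]:
        if user in GROUP_MEMBERS.get(group, set()):
            return "OK"  # member of at least one listed group
    return "ERR"


def serve(lines: Iterable[str]) -> List[str]:
    """Process a batch of request lines the way the helper's stdin loop would."""
    return [decide(line) for line in lines]


if __name__ == "__main__":
    for req in ("alice WebUsers", "carol WebUsers", "OTHERDOM\\alice WebUsers"):
        print(req, "->", decide(req))
```

The same ERR/OK contract is what `wbinfo -a user%pass` and a manual run of /usr/lib/squid/wb_group from a shell let you exercise against the real helper in STEP TEN.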
Received on Thu Sep 09 2004 - 00:15:24 MDT