Различия

Показаны различия между двумя версиями страницы.

--- squid_w2008_ad [2012/07/11 02:24] – создано pinkbyte
+++ squid_w2008_ad [2021/08/04 17:06] (текущий) – удалено pinkbyte
@@ Строка 1: / Строка 1: @@
-. Valid package.use for this installation:
-<code bash>
-net-fs/samba            ads winbind ldap syslog
-net-proxy/squid         ldap kerberos
-net-nds/openldap        sasl
-dev-libs/cyrus-sasl     kerberos
-</code>
-. Change /etc/krb5.conf:
-<code>
-[libdefaults]
-        default_realm = TEST.LOCAL
-        ticket_lifetime = 24h
-        default_keytab_name = /etc/squid/krb.keytab
-# for Windows 2008 with AES
-    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
-    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
-    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
-[realms]
-        TEST.LOCAL = {
-#               admin_server = ad.test.local
-                default_domain = test.local
-#               kdc = ad.test.local
-        }
-[domain_realm]
-        .test.local = TEST.LOCAL
-        test.local = TEST.LOCAL
-</code>
-here: TEST.LOCAL - realm(case sensitive). test.local - DNS name of domain,
-ad.test.local - DNS name of Domain Controller
-. <code bash>kinit Администратор</code>
-. Check with klist for valid krb5 credentials cache
-. On Windows-side: make sure that reverse PTR record is exist for Domain Controller!!!!
-. Back on Linux-side :-). Install msktutil(TODO: made ebuild)
-. Try:
-<code bash>msktutil -c -b "CN=COMPUTERS" -s HTTP/zfstest.test.local -k /etc/squid/krb.keytab \
---computer-name ZFSTEST-K --upn HTTP/zfstest.test.local --server ad.test.local --enctypes 28 \
---verbose --user-creds-only</code>
-. On Windows-side: reset computer account ZFSTEST-K
-. On Linux-side: <code bash>kdestroy</code>
-. Check for auto-update keytab works properly:
-<code bash>msktutil --auto-update --verbose --computer-name zfstest-k</code>
-. If all goes OK: write auto-updating keytab to crontab
-<code>00 4  *   *   *     msktutil --auto-update --verbose --computer-name zfstest-k | logger -t msktutil</code>
-. <code bash>kinit Администратор</code>
-. <code>net ads join -U Администратор</code>
-and WAIT!!!!!
-. Edit daemon_list in /etc/conf.d/samba:
-<code>
-#add "winbind" to the daemon_list if you also want winbind to start
-daemon_list="smbd nmbd winbind"
-</code>
-. <code bash>/etc/init.d/samba start</code>
-. Check Winbind
-<code bash>
-wbinfo -p
-wbinfo -t
-wbinfo -u
-wbinfo -g
-</code>
-. <code bash>chgrp squid /var/cache/samba/winbindd_privileged</code>
-. Install negotiate wrapper(TODO: made ebuild) for squid
-. On DC: create user Squid, assing him a password.
-Write password for this user to /etc/squid/ldappass.txt
-Check permissions on this file!!!!
-. Paste follow config for authorization:
-<code>
-### negotiate kerberos and ntlm authentication
-auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST --kerberos /usr/$
-auth_param negotiate children 10
-auth_param basic realm Negotiate Auth
-auth_param negotiate keep_alive off
-### pure ntlm authentication
-auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST
-auth_param ntlm children 10
-auth_param basic realm NTLM Auth
-auth_param ntlm keep_alive off
-### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
-auth_param basic program /usr/libexec/squid/squid_ldap_auth -R -b "dc=test,dc=local" -D squid@test.local -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h ad.test.local
-auth_param basic children 10
-auth_param basic realm Basic Auth
-auth_param basic credentialsttl 1 minute
-</code>
-. Configuration finished. Check results :-)

Pinkbyte's wiki

Инструменты пользователя

Инструменты сайта

Различия

Инструменты страницы