This is an old version of the document!
0. Valid package.use for this installation:
net-fs/samba ads winbind ldap syslog
net-proxy/squid ldap kerberos
net-nds/openldap sasl
dev-libs/cyrus-sasl kerberos
1. Change /etc/krb5.conf:
[libdefaults]
    default_realm = TEST.LOCAL
    ticket_lifetime = 24h
    default_keytab_name = /etc/squid/krb.keytab
# for Windows 2008 with AES
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    TEST.LOCAL = {
#       admin_server = ad.test.local
        default_domain = test.local
#       kdc = ad.test.local
    }

[domain_realm]
    .test.local = TEST.LOCAL
    test.local = TEST.LOCAL
Here TEST.LOCAL is the realm (case sensitive), test.local is the DNS name of the domain, and ad.test.local is the DNS name of the Domain Controller.
2. Obtain a Kerberos ticket:
kinit Администратор
3. Check with klist that the credentials cache holds a valid Kerberos ticket.
4. On the Windows side: make sure that a reverse (PTR) DNS record exists for the Domain Controller!!!!
5. Back on the Linux side: install msktutil (TODO: make an ebuild).
6. Try:
msktutil -c -b "CN=COMPUTERS" -s HTTP/zfstest.test.local -k /etc/squid/krb.keytab \
    --computer-name ZFSTEST-K --upn HTTP/zfstest.test.local --server ad.test.local --enctypes 28 \
    --verbose --user-creds-only
7. On the Windows side: reset the computer account ZFSTEST-K.
8. On Linux-side:
kdestroy
9. Check that auto-update of the keytab works properly:
msktutil --auto-update --verbose --computer-name zfstest-k
10. If all goes OK, add the keytab auto-update to crontab:
00 4 * * * msktutil --auto-update --verbose --computer-name zfstest-k | logger -t msktutil
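Because the cron job in step 10 runs unattended, it is worth having a second job that proves the keytab is still usable after msktutil rotates the key. The script below is an added example and not part of the original page: it parses `klist -kt` output (MIT klist layout assumed), confirms the HTTP/ service principal from step 6 is still present, reports its highest KVNO, and then obtains a throwaway ticket with the keytab to prove the key matches what the DC holds. The keytab path and principal are the page's values; the `RUN_CHECK` switch and the exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): post-check for msktutil --auto-update.
# KEYTAB and SPN are the values used on the page; override them via the environment.
KEYTAB=${KEYTAB:-/etc/squid/krb.keytab}
SPN=${SPN:-HTTP/zfstest.test.local@TEST.LOCAL}

# keytab_kvno_for PRINCIPAL
# Reads `klist -kt` output on stdin. Prints the highest KVNO recorded for
# PRINCIPAL and returns 0; returns 1 and prints nothing if it is absent.
# Header lines ("Keytab name:", "KVNO Timestamp ...", "----") are skipped
# because their first field is not a number.
keytab_kvno_for() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $NF == p { found = 1; if ($1 + 0 > max) max = $1 + 0 }
        END { if (!found) exit 1; print max }
    '
}

# check_keytab
# Runs the real tools when they are installed. Exit codes (assumed here):
# 0 ok, 1 principal missing, 2 key rejected by the KDC, 3 klist not installed.
check_keytab() {
    command -v klist >/dev/null 2>&1 || { echo "klist not found" >&2; return 3; }
    kvno=$(klist -kt "$KEYTAB" | keytab_kvno_for "$SPN") || {
        echo "$SPN missing from $KEYTAB" >&2; return 1; }
    echo "$SPN present in $KEYTAB, kvno $kvno"
    # Prove the key matches the DC: get a ticket into a temporary cache so the
    # cache squid itself uses is never touched, then remove it.
    cc=$(mktemp)
    if KRB5CCNAME="FILE:$cc" kinit -kt "$KEYTAB" "$SPN"; then
        rm -f "$cc"
        return 0
    fi
    rm -f "$cc"
    echo "kinit with $KEYTAB failed (stale key after rotation? clock skew?)" >&2
    return 2
}

# Run the live check only when asked, so sourcing this file is side-effect free:
#   RUN_CHECK=1 sh keytab-check.sh | logger -t keytab-check
if [ "${RUN_CHECK:-0}" = 1 ]; then
    check_keytab
fi
```

Schedule it a few minutes after the msktutil cron entry; a non-zero exit in the cron log then points at the rotation that broke the keytab, instead of at users who suddenly fall back to NTLM or basic auth.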
11. Obtain a Kerberos ticket again:
kinit Администратор
12. Join the domain:
net ads join -U Администратор
and WAIT!!!!!
13. Edit daemon_list in /etc/conf.d/samba:
# add "winbind" to the daemon_list if you also want winbind to start
daemon_list="smbd nmbd winbind"
14. Start samba:
/etc/init.d/samba start
15. Check winbind:
wbinfo -p
wbinfo -t
wbinfo -u
wbinfo -g
16. Give the squid group access to the winbind privileged pipe (the ntlm_auth helper runs as squid):
chgrp squid /var/cache/samba/winbindd_privileged
17. Install the negotiate wrapper for squid (TODO: make an ebuild).
18. On the DC: create the user Squid and assign it a password. Write this user's password to /etc/squid/ldappass.txt. Check the permissions on this file!!!!
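Both /etc/squid/ldappass.txt (the bind password of the Squid account) and /etc/squid/krb.keytab (the computer account key) let anyone who can read them authenticate to the domain, so "check permissions" deserves a script rather than a glance. The following is an added example, not from the original page: it checks that a secret file is a regular file (not a symlink), has the expected owner and group, and has no permission bit outside an allowed maximum. It uses GNU coreutils `stat`, which Gentoo ships; the root:squid 640 layout, the `RUN_CHECK` switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): permission check for squid's secrets.

# check_secret_file FILE OWNER GROUP MAX_MODE
# Returns 0 when FILE is a regular file (symlinks rejected so a link to a
# world-readable copy cannot pass), owned by OWNER:GROUP, and has no
# permission bit set outside MAX_MODE (octal digits, e.g. 640).
check_secret_file() {
    file=$1; owner=$2; group=$3; max_mode=$4
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "$file: missing or not a regular file" >&2; return 1
    fi
    actual_owner=$(stat -c %U "$file")
    actual_group=$(stat -c %G "$file")
    actual_mode=$(stat -c %a "$file")
    if [ "$actual_owner" != "$owner" ] || [ "$actual_group" != "$group" ]; then
        echo "$file: owned by $actual_owner:$actual_group, expected $owner:$group" >&2
        return 1
    fi
    # Bits present in the actual mode that MAX_MODE does not allow.
    # The leading 0 makes the shell parse both numbers as octal; setuid/setgid
    # bits show up as a fourth digit and are caught the same way.
    extra=$(( 0$actual_mode & ~0$max_mode ))
    if [ "$extra" -ne 0 ]; then
        echo "$file: mode $actual_mode exceeds allowed $max_mode" >&2; return 1
    fi
    return 0
}

# check_squid_secrets
# The page's two secret files, assumed root-owned with group squid and
# mode 640: the helpers (running as squid) can read them, other local
# users cannot. Returns the number of files that failed.
check_squid_secrets() {
    fails=0
    for f in /etc/squid/ldappass.txt /etc/squid/krb.keytab; do
        check_secret_file "$f" root squid 640 || fails=$((fails + 1))
    done
    return $fails
}

# Run only when asked, so the file can also be sourced for its functions:
#   RUN_CHECK=1 sh squid-secrets-check.sh
if [ "${RUN_CHECK:-0}" = 1 ]; then
    check_squid_secrets
fi
```

Run it after step 18 and again after the msktutil cron job has rewritten the keytab at least once, since tools that recreate a file can also reset its mode.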
19. Paste the following config into squid.conf for authentication:
### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST --kerberos /usr/$
auth_param negotiate children 10
auth_param basic realm Negotiate Auth
auth_param negotiate keep_alive off
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST
auth_param ntlm children 10
auth_param basic realm NTLM Auth
auth_param ntlm keep_alive off
### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/libexec/squid/squid_ldap_auth -R -b "dc=test,dc=local" -D squid@test.local -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h ad.test.local
auth_param basic children 10
auth_param basic realm Basic Auth
auth_param basic credentialsttl 1 minute
20. Configuration finished. Check the results.