Detailed HOWTO on Squid with authentication in Windows 2008 Active Directory

0. USE flags used for this installation (Gentoo, /etc/portage/package.use):

net-fs/samba            ads winbind ldap syslog
net-proxy/squid         ldap kerberos
net-nds/openldap        sasl    
dev-libs/cyrus-sasl     kerberos

1. Edit /etc/krb5.conf:

[libdefaults]
        default_realm = TEST.LOCAL
        ticket_lifetime = 24h
        # keytab written by msktutil in step 6; the Squid Kerberos helper reads it from here
        default_keytab_name = /etc/squid/krb.keytab

        # for Windows 2008 with AES. The des-cbc-* types are weak and the keytab
        # created in step 6 (--enctypes 28) contains no DES keys, so they can be
        # dropped unless an old DC still requires them.
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
        TEST.LOCAL = {
#               admin_server = ad.test.local
                default_domain = test.local
#               kdc = ad.test.local
        }

[domain_realm]
        .test.local = TEST.LOCAL
        test.local = TEST.LOCAL

Here TEST.LOCAL is the Kerberos realm (case-sensitive, conventionally upper case), test.local is the DNS name of the domain and ad.test.local is the DNS name of the Domain Controller. With kdc and admin_server commented out, libkrb5 locates the KDC through the _kerberos._tcp.test.local SRV records that AD publishes in DNS; uncomment them to pin a specific DC.

2. Get a TGT for a domain administrator (Администратор is the built-in Administrator account on a Russian-localized DC; any account allowed to create computer objects in the target container will do):

kinit Администратор

3. Check with klist that the credentials cache now holds a valid TGT (krbtgt/TEST.LOCAL@TEST.LOCAL).

4. On the Windows side: make sure a reverse (PTR) DNS record exists for the Domain Controller.

5. Back on the Linux side :-). Install msktutil (TODO: make an ebuild).

6. Create the computer account ZFSTEST-K in CN=Computers (-b is relative to the domain base) with the service principal HTTP/zfstest.test.local and write its keys to the keytab. --user-creds-only makes msktutil authenticate with the administrator ticket from step 2 instead of machine credentials. --enctypes 28 is the bitmask 0x4|0x8|0x10 = RC4-HMAC + AES128 + AES256; it deliberately omits DES:

msktutil -c -b "CN=COMPUTERS" -s HTTP/zfstest.test.local -k /etc/squid/krb.keytab \
--computer-name ZFSTEST-K --upn HTTP/zfstest.test.local --server ad.test.local --enctypes 28 \
--verbose --user-creds-only

7. On the Windows side: reset the computer account ZFSTEST-K (Active Directory Users and Computers, right-click the account, Reset Account). This invalidates the keys just written to the keytab, which is exactly what the next steps exercise.

8. On the Linux side, drop the administrator ticket so that msktutil can no longer rely on it:

kdestroy

9. Check that the keytab auto-update works, i.e. msktutil re-keys the account and rewrites the keytab without your user ticket:

msktutil --auto-update --verbose --computer-name zfstest-k

10. If all goes OK, schedule the auto-update from crontab; msktutil then changes the computer password once it is older than 30 days and keeps the keytab in sync:

00 4  *   *   *     msktutil --auto-update --verbose --computer-name zfstest-k | logger -t msktutil

11. Get an administrator ticket again for the Samba join:

kinit Администратор

12. Join the domain with Samba:

net ads join -U Администратор

and WAIT: the join takes a while to complete.

13. Edit daemon_list in /etc/conf.d/samba so that winbind is started as well:

#add "winbind" to the daemon_list if you also want winbind to start
daemon_list="smbd nmbd winbind"

14. Start Samba (smbd, nmbd and winbind):

/etc/init.d/samba start

15. Check winbind:

wbinfo -p     # ping winbindd
wbinfo -t     # verify the machine account trust secret against the DC
wbinfo -u     # list domain users
wbinfo -g     # list domain groups

16. Let the squid user reach winbind's privileged pipe; ntlm_auth needs it for the squid-2.5-ntlmssp helper protocol:

chgrp squid /var/cache/samba/winbindd_privileged

17. Install negotiate_wrapper (TODO: make an ebuild) for Squid. It lets a single auth_param negotiate helper hand Kerberos tokens to the Kerberos helper and NTLMSSP tokens (sent by clients that cannot obtain a ticket) to ntlm_auth.

18. On the DC: create an ordinary, unprivileged domain user Squid and assign it a password. Write that password to /etc/squid/ldappass.txt (one line). The account only needs to bind and search, so give it no extra rights, and make the file readable by the squid user alone (mode 0600): anyone who can read it holds a valid domain credential.

19. Paste the following authentication configuration into squid.conf. Squid offers the schemes to the browser in this order: Negotiate (Kerberos, with NTLMSSP handled inside the wrapper), pure NTLM, then Basic against LDAP.

### negotiate kerberos and ntlm authentication
### --kerberos takes the path to Squid's Kerberos helper (squid_kerb_auth in 3.1, negotiate_kerberos_auth in 3.2+)
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST --kerberos /usr/$
auth_param negotiate children 10
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST
auth_param ntlm children 10
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
### "realm" is a parameter of the basic scheme only; negotiate and ntlm have no realm.
### The browser sends the user's domain password to the proxy in clear here, and
### squid_ldap_auth binds to the DC with the Squid user's password in clear unless
### -Z (STARTTLS) is added and the DC's certificate is trusted on the proxy.
auth_param basic program /usr/libexec/squid/squid_ldap_auth -R -b "dc=test,dc=local" -D squid@test.local -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h ad.test.local
auth_param basic children 10
auth_param basic realm Basic Auth
auth_param basic credentialsttl 1 minute

20. Configuration finished. Check results :-)
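The checks below are an added example written for this page; they are not part of the original HOWTO nor of the msktutil or Squid projects. They cover steps 6 to 10 (keytab contents and key version) and step 18 (the password file) in one POSIX shell script: it refuses a keytab or ldappass.txt readable by anyone but its owner, reads a "klist -kte" listing to confirm the SPN has an AES-256 key and no single-DES key, and reports the keytab's key version number to compare with "kvno HTTP/zfstest.test.local" taken with a fresh TGT. The paths and the SPN are the HOWTO's; the assumption that both files should be owned by the user squid runs as (squid) is mine, and the klist sample used for the offline self-test is constructed.

```shell
#!/bin/sh
# Added example, not from the original HOWTO. Post-setup checks for the
# secret files created in steps 6 and 18. Paths and SPN are the HOWTO's;
# SQUID_USER (the owner both files should have) is an assumption.

KEYTAB=/etc/squid/krb.keytab       # written by msktutil, step 6
LDAPPASS=/etc/squid/ldappass.txt   # squid_ldap_auth bind password, step 18
SPN=HTTP/zfstest.test.local        # service principal from step 6
SQUID_USER=squid                   # user the squid helpers run as (assumed)

# check_secret_perms FILE [OWNER]
# Succeeds only if FILE is a regular file with no group/other bits (0600 or
# 0400) and, if OWNER is given, belongs to OWNER. Both files are passwords:
# the keytab holds the computer account's long-term keys, ldappass.txt the
# Squid user's password.
check_secret_perms() {
    f=$1 owner=${2:-}
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    case $mode in
        600|400) ;;
        *) echo "$f: mode $mode, want 0600 or 0400" >&2; return 1 ;;
    esac
    if [ -n "$owner" ] && [ "$(stat -c '%U' "$f")" != "$owner" ]; then
        echo "$f: not owned by $owner" >&2; return 1
    fi
    return 0
}

# keytab_entries LISTING SPN: lines of a "klist -kte KEYTAB" listing that
# belong to SPN. klist prints one key per line: KVNO, date, time,
# principal, (enctype).
keytab_entries() {
    printf '%s\n' "$1" | awk -v spn="$2@" 'index($4, spn) == 1'
}

# keytab_kvno LISTING SPN: highest key version number stored for SPN.
# Compare with "kvno SPN" run with a fresh TGT; if AD's number is higher,
# the account was reset after the keytab was written (as in step 7) and
# "msktutil --auto-update" must run again.
keytab_kvno() {
    keytab_entries "$1" "$2" |
        awk 'BEGIN { m = 0 } $1+0 > m { m = $1+0 } END { print m }'
}

# check_keytab_enctypes LISTING SPN: require an AES-256 key for SPN and
# reject single-DES keys. msktutil --enctypes 28 is 0x4|0x8|0x10 =
# RC4-HMAC, AES-128, AES-256, so a DES entry means a wrong bitmask or a
# stale keytab. Matching is loose because MIT releases spell enctypes
# differently ("aes256-cts-hmac-sha1-96" vs "AES-256 CTS mode ...").
check_keytab_enctypes() {
    entries=$(keytab_entries "$1" "$2")
    printf '%s\n' "$entries" | grep -Eqi 'aes.?256' || {
        echo "$2: no AES-256 key in keytab" >&2; return 1; }
    if printf '%s\n' "$entries" | grep -Eqi '\(des[ -]cbc'; then
        echo "$2: single-DES keys in keytab" >&2; return 1
    fi
    return 0
}

# Constructed sample of "klist -kte" output for a keytab written with
# --enctypes 28. The KVNO 2 line is a leftover key from before a re-key.
SAMPLE_LISTING='Keytab name: FILE:/etc/squid/krb.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   2 12/04/14 13:30:00 HTTP/zfstest.test.local@TEST.LOCAL (aes256-cts-hmac-sha1-96)
   3 12/04/14 13:30:00 HTTP/zfstest.test.local@TEST.LOCAL (aes256-cts-hmac-sha1-96)
   3 12/04/14 13:30:00 HTTP/zfstest.test.local@TEST.LOCAL (aes128-cts-hmac-sha1-96)
   3 12/04/14 13:30:00 HTTP/zfstest.test.local@TEST.LOCAL (arcfour-hmac)'

# Same keytab with a DES key added (constructed; the check must reject it).
SAMPLE_LISTING_DES="$SAMPLE_LISTING
   3 12/04/14 13:30:00 HTTP/zfstest.test.local@TEST.LOCAL (des-cbc-md5)"

# Live checks against the real files; run only when they exist so the
# script can also be sourced for the offline self-test.
run_checks() {
    rc=0
    check_secret_perms "$KEYTAB" "$SQUID_USER" || rc=1
    check_secret_perms "$LDAPPASS" "$SQUID_USER" || rc=1
    if [ -r "$KEYTAB" ] && command -v klist >/dev/null 2>&1; then
        listing=$(klist -kte "$KEYTAB")
        check_keytab_enctypes "$listing" "$SPN" || rc=1
        echo "keytab KVNO for $SPN: $(keytab_kvno "$listing" "$SPN") (compare with: kvno $SPN)"
    fi
    return $rc
}

if [ -f "$KEYTAB" ] || [ -f "$LDAPPASS" ]; then
    run_checks
fi
```

Run it as root after step 18; a non-zero exit means one of the files is readable by others, has the wrong owner, or the keytab lacks an AES-256 key for the SPN. The KVNO it prints should equal what "kvno HTTP/zfstest.test.local" reports after a kinit; if AD is ahead, repeat step 9.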

squid_w2008_ad.txt · Last modified: 2014/12/04 13:30 (external edit)

Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain