Differences

This shows you the differences between two versions of this page.

Link to this comparison view

squid_w2008_ad [2012/07/10 22:24]
pinkbyte created
squid_w2008_ad [2014/12/04 10:30]
Line 1: Line 1:
-0. Valid package.use for this installation:​ 
  
-<code bash> 
-net-fs/​samba ​           ads winbind ldap syslog 
-net-proxy/​squid ​        ldap kerberos 
-net-nds/​openldap ​       sasl    ​ 
-dev-libs/​cyrus-sasl ​    ​kerberos 
-</​code>​ 
- 
-1. Change /​etc/​krb5.conf:​ 
- 
-<​code>​ 
-[libdefaults] 
-        default_realm = TEST.LOCAL 
-        ticket_lifetime = 24h 
-        default_keytab_name = /​etc/​squid/​krb.keytab 
- 
-# for Windows 2008 with AES 
-    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 
-    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 
-    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 
- 
-[realms] 
-        TEST.LOCAL = { 
-#               ​admin_server = ad.test.local 
-                default_domain = test.local 
-#               kdc = ad.test.local 
-        } 
- 
-[domain_realm] 
-        .test.local = TEST.LOCAL 
-        test.local = TEST.LOCAL 
-</​code>​ 
- 
-here: TEST.LOCAL - realm(case sensitive). test.local - DNS name of domain, 
-ad.test.local - DNS name of Domain Controller 
- 
-2. <code bash>​kinit Администратор</​code>​ 
- 
-3. Check with klist for valid krb5 credentials cache 
- 
-4. On Windows-side:​ make sure that reverse PTR record is exist for Domain Controller!!!! 
- 
-5. Back on Linux-side :-). Install msktutil(TODO:​ made ebuild) 
- 
-6. Try: 
-<code bash>​msktutil -c -b "​CN=COMPUTERS"​ -s HTTP/​zfstest.test.local -k /​etc/​squid/​krb.keytab \ 
---computer-name ZFSTEST-K --upn HTTP/​zfstest.test.local --server ad.test.local --enctypes 28 \ 
---verbose --user-creds-only</​code>​ 
- 
-7. On Windows-side:​ reset computer account ZFSTEST-K 
- 
-8. On Linux-side: <code bash>​kdestroy</​code>​ 
- 
-9. Check for auto-update keytab works properly: 
-<code bash>​msktutil --auto-update --verbose --computer-name zfstest-k</​code>​ 
- 
-10. If all goes OK: write auto-updating keytab to crontab 
-<​code>​00 4  *   ​* ​  ​* ​    ​msktutil --auto-update --verbose --computer-name zfstest-k | logger -t msktutil</​code>​ 
- 
-11. <code bash>​kinit Администратор</​code>​ 
- 
-12. <​code>​net ads join -U Администратор</​code>​ 
-and WAIT!!!!! 
- 
-13. Edit daemon_list in /​etc/​conf.d/​samba:​ 
-<​code>​ 
-#add "​winbind"​ to the daemon_list if you also want winbind to start 
-daemon_list="​smbd nmbd winbind"​ 
-</​code>​ 
- 
-14. <code bash>/​etc/​init.d/​samba start</​code>​ 
- 
-15. Check Winbind 
-<code bash> 
-wbinfo -p 
-wbinfo -t 
-wbinfo -u 
-wbinfo -g 
-</​code>​ 
- 
-16. <code bash>​chgrp squid /​var/​cache/​samba/​winbindd_privileged</​code>​ 
- 
-17. Install negotiate wrapper(TODO:​ made ebuild) for squid 
- 
-18. On DC: create user Squid, assing him a password. 
-Write password for this user to /​etc/​squid/​ldappass.txt 
-Check permissions on this file!!!! 
- 
-19. Paste follow config for authorization:​ 
- 
-<​code>​ 
-### negotiate kerberos and ntlm authentication 
-auth_param negotiate program /​usr/​local/​bin/​negotiate_wrapper -d --ntlm /​usr/​bin/​ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST --kerberos /usr/$ 
-auth_param negotiate children 10 
-auth_param basic realm Negotiate Auth 
-auth_param negotiate keep_alive off 
- 
-### pure ntlm authentication 
-auth_param ntlm program /​usr/​bin/​ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST 
-auth_param ntlm children 10 
-auth_param basic realm NTLM Auth 
-auth_param ntlm keep_alive off 
- 
-### provide basic authentication via ldap for clients not authenticated via kerberos/​ntlm 
-auth_param basic program /​usr/​libexec/​squid/​squid_ldap_auth -R -b "​dc=test,​dc=local"​ -D squid@test.local -W /​etc/​squid/​ldappass.txt -f sAMAccountName=%s -h ad.test.local 
-auth_param basic children 10 
-auth_param basic realm Basic Auth 
-auth_param basic credentialsttl 1 minute 
-</​code>​ 
- 
-20. Configuration finished. Check results :-) 
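Review bot: the three enctype lists in the krb5.conf block (`default_tgs_enctypes`, `default_tkt_enctypes`, `permitted_enctypes`) include `des-cbc-crc` and `des-cbc-md5`, which are single-DES and should not be permitted even on a Windows 2008 domain; trimming them to `aes256-cts-hmac-sha1-96 rc4-hmac` (and dropping `rc4-hmac` once no legacy client needs it) still matches the keytab created in step 6, because `--enctypes 28` in msktutil is the bitmask RC4 (4) + AES128 (8) + AES256 (16) and contains no DES entry. Two smaller points: step 18 leaves the Squid bind account's password in plain text in `/etc/squid/ldappass.txt`, so the "check permissions" reminder should be concrete (owned by the user Squid runs as, mode 0400, and a bind account with no rights beyond reading the user attributes the helper queries), and the `auth_param negotiate program` line in step 19 is cut off after `--kerberos /usr/$`, so the Kerberos helper path is missing from the page as shown. Finally, `auth_param basic realm` appears under the negotiate and ntlm sections as well as the basic one; realm only applies to the basic and digest schemes, so the first two copies are dead configuration and only the last one (`Basic Auth`) takes effect.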
 
squid_w2008_ad.txt · Last modified: 2014/12/04 10:30 (external edit)
 
Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain