Squid with AD authentication

火星人 @ 2014-03-04 , reply:0

There is very little information in the Linux world, and I could not find a single thing on the Internet about authentication based on AD groups. I had to work through the bundled documentation item by item and try things myself.

Basic functions implemented:
1: Group-based authentication against a 2003 AD;
2: Two desktop machines are enough to build HA;

The proxy service involves the following steps:

Section 1: CentOS 4.3 Installation;
Section 2: CentOS 4.3 router and basic setting;
Section 3: Add Machine to AD;
Section 4: Squid2.6 Stable3 Installation and Configuration;
Section 5: Linux High-Available Installation and Configuration;
Section 6: Other Services based on Linux installation Procedure;


Section 1: CentOS 4.3 Installation
1. Prepare the relevant hardware information:
Hardware Information:
GX280: PVI 2.6GHz; 2048MB 400DDR; 160 Gig hard drives; 2 network cards.
CentOS 4.3 4CD;
2. Insert the boot disc into the CD drive and reboot. Your BIOS settings may need to be changed to allow you to boot from the diskette or CD-ROM. After a short delay, a screen containing the boot: prompt should appear. Press ENTER to continue, and click Skip when prompted to test the CD media.
3. Using your mouse, select the relevant options, referring to the following for the installation:
Language Selection: English (English)
Keyboard Configuration: U.S. English
Mouse Configuration: PS/2
Installation Type: Custom
Disk Partitioning Setup: Manually partition with Disk Druid.
File System (ext3)    Size             Description
/boot                 100MB
<swap>                2048MB
/                     10000MB
/var                  40000MB (LVM)    For proxy log
/cache                80000MB          For proxy cache

Boot Loader Configuration:
Network Configuration:
                 Eth0              Eth1
IP address       8.8.8.1           10.1.1.10
Subnet mask      255.255.255.0     255.255.255.0
Gateway                            10.1.1.5 (firewall)
Primary DNS                        10.1.1.33
Firewall Configuration: No Firewall / Disable SELinux
Additional language support: English (USA)
Time Zone Selection: Asia/Shanghai
Set Root Password: xxxxxxxx
Package Group Selection (include the following only):
    Applications:    Editors
                     Text-based Internet: add Lynx
    Servers:         Server Configuration Tools: default
                     Web Server: squid only
    Development:     Development Tools: default
Proceed with Install
Do not create a boot disk
The install will complete and the system will reboot.

[ This post was last edited by seewo on 2006-8-23 14:37 ]
《Solution》

Section 2: CentOS 4.3 router and basic setting
Log on as root (you can access the machine remotely using Putty.exe on Windows; SSH is enabled by default).
Modify /etc/resolv.conf as below:
domain test.com
search test.com
nameserver 10.1.1.33
Modify /etc/hosts as below:
127.0.0.1     uxpxchn localhost.localdomain localhost
10.1.1.10     uxpxchn uxpxchn.test.com uxpxchn
10.1.1.33     dc01    dc01.test.com
Modify /etc/rc.d/rc.local as below:
echo "" >/etc/issue
echo "" >/etc/issue.net
touch /var/lock/subsys/local
/sbin/route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.1.1.1
Add the route to your internal network here; the default gateway is the firewall.

[ This post was last edited by seewo on 2006-8-22 19:50 ]
《Solution》

Section 3: Add uxpxchn to AD
1. Confirm that the following packages are available on the CentOS 4.3 system, using this command:
root# rpm -qa | grep krb5
krb5-auth-dialog-0.2-1
krb5-devel-1.3.4-27
krb5-libs-1.3.4-27
pam_krb5-2.1.8-1
krb5-workstation-1.3.4-27
Kerberos Configuration: the system's Kerberos installation must be configured to communicate with your primary Active Directory server (ADS KDC).
Kerberos Configuration Steps:
Modify the /etc/krb5.conf file as below:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 TEST.COM = {
  kdc = DC01.TEST.COM:88
  admin_server = DC01.TEST.COM:749
 }

[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
2. Now you are ready to test your installation by issuing the command:
root# kinit administrator@TEST.COM
Make sure that your password is accepted by the Active Directory KDC.
Kerberos is case sensitive: your realm must be in UPPERCASE.
Securing Samba-3 with ADS Support Steps:
Install samba-client-3.0.10-1.4E.6, samba-common-3.0.10-1.4E.6 and samba-3.0.10-1.4E.6 using the rpm command. Change the /etc/samba/smb.conf file so it has contents similar to the listing shown below:
[global]
workgroup = TEST
realm = TEST.COM
security = ADS
password server = DC01.TEST.COM
encrypt passwords = yes
wins server = DC01.TEST.COM
dns proxy = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/false
winbind use default domain = yes
winbind separator = \
winbind enum users = yes
winbind enum groups = yes
3. For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication. Modify the /etc/nsswitch.conf file as below:
passwd: files winbind
shadow: files
group: files winbind
4. Next you need to create a computer account in the Active Directory. This sets up the trust relationship needed for other clients to authenticate to the Samba server with an Active Directory Kerberos ticket. This is done with the "net ads join -U administrator%Password" command. Then start your Active Directory-enabled Samba with the following commands:
root# chkconfig samba on
root# chkconfig winbind on
root# service samba start
root# service winbind start
5. We now need to test that Samba is communicating with the Active Directory domain; most specifically, we want to see whether winbind is enumerating users and groups. Issue the following commands:
root# wbinfo -t
This tests whether we are authenticating against the Active Directory tree.
root# wbinfo -u
This enumerates all the users in your Active Directory tree.
root# wbinfo -g
This enumerates all the groups in your Active Directory tree.
6. Now we can create a computer account in the Active Directory. This sets up the trust relationship needed for other clients to authenticate to the Samba server with an Active Directory Kerberos ticket. This is done with the "net ads join -U" command.
7. Squid uses the ntlm_auth helper built with Samba-3. You may test ntlm_auth with the command:
root# /usr/bin/ntlm_auth --username=administrator
password:
NT_STATUS_OK: Success (0x0)
8. Squid needs to read from the winbind privileged pipe. Remember to issue the following commands:
root# chgrp squid /var/cache/samba/winbindd_privileged
root# chmod -R 750 /var/cache/samba/winbindd_privileged
Squid, by default, runs as the user nobody. You need to add a system user squid and a system group squid if they are not set up already.
At this point, joining AD is complete, and we are using the helper for Squid that ships with Samba (the one that ships with Squid does not work on Samba 3). The remaining part will be posted next time.

[ This post was last edited by seewo on 2006-8-22 19:51 ]
《Solution》

Reply to seewo's post #1

Original poster, could I ask:
1. Is there a way in Squid to control which websites different Windows groups can access?
2. I tried an external ACL + wb_group without success. winbind was added at compile time:
external_acl_type wb_group concurrency=5 ttl=900 %LOGIN /usr/local/squid/libexec/wb_group
#http_access allow all AclName
acl password proxy_auth REQUIRED
acl internetfull external wb_group -i IPVLINK+wt IPVLINK+hhhh

I don't know what to do next.
Thanks
《Solution》

Once you have read this you will know how to do it. Continuing:

Section 4: Squid2.5 Stable14 Installation and Configuration;
1. Add a system user squid and a system group squid:
root# useradd -s /bin/false -c "for Squid Only" squid
2. Squid must also have control over its logging.
root# mkdir /var/log/squid
root# chown squid:squid /var/log/squid
root# chmod 770 /var/log/squid
Finally, Squid must be able to write to its disk cache. Enter the following commands:
root# chown -R squid:squid /cache
root# chmod 770 /cache
3. Download squid 2.5Stable14 and save it to /usr/local/src:
root# wget http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE3.tar.gz
Compile and install Squid-2.6 Stable3:
root# tar zxvf squid-2.6.STABLE3.tar.gz
root# cd squid-2.6.STABLE3
root# ./configure --prefix=/usr/local/squid --sysconfdir=/etc/squid --enable-async-io=32 --enable-auth="basic,ntlm" --enable-external-acl-helpers="wbinfo_group" --enable-kill-parent-hack --enable-poll --enable-removal-policies="heap" --disable-icmp --disable-delay-pools --disable-useragent-log --disable-arp-acl --disable-ident-lookups --disable-internal-dns
root# make
root# make install
root# make clean
root# strip /usr/local/squid/sbin/squid
root# strip /usr/local/squid/libexec/dnsserver
root# strip /usr/local/squid/libexec/cachemgr.cgi
4. Move the cache manager program to /var/www/cgi-bin/:
root# mv /usr/local/squid/libexec/cachemgr.cgi /var/www/cgi-bin/cachemgr.cgi
Start httpd and squid automatically during boot:
root# chkconfig httpd on
root# ln -s /etc/rc.d/init.d/squid /etc/rc3.d/S96squid
For squid.conf, see the next post.

[ This post was last edited by seewo on 2006-8-22 22:06 ]
《Solution》

Squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl ProxyUsers external NT_global_group Domain_Internet_Users
acl AuthenticatedUsers proxy_auth REQUIRED
http_access allow AuthenticatedUsers ProxyUsers
Note: Domain_Internet_Users is a global group in AD; any member of this group can access the Internet.
《Solution》

The poster above asked how to control which groups may access which websites. I have tested the following method and it works without problems!
external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl ProxyUsers external NT_global_group Domain_Internet_Users
acl Google_site dstdomain .google.com
acl GoogleUsers external NT_global_group Google_Groups
acl AuthenticatedUsers proxy_auth REQUIRED
http_access allow AuthenticatedUsers GoogleUsers Google_site
http_access allow AuthenticatedUsers ProxyUsers

Note: Google_Groups, like Domain_Internet_Users, is a global group in AD.

[ This post was last edited by seewo on 2006-8-23 14:41 ]
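Both squid.conf listings above hand the group check to the helper named in external_acl_type: Squid writes the %LOGIN value followed by the ACL's group arguments on one line, the helper answers OK or ERR, and http_access combines that with the proxy_auth ACL. As an added illustration, not the thread's own wbinfo_group.pl, the Python below implements that line protocol over a constructed membership table that stands in for the winbind lookups (the table, the user names and the URL-encoding of fields are my assumptions).

```python
import sys
from urllib.parse import unquote

# Constructed membership table standing in for the winbind lookups the real
# helper makes; a user missing from it models a failed "wbinfo -r <user>".
MEMBERSHIP = {
    "xh": {"wt"},
    "administrator": {"Domain Admins", "Domain_Internet_Users", "Google_Groups"},
    "guest": set(),
}

def parse_request(line, concurrent=False):
    """Split one request line into (channel, user, groups).

    With %LOGIN as the format Squid sends the login name followed by the
    ACL's arguments (the group names); with concurrency=N a channel id
    comes first and must be echoed back. Fields are assumed URL-encoded.
    """
    fields = line.split()
    channel = None
    if concurrent and fields:
        channel, fields = fields[0], fields[1:]
    if not fields:
        raise ValueError("empty request")
    user, *groups = [unquote(f) for f in fields]
    return channel, user, groups

def check_groups(user, groups, membership=MEMBERSHIP):
    """OK if the user belongs to any listed group, ERR otherwise.
    A failed user lookup also yields ERR, so a broken winbind denies
    everyone even though proxy_auth itself succeeded."""
    user_groups = membership.get(user.lower())
    if user_groups is None:
        return "ERR"
    return "OK" if any(g in user_groups for g in groups) else "ERR"

def handle(line, concurrent=False, membership=MEMBERSHIP):
    """Build the reply line Squid expects for one request line."""
    try:
        channel, user, groups = parse_request(line, concurrent)
    except ValueError:
        return "ERR"
    result = check_groups(user, groups, membership)
    return f"{channel} {result}" if concurrent else result

if __name__ == "__main__":
    # Squid keeps the helper running and writes one request per line.
    for request in sys.stdin:
        print(handle(request), flush=True)
```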
《Solution》

Reply to seewo's post #7

Thank you, original poster, but mine has not worked yet.
# wbinfo -g
BUILTINwinbind enum users = yesSystem Operators
BUILTINwinbind enum users = yesReplicators
BUILTINwinbind enum users = yesGuests
BUILTINwinbind enum users = yesPower Users
BUILTINwinbind enum users = yesPrint Operators
BUILTINwinbind enum users = yesAdministrators
BUILTINwinbind enum users = yesAccount Operators
BUILTINwinbind enum users = yesBackup Operators
BUILTINwinbind enum users = yesUsers
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
DnsUpdateProxy
wt
hhhh

# vi /usr/local/squid/etc/squid.conf
Here I followed the original poster (and recompiled with the extra parameter), as follows:
external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl ProxyUsers external NT_global_group wt
acl AuthenticatedUsers proxy_auth REQUIRED
http_access allow AuthenticatedUsers ProxyUsers
cache_effective_user test
cache_effective_group test

Result: users in the domain cannot access the Internet; if I comment out these external_acl_type lines there is no problem.

I can't find where the cause is. My Samba was joined to the domain using test.
Thanks
《Solution》

Friend above, please be clearer: which Linux version are you using, which version of Squid, and which compile options? Are you authenticating against AD or against an NT domain?
《Solution》

Reply to seewo's post #9

RedHat 9, kernel 2.4.20-8
samba-3.0.5-0.5, krb5-devel-1.2.7, squid-2.5.STABLE2.tar.gz
My server is 2003.
I want to use NTLM for AD authentication.
On the server there is an account xh whose group is wt.

Currently Linux is used as the proxy server (squid runs as the user test). Authentication is already working and the machine has joined the domain.

The clients (Windows systems with IE set to use the LAN proxy, and also computers in the domain) can currently visit websites without entering a password.

It's just that group access control (for example, wanting to let the group wt access the Internet) never works, and I have been looking for the cause all along.

I have listed part of the situation; please help me look at it.
samba-3.0.5-0.5.1.i386.rpm
samba-client-3.0.5-0.5.1.i386.rpm
samba-common-3.0.5-0.5.1.i386.rpm
# rpm -Uvh samb*
Below is the Samba-related file:

[global]
workgroup = IPVLINK.COM.CN
server string = Samba Server
printcap name = /etc/printcap
load printers = yes
printing = cups
log file = /var/log/samba/%m.log
max log size = 50
security = ads
realm = IPVLINK.COM.CN
password server = win2k3.IPVLINK.COM.CN
encrypt passwords = yes
wins server = win2k3.IPVLINK.COM.CN
dns proxy = no
winbind uid = 10000-20000
winbind gid = 10000-20000
template shell = /bin/false
winbind use default domain=yes
winbind separator=\
winbind enum users = yes
winbind enum groups = yes
Then restart the service and join the domain:
net ads join  -U  administrator
# wbinfo -u
Administrator
Guest
SUPPORT_388945a0
WIN2K3$
krbtgt
IUSR_WIN2K3
IWAM_WIN2K3
evan
gavin
josie
__vmware_user__
WIN2003$
jay
jerry
xh
cdma
HOST/squidlinux
# wbinfo -g
BUILTINwinbind enum users = yesSystem Operators
BUILTINwinbind enum users = yesReplicators
BUILTINwinbind enum users = yesGuests
BUILTINwinbind enum users = yesPower Users
BUILTINwinbind enum users = yesPrint Operators
BUILTINwinbind enum users = yesAdministrators
BUILTINwinbind enum users = yesAccount Operators
BUILTINwinbind enum users = yesBackup Operators
BUILTINwinbind enum users = yesUsers
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
DnsUpdateProxy
wt
hhhh
# wbinfo -r xh
Could not get groups for user xh
The groups the user belongs to cannot be found; I'm not sure whether the problem is in Samba?????

Compile parameters used:
./configure --prefix=/usr/local/squid --enable-gnuregex --enable-async-io=80 --enable-icmp --enable-kill-parent-hack --enable-snmp  --disable-ident-lookups  --enable-err-language="Traditional_Chinese"  --enable-poll --enable-linux-netfilter --enable-delay-pools --enable-snmp --enable-cache-digest --enable-auth="basic,ntlm" --enable-basic-auth-helpers="NCSA" --enable-ntlm-auth-helpers="fakeauth" --enable-underscores --enable-arp-acl --enable-linux-netfilter --enable-external-acl-helpers="wbinfo_group"

Configuration file contents:
visible_hostname squidlinux
http_port 3128
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
cache_dir ufs /usr/local/squid/var/cache 1200 16 256
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 hours

external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl ProxyUsers external NT_global_group wt
acl AuthenticatedUsers proxy_auth REQUIRED
http_access allow AuthenticatedUsers ProxyUsers

cache_effective_user test
cache_effective_group test
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
reply_body_max_size 1048576 allow all
Currently squid runs as the user test.
If I comment out the lines shown in blue,
the client machine (logged in as xh) can access the Internet;
otherwise it cannot.


This is the current situation.


Could the original poster (could you leave a contact method?) help me take a look.
Thanks

[ This post was last edited by xh0871 on 2006-8-23 18:24 ]
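In the wbinfo -g output above every BUILTIN group prints as "BUILTINwinbind enum users = yesSystem Operators" and so on: the text of the line after `winbind separator = \` has become the separator. smb.conf(5) continues any line that ends in a backslash onto the next line, so the two lines were read as one parameter. The parser below is an added example, not part of the thread, that applies that rule to a constructed fragment of the posted configuration; the default it falls back to is the one documented for smb.conf, so leaving the separator line out keeps the normal backslash.

```python
# Constructed fragment reproducing the winbind lines from the posted smb.conf.
AS_POSTED = """[global]
winbind use default domain = yes
winbind separator = \\
winbind enum users = yes
winbind enum groups = yes
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Mirrors the smb.conf(5) rules that matter here: a line ending in a
    backslash is continued on the next line, keys are case-insensitive,
    and surrounding whitespace is discarded.
    """
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation: join with next line
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending)
    sections, current = {}, "global"
    for line in logical:
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, _, value = stripped.partition("=")
        sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections

def winbind_separator(text):
    """Effective separator: the parsed value, else the documented default '\\'."""
    return parse_smb_conf(text).get("global", {}).get("winbind separator", "\\")

def group_name(domain, group, text):
    """How winbind would print a group from `domain` with this configuration."""
    return domain + winbind_separator(text) + group
```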





http://www.coctec.com/docs/service/show-post-19416.html