Configuring Kerberos
Edit the “/etc/krb5.conf” file:
[libdefaults]
ticket_lifetime = 600
default_realm = DOMAIN.EXAMPLE
[realms]
DOMAIN.EXAMPLE = {
kdc = Server.DOMAIN.EXAMPLE
admin_server = Server.DOMAIN.EXAMPLE
default_domain = DOMAIN.EXAMPLE
}
[domain_realm]
.domain = DOMAIN.EXAMPLE
domain = DOMAIN.EXAMPLE
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Edit (or create, if it does not exist) the “/etc/krb.realms” file:
.domain.example domain.example
Configure Samba
Edit the “/etc/samba/smb.conf” file. Below is an example of the configuration required:
[global]
workgroup = SHORT_NAME_DOMAIN.EXAMPLE
netbios name = Proxy
realm = DOMAIN.EXAMPLE
server string = Linux Samba Server
security = ads
encrypt passwords = Yes
# password server = Server.DOMAIN.EXAMPLE
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = False
local master = No
domain master = False
dns proxy = No
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
os level = 1
use kerberos keytab = yes
Configuring Squid
Edit the “/etc/squid/squid.conf” file. If you grant internet access based on AD group membership, below is an example of the configuration required:
#
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param ntlm children 25
auth_param ntlm keep_alive off
#
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
#
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1 hours
# Use the -d parameter after wbinfo_group.pl for debugging. I am using the patched
# wbinfo_group.pl shown further down.
external_acl_type nt_group ttl=10 %LOGIN /usr/lib/squid/wbinfo_group.pl -d
#
acl snmppublic snmp_community SuperSecretKey
acl all src all
acl local_intranet dst 10.0.0.0/8 192.168.0.0/16 172.16.0.0/16
# My nets
acl servers_dc src 10.10.10.1 10.10.11.1
# In file "/etc/squid/acl/block.acl" We have placed blocking URL pattern
# New pattern on each new string
acl bad_url url_regex -i "/etc/squid/acl/block.acl"
acl domain_users proxy_auth REQUIRED
acl inet_users external nt_group "/etc/squid/allowed-groups"
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8443 1494 7443 # https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 777 # multiling http
acl purge method PURGE
acl CONNECT method CONNECT
#
#http_access allow all
http_access deny bad_url
# cache manager only from the proxy itself
http_access allow manager localhost
http_access allow servers_dc
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow domain_users inet_users
http_access deny all
icp_access deny all
http_port 8080
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/spool/squid 12000 16 256
access_log /var/log/squid/access.log squid
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
#icon_directory /etc/squid/icons
#error_directory /etc/squid/errors/Russian-1251
hosts_file /etc/hosts
#coredump_dir /var/squid
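As an added example (not part of the post's configuration), here is a small Python model of how Squid walks the http_access lines above: every ACL on a line must match, "!" negates an ACL, and the first matching line decides. The ACL matching is simplified; the user/group directory, the block list and the allowed-groups set are constructed stand-ins for winbind and for the two files, and the cache manager line is taken as "allow manager localhost" as in the stock Squid configuration. It shows why the deny lines for bad_url, !Safe_ports and CONNECT !SSL_ports sit before the authenticated allow, and how a bare url_regex pattern such as "xxx" or "mail.ru" matches more than the name it was written for.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for /etc/squid/acl/block.acl and /etc/squid/allowed-groups (decoded).
BLOCK_ACL = ["xxx", "porno", "facebook.com", "vk.com", "gmail.com", "mail.ru", "youtube.com"]
ALLOWED_GROUPS = {"inet access group", "inet_boss_group", "sales unit"}
# Constructed directory, user -> AD groups; stands in for winbind / wbinfo_group.pl.
DIRECTORY = {
    "alice": {"domain users", "inet access group"},
    "bob": {"domain users"},
}
SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 777} | set(range(1025, 65536))
SSL_PORTS = {443, 563, 8443, 1494, 7443}
SERVERS_DC = {"10.10.10.1", "10.10.11.1"}


@dataclass
class Request:
    src: str                    # client IP
    method: str                 # GET, CONNECT, ...
    url: str
    port: int                   # destination port
    user: Optional[str] = None  # None: no valid Proxy-Authorization credentials


def acl(name: str, req: Request) -> bool:
    """Evaluate one of the named ACLs from the squid.conf above (simplified)."""
    if name == "bad_url":        # url_regex -i: regex searched anywhere in the URL
        return any(re.search(p, req.url, re.IGNORECASE) for p in BLOCK_ACL)
    if name == "manager":        # proto cache_object
        return req.url.startswith("cache_object://")
    if name == "localhost":
        return req.src == "127.0.0.1"
    if name == "servers_dc":
        return req.src in SERVERS_DC
    if name == "Safe_ports":
        return req.port in SAFE_PORTS
    if name == "SSL_ports":
        return req.port in SSL_PORTS
    if name == "CONNECT":
        return req.method == "CONNECT"
    if name == "domain_users":   # proxy_auth REQUIRED: any authenticated user
        return req.user is not None
    if name == "inet_users":     # external nt_group: member of a listed group
        return req.user is not None and bool(DIRECTORY.get(req.user, set()) & ALLOWED_GROUPS)
    if name == "all":
        return True
    raise KeyError(f"undefined acl {name}")


# The http_access lines in file order: all terms on a line must match,
# "!" negates a term, the first matching line decides.
HTTP_ACCESS = [
    ("deny", ["bad_url"]),
    ("allow", ["manager", "localhost"]),
    ("allow", ["servers_dc"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["domain_users", "inet_users"]),
    ("deny", ["all"]),
]


def term(t: str, req: Request) -> bool:
    return not acl(t[1:], req) if t.startswith("!") else acl(t, req)


def decide(req: Request) -> str:
    """Return 'allow' or 'deny' for a request; the first matching line wins.
    (Real Squid sends a 407 challenge when proxy_auth is consulted without
    credentials; here that line simply fails to match.)"""
    for action, terms in HTTP_ACCESS:
        if all(term(t, req) for t in terms):
            return action
    return "deny"  # unreachable here because of the final "deny all"


if __name__ == "__main__":
    samples = [
        Request("192.168.1.5", "GET", "http://www.example.com/", 80, "alice"),
        Request("192.168.1.5", "GET", "http://www.example.com/", 80, "bob"),
        Request("192.168.1.5", "CONNECT", "mail.example.com:22", 22, "alice"),
        Request("192.168.1.5", "GET", "http://mailxru.example/", 80, "alice"),
    ]
    for r in samples:
        print(f"{r.user or '-':6} {r.method:8} {r.url:30} -> {decide(r)}")
```

Note that the order matters in both directions: moving "allow domain_users inet_users" above "deny !Safe_ports" would let an authenticated user CONNECT to any port, and moving "deny bad_url" below it would let the block list be bypassed by nobody but would still be evaluated after an authentication round trip for every request.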
Create and edit the blocked-URL pattern file "/etc/squid/acl/block.acl", one pattern per line, for example below. Keep in mind that url_regex -i treats each line as a case-insensitive regular expression searched anywhere in the URL: "xxx" blocks any URL containing that string, and an unescaped dot matches any character, so "mail.ru" also matches "mailxru".
xxx
porno
facebook.com
vk.com
gmail.com
mail.ru
youtube.com
Create and edit the allowed-groups file "/etc/squid/allowed-groups", one AD group per line with spaces encoded as %20:
SHORT_NAME_DOMAIN.EXAMPLE\inet%20access%20group
SHORT_NAME_DOMAIN.EXAMPLE\inet_boss_group
SHORT_NAME_DOMAIN.EXAMPLE\sales%20unit
The spaces in the group names must be escaped so that each entry reaches the authentication script as a single argument: as “inet%20access%20group” in the file above, or with backslashes as “inet\ access\ group”. The built-in Perl script that provisions group access is not very sophisticated, but it does the job. The only issue is that, as is likely, your AD group names contain spaces, in which case the script needs to be finessed slightly.
# cp /usr/lib/squid/wbinfo_group.pl /usr/lib/squid/wbinfo_group.pl.orig
Edit the file. The version below will allow groups with spaces:
#!/usr/bin/perl -w
#
# (Header comments of the original script cut by the post's author.)
#
# Globals
#
use vars qw/ %opt /;
# Disable output buffering: Squid waits for each answer line
$|=1;
sub debug {
print STDERR "@_\n" if $opt{d};
}
#
# Check if a user belongs to a group
#
sub check {
local($user, $group) = @_;
# Resolve the group name to its SID and the SID to the local GID.
# \Q...\E escapes spaces and shell metacharacters in the group name,
# the same way the user name is escaped below.
$groupSID = `wbinfo -n \Q$group\E | cut -d" " -f1`;
chomp $groupSID;
$groupGID = `wbinfo -Y \Q$groupSID\E`;
chomp $groupGID;
&debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
# An unknown group yields an empty or non-numeric GID: never treat that as a match
return 'ERR' unless $groupGID =~ /^\d+$/;
# wbinfo -r prints the GIDs of all groups the user belongs to, one per line
return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
return 'ERR';
}
#
# Command line options processing
#
sub init()
{
use Getopt::Std;
my $opt_string = 'hd';
getopts( "$opt_string", \%opt ) or usage();
usage() if $opt{h};
}
#
# Message about this program and how to use it
#
sub usage()
{
print "Usage: wbinfo_group.pl -dh\n";
print "\t-d enable debugging\n";
print "\t-h print the help\n";
exit;
}
init();
print STDERR "Debugging mode ON.\n" if $opt{d};
#
# Main loop: Squid sends "<user> <group> [<group> ...]" on one line and
# expects exactly one "OK" or "ERR" line back
#
while (<STDIN>) {
chomp;
&debug ("Got $_ from squid");
($user, @groups) = split(/\s+/);
# Undo the %XX encoding Squid applies to %LOGIN
$user =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("C",hex($1))/eg;
$ans = 'ERR';   # answer when no group is given or none matches
# Test each group Squid sends in its request
foreach $group (@groups) {
$group =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("C",hex($1))/eg;
# The line added for this post: turns a literal "%20" into a space so that
# group names with spaces can be listed in /etc/squid/allowed-groups
# (the decode above already handles it; kept for clarity)
$group=~ s/%20/ /g;
$ans = &check($user, $group);
last if $ans eq "OK";
}
&debug ("Sending $ans to squid");
print "$ans\n";
}
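To see what the helper actually has to do, here is the same logic in Python as an added example; it is not the post's script and not part of Squid or Samba. The three wbinfo calls are hidden behind a FakeWinbind class with constructed data, so the %XX decoding and the OK/ERR line protocol can be exercised without a domain. A production version would replace those three methods with subprocess.run(["wbinfo", "-n", group], ...) style calls, passing arguments as a list rather than through a shell so that spaces and backslashes in group names need no quoting at all.

```python
import re
import sys

PCT = re.compile(r"%([0-9a-fA-F]{2})")


def pct_decode(s: str) -> str:
    """Undo the %XX encoding Squid applies to %LOGIN and to the acl arguments,
    so 'inet%20access%20group' becomes 'inet access group'."""
    return PCT.sub(lambda m: chr(int(m.group(1), 16)), s)


class FakeWinbind:
    """Constructed stand-in for the three wbinfo calls the Perl script makes:
    -n (group name -> SID), -Y (SID -> GID) and -r (user -> GIDs)."""

    def __init__(self, group_sids, sid_gids, user_gids):
        self._group_sids = group_sids
        self._sid_gids = sid_gids
        self._user_gids = user_gids

    def group_sid(self, name):
        return self._group_sids.get(name)

    def sid_gid(self, sid):
        return self._sid_gids.get(sid)

    def user_gids(self, user):
        return self._user_gids.get(user, [])


# Constructed sample directory used by the demo below and by the test.
SAMPLE_WINBIND = FakeWinbind(
    group_sids={r"DOMAIN\inet access group": "S-1-5-21-1-2-3-1105",
                r"DOMAIN\sales unit": "S-1-5-21-1-2-3-1106"},
    sid_gids={"S-1-5-21-1-2-3-1105": 10005, "S-1-5-21-1-2-3-1106": 10006},
    user_gids={"alice": [10000, 10005], "bob": [10000]},
)


def check(wb, user: str, group: str) -> str:
    """Same steps as the Perl check(): group name -> SID -> GID, then test
    whether that GID is among the GIDs the user belongs to."""
    sid = wb.group_sid(group)
    gid = wb.sid_gid(sid) if sid is not None else None
    if gid is None:            # unknown group: never grant access
        return "ERR"
    return "OK" if gid in wb.user_gids(user) else "ERR"


def handle_line(wb, line: str) -> str:
    """One request line from Squid, '<user> <group> [<group> ...]';
    answer 'OK' if the user is in any listed group, else 'ERR'."""
    fields = line.split()      # Squid separates arguments by whitespace,
    if not fields:             # which is why spaces must arrive as %20
        return "ERR"
    user = pct_decode(fields[0])
    for group in fields[1:]:
        if check(wb, user, pct_decode(group)) == "OK":
            return "OK"
    return "ERR"


def main(wb=SAMPLE_WINBIND):
    # Helper protocol: one line in, exactly one line out, flushed at once,
    # because Squid blocks on the answer.
    for line in sys.stdin:
        sys.stdout.write(handle_line(wb, line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Squid starts the helper once per child and feeds it one line per lookup; if the reply is not flushed immediately the request stalls until the helper's stdout buffer fills. With ttl=10 on the external_acl_type line, a positive or negative answer is cached for ten seconds, so a group membership change takes up to that long to be noticed.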
Join the Domain
Now join the server to the domain. You will be prompted for the Administrator password from time to time.
# kinit Administrator@DOMAIN.EXAMPLE
# net ads join -U Administrator
# net ads keytab create -U Administrator
# net ads keytab add HTTP -U Administrator
Start the Services
You need to start Samba, winbindd and Squid to use the authentication mechanism.
Testing
The following command tests raw AD authentication through winbind (ntlm_auth):
# /usr/bin/ntlm_auth --domain=DOMAIN.EXAMPLE --username=AnyUser
The following tests whether winbindd is available:
# wbinfo -p
The following will return a complete list of users visible in the AD:
# wbinfo -u
The following will return a complete list of groups visible in the AD:
# wbinfo -g
The following will test the group auth script. It is interactive and you must use [CTRL]+C to exit.
# /usr/lib/squid/wbinfo_group.pl
At the prompt enter:
DOMAIN.EXAMPLE\AnyUsername inet%20access%20group