- upgrade samba to 3.5 (for win2008)
- edit /etc/samba/smb.conf
- edit /etc/krb5.conf
- edit /etc/pam.d/system-auth
- add winbind option in /etc/nsswitch.conf
- config iptables to allow 139,445,389 port, or allow all for testing
- change selinux to permissive or disable just for testing
- setup time, ensure no more than 5 min different with your DC
- startup smb, winbind, oddjobd
- join domain
- test with wbinfo, kinit, ntlm_auth, check if your linux host appear in AD\computer ou
- edit /etc/squid/squid.conf
- make sure squid group have permission to access /var/lib/samba/winbindd_privilege folder
- Startup squid
- client pc proxy config
- client pc edit group policy, change Network security: LAN Manager authentication level:Send LM & NTLM - use NTLMv2
- client pc test to access internet with user authentication
In other to make squid authentication work with win2008, we need to upgrade samba to 3.5 version.
You have to download the repo file manually if using centos 5 which is samba3.0.X
[root@centosvm ~]#vi /etc/yum.repo.d/sernet-samba.repo
[sernet-samba]
name=SerNet Samba Team packages (CentOS 5)
type=rpm-md
baseurl=http://ftp.sernet.de/pub/samba/3.5/centos/5
enabled=1
gpgcheck=0
or wget repo file and save in /etc/yum.repo.d/
[root@centosvm]# wget http://ftp.sernet.de/pub/samba/3.5/centos/5/sernet-samba.repo
[root@centosvm ~]#yum update
[root@centosvm ~]#yum update samba samba-client
[root@centosvm ~]#yum install samba3-winbind samba3-utils
==========================================
[root@centosvm ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MYDOMAIN.COM = {
kdc = 192.168.1.10
default_domain = MYDOMAIN.COM
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
==========================================
add following statement to /etc/pam.d/system-auth
session required pam_mkhomedir.so skel=/etc/skel umask=0022
==========================================
[root@centosvm ~]#cat /etc/samba/smb.conf
workgroup = MYDOMAIN
password server = 192.168.1.10
realm = MYDOMAIN.COM
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/false
winbind use default domain = yes
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes
server string = Samba Server Version %v
interfaces = lo eth0 192.168.1.0/24
hosts allow = 127. 192.168.1.
bind interfaces only = true
# logs split per machine
log file = /var/log/samba/%m.log
# max 50KB per log file, then rotate
max log size = 500
os level = 20
preferred master = no
dns proxy = no
load printers = yes
cups options = raw
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[root@centosvm ~]#service smb start
[root@centosvm ~]#service winbind start
[root@centosvm ~]#service oddjobd start
[root@centosvm ~]#service ntp start <----ensure time is same with DC
==========================================
NOTE: Ensure setting in /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
==========================================
[root@centosvm ~]#net ads join -U administrator
[root@centosvm ~]#kinit administrator
[root@centosvm ~]#ntlm_auth --username=ray
[root@centosvm ~]#wbinfo -t
[root@centosvm ~]#wbinfo -u
==========================================
[root@centosvm ~]# vi /etc/squid/squid.conf
http_port 3128
icp_port 3130
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_effective_user squid
cache_effective_group squid
coredump_dir /var/spool/squid
visible_hostname centosvm
access_log /var/log/squid/access.log squid
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
acl NTLMUsers proxy_auth REQUIRED
http_access allow all NTLMUsers
http_access allow manager localhost
http_access deny !localnet
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
icp_access allow all
http_access deny all
==========================================
[root@centosvm ~]# service squid start
NOTE: Ensure squid have permission to access /var/lib/samba/winbindd_privileged
eg: chown .squid /var/lib/samba/winbindd_privileged
Config client PC group policy, run "gpedit.msc" Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Change Network security: LAN Manager authentication level:Send LM & NTLM - use NTLMv2 session security if negotiated
發表文章
沒有留言:
張貼留言