[proxy] Squid with AD authentication

1  Posted 2006-08-22 13:26
There is very little material on this in the Linux world, and I could not find anything at all on the Internet about authentication based on AD groups, so I had to work it out item by item from the bundled documentation.

Basic functions achieved:
1: Group-based authentication against a 2003 AD;
2: Two desktop PCs are enough to do HA;

Setting up the proxy service involves the following steps:

Section 1: CentOS 4.3 Installation;
Section 2: CentOS 4.3 router and basic setting;
Section 3: Add Machine to AD;
Section 4: Squid 2.6 Stable3 Installation and Configuration;
Section 5: Linux High-Availability Installation and Configuration;
Section 6: Other Services based on Linux installation Procedure;


Section 1: CentOS 4.3 Installation
1. Prepare the relevant hardware information:
Hardware information:
GX280: PVI 2.6GHz; 2048MB 400DDR; 160 GB hard drives; 2 network cards.
CentOS 4.3, 4 CDs.
2. Insert the boot disc into the CD drive and reboot. Your BIOS settings may need to be changed to allow you to boot from the CD-ROM. After a short delay, a screen containing the boot: prompt should appear. Keep pressing ENTER, and click Skip when prompted to test the CD media.
3. Using your mouse, select the options listed below for the installation:
Language Selection: English (English)
Keyboard Configuration: U.S. English
Mouse Configuration: PS/2
Installation Type: Custom
Disk Partitioning Setup: Manually partition with Disk Druid.
File System (ext3)   Size            Description
/boot                100MB
<swap>               2048MB
/                    10000MB
/var                 40000MB (LVM)   For proxy log
/cache               80000MB         For proxy cache

Boot Loader Configuration:
Network Configuration:
              Eth0            Eth1
IP address    8.8.8.1         10.1.1.10
Subnet mask   255.255.255.0   255.255.255.0
Gateway                       10.1.1.5 (firewall)
Primary DNS                   10.1.1.33
Firewall Configuration: No Firewall / Disable SELinux
Additional language support: English (USA)
Time Zone Selection: Asia/Shanghai
Set Root Password: xxxxxxxx
Package Group Selection (include only the following):
    Applications:  Editors
                   Text-based Internet: add Lynx
    Servers:       Server configuration tools: default
                   Web Server: move squid only
Development tools: default
Proceed with Install
Do not create boot disk
The install will complete and the system will reboot.

[Last edited by seewo on 2006-8-23 14:37]

2  Posted 2006-08-22 13:32
Section 2: CentOS 4.3 router and basic setting
Log on as root (you can access the machine remotely using Putty.exe from Windows; SSH is enabled by default).
Modify /etc/resolv.conf as below:
domain test.com
search test.com
nameserver 10.1.1.33
Modify /etc/hosts as below:
127.0.0.1    uxpxchn localhost.localdomain localhost
10.1.1.10    uxpxchn uxpxchn.test.com uxpxchn
10.1.1.33    dc01    dc01.test.com
Modify /etc/rc.d/rc.local as below:
echo "" >/etc/issue
echo "" >/etc/issue.net
touch /var/lock/subsys/local
/sbin/route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.1.1.1
Add the routes for your internal network here; the default gateway is the firewall.

[Last edited by seewo on 2006-8-22 19:50]

3  Posted 2006-08-22 13:37
Section 3: Add uxpxchn to AD
1. Confirm that the following packages are available on the CentOS 4.3 system using this command:
root# rpm -qa | grep krb5
krb5-auth-dialog-0.2-1
krb5-devel-1.3.4-27
krb5-libs-1.3.4-27
pam_krb5-2.1.8-1
krb5-workstation-1.3.4-27
Kerberos Configuration: The system's Kerberos installation must be configured to communicate with your primary Active Directory server (ADS KDC).
Kerberos configuration steps:
Modify the /etc/krb5.conf file as below:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = TEST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 TEST.COM = {
  kdc = DC01.TEST.COM:88
  admin_server = DC01.TEST.COM:749
 }
[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
2. Now you are ready to test your installation by issuing the command:
root# kinit administrator@TEST.COM
Make sure that your password is accepted by the Active Directory KDC.
Kerberos is case sensitive. Your realm must be in UPPERCASE.
Securing Samba-3 with ADS support, steps:
Install samba-client-3.0.10-1.4E.6, samba-common-3.0.10-1.4E.6 and samba-3.0.10-1.4E.6 using the rpm command. Change the /etc/samba/smb.conf file so that it has contents similar to the list shown below:
[global]
workgroup = TEST
realm = TEST.COM
security = ADS
password server = DC01.TEST.COM
encrypt passwords = yes
wins server = DC01.TEST.COM
dns proxy = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/false
winbind use default domain = yes
# winbind separator is left at its default of "\". Writing "winbind separator = \"
# ends the line with a backslash, which smb.conf reads as a line continuation, so the
# line after it would be swallowed into the separator's value instead of being applied.
winbind enum users = yes
winbind enum groups = yes
3. For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication. Modify the /etc/nsswitch.conf file as below:
passwd: files winbind
shadow: files
group: files winbind
4. Next you need to create a computer account in the Active Directory. This sets up the trust relationship needed for other clients to authenticate to the Samba server with an Active Directory Kerberos ticket. This is done with the "net ads join -U administrator%Password" command. Then start your Active Directory-enabled Samba with the following commands (on CentOS the Samba init script is named smb):
root# chkconfig smb on
root# chkconfig winbind on
root# service smb start
root# service winbind start
5. We now need to test that Samba is communicating with the Active Directory domain; most specifically, we want to see whether winbind is enumerating users and groups. Issue the following commands:
root# wbinfo -t
This tests whether we are authenticating against the Active Directory tree. Using "wbinfo -u" enumerates all the users in your Active Directory tree; using "wbinfo -g" enumerates all the groups in your Active Directory tree.
6. Now we can create a computer account in the Active Directory. This sets up the trust relationship needed for other clients to authenticate to the Samba server with an Active Directory Kerberos ticket. This is done with the "net ads join -U [administrator%password]" command.
7. Squid uses the ntlm_auth helper built with Samba-3. You may test ntlm_auth with the command:
root# /usr/bin/ntlm_auth --username=administrator
password:
NT_STATUS_OK: Success (0x0)
8. Squid needs to read from the winbind privileged pipe. Remember to issue the following commands:
root# chgrp squid /var/cache/samba/winbindd_privileged
root# chmod -R 750 /var/cache/samba/winbindd_privileged
Squid, by default, runs as the user nobody. You need to add a system user squid and a system group squid if they are not set up already.
This completes joining AD and using the helper for Squid that ships with Samba (the one bundled with Squid does not work with Samba 3). The remaining parts will be posted next time.

[Last edited by seewo on 2006-8-22 19:51]

4  Posted 2006-08-22 18:26

Reply to seewo (post 1)

A question for the OP:
1. Is there a way, in Squid, to control which websites different Windows groups may visit?
2. I tried an external ACL with wb_group and did not succeed. winbind was enabled at compile time.
external_acl_type wb_group concurrency=5 ttl=900 %LOGIN /usr/local/squid/libexec/wb_group
#http_access allow all AclName
acl password proxy_auth REQUIRED
acl internetfull external wb_group -i IPVLINK+wt IPVLINK+hhhh

I don't know what to do next.
Thanks

5  Posted 2006-08-22 20:30
Once you have read it all you will know how. Continuing:

Section 4: Squid 2.5 Stable14 Installation and Configuration;
1. Add a system user squid and a system group squid:
root# useradd -s /bin/false -c "for Squid Only" squid
2. Squid must also have control over its logging.
root# mkdir /var/log/squid
root# chown squid:squid /var/log/squid
root# chmod 770 /var/log/squid
Finally, Squid must be able to write to its disk cache. Enter the following commands:
root# chown -R squid:squid /cache
root# chmod 770 /cache
3. Download squid 2.5 Stable14 and save it to /usr/local/src:
root# wget http://www.squid-cache.org/Versi ... -2.6.STABLE3.tar.gz
Compile and install Squid-2.6 Stable3:
root# tar zxvf squid-2.6.STABLE3.tar.gz
root# cd squid-2.6.STABLE3
root# ./configure --prefix=/usr/local/squid --sysconfdir=/etc/squid --enable-async-io=32 --enable-auth="basic,ntlm" --enable-external-acl-helpers="wbinfo_group" --enable-kill-parent-hack --enable-poll --enable-removal-policies="heap" --disable-icmp --disable-delay-pools --disable-useragent-log --disable-arp-acl --disable-ident-lookups --disable-internal-dns
root# make
root# make install
root# make clean
root# strip /usr/local/squid/sbin/squid
root# strip /usr/local/squid/libexec/dnsserver
root# strip /usr/local/squid/libexec/cachemgr.cgi
4. Move the cache manager program to /var/www/cgi-bin/:
root# mv /usr/local/squid/libexec/cachemgr.cgi /var/www/cgi-bin/cachemgr.cgi
Start httpd and squid automatically at boot:
root# chkconfig httpd on
root# ln -s /etc/rc.d/init.d/squid /etc/rc3.d/S96squid
squid.conf: see the next post

[Last edited by seewo on 2006-8-22 22:06]

6  Posted 2006-08-22 22:10
Squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl ProxyUsers external NT_global_group Domain_Internet_Users
acl AuthenticatedUsers proxy_auth REQUIRED
http_access allow AuthenticatedUsers ProxyUsers
Note: Domain_Internet_Users is a global group in AD; anyone who is a member of this group can access the Internet.

7  Posted 2006-08-22 22:22
A fellow member above asked how to let different groups visit different websites. I have tested the following method and it works fine!
external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl ProxyUsers external NT_global_group Domain_Internet_Users
acl Google_site dstdomain .google.com
acl GoogleUsers external NT_global_group Google_Groups

acl AuthenticatedUsers proxy_auth REQUIRED
http_access allow AuthenticatedUsers GoogleUsers Google_site
http_access allow AuthenticatedUsers ProxyUsers

Note: Google_Groups, like Domain_Internet_Users, is a global group in AD.

[Last edited by seewo on 2006-8-23 14:41]
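The following is an added example, not code from this thread, Squid or Samba: a Python helper that does what wbinfo_group.pl does behind the external_acl_type lines above, reading one "user group [group ...]" line per request (the %LOGIN name plus the group names from the acl line) and answering OK or ERR, and echoing the channel id that Squid prefixes to each line when concurrency=N is set (as in the wb_group attempt in post 4). DEMO_WBINFO and demo_run are a constructed stand-in for wbinfo so the logic runs offline; user xh is left out of the table on purpose, mirroring a failed "wbinfo -r" lookup, while the wbinfo function calls the real binary.

```python
import subprocess
import sys

def wbinfo(args):
    """Run the real wbinfo; return its stdout, or None on a non-zero exit."""
    proc = subprocess.run(["wbinfo", *args], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None

# Constructed stand-in for wbinfo (args tuple -> stdout) so the helper runs offline.
# "xh" has no "-r" entry: the group lookup fails for that user, as it did in the thread.
DEMO_WBINFO = {
    ("-n", "Domain_Internet_Users"): "S-1-5-21-1-2-3-1104 SID_DOM_GROUP (2)\n",
    ("-Y", "S-1-5-21-1-2-3-1104"): "10004\n",
    ("-n", "Google_Groups"): "S-1-5-21-1-2-3-1105 SID_DOM_GROUP (2)\n",
    ("-Y", "S-1-5-21-1-2-3-1105"): "10005\n",
    ("-n", "wt"): "S-1-5-21-1-2-3-1110 SID_DOM_GROUP (2)\n",
    ("-Y", "S-1-5-21-1-2-3-1110"): "10010\n",
    ("-r", "alice"): "10001\n10004\n",
    ("-r", "bob"): "10001\n10004\n10005\n",
}

def demo_run(args):
    return DEMO_WBINFO.get(tuple(args))

def user_in_group(user, group, run=wbinfo):
    """Same lookups as wbinfo_group.pl: group -> SID (-n) -> GID (-Y), then 'wbinfo -r user'."""
    sid_line = run(["-n", group])
    if not sid_line:
        return False
    gid = run(["-Y", sid_line.split()[0]])
    user_gids = run(["-r", user])        # None when winbind cannot map the user -> ERR
    if not gid or user_gids is None:
        return False
    return gid.strip() in user_gids.split()

def handle_line(line, run=wbinfo, concurrent=False):
    """One request line -> one reply. With concurrency=N the line starts with a channel id
    that must be echoed back; otherwise it is '<user> <group> [<group> ...]' (%LOGIN)."""
    fields = line.split()
    channel = ""
    if concurrent and fields:
        channel, fields = fields[0] + " ", fields[1:]
    if len(fields) < 2:
        return channel + "ERR"
    user, groups = fields[0], fields[1:]
    return channel + ("OK" if any(user_in_group(user, g, run) for g in groups) else "ERR")

if __name__ == "__main__":               # Squid keeps the helper alive, one request per line
    for request in sys.stdin:
        print(handle_line(request, concurrent="--concurrent" in sys.argv[1:]), flush=True)
```

A real deployment keeps the default wbinfo backend and points external_acl_type at this script. An ERR for a user winbind cannot map means the http_access allow line simply does not match, so that user is denied rather than let through.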

8  Posted 2006-08-23 10:25

Reply to seewo (post 7)

Thanks, but mine has not worked yet.
[root@squidlinux root]# wbinfo -g
BUILTINwinbind enum users = yesSystem Operators
BUILTINwinbind enum users = yesReplicators
BUILTINwinbind enum users = yesGuests
BUILTINwinbind enum users = yesPower Users
BUILTINwinbind enum users = yesPrint Operators
BUILTINwinbind enum users = yesAdministrators
BUILTINwinbind enum users = yesAccount Operators
BUILTINwinbind enum users = yesBackup Operators
BUILTINwinbind enum users = yesUsers
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
DnsUpdateProxy
wt
hhhh

[root@squidlinux root]# vi /usr/local/squid/etc/squid.conf
Here I followed the OP (and recompiled with the extra option); the configuration is:
external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl ProxyUsers external NT_global_group wt
acl AuthenticatedUsers proxy_auth REQUIRED
http_access allow AuthenticatedUsers ProxyUsers
cache_effective_user test
cache_effective_group test

Result: domain users cannot get online; if I comment out the external_acl_type lines there is no problem.

I cannot find where the cause is. My Samba joined the domain using the user test.
Thanks

9  Posted 2006-08-23 14:43
Could the poster above be more specific: which Linux distribution, which Squid version, and which compile options? Are you authenticating against AD or against an NT domain?

10  Posted 2006-08-23 16:22

Reply to seewo (post 9)

RedHat 9, kernel 2.4.20-8
samba-3.0.5-0.5, krb5-devel-1.2.7, squid-2.5.STABLE2.tar.gz
My server is Windows 2003.
I want to use NTLM for AD authentication.
On the server there is an account xh whose group is wt.

At the moment Linux is the proxy server (Squid runs as user test); authentication is already working and the machine has joined the domain.

Clients (Windows, with the LAN proxy set in IE, and also member computers of the domain) can currently visit websites without entering a password.

It is only the group-based access control (for example, allowing group wt to get online) that I can never get working; I have been looking for the cause all along.

Let me list part of the situation so you can have a look:
samba-3.0.5-0.5.1.i386.rpm
samba-client-3.0.5-0.5.1.i386.rpm
samba-common-3.0.5-0.5.1.i386.rpm
# rpm -Uvh samb*
Below is the Samba configuration file:
[global]
workgroup = IPVLINK.COM.CN
server string = Samba Server
printcap name = /etc/printcap
load printers = yes
printing = cups
log file = /var/log/samba/%m.log
max log size = 50
security = ads
realm = IPVLINK.COM.CN
password server = win2k3.IPVLINK.COM.CN
encrypt passwords = yes
wins server = win2k3.IPVLINK.COM.CN
dns proxy = no
winbind uid = 10000-20000
winbind gid = 10000-20000
template shell = /bin/false
winbind use default domain=yes
winbind separator=\
winbind enum users = yes
winbind enum groups = yes
Then restart the services and join the domain:
net ads join -U administrator
[root@squidlinux root]# wbinfo -u
Administrator
Guest
SUPPORT_388945a0
WIN2K3$
krbtgt
IUSR_WIN2K3
IWAM_WIN2K3
evan
gavin
josie
__vmware_user__
WIN2003$
jay
jerry
xh
cdma
HOST/squidlinux
[root@squidlinux root]# wbinfo -g
BUILTINwinbind enum users = yesSystem Operators
BUILTINwinbind enum users = yesReplicators
BUILTINwinbind enum users = yesGuests
BUILTINwinbind enum users = yesPower Users
BUILTINwinbind enum users = yesPrint Operators
BUILTINwinbind enum users = yesAdministrators
BUILTINwinbind enum users = yesAccount Operators
BUILTINwinbind enum users = yesBackup Operators
BUILTINwinbind enum users = yesUsers
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
DnsUpdateProxy
wt
hhhh
[root@squidlinux root]# wbinfo -r xh
Could not get groups for user xh

It cannot find the groups the user belongs to; I am not sure whether the problem is in Samba?

Options used when compiling:
./configure --prefix=/usr/local/squid --enable-gnuregex --enable-async-io=80 --enable-icmp --enable-kill-parent-hack --enable-snmp  --disable-ident-lookups  --enable-err-language="Traditional_Chinese"  --enable-poll --enable-linux-netfilter --enable-delay-pools --enable-snmp --enable-cache-digest --enable-auth="basic,ntlm" --enable-basic-auth-helpers="NCSA" --enable-ntlm-auth-helpers="fakeauth" --enable-underscores --enable-arp-acl --enable-linux-netfilter --enable-external-acl-helpers="wbinfo_group"

Configuration file contents:
visible_hostname squidlinux
http_port 3128
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
cache_dir ufs /usr/local/squid/var/cache 1200 16 256
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 hours

external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl ProxyUsers external NT_global_group wt
acl AuthenticatedUsers proxy_auth REQUIRED
http_access allow AuthenticatedUsers ProxyUsers


cache_effective_user test
cache_effective_group test
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
reply_body_max_size 1048576 allow all
Currently Squid runs as user test.
If I comment out the lines that were highlighted in blue, the client (logged in as xh) can get online; otherwise it cannot.

That is the current situation.

Could the OP (could you leave a contact method?) help me take a look?
Thanks

[Last edited by xh0871 on 2006-8-23 18:24]
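Added example (not from this thread or from Samba), serving the wbinfo -g output in post 8 and above: a minimal smb.conf parser that applies Samba's rule that a line ending in a backslash is continued on the next line, which is why the output reads "BUILTINwinbind enum users = yesSystem Operators". The "winbind separator=\" line swallows the line after it, so the separator becomes that whole line and "winbind enum users" is never set; POSTED is a constructed fragment of the configuration above, and FIXED drops the line because Samba's default separator is already "\".

```python
import re

# Constructed fragment of the smb.conf posted above. "\\" inside this Python literal is one
# backslash at the end of the line, exactly as it stands in the posted file.
POSTED = """[global]
winbind use default domain=yes
winbind separator=\\
winbind enum users = yes
winbind enum groups = yes
"""

# The same fragment with the harmful line dropped: Samba's default separator is already "\".
FIXED = POSTED.replace("winbind separator=\\\n", "")

def parse_smb_conf(text):
    """Parse smb.conf into {section: {parameter: value}}. As in Samba, a line that ends in a
    backslash is joined with the next line, so that next line becomes part of the value
    instead of a parameter of its own."""
    joined = re.sub(r"\\\n[ \t]*", "", text)
    sections, current = {}, None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def effective_separator(conf):
    """Separator winbind puts between domain and name ("\\" when the parameter is unset)."""
    return conf.get("global", {}).get("winbind separator", "\\")

def qualify(domain, name, conf, own_domain=False):
    """Name as winbind prints it: DOMAIN<sep>name, except that the joined domain is
    omitted when 'winbind use default domain' is yes (as in the posted config)."""
    glob = conf.get("global", {})
    if own_domain and glob.get("winbind use default domain", "no") == "yes":
        return name
    return domain + effective_separator(conf) + name
```

Running parse_smb_conf over a real smb.conf and checking that the separator is a single character is a quick way to catch this before wbinfo output looks strange.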