|
Autentificacion de Squid contra Active Directory |
|
|
|
|
Origen: Pablo Sarubbi - Efraim Wainerman
|
|
martes, 06 de marzo de 2007 |
En este articulo veremos una de las formas de instalar y configurar Squid para que autentique contra un servidor Windows 2003 con Active Directory.
Para ello elegimos la version Etch de Debian. Una vez instalada y actualizada procedemos a instalar el software complementario.
Mediante el uso del queridisimo comando apt-get install:
- squid
- squid-common
- samba-common
- libsmbclient
- smbclient
- libkrb53
- krb5-kdc
- krb5-config
- krb5-user
- winbind
Despues de asegurarnos que todos estos paquetes quedaron instalados tenemos que tocar un par de archivos de configuracion:
/etc/squid/squid.conf
# Active Directory configuration
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid Proxy Server
auth_param basic credentialsttl 2 hours
# Solo permitir usar el proxy a los usuarios autenticados
acl authenticated_users proxy_auth REQUIRED
...
http_access allow authenticated_users
/etc/samba/smb.conf
[global]
netbios name = proxyserver
realm = DOMAIN.COM
workgroup = DOMAIN
security = ADS
password server = dc01.domain.com dc02.domain.com dc03.domain.com
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
winbind enum users = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
winbind use default domain = yes
encrypt passwords = yes
log level = 3 passdb:5 auth:10 winbind:5
/etc/krb5.conf
[libdefaults]
ticket_lifetime = 600
default_realm = DOMAIN.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DOMAIN.COM = {
kdc = dc01.domain.com:88
kdc = dc02.domain.com:88
kdc = dc03.domain.com:88
admin_server = dc01.domain.com:749
default_domain = DOMAIN.COM
}
[domain_realm]
.domain.com = dc01.domain.com
domain.com = dc01.domain.com
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
/etc/pam.d/samba
auth required pam_nologin.so
auth required pam_stack.so service=system-auth-winbind
account required pam_stack.so service=system-auth-winbind
session required pam_stack.so service=system-auth-winbind
password required pam_stack.so service=system-auth-winbind
/etc/pam.d/squid
auth required /lib/security/pam_stack.so service=system-auth-winbind
account required /lib/security/pam_stack.so service=system-auth-winbind
/etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
Luego, y esto es muy importante, con un usuario de administrador de la red, ejecutamos:
net ads join Servers/Linux -U AdminAcct -S dc01.domain.com
En teoria esto seria todo.
Suerte
Links:
1. http://www.squid-cache.org/Doc/FAQ/FAQ_long.html#winbind
2. http://info.ccone.at/INFO/Samba-2.2.12/winbindd.8.html
3. http://acd.ucar.edu/~fredrick/linux/samba3/
4. http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain
Nota 1:
root# wbinfo -u --> para listar todos los usuarios de la red
root# wbinfo -g --> para listar todos los grupos de la red
root# getent passwd --> muestra los datos completos de cada usuario
root# getent group --> muestra los datos completos de cada grupo
|
