
Squid integrated with Windows Server AD

Linux environment

# lsb_release -idrc
Distributor ID: CentOS
Description:    CentOS release 6.4 (Final)
Release:        6.4
Codename:       Final

# uname -vr
2.6.32-358.el6.x86_64 #1 SMP Fri Feb 22 00:31:26 UTC 2013
Windows environment

Windows Server 2008 R2 Enterprise, Service Pack 1
Required packages

samba-3.6.9-151.el6.x86_64
samba-client-3.6.9-151.el6.x86_64
samba-common-3.6.9-151.el6.x86_64
samba-winbind-3.6.9-151.el6.x86_64
samba-winbind-clients-3.6.9-151.el6.x86_64
krb5-libs-1.10.3-10.el6_4.2.x86_64
squid-3.1.10-16.el6.x86_64
Preparing the Linux environment

Open the Kerberos and LDAP ports on the firewall (fw -> loc): 88 udp/tcp and 389 tcp. The domain join and winbind additionally need 445 tcp (SMB/RPC) to the domain controller, and DNS (53) must already reach it.

# yum install krb5-workstation krb5-libs krb5-auth-dialog
# yum install ntp
# yum install samba samba-client samba-winbind samba-winbind-clients
# yum install squid

krb5-server is not needed: the domain controller is the KDC, and krb5-workstation supplies kinit and klist for testing. samba-winbind and samba-winbind-clients provide winbindd, wbinfo and ntlm_auth, which the Squid helpers depend on.

Stopping the firewall service, which is enabled by default on this CentOS release

# service iptables stop
# service ip6tables stop
# chkconfig iptables off
# chkconfig ip6tables off

SELinux must be disabled; if it is enabled, set it to disabled and run "shutdown -r now" before continuing with the next steps.

# grep "^SELINUX=" /etc/selinux/config
SELINUX=disabled

Both changes widen the attack surface of a host that is also the network firewall: the local packet filter is gone and squid and winbindd run unconfined. If iptables is kept, the only inbound port this setup needs from the LAN is the proxy port (http_port, 3128 by default), and outbound to the DC it needs 53, 88, 389 and 445 as listed above. If SELinux is kept, run it in permissive mode first and check /var/log/audit/audit.log for denials involving squid or winbindd before switching to enforcing.
Checking name resolution: the primary DNS server must be the AD domain controller, because the Kerberos and LDAP service records (_kerberos._tcp, _ldap._tcp) live in AD DNS

# vi /etc/resolv.conf
nameserver 10.38.54.52
nameserver 10.38.54.253
Preparing the Kerberos configuration

# vi /etc/krb5.conf
[libdefaults]
 default_realm = CANCELLA.BR
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 CANCELLA.BR = {
  kdc = 10.38.54.52
  admin_server = 10.38.54.52:749
  default_domain = cancella.br
 }

[domain_realm]
 .cancella.br = CANCELLA.BR
 cancella.br = CANCELLA.BR

[login]
 krb4_convert = true
 krb4_get_tickets = false

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

The realm is the AD domain name in upper case, and default_domain takes the DNS domain, not the address of the domain controller. With dns_lookup_kdc = false the library only ever contacts the kdc entries listed here, so add one kdc line per domain controller if the domain has more than one; the [login] krb4 entries are legacy and can be dropped. kinit and klist from krb5-workstation confirm that a ticket can be obtained for a domain user before Samba is touched.
Configuring user and group lookups through winbind in /etc/nsswitch.conf

passwd:     files winbind
shadow:     files
group:      files winbind

Keeping files first means local accounts (root, squid) resolve without a round trip to winbindd, so lookups keep working while winbind is down or the DC is unreachable.

Standardising name resolution through /etc/hosts

# vi /etc/hosts
127.0.0.1       localhost.cancella.br localhost
10.38.54.111    firewall.cancella.br firewall
10.38.54.52     WIN-NLGEC8QTEQ8.cancella.br WIN-NLGEC8QTEQ8

# hostname firewall.cancella.br
# grep HOSTNAME /etc/sysconfig/network
HOSTNAME=firewall.cancella.br

List the fully qualified name before the short alias on each line; tools that derive the host's DNS domain from its canonical name depend on that order.
Changes to smb.conf for authentication against ADS

Keep a copy of the packaged file first, then strip its comments and blank lines so that only active settings remain:

# grep -v "^#" /etc/samba/smb.conf | grep -v "\;" | grep -v "^$" > /tmp/smb.out
# mv /tmp/smb.out /etc/samba/smb.conf
# vi /etc/samba/smb.conf
[global]
        workgroup = CANCELLA
        realm = CANCELLA.BR
        server string = Samba Server Version %v
        security = ADS
        winbind use default domain = Yes
        cups options = raw

[homes]
        comment = Home Directories
        browseable = no
        writable = yes

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

# testparm -s

workgroup is the NetBIOS (pre-Win2k) domain name and realm the Kerberos realm; both must match what net ads lookup reports below. winbind use default domain = Yes lets users authenticate as jorge.back rather than CANCELLA\jorge.back, which is the form the Squid ACLs expect. No idmap range is configured: the proxy only authenticates users and never maps them to Unix uids, so that is sufficient here. The [homes] and [printers] shares come from the packaged file and serve no purpose on a proxy; removing them avoids exporting home directories from the firewall host.
Testing the integration with AD

# net ads lookup -S CANCELLA.BR -U administrator
Enter administrator's password:
Information for Domain Controller: 10.38.54.52

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 1d6cc770-17f0-4f6f-8a36-6f0e07d290e1
Flags:
        Is a PDC:                                   yes
        Is a GC of the forest:                      yes
        Is an LDAP server:                          yes
        Supports DS:                                yes
        Is running a KDC:                           yes
        Is running time services:                   yes
        Is the closest DC:                          yes
        Is writable:                                yes
        Has a hardware clock:                       yes
        Is a non-domain NC serviced by LDAP server: no
        Is NT6 DC that has some secrets:            no
        Is NT6 DC that has all secrets:             yes
Forest:                 cancella.br
Domain:                 cancella.br
Domain Controller:      WIN-NLGEC8QTEQ8.cancella.br
Pre-Win2k Domain:       CANCELLA
Pre-Win2k Hostname:     WIN-NLGEC8QTEQ8
Server Site Name :              Default-First-Site-Name
Client Site Name :              Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

This is a CLDAP query to the domain controller. The values to check are that the DC is running a KDC and is an LDAP server, and that Forest/Domain and Pre-Win2k Domain match realm and workgroup in smb.conf.
Date and time adjustment

Checking the date/time offset against the AD server: the clocks of the Linux and Windows servers must be synchronised, because Kerberos rejects requests whose timestamp differs from the KDC's by more than five minutes (the default clockskew).

# ntpdate pcdsh05.on.br
 6 Jun 15:48:31 ntpdate[11422]: step time server 200.20.186.75 offset -3.401446 sec
# net ads info
LDAP server: 10.38.54.52
LDAP server name: WIN-NLGEC8QTEQ8.cancella.br
Realm: CANCELLA.BR
Bind Path: dc=CANCELLA,dc=BR
LDAP port: 389
Server time: Thu, 06 Jun 2013 15:55:58 BRT
KDC server: 10.38.54.52
Server time offset: -6

A one-off ntpdate only corrects the current drift. Configure ntpd (installed above) to use the same time source as the domain controller, or the controller itself, so the offset stays small after reboots; a remaining offset of a few seconds, as here, is well inside the tolerance.
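The three conditions that decide whether the join and the Squid helpers will work (clock inside the Kerberos skew window, a domain controller as first nameserver, the squid account able to reach the winbindd privileged pipe) can be checked before running net ads join. The script below is an added example and not part of the original tutorial; its functions read plain text or files, so they run against captured output as well as against the live system, and the --live branch and the constructed net ads info sample are assumptions rather than something the page shows.

```shell
#!/bin/bash
# Added preflight checks for the Samba/Kerberos integration above (hypothetical
# helper, not from the original tutorial). Each check reads plain text or a
# file so it works on captured output as well as on the live system.

# Kerberos rejects tickets when client and KDC clocks differ by more than
# clockskew (300 s by default). Reads `net ads info` output on stdin.
# Returns 0 when |Server time offset| is within $1 seconds (default 300),
# 1 when it is not, 2 when no offset line was found.
ads_skew_ok() {
    local max=${1:-300} offset
    offset=$(sed -n 's/^Server time offset: *\(-\{0,1\}[0-9][0-9]*\).*/\1/p')
    [ -n "$offset" ] || return 2
    offset=${offset#-}                 # absolute value
    [ "$offset" -lt "$max" ]
}

# SRV lookups for _kerberos._tcp and _ldap._tcp only succeed when the first
# nameserver is a domain controller. $1 = resolv.conf path, rest = DC addresses.
first_nameserver_is_dc() {
    local conf=$1 first dc
    shift
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$conf")
    for dc in "$@"; do
        [ "$first" = "$dc" ] && return 0
    done
    return 1
}

# ntlm_auth opens the pipe under winbindd_privileged (mode 750), so the squid
# account must be in the directory's group. $1 = group owning the directory,
# $2 = space-separated groups of the squid user (e.g. output of `id -Gn squid`).
squid_can_reach_winbind() {
    local dir_group=$1 g
    for g in $2; do
        [ "$g" = "$dir_group" ] && return 0
    done
    return 1
}

# Constructed sample in the format of `net ads info`, using the offset the
# tutorial observed; only used for the offline self-check.
SAMPLE_ADS_INFO='LDAP server: 10.38.54.52
Realm: CANCELLA.BR
KDC server: 10.38.54.52
Server time offset: -6'

# Live mode: run the checks on this host (needs samba-common and a reachable DC).
if [ "${1:-}" = "--live" ]; then
    net ads info | ads_skew_ok \
        || echo "clock skew outside Kerberos tolerance: sync ntpd with the DC" >&2
    first_nameserver_is_dc /etc/resolv.conf 10.38.54.52 \
        || echo "first nameserver in /etc/resolv.conf is not the DC" >&2
    squid_can_reach_winbind "$(stat -c %G /var/lib/samba/winbindd_privileged)" \
        "$(id -Gn squid)" \
        || echo "squid is not in the group owning winbindd_privileged" >&2
fi
```

Run it as ./preflight.sh --live on the proxy after the steps above and before the join; each failing check prints one line on stderr naming the setting to fix. The offset check deliberately compares against 300 s rather than zero, because the goal is a working Kerberos exchange, not a perfect clock.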
Adding the Linux server to the AD domain

Find the Windows server's host name by opening PowerShell or the command prompt and running hostname. In this setup it produced a DNS error, which I attribute to the AD DNS configuration.

# smbclient -L WIN-NLGEC8QTEQ8 -U Administrator%*********
Domain=[CANCELLA] OS=[Windows Server 2008 R2 Enterprise 7601 Service Pack 1] Server=[Windows Server 2008 R2 Enterprise 6.1]

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
Domain=[CANCELLA] OS=[Windows Server 2008 R2 Enterprise 7601 Service Pack 1] Server=[Windows Server 2008 R2 Enterprise 6.1]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

# net ads join -U Administrator%*********
Using short domain name -- CANCELLA
Joined 'FIREWALL' to dns domain 'cancella.br'
No DNS domain configured for firewall. Unable to perform DNS Update.
DNS update failed!
# net ads testjoin
Join is OK

Type the password at the prompt (-U Administrator with no %password) rather than appending it: a command-line argument is visible to every local user in ps output and stays in the shell history, and here it is the Domain Administrator password. Joining only requires an account allowed to create computer objects in the domain, which need not be Domain Administrator. The DNS update failure concerns only the dynamic registration of firewall.cancella.br in AD DNS; the join itself succeeded, as testjoin confirms, so add the A record by hand on the DNS server if clients need to resolve the proxy by name.
Enabling the samba and winbind services

# service smb start
# service nmb start
# service winbind start
# chkconfig smb on
# chkconfig nmb on
# chkconfig winbind on

Only winbind is required for ntlm_auth and the Squid helpers. smb and nmb serve the [homes] and [printers] shares and the NetBIOS name service, which nothing in this setup uses; leaving them stopped keeps SMB off the firewall host. Once winbind is up, wbinfo -t checks the machine account trust secret and wbinfo -p that the daemon answers.
Checking connectivity with AD for groups and users

# wbinfo -u
administrator
guest
krbtgt
jorge.back
danton
thadeu.sandero
lucia.rocha
joao.silva
jose.santos
luis.oliveira
lucas.sousa
matheus.pereira
felipe
openfire
novo1
novo2
usuario1
usuario2
# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
suporte
administrativo
treinamento
spark
comercial
atendimento
cancella-matriz
cancella-filia
Adjusting the environment

Adjust the permissions for access to the winbind privileged pipe, which ntlm_auth needs.

# ls -ld /var/lib/samba/winbindd_privileged
drwxr-x---. 2 root wbpriv 4096 Jun  6 17:15 /var/lib/samba/winbindd_privileged
# chgrp squid /var/lib/samba/winbindd_privileged

The directory is 750 root:wbpriv, so the helper running as squid can only open the pipe if it belongs to the owning group. Adding the squid user to wbpriv (usermod -a -G wbpriv squid, followed by a Squid restart) achieves the same without changing the ownership, which a samba package update would otherwise reset.


Configuring SQUID to operate integrated with AD

Squid 3 ships with a preconfigured localnet acl and its http_access allow rule, which must be commented out; the entries below must keep their order (the -v 3 parameter should not be used with Win2k3 environments).

# vi /etc/squid/squid.conf
...
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic realm Servidor Proxy Cancella Informatica
auth_param basic credentialsttl 2 hours
...
external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R \
        -b "dc=cancella,dc=br" -B "dc=cancella,dc=br" \
        -f "(&(cn=%a)(member=%v)(objectClass=group))" \
        -F "(|(samAccountName=%s)(cn=%s))" \
        -D "CN=Administrator,CN=Users,dc=cancella,dc=br" -w p0w3r7@2013 -v 3 -h 10.38.54.52
acl auth_users proxy_auth REQUIRED
...
acl grp_suporte external ldap_group suporte
acl grp_comercial external ldap_group comercial
acl grp_cancella-matriz external ldap_group cancella-matriz
...
acl sites_liberados url_regex -i "/etc/squid/sites_liberados"
acl sites_padrao url_regex -i "/etc/squid/sites_padrao"
acl sites_bloqueados url_regex -i "/etc/squid/sites_bloqueados"
acl sites_comercial url_regex -i "/etc/squid/sites_comercial"
acl palavras url_regex -i "/etc/squid/palavras"
acl sites_noticias url_regex -i "/etc/squid/sites_noticias"
...
http_access allow sites_liberados
http_access allow grp_suporte !sites_bloqueados !palavras
http_access allow grp_comercial sites_comercial
http_access allow grp_cancella-matriz !sites_bloqueados !palavras sites_padrao
http_access deny all

How the pieces fit: the ntlm helper hands the browser's NTLMSSP exchange to winbind, and the resulting user name reaches squid_ldap_group as %LOGIN. For each grp_* acl the helper first resolves the user's DN with the -F filter (searching under -B), then substitutes that DN for %v and the group name for %a in the -f filter (searching under -b) and answers OK when the user is a direct member of the group. member= does not follow nested groups; AD's matching rule member:1.2.840.113556.1.4.1941:= in its place does. The http_access rules are evaluated top to bottom and the first match wins, so sites_liberados is reachable without authentication, every rule that names a grp_* acl triggers the NTLM challenge, and anything not explicitly allowed falls through to deny all.

Two things in this fragment should not go into production as they stand. The bind credential is the Domain Administrator password in clear text in squid.conf and on the helper's command line; a read-only LDAP bind needs no privilege beyond that of a plain domain user, and squid_ldap_group reads the password from a file given with -W instead of -w, so it never appears in the process list. Second, the basic realm and credentialsttl lines do nothing unless an auth_param basic program line exists; if browsers without NTLM support must be served, add one (ntlm_auth with --helper-protocol=squid-2.5-basic), otherwise drop the two basic lines.


# service squid start
# chkconfig squid on

Rebuilding the squidGuard database after editing the blacklists

# squidGuard -b -u -C all
# chown -R squid:squid /var/squidGuard/db/*
# find /var/squidGuard/db -type f | xargs chmod 644
# find /var/squidGuard/db -type d | xargs chmod 755
# service squid reload

squidGuard is not among the packages listed at the top and needs its own url_rewrite_program entry in squid.conf. service squid reload runs squid -k reconfigure, which is all that is needed for Squid to pick up the rebuilt database.
