Linux environment

# lsb_release -idrc
Distributor ID: CentOS
Description:    CentOS release 6.4 (Final)
Release:        6.4
Codename:       Final
# uname -vr
2.6.32-358.el6.x86_64 #1 SMP Fri Feb 22 00:31:26 UTC 2013
Windows environment
samba-winbind-3.6.9-151.el6.x86_64
samba-3.6.9-151.el6.x86_64
samba-winbind-clients-3.6.9-151.el6.x86_64
samba-client-3.6.9-151.el6.x86_64
samba-common-3.6.9-151.el6.x86_64
krb5-libs-1.10.3-10.el6_4.2.x86_64
squid-3.1.10-16.el6.x86_64
Preparing the Linux environment

Open the LDAP ports, 88 udp and 389, on the firewall (fw -> loc).
Stop the firewall service, which is enabled by default in this CentOS version.
# vi /etc/resolv.conf
nameserver 10.38.54.52
nameserver 10.38.54.253
Preparing the Kerberos configuration

# vi /etc/krb5.conf
[libdefaults]
 default_realm = CANCELLA.BR
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 CANCELLA.BR = {
  kdc = 10.38.54.52
  admin_server = 10.38.54.52:749
  default_domain = 10.38.54.52
 }

[domain_realm]
 .cancella.br = CANCELLA.BR
 cancella.br = CANCELLA.BR

[login]
 krb4_convert = true
 krb4_get_tickets = false

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
Configuring winbind authentication in /etc/nsswitch.conf

passwd:     winbind files
shadow:     files
group:      winbind files

# vi /etc/hosts
127.0.0.1      localhost.cancella.br localhost
10.38.54.111   firewall.cancella.br firewall
10.38.54.52    WIN-NLGEC8QTEQ8 WIN-NLGEC8QTEQ8.cancella.br
# hostname firewall.cancella.br
# grep HOSTNAME /etc/sysconfig/network
HOSTNAME=firewall.cancella.br
Changes to smb.conf for authentication against ADS

# mv /tmp/smb.out /etc/samba/smb.conf
# vi /etc/samba/smb.conf
[global]
	workgroup = CANCELLA
	realm = CANCELLA.BR
	server string = Samba Server Version %v
	security = ADS
	winbind use default domain = Yes
	cups options = raw

[homes]
	comment = Home Directories
	browseable = no
	writable = yes

[printers]
	comment = All Printers
	path = /var/spool/samba
	browseable = no
	guest ok = no
	writable = no
	printable = yes
# testparm -s
AD integration test

Domain controller information returned by the lookup:
	Is a GC of the forest:      yes
	Is an LDAP server:          yes
	Supports DS:                yes
	Is running a KDC:           yes
	Is writable:                yes
Forest:             cancella.br
Domain:             cancella.br
Domain Controller:  WIN-NLGEC8QTEQ8.cancella.br
Pre-Win2k Domain:   CANCELLA
Pre-Win2k Hostname: WIN-NLGEC8QTEQ8
Server Site Name :  Default-First-Site-Name
Client Site Name :  Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
Date and time adjustment

Check the date/time offset against the AD server; the clocks on the Linux server and the Windows server must be synchronized, since Kerberos rejects requests from clients whose clocks are too far from the KDC's.

# ntpdate pcdsh05.on.br
 6 Jun 15:48:31 ntpdate[11422]: step time server 200.20.186.75 offset -3.401446 sec
# net ads info
LDAP server: 10.38.54.52
LDAP server name: WIN-NLGEC8QTEQ8.cancella.br
Realm: CANCELLA.BR
Bind Path: dc=CANCELLA,dc=BR
LDAP port: 389
Server time: Qui, 06 Jun 2013 15:55:58 BRT
KDC server: 10.38.54.52
Server time offset: -6
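The "Server time offset" reported by net ads info is the number that matters for the join: by default an MIT Kerberos KDC rejects requests whose timestamp differs from its own clock by more than 300 seconds. The script below is an added example, not part of the original document; it extracts the offset from a constructed copy of the output above and flags it when it exceeds that tolerance. The 300-second threshold is the Kerberos default and the sample text is constructed from the page.

```shell
#!/bin/sh
# Added example: check the clock offset reported by "net ads info" before
# running "net ads join". MAX_SKEW is the Kerberos default clockskew (seconds).
MAX_SKEW=300

# Constructed sample, modelled on the "net ads info" output shown above.
SAMPLE_INFO='LDAP server: 10.38.54.52
LDAP server name: WIN-NLGEC8QTEQ8.cancella.br
Realm: CANCELLA.BR
Bind Path: dc=CANCELLA,dc=BR
LDAP port: 389
Server time: Qui, 06 Jun 2013 15:55:58 BRT
KDC server: 10.38.54.52
Server time offset: -6'

# extract_offset: print the "Server time offset" value (seconds) from
# net ads info output read on stdin; fail when the line is missing.
extract_offset() {
    awk -F': *' '/^Server time offset:/ { print $2; found = 1 }
                 END { if (!found) exit 1 }'
}

# skew_ok OFFSET: return 0 when |OFFSET| <= MAX_SKEW, 1 otherwise.
skew_ok() {
    awk -v off="$1" -v max="$MAX_SKEW" 'BEGIN {
        if (off < 0) off = -off
        code = (off <= max) ? 0 : 1
        exit code
    }'
}

# check_skew: read net ads info output on stdin and report the verdict.
# Returns 0 (in tolerance), 1 (out of tolerance) or 2 (no offset line).
check_skew() {
    off=$(extract_offset) || { echo "no 'Server time offset' line found" >&2; return 2; }
    if skew_ok "$off"; then
        echo "clock offset ${off}s is within ${MAX_SKEW}s: OK"
        return 0
    fi
    echo "clock offset ${off}s exceeds ${MAX_SKEW}s: sync NTP before joining" >&2
    return 1
}

# Stand-alone run against the constructed sample. In production pipe the
# real command instead:  net ads info | check_skew
printf '%s\n' "$SAMPLE_INFO" | check_skew
```

An offset of a few seconds, as on this page, is harmless; an offset near or beyond the tolerance shows up later as "Clock skew too great" from kinit or net ads join, so running the check before the join saves a confusing failure.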
Adding the Linux server to the AD domain

Find the Windows server's hostname by opening PowerShell or a command prompt and running the hostname command; in this setup this produced a DNS error, which I attribute to the AD's DNS configuration.

Share listing returned by the domain controller:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk
	SYSVOL          Disk

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
# wbinfo -u
administrator
guest
krbtgt
jorge.back
danton
thadeu.sandero
lucia.rocha
joao.silva
jose.santos
luis.oliveira
lucas.sousa
matheus.pereira
felipe
openfire
novo1
novo2
usuario1
usuario2
# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
suporte
administrativo
treinamento
spark
comercial
atendimento
cancella-matriz
cancella-filia
Environment adjustment

Adjust the permissions for access to the winbind information.

# ls -ld /var/lib/samba/winbindd_privileged
drwxr-x---. 2 root wbpriv 4096 Jun  6 17:15 /var/lib/samba/winbindd_privileged
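The directory above is mode 0750, owned by root with group wbpriv, and the ntlm_auth helper that Squid starts runs as the squid user, so the question is which permission triple applies to that user. The script below is an added example, not part of the original document: it evaluates, from the ls -ld line and a user's group list, whether the user can enter and read the directory. The group lists for squid are constructed (on a real host they come from `id -Gn squid`).

```shell
#!/bin/sh
# Added example: decide whether a user can reach winbindd_privileged from an
# "ls -ld" line and the user's supplementary groups.

# Constructed inputs: the ls -ld line from the page and two assumed group
# lists for the squid user, before and after it is added to wbpriv.
LS_LINE='drwxr-x---. 2 root wbpriv 4096 Jun  6 17:15 /var/lib/samba/winbindd_privileged'
GROUPS_BEFORE='squid'
GROUPS_AFTER='squid wbpriv'

# can_access LS_LINE USER USERGROUPS: return 0 when USER gets read and search
# (r and x) on the directory, which is what a client needs to open the
# winbind pipe inside it; 1 otherwise. USERGROUPS is a space-separated list.
can_access() {
    ls_line=$1; user=$2; user_groups=$3
    mode=$(printf '%s\n' "$ls_line" | awk '{ print $1 }')
    owner=$(printf '%s\n' "$ls_line" | awk '{ print $3 }')
    group=$(printf '%s\n' "$ls_line" | awk '{ print $4 }')
    # Select the triple that applies: chars 2-4 owner, 5-7 group, 8-10 other.
    if [ "$user" = "$owner" ]; then
        triple=$(printf '%s' "$mode" | cut -c2-4)
    elif printf ' %s ' "$user_groups" | grep -q " $group "; then
        triple=$(printf '%s' "$mode" | cut -c5-7)
    else
        triple=$(printf '%s' "$mode" | cut -c8-10)
    fi
    case $triple in
        r?x) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-alone run: show the verdict for squid before and after the group change.
for g in "$GROUPS_BEFORE" "$GROUPS_AFTER"; do
    if can_access "$LS_LINE" squid "$g"; then
        echo "squid (groups: $g): can use winbindd_privileged"
    else
        echo "squid (groups: $g): access denied; add squid to wbpriv"
    fi
done
```

With only its own group, squid falls into the "other" triple (---) and ntlm_auth fails; once squid is a member of wbpriv the group triple (r-x) applies. On CentOS the least-privilege fix is therefore `usermod -a -G wbpriv squid` followed by a restart of squid, not widening the directory mode, which would expose the privileged winbind pipe to every local user.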
# vi /etc/squid.conf
...
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic realm Servidor Proxy Cancella Informatica
auth_param basic credentialsttl 2 hours
...
external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R \
    -b "dc=cancella,dc=br" -B "dc=cancella,dc=br" \
    -f "(&(cn=%a)(member=%v)(objectClass=group))" \
    -F "(|(samAccountName=%s)(cn=%s))" \
    -D "CN=Administrator,CN=Users,dc=cancella,dc=br" -w p0w3r7@2013 -v 3 -h 10.38.54.52
acl auth_users proxy_auth REQUIRED
...
acl grp_suporte external ldap_group suporte
acl grp_comercial external ldap_group comercial
acl grp_cancella-matriz external ldap_group cancella-matriz
...
acl sites_liberados url_regex -i "/etc/squid/sites_liberados"
acl sites_padrao url_regex -i "/etc/squid/sites_padrao"
acl sites_bloqueados url_regex -i "/etc/squid/sites_bloqueados"
acl sites_comercial url_regex -i "/etc/squid/sites_comercial"
acl palavras url_regex -i "/etc/squid/palavras"
acl sites_noticias url_regex -i "/etc/squid/sites_noticias"
...
http_access allow sites_liberados
http_access allow grp_suporte !sites_bloqueados !palavras
sites_comercial
!sites_bloqueados !palavras
sites_padrao
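The external_acl_type line above passes the LDAP bind password to the helper with -w, so it sits in clear text in squid.conf and in the helper's command line (visible in ps output), and it binds as the domain Administrator although a group-membership lookup only needs read access. The script below is an added example, not part of the original document: it audits a squid.conf for both patterns and shows the same directive rewritten to read the password from a file with squid_ldap_group's -W secretfile option and a dedicated read-only bind account. The file path /etc/squid/ldap_bind.pw, the account name squid-ldap and the CHANGE_ME password are assumptions; the two config samples are constructed from the page's directive.

```shell
#!/bin/sh
# Added example: audit squid.conf for LDAP bind credentials on the helper
# command line and for a privileged bind account.

# Constructed sample modelled on the page's directive (placeholder password).
WEAK_CONF='external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R \
    -b "dc=cancella,dc=br" -B "dc=cancella,dc=br" \
    -f "(&(cn=%a)(member=%v)(objectClass=group))" \
    -D "CN=Administrator,CN=Users,dc=cancella,dc=br" -w CHANGE_ME -v 3 -h 10.38.54.52
acl grp_suporte external ldap_group suporte'

# Hardened form: password read from a file (-W, assumed path) and an assumed
# dedicated read-only bind account "squid-ldap".
FIXED_CONF='external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R \
    -b "dc=cancella,dc=br" -B "dc=cancella,dc=br" \
    -f "(&(cn=%a)(member=%v)(objectClass=group))" \
    -D "CN=squid-ldap,CN=Users,dc=cancella,dc=br" -W /etc/squid/ldap_bind.pw -v 3 -h 10.38.54.52
acl grp_suporte external ldap_group suporte'

# join_continuations: fold backslash-continued lines read on stdin into one
# logical line each, so options can be matched per directive.
join_continuations() {
    awk '{
        line = $0
        while (sub(/[ \t]*\\$/, "", line)) {
            if ((getline rest) <= 0) break
            line = line " " rest
        }
        print line
    }'
}

# audit_squid_conf FILE: print one finding per line; the return status is the
# number of findings (0 means clean).
audit_squid_conf() {
    join_continuations < "$1" | awk '
        /^external_acl_type[ \t]/ && / -w[ \t]+[^ \t]/ {
            n++; print "inline bind password (-w) in external_acl_type " $2
        }
        /^external_acl_type[ \t]/ && /-D[ \t]+"?CN=Administrator,/ {
            n++; print "Domain Administrator used as LDAP bind account in external_acl_type " $2
        }
        END { exit n }'
}

# write_samples: materialise both samples as files (sets SAMPLE_DIR, WEAK_FILE, FIXED_FILE).
write_samples() {
    SAMPLE_DIR=$(mktemp -d)
    WEAK_FILE="$SAMPLE_DIR/weak.conf"
    FIXED_FILE="$SAMPLE_DIR/fixed.conf"
    printf '%s\n' "$WEAK_CONF" > "$WEAK_FILE"
    printf '%s\n' "$FIXED_CONF" > "$FIXED_FILE"
}

# Stand-alone run: the weak sample yields two findings, the fixed one none.
write_samples
echo "== weak =="
audit_squid_conf "$WEAK_FILE" || echo "findings: $?"
echo "== fixed =="
audit_squid_conf "$FIXED_FILE" && echo "no findings"
rm -rf "$SAMPLE_DIR"
```

The secret file should be owned root:squid with mode 0640 so the helper, which runs as squid, can read it while other local users cannot. To audit a live proxy, run `audit_squid_conf /etc/squid/squid.conf`.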
squidGuard -b -u -C all
chown -R squid:squid /var/squidGuard/db/*
find /var/squidGuard/db -type f | xargs chmod 644
find /var/squidGuard/db -type d | xargs chmod 755
service squid reload
squid -k reload
squid -k reconfigure