Windows Active Directory UserName/Password integration with SQUID

Step By Step Configuration

Step-1

Please check whether the following packages have been installed:

krb5-libs
krb5-workstation
samba-client
samba
samba-common
squid

Step-2

The Squid server's clock must be synchronised with the AD clock, because Kerberos rejects tickets whose timestamps differ by more than a few minutes. Configure ntpd to sync against the same time source as the AD server.

On the Linux server:

ntpdate pool.ntp.org

And then on Windows:

C:\> net time /setsntp:pool.ntp.org

C:\> net stop w32time & net start w32time

Step-3

Now edit /etc/nsswitch.conf and change these lines:

vi /etc/nsswitch.conf

passwd: compat
group: compat

to this:

passwd: compat winbind
group: compat winbind

SQUID with AD

Step-4

Make sure every name involved resolves. In this example 192.168.0.58 is the Linux server and 192.168.0.250 is the Windows Active Directory server.

# vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
192.168.0.58   linux.kvit.in LINUX LINUX.KVIT.IN
192.168.0.250   WIN-UHEVJCB6YZM.kvit.in win-uhevjcb6yzm.kvit.in
192.168.0.250   kvit.in KVIT KVIT.IN

Modify as required. Here kvit.in is the AD domain name, and /etc/resolv.conf should point at the AD server as name server (nameserver 192.168.0.250).

Step-5

Modify /etc/krb5.conf as follows.

Note: please use the correct domain for your environment to replace KVIT.IN and example.com, and the correct AD server name for your environment to replace win-uhevjcb6yzm.kvit.in.

# vi /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = KVIT.IN
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
KVIT.IN = {
kdc = win-uhevjcb6yzm.kvit.in:88
admin_server = win-uhevjcb6yzm.kvit.in:749
default_domain = kvit.in
}

[domain_realm]
.kvit.in = KVIT.IN
kvit.in = KVIT.IN

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Step-6

Modify /etc/samba/smb.conf as follows. Note: please use the correct domain for your environment to replace KVIT and the correct AD server name for your environment to replace win-uhevjcb6yzm.kvit.in.

[global]
workgroup = KVIT
netbios name = linux
server string = Samba Server
hosts allow = 192.168.0. 127.
printcap name = /etc/printcap
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
security = ADS
password server = win-uhevjcb6yzm.kvit.in
realm = KVIT.IN
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = yes

Step-7

Make sure that the smb and winbind services have been stopped.

service smb stop
service winbind stop

Step-8

Join the server to the AD domain. First obtain a Kerberos ticket for a domain account:

kinit

for example:

kinit Administrator

This may need to be done a couple of times as it may take a while and fail. If this happens, try again.

Now, to do the actual join:

net ads join -U

for example:

net ads join -U Administrator

Step-9

This will also take some time and may need to be repeated. It should eventually tell you that the server successfully joined the domain.

Restart the smb and winbind services.

service smb start
service winbind start

Step-10

Now, to check whether winbind has successfully negotiated and joined the domain (wbinfo -t verifies the machine trust secret against the domain controller, and wbinfo -u lists the domain users):

wbinfo -t
wbinfo -u

Step-11

Configure Squid to use the Samba3 ntlm_auth program for authentication. Modify /etc/squid/squid.conf as follows:

# vi /etc/squid/squid.conf

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 seconds
acl lcl src 192.168.0.0/16
acl auth proxy_auth REQUIRED
http_access allow auth
http_access deny all
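
Before starting Squid it is worth checking that the files edited above agree with each other. The following Python script is an added example and not part of the original post: it parses krb5.conf, smb.conf, nsswitch.conf and squid.conf text (constructed inline here from the values used above) and flags the mismatches that most often break the join or the helper, such as a lower-case realm, an smb.conf realm that differs from krb5's, a missing winbind entry in nsswitch.conf, and the en-dash that copying the helper line from a web page turns `--helper-protocol` into.

```python
import re
# Constructed sample inputs using the same values as the files edited above.
KRB5 = "[libdefaults]\ndefault_realm = KVIT.IN\n[realms]\nKVIT.IN = {\n kdc = win-uhevjcb6yzm.kvit.in:88\n}\n"
SMB = "[global]\nworkgroup = KVIT\nsecurity = ADS\nrealm=KVIT.IN\nwinbind use default domain = yes\n"
NSS = "passwd: compat winbind\ngroup: compat winbind\n"
SQUID_OK = "auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic\nacl auth proxy_auth REQUIRED\nhttp_access allow auth\n"
SQUID_BAD = SQUID_OK.replace("--helper", "\u2013helper")  # the en-dash a web copy/paste introduces

def parse_conf(text):
    """Minimal parser for krb5.conf/smb.conf syntax: [section], key = value,
    and krb5's NAME = { ... } blocks, which become nested dicts."""
    conf, section, sub = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = conf.setdefault(line[1:-1].lower(), {}), None
        elif line == "}":
            sub = None
        elif line.endswith("{") and "=" in line:
            sub = section.setdefault(line.split("=", 1)[0].strip(), {})
        elif "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            (section if sub is None else sub)[key.lower()] = val
    return conf

def check_setup(krb5, smb, squid, nsswitch):
    """Return the inconsistencies found across the four files; [] means they agree."""
    problems, k, g = [], parse_conf(krb5), parse_conf(smb).get("global", {})
    realm = k.get("libdefaults", {}).get("default_realm", "")
    if not realm or realm != realm.upper():
        problems.append(f"krb5 default_realm {realm!r} must be set and upper case")
    if realm not in k.get("realms", {}):
        problems.append(f"krb5 [realms] has no block for {realm!r}")
    if g.get("realm") != realm:
        problems.append(f"smb.conf realm {g.get('realm')!r} differs from krb5 realm {realm!r}")
    if g.get("security", "").upper() != "ADS":
        problems.append("smb.conf security must be ADS for an AD domain member")
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:\s*(.+)$", nsswitch, re.M)
        if not m or "winbind" not in m.group(1).split():
            problems.append(f"nsswitch.conf {db} line does not list winbind")
    for line in squid.splitlines():
        if "ntlm_auth" in line and "--helper-protocol=" not in line:
            problems.append(f"squid.conf helper option mangled (needs two ASCII dashes): {line.strip()}")
    if not re.search(r"^\s*acl\s+\S+\s+proxy_auth\s+REQUIRED", squid, re.M):
        problems.append("squid.conf has no proxy_auth REQUIRED acl, so clients are never challenged")
    return problems
```

On a real host, read the four files from disk and pass their contents to check_setup; an empty list means the realm, security mode, nsswitch entries and helper lines are consistent.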


Start the squid service.

service squid start

CEO, KV IT-Solutions Pvt. Ltd. | vikas@kvit.in | 9810028374|
Linux Professional and an Industrial Trainer | 20 + years Experience in IT Industry
