Article added: 2013-09-30 18:53:36
Author: Сергей

Squid authentication through the domain


Install samba from ports with the following options (ADS, LDAP and WINBIND must be on; everything else can stay off):
  • ACL_SUPPORT=off: ACL support
    ADS=on: Active Directory support
    AIO_SUPPORT=off: Asyncronous IO support
    AVAHI=off: Zeroconf support via Avahi
    CUPS=off: CUPS printing system support
    DNSUPDATE=off: Dynamic DNS update(require ADS)
    EXP_MODULES=off: Experimental modules
    FAM_SUPPORT=off: File Alteration Monitor
    IPV6=off: IPv6 protocol support
    LDAP=on: LDAP support
    MAX_DEBUG=on: Maximum debugging
    PAM_SMBPASS=off: PAM authentication vs passdb backends
    POPT=off: System-wide POPT library
    PTHREADPOOL=off: Pthread pool
    QUOTAS=off: Disk quota support
    SMBTORTURE=off: smbtorture
    SWAT=off: SWAT WebGUI
    SYSLOG=off: Syslog support
    UTMP=off: UTMP accounting support
    WINBIND=on: WinBIND support

After installation, add to /etc/rc.conf:
  • samba_enable="YES"
    winbindd_enable="YES"

Bring the configuration file /usr/local/etc/smb.conf to the following form. security = domain together with password server is the NT4-style join used further below; winbind use default domain = yes strips the DOMAIN\ prefix, so users show up in Squid as bare usernames. Newer Samba releases spell the winbind uid/gid range as idmap config * : range = 10000-20000; run testparm after saving and act on any deprecation warning it prints.
  • [global]
    workgroup = LINOR
    netbios name = proxy
    security = domain

    log file = /var/log/samba/log.%m

    # Put a capping on the size of the log files (in Kb).
    max log size = 500
    password server = UTS.LINOR.NET


    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind use default domain = yes

    # Charset settings
    # display charset = koi8-r
    # unix charset = koi8-r
    # dos charset = koi8-r

    # These scripts are used on a domain controller or stand-alone
    # machine to add or delete corresponding unix accounts
    ; add user script = /usr/sbin/useradd %u
    ; add group script = /usr/sbin/groupadd %g
    ; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
    ; delete user script = /usr/sbin/userdel %u
    ; delete user from group script = /usr/sbin/deluser %u %g
    ; delete group script = /usr/sbin/groupdel %g

Join the domain. -S must name a domain controller, i.e. the host given as password server above, and -U is a domain account allowed to join machines:
  • net rpc join -S server.local -U Administrator

Restart samba so that winbindd starts with the new machine account:
  • service samba restart

Grant the squid user access to /var/db/samba/winbindd_privileged. The NTLMSSP helper runs as user squid and must open the privileged winbindd pipe in this directory; Samba creates it mode 0750 owned by root, so changing its group is enough (the basic helper does not need it):
  • chown -R root:squid /var/db/samba/winbindd_privileged

Install squid 2.7 from ports:
  • cd /usr/ports/www/squid
    make install clean

Squid must be built with the following configure options (set them in the port's options dialog):
  • --enable-auth="ntlm,basic"
    --enable-external-acl-helpers="wbinfo_group"

Add the following to the squid config at /usr/local/etc/squid/squid.conf. Keep the ntlm scheme above basic: Squid offers the schemes in the order they appear, so NTLM-capable browsers pick NTLM and only the rest fall back to basic, which sends the password in clear to the proxy:
  • auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 30

    # warning: basic authentication sends passwords plaintext
    # a network sniffer can and will discover passwords
    auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours

And also the rules for authentication:
  • acl AuthorizedUsers proxy_auth REQUIRED
    ..
    # Squid stops at the first matching http_access line, so this must come
    # before the closing "deny all"; ACLs on one line are ANDed, so "all" is redundant here.
    http_access allow AuthorizedUsers
    http_access deny all

Add to /etc/rc.conf:
  • squid_enable="YES"

Start squid:
  • service squid start