ExtMail Server Community's Archiver

wwmhero posted on 2009-12-5 19:58

Debian + squid + samba + winbind + krb5: domain authentication

I spent the whole of Saturday on this and finally got the squid proxy server authenticating against a Windows 2003 domain. Sharing it here:
Note: assume the Windows domain is XXX.COM and the domain server IP is 1.2.3.4

[b]1. Install krb5[/b][code]apt-get install krb5-config krb5-user[/code]Configure krb5:[code]vi /etc/krb5.conf[/code][code][libdefaults]
default_realm = XXX.COM
……
[realms]
        XXX.COM = {
                kdc = 1.2.3.4
        }
[domain_realm]
        .xxx.com = XXX.COM

[/code]Test krb5:[code]kinit administrator@XXX.COM[/code]

[b]2. Install samba[/b][code]apt-get install samba[/code]Configure samba:[code]vi /etc/samba/smb.conf[/code][code][global]
workgroup = XXX
realm = XXX.COM
preferred master = no
server string = squid
security = ADS
password server = 1.2.3.4
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
[/code]

[b]3. Install winbind[/b][code]apt-get install winbind[/code]Configure winbind:[code]vi /etc/nsswitch.conf[/code][code]passwd:         files winbind
group:          files winbind[/code]

[b]4. Join the server to the Windows domain[/b][code]vi /etc/resolv.conf[/code][code]nameserver 1.2.3.4[/code][code]net ads join -U administrator[/code]At this point you are prompted for the domain administrator's password; enter it and the machine joins the Windows domain. Then restart both services:[code]/etc/init.d/samba restart
/etc/init.d/winbind restart[/code]Test winbind:[code]wbinfo -t
wbinfo -u
wbinfo -g[/code]

[b]5. Install squid[/b][code]apt-get install squid[/code]Configure squid:[code]vi /etc/squid/squid.conf[/code][code]……
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 hours

acl NTLMUsers proxy_auth REQUIRED

http_access allow NTLMUsers
……[/code]

[b]6. Give the squid process permission to authenticate through winbind[/b][code]chown root:proxy /var/run/samba/winbindd_privileged
chmod 750 /var/run/samba/winbindd_privileged[/code]Point your browser at the proxy server yourip:3128 and you're done! o(∩_∩)o... haha

[[i] This post was last edited by wwmhero on 2009-12-5 20:58 [/i]]
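Two post-install checks for the setup in this post, written as an added example rather than the poster's own code: one confirms that the winbindd_privileged directory (step 6) is group-owned by proxy and closed to "other", the other reads a squid.conf and confirms that a "proxy_auth REQUIRED" acl is enforced before any "http_access allow all", since an earlier allow-all rule would be matched first and let unauthenticated clients through. The acl name NTLMUsers and the group proxy come from the post; the paths in the usage section are assumptions.

```shell
#!/bin/sh
# Added sanity checks for the squid + winbind setup above; not the original
# author's code. NTLMUsers and the group "proxy" come from the post, the
# paths below are assumptions.

# Pass if DIR has no "other" permission bits (e.g. 0750) and is group-owned by
# GROUP, so only root and squid's group can reach the privileged winbind pipe.
check_winbind_pipe_dir() {
    want_group=$2
    [ -d "$1" ] || return 1
    set -- $(ls -ld "$1")             # e.g. drwxr-x--- 2 root proxy 4096 ...
    case "$1" in                      # mode string: last three chars = "other"
        ???????---*) [ "$4" = "$want_group" ] ;;
        *) return 1 ;;
    esac
}

# Pass if FILE defines a "proxy_auth REQUIRED" acl and no "http_access allow all"
# precedes the first http_access rule that references such an acl (a "!acl"
# negation counts as a reference).
check_squid_auth_order() {
    awk '
        $1 == "acl" && $3 == "proxy_auth" && $4 == "REQUIRED" { authacl[$2] = 1; nacl++ }
        $1 == "http_access" {
            seen = 0
            for (i = 3; i <= NF; i++) { n = $i; sub(/^!/, "", n); if (n in authacl) seen = 1 }
            if (seen) { enforced = 1 }
            else if ($2 == "allow" && !enforced) { for (i = 3; i <= NF; i++) if ($i == "all") bad = 1 }
        }
        END { if (nacl && enforced && !bad) exit 0; exit 1 }
    ' "$1"
}

# Usage with a constructed squid.conf fragment (the post's rules, shortened):
conf=${TMPDIR:-/tmp}/squid-auth-check.$$
cat >"$conf" <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
acl NTLMUsers proxy_auth REQUIRED
http_access allow NTLMUsers
http_access deny all
EOF
check_squid_auth_order "$conf" && echo "squid.conf: authentication enforced" \
                              || echo "squid.conf: auth can be bypassed"
rm -f "$conf"
check_winbind_pipe_dir /var/run/samba/winbindd_privileged proxy \
    && echo "winbindd_privileged: ok" || echo "winbindd_privileged: missing or too open"
```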

liushaobo posted on 2009-12-5 22:28

Bump! Keep it up, bro.

lolizeppelin posted on 2009-12-8 14:20

Why use squid? Wouldn't samba alone do the job?
One key point in the samba configuration is that you must add your own host to hosts, otherwise net ads join reports an error (though Windows shows the machine as joined, with a little less information than a normal join).

mouse posted on 2009-12-9 22:48

Awesome, but too long, didn't really read it; bumping for the OP.


Powered by Discuz! Archiver 7.0.0  © 2001-2009 Comsenz Inc.