I would normally logon and install ssh and vim to make life a little easier
# apt-get install ssh vimSamba
we will need to install samba, winbind and kerberos client to get authentication working with Active Directory:
# apt-get install samba winbind krb5-userIf the Samba Server configuration asks you for a "Workgroup/Domain name" you can use short name that you specified for the domain when you created it but as we will replace this file shortly it doesn't actually matter what you put.
Now run re-configuration for krb5-config:
# dpkg-reconfigure krb5-configDefault Kerberos version 5 realm: <FQDN for your AD domain in caps>
Add the kerberos server names for your domain: yes
Kerberos servers for your realm: <FQDN of your primary domain controller>
Administrative server for your kerberos realm: <FQDN of your primary domain controller>
We can test that kerberos is working by running the kinit command, the format of the command is:
kinit <username>@<FQDN for your AD domain in caps>So for example, if our FQDN for the domain is test.local and we are using the administrator account we would type:
kinit administrator@TEST.LOCALIf all is well it will ask for the password for the above account, if it accepts the password it will simply return you to the prompt, if there is something amiss it will report an error.
Move the /etc/samba/smb.conf file somewhere safe:
# mv /etc/samba/smb.conf /etc/samba/smb.old.confCreate a new file containing the following:
netbios name = <this machine name>
workgroup = <shortname for you domain>
password server = <FQDN for your domain controller>
realm = <FQDN for your domain>
security = ads
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
winbind use default domain = yes
Restart the samba services:
/etc/init.d/samba restart ; /etc/init.d/winbind restartJoin the active directory with:
net ads join -U administratorIf you receive a "DNS update failed" error you should manually add this server to the DNS server for the domain.
Restart the samba services:
/etc/init.d/samba restart ; /etc/init.d/winbind restartCheck the the following commands return with a success:
# wbinfo -t
Success of the above command confirms connection to the domain controller.
# wbinfo -uLists users (local and domain).
# wbinfo -gLists domain groups.
Install the squid packages:
# apt-get install squidCopy the squid.conf somewhere safe:
# cp /etc/squid/squid.conf /etc/squid/squid.conf.oldEdit /etc/squid/squid.conf and uncomment (remove the hash from) the following line:
#http_access allow localnetAssuming you are using a RFC1918 network range on your network this will allow you to use the proxy. Save the file and restart squid with:
/etc/init.d/squid restartLog in to a domain joined windows box that is logged on as a domain user in the inetaccess group (or which ever group you chose earlier to add to the auth_param directives). Set the browser to use squid as it's proxy server (squid runs on port 3128) and see if you can get to the internet. If not, you will need to concentrate on getting squid working as a simple proxy before you try to add authentication into the mix.
You will need to choose or create a security group within your Active Directory domain that we will use for deciding which users can authenticate with squid. I have chosen the group named inetaccess (a single word for the name of the group so we don't have to deal with spaces in the group name) and added as members all the users I want to give internet access to this group.
Edit squid.conf with the following changes:
Add the following auth_param section:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=<short name of the domain>+inetaccessIf you want basic (very insecure, but handy for fallback) authentication then you will also need the following auth_param section.
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=<short name of the domain>+inetaccessTo stop the leaking of your client IP addresses out of the proxy, set forwarded_for to off
auth_param basic children 3
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 hours
forwarded_for offAdd the following after the existing acl entries:
acl users proxy_auth REQUIREDComment out (add a hash to the front of) the line we uncommented before:
http_access allow localnet
Add the following after the http_access, but BEFORE http_access deny all
http_access allow usersRestart squid
/etc/init.d/squid restartUsing the same domain joined windows box that is logged on as a domain user that you confirmed things were working from earlier see if you still have access.
If you are not sure why squid is not letting you through, try changing the debug in the squid.conf to:
debug_options ALL,1 33,8Try the proxy again and then look though the log file /var/log/squid/cache.log for clues as to what is going on.
Windows machines running on the Vista or Windows 7 code base (so this includes Windows server 2008 & 2008 R2) by default have a local policy setting that prevents you from authenticating with squid using the older version of NTLM. If you go into the local security policy management console then "local Policies"->"Security Options"->"Network security: LAN Manager authentication level" and set it to "Send LM & NTLM - Use NTLMv2 session security if negotiated" then reboot.
You can set this by group policy if you have a lot of machines to change, also if you find that this setting is not taking effect then maybe group policy is changing it back.
Post a Comment