Squid Proxy Server Integrated with Win2K AD Authentication

    Background:

    The old Windows proxy server crashed frequently. When rebuilding it we weighed system stability and the likelihood of future virus attacks and chose a Linux solution; given its overwhelming cost advantage, the business owners were certainly not going to object.

    Overview:

    OS= Red Hat Enterprise Linux AS 4 (full install)
    Kernel= 2.6.9-22.0.1.ELsmp
    Squid= squid-2.5.STABLE6-3 (rpm -qa | grep squid)
    Samba= Version 3.0.10-1.4E (smbd -V)
    All related packages are the versions bundled with the distribution, so no recompilation was needed.

    Installation steps:

    Step 1) Configure Samba
    Check the options Samba was built with

    #/usr/sbin/smbd -b
    --with Options:
    WITH_ADS
    WITH_AUTOMOUNT
    WITH_PAM
    WITH_QUOTAS
    WITH_SENDFILE
    WITH_SMBMOUNT
    WITH_SYSLOG
    WITH_UTMP
    WITH_WINBIND <<
    

    The options must include winbind. If they do not, rebuild the package as described next; if winbind is already included, skip this step.

    Rebuilding the samba rpm:
    Download the matching source rpm from the official site = samba-3.0.10-1.4E.src.rpm
    ftp://ftp.redhat.com

    #rpm -i samba-3.0.10-1.4E.src.rpm
    #cd /usr/src/redhat/SPECS
    #vi samba.spec
    

    Find these lines

    CFLAGS=-D_GNU_SOURCE %configure
    --with-acl-support
    --with-automount
    .....
    --with-swatdir=%{_datadir}/swat
    

    and append these two options after them

    --with-winbind
    --with-winbind-auth-challenge
    

    Start the build

    #rpmbuild -bb samba.spec
    

    If everything goes well with no error messages, the packages are written to /usr/src/redhat/RPMS/i386.
    Removing the original rpm could cause dependency problems, but since we rebuilt from the same source,
    the new packages can simply be installed over the old ones with --force.

    #service smb stop
    #cd /usr/src/redhat/RPMS/i386
    #rpm -ivh --force samba-3.0.10-1.4E.i386.rpm
    #rpm -ivh --force samba-client-3.0.10-1.4E.i386.rpm
    #rpm -ivh --force samba-common-3.0.10-1.4E.i386.rpm
    #rpm -ivh --force samba-debuginfo-3.0.10-1.4E.i386.rpm
    #rpm -ivh --force samba-swat-3.0.10-1.4E.i386.rpm
    

    Edit smb.conf and krb5.conf

    In both files a # only introduces a comment at the start of a line; a # after a value becomes part of the value (and Samba then rejects settings such as "security"), so keep comments on lines of their own.

    #vi /etc/samba/smb.conf
    [global]
    workgroup = NTDOMAIN
    realm = NTDOMAIN.COM
    # AD domain mode
    security = ADS
    # your Domain Controller
    password server = MyDC
    encrypt passwords = yes
    # your WINS server
    wins server = MYWINS
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    # optional
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind use default domain = yes
    
    #vi /etc/krb5.conf
    
    [libdefaults]
    default_realm = NTDOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    
    [realms]
    # the realm name must be UPPERCASE and must match default_realm and the smb.conf realm
    NTDOMAIN.COM = {
    kdc = MyDC
    default_domain = NTDOMAIN.COM
    admin_server = MyDC
    }
    
    [domain_realm]
    .ntdomain.com = NTDOMAIN.COM
    ntdomain.com = NTDOMAIN.COM
    

    Join the Linux machine to the AD domain

    #net ads join -U Administrator%mypass
    

    If the error "KDC has no support for encryption type" appears,
    reset the AD Administrator's password; for details see
    http://gentoo-wiki.com/HOWTO_Adding_...ting_AD_Domain

    Change the permissions of /var/lib/samba/winbindd_privileged to 750 with group squid, so that squid can read winbind's privileged socket.

    Set the account used when talking to the DC

    # wbinfo --set-auth-user=user%password (an ordinary, unprivileged user account is sufficient)
    

    Start (restart) Samba & winbind

    #service smb restart
    #service winbind restart
    

    Step 2) Configure Squid
    Check the options Squid was built with

    #squid -v
    
    Confirm these options are present
    --enable-auth=ntlm,basic
    --enable-basic-auth-helpers=winbind
    --enable-ntlm-auth-helpers=winbind
    --enable-external-acl-helpers="winbind_group,wbinfo_group"
    

    If they are missing, rebuild from source; if they are present, skip this step.

    Rebuilding the Squid rpm:
    Download the matching source rpm from the official site = squid-2.5.STABLE6-3.src.rpm
    ftp://ftp.redhat.com

    #rpm -i squid-2.5.STABLE6-3.src.rpm
    #cd /usr/src/redhat/SPECS
    #vi squid.spec
    

    Add the required configure options in the appropriate place.

    #rpmbuild -bb squid.spec
    

    To install the RPMs, follow the Samba instructions above.

    Edit squid.conf

    # NT challenge Authentication for IE
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 20 minutes
    
    # Plain Text Authentication for others
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    
    # Authorization program: grants access by AD group (not needed if you only want to verify that the user is a domain user)
    external_acl_type NT_global_group ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl
    
    # Access control list paired with external_acl_type; if you only need to verify domain membership without restricting by group, use "acl UserGroup proxy_auth REQUIRED" instead
    acl UserGroup external NT_global_group "/etc/squid/usergroup"
    
    # Allow members of those groups
    http_access allow UserGroup
    

    To let the helper check more than one group, and to work with Samba 3.0.2 (whose wbinfo -r output differs from earlier versions), /usr/lib/squid/wbinfo_group.pl must be edited by hand as follows:

    #!/usr/bin/perl -w
    #
    # external_acl helper to Squid to verify NT Domain group
    # membership using wbinfo
    #
    # This program is put in the public domain by Jerry Murdock
    # <jmurdock@itraktech.com>. It is distributed in the hope that it will
    # be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
    # of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    #
    # Author:
    #   Jerry Murdock <jmurdock@itraktech.com>
    #
    # Version history:
    #   2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
    #       Initial release
    #
    #   2003-12-16 Jim Barber
    #       Added multiple Group check in Group file
    
    # external_acl uses shell style lines in its protocol
    require 'shellwords.pl';
    
    # Disable output buffering
    $|=1;
    
    sub debug {
        # Uncomment this to enable debugging
        # print STDERR "@_\n";
    }
    
    #
    # Check if a user belongs to one of the given groups
    #
    sub check {
        local($user, @group) = @_;
        local($group);
        foreach $group (@group)
        {
            # group name -> SID -> gid, then look for that gid in the user's group list
            $groupSID = `wbinfo -n "$group"`;
            chop $groupSID;
            $groupGID = `wbinfo -Y "$groupSID"`;
            chop $groupGID;
            &debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
            return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
        }
        return 'ERR';
    }
    
    #
    # Main loop: one request per line from Squid ("user group ..."), one OK/ERR reply per line
    #
    while (<STDIN>) {
        chop;
        &debug ("Got $_ from squid");
        ($user, @group) = &shellwords;
        $ans = &check($user, @group);
        &debug ("Sending $ans to squid");
        print "$ans\n";
    }

    ** The part shown in red on the original page, i.e. the multiple-group loop in check, is the modified portion.

    Create /etc/squid/usergroup and list the AD groups allowed to use squid, one per line, e.g.:

    Domain Admins
    Internet User
    

    Configuration is complete; start Squid and begin testing.

    #service squid start
    

    FAQ:

    1. To make debugging easier, we recommend first confirming that Squid works normally without any AD authentication settings; this is in fact how we discovered the interference from the SELinux service.

    2. If squid fails to restart, squid -v prints nothing, or similar, disable the SELinux protection for Squid: Desktop-->Applications->security level-->SELinux--SELinux Service Protection-->Disable SELinux Protection for squid daemon

    3. How do I check the connection between Linux and AD and access to the accounts?
    After a successful join to the Win2K AD, these commands can be used to verify it.
    wbinfo -g //list all AD groups
    wbinfo -u //list all AD accounts
    wbinfo -a myid%mypass //verify an account login
    wbinfo -t //test the trust connection to AD
    wbinfo -n "somegroup" //convert a group name to its SID

    4. AD accounts and groups are listed, but converting a name to a SID with wbinfo -n gives "Could not lookup name"?
    The author searched through articles online without finding a solution; it was finally resolved by downloading the latest official release, 3.0.21, and installing it from source.
    Note that although this version converts SIDs correctly, the format returned by wbinfo -n differs from the old version, so wbinfo_group.pl needs a code fix when integrating it.

    Edit /usr/lib/squid/wbinfo_group.pl and find these lines

    sub check {
        local($user, $group) = @_;
        $groupSID = `wbinfo -n "$group"`;
        chop $groupSID;
        $groupGID = `wbinfo -Y "$groupSID"`;
        chop $groupGID;
    

    and change them to this (the newer wbinfo prints the SID type after the SID on the same line, so only the first field is kept)

    sub check {
        local($user, $group) = @_;
        $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
        chop $groupSID;
        $groupGID = `wbinfo -Y "$groupSID"`;
        chop $groupGID;
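
    The helper protocol and the wbinfo output parsing that the Perl script above and this FAQ item deal with, as an added Python example (not code from the page, from Squid or from Samba): it speaks the same line-oriented external_acl protocol as wbinfo_group.pl, accepts both the old SID-only and the newer "SID type" output of wbinfo -n without needing cut, and skips a group that cannot be resolved instead of failing the whole lookup. The `run` callable and the FAKE_WBINFO table are assumptions of this example so the logic can be exercised without a domain join; under Squid the default run_wbinfo is used.

```python
"""Squid external_acl group helper speaking the same protocol as wbinfo_group.pl.

Squid writes one line per lookup, "<user> <group> [<group> ...]" in shell-style
quoting, and reads back "OK" or "ERR". Group name -> SID (wbinfo -n),
SID -> gid (wbinfo -Y), and the user's gid list (wbinfo -r) are the same three
calls the Perl helper makes.
"""
import shlex
import subprocess
import sys


def run_wbinfo(args):
    """Run the real wbinfo and return its stdout (used when deployed under Squid)."""
    proc = subprocess.run(["wbinfo", *args], capture_output=True, text=True, check=False)
    return proc.stdout


def parse_sid(output):
    """Extract the SID from `wbinfo -n` output.

    Samba 3.0.10 prints just the SID; 3.0.21 prints "SID type" on one line,
    which is why the FAQ pipes through `cut -d" " -f1`. Taking the first token
    handles both. A failed lookup ("Could not lookup name ...") yields None.
    """
    tokens = output.split()
    if tokens and tokens[0].startswith("S-1-"):
        return tokens[0]
    return None


def parse_gid(output):
    """`wbinfo -Y SID` prints the mapped gid, or an error message on failure."""
    gid = output.strip()
    return gid if gid.isdigit() else None


def parse_user_gids(output):
    """`wbinfo -r user` prints one gid per line; keep them as a set of strings."""
    return {line.strip() for line in output.splitlines() if line.strip().isdigit()}


def check(user, groups, run=run_wbinfo):
    """Return 'OK' if user belongs to any of groups, otherwise 'ERR'.

    Unlike the Perl helper, the user's gid list is fetched once rather than
    once per group, and an unresolvable group is skipped rather than aborting.
    """
    user_gids = parse_user_gids(run(["-r", user]))
    for group in groups:
        sid = parse_sid(run(["-n", group]))
        if sid is None:
            continue
        gid = parse_gid(run(["-Y", sid]))
        if gid is not None and gid in user_gids:
            return "OK"
    return "ERR"


def handle_request(line, run=run_wbinfo):
    """Parse one request line from Squid and build the reply."""
    words = shlex.split(line)
    if not words:
        return "ERR"
    return check(words[0], words[1:], run)


# Constructed stand-in for wbinfo (not real domain data) so the helper can be
# exercised without a domain join: two groups, one in each output format.
FAKE_WBINFO = {
    ("-n", "Domain Admins"): "S-1-5-21-1-2-3-512 2\n",   # 3.0.21 style: SID plus type
    ("-n", "Internet User"): "S-1-5-21-1-2-3-1105\n",    # 3.0.10 style: SID only
    ("-Y", "S-1-5-21-1-2-3-512"): "10001\n",
    ("-Y", "S-1-5-21-1-2-3-1105"): "10010\n",
    ("-r", "alice"): "10000\n10010\n",
    ("-r", "bob"): "10000\n",
}


def fake_run(args):
    """Look up constructed wbinfo output; unknown names get the real tool's error text."""
    return FAKE_WBINFO.get(tuple(args), "Could not lookup name\n")


def main():
    """Helper mode: serve Squid on stdin/stdout, flushing after every reply."""
    for line in sys.stdin:
        sys.stdout.write(handle_request(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

    Point the external_acl_type line at this script instead of wbinfo_group.pl to use it; the flush after every reply matters because Squid waits for each answer before sending the next request.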
    

    5. Once there are more than 15 clients, browsing becomes sluggish, pages often have to be reloaded before they display correctly, and downloads are intermittently interrupted.
    A: Check cache.log for warning messages such as
    ===========================
    WARNING: All ntlmauthenticator processes are busy.
    2006/04/14 09:17:01| WARNING: up to 14 pending requests queued
    2006/04/14 09:17:01| Consider increasing the number of ntlmauthenticator processes to at least 19 in your config file.
    ===========================
    and raise the value of this parameter --> 20

    auth_param ntlm children 20
    auth_param basic children 20
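
    To make the check above repeatable, here is an added Python example (not part of the page or of Squid) that scans cache.log for the helper-saturation warnings, reports the worst queue depth per helper and turns the "at least N" advice into auth_param children lines, rounding up to the next multiple of five as the page did (19 -> 20). SAMPLE_CACHE_LOG is constructed: its first three lines are the page's own and the rest are invented; the mapping of the basicauthenticator helper to the basic scheme is an assumption.

```python
"""Summarize Squid 2.5 helper-saturation warnings from cache.log."""
import re

BUSY_RE = re.compile(r"WARNING: All (\w+) processes are busy")
QUEUED_RE = re.compile(r"WARNING: up to (\d+) pending requests queued")
ADVICE_RE = re.compile(r"Consider increasing the number of (\w+) processes to at least (\d+)")

# Squid helper name -> auth_param scheme (the basic entry is an assumption).
HELPER_SCHEME = {"ntlmauthenticator": "ntlm", "basicauthenticator": "basic"}

# Constructed sample: the first three lines are from the page, the rest invented.
SAMPLE_CACHE_LOG = """\
2006/04/14 09:17:01| WARNING: All ntlmauthenticator processes are busy.
2006/04/14 09:17:01| WARNING: up to 14 pending requests queued
2006/04/14 09:17:01| Consider increasing the number of ntlmauthenticator processes to at least 19 in your config file.
2006/04/14 09:31:40| WARNING: All ntlmauthenticator processes are busy.
2006/04/14 09:31:40| WARNING: up to 9 pending requests queued
2006/04/14 09:31:40| WARNING: All basicauthenticator processes are busy.
2006/04/14 09:31:40| WARNING: up to 3 pending requests queued
2006/04/14 09:31:40| Consider increasing the number of basicauthenticator processes to at least 8 in your config file.
"""


def _new_entry():
    return {"max_queued": 0, "at_least": 0, "events": 0}


def summarize_helper_warnings(log_text):
    """Return {helper: {"max_queued": n, "at_least": n, "events": n}}.

    The queued-requests line does not name the helper, so it is attributed to
    the helper named by the preceding "processes are busy" line.
    """
    summary = {}
    current = None
    for line in log_text.splitlines():
        m = BUSY_RE.search(line)
        if m:
            current = m.group(1)
            entry = summary.setdefault(current, _new_entry())
            entry["events"] += 1
            continue
        m = QUEUED_RE.search(line)
        if m and current is not None:
            entry = summary[current]
            entry["max_queued"] = max(entry["max_queued"], int(m.group(1)))
            continue
        m = ADVICE_RE.search(line)
        if m:
            entry = summary.setdefault(m.group(1), _new_entry())
            entry["at_least"] = max(entry["at_least"], int(m.group(2)))
    return summary


def round_up(n, step=5):
    """Round the advised minimum up to a multiple of step (19 -> 20, as the page did)."""
    return -(-n // step) * step


def children_directives(summary, step=5):
    """Turn the summary into auth_param children lines, one per saturated helper."""
    lines = []
    for helper, entry in sorted(summary.items()):
        scheme = HELPER_SCHEME.get(helper)
        if scheme is None or entry["at_least"] == 0:
            continue
        lines.append(f"auth_param {scheme} children {round_up(entry['at_least'], step)}")
    return lines


if __name__ == "__main__":
    result = summarize_helper_warnings(SAMPLE_CACHE_LOG)
    for helper, entry in sorted(result.items()):
        print(f"{helper}: {entry['events']} saturation events, "
              f"max queued {entry['max_queued']}, advised >= {entry['at_least']}")
    print("\n".join(children_directives(result)))
```

    Run it against the real file with summarize_helper_warnings(open("/var/log/squid/cache.log").read()); Squid only prints the "Consider increasing" advice once per ten minutes, so the per-helper event count is a better indicator of how often the pool is actually saturated than the number of advice lines.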

    6. How to avoid the JVM authentication dialog box.
    A: Add the following

    acl java_jvm browser Java
    

    Then, before your http_access for the authenticated users, use:

    http_access allow java_jvm

    Keep in mind that the browser ACL matches on the User-Agent header, so this rule lets any client that presents a Java User-Agent through without authentication; if that is a concern, combine it with a source-address ACL.