Installing Squid with Active Directory Authentication(野蔷薇Linux系列)

ccc (离线)	楼主-> 我在做什么... 发表于 07-09-20 08:18 Installing Squid with Active Directory Authentication 原文来自：野蔷薇 http://www.yeqiangwei.com/club/f10b0l0fp1t240148p1.html 原始连接：[url="http://cryptoresync.com/2006/05/18/installing-squid-with-active-directory-authentication/" target="_blank"]http://cryptoresync.com/2006/05/18/installing-squid-with-active-directory-authentication/[/url] Proxy servers are fairly essential devices that should be part of a network’s perimeter defense strategy. They are devices that allow clients to indirectly access network services via a connection through them. In an enterprise environment, proxy servers are used to aid in enforcement of acceptable use and security policies. There are a number of reasons for using a proxy server as part of securing a network but that is beyond the scope of this document. The 10 Legged Creature.One of the premier proxy servers available today is Squid. It is the most popular HTTP proxy available today, mainly because it is offers a comprehensive set of features, is highly configurable all while being open source and free. It runs on just about any Linux distribution and scales better than any other application of its kind. For the sake of this exercise, Squid is being deployed to an enterprise network to act in the capacity of a web proxy. By doing so, Squid will be an intermediary for all web browsing between network users and the destinations web sites they desire to browse. When a user requests to visit a site that request will go first to Squid, which will then establish a connection with the destination, transfer the data from the web site to its cache and then pass that data back to the requesting user. In many instances Squid will even pass the data from its local cache back to the users, both saving time and precious bandwidth. Depending on which algorithm is selected when configuring Squid will determine how Squid decides whether or not to serve the local cache to a user or whether to fetch new data. Mayday, Mayday!When I set out to install Squid so that it could perform active directory authentication I was unable to locate any single resource that could explain, in detail, the steps required in order to make this happen. What I did find, however, was a variety of instructions related to various aspects of the entire process. The sum of all the information that I discovered is contained in this document, which will hopefully serve as a means of helping someone else achieve the same goal I was aiming for. The following are the instructions for installing Squid Proxy Server so that it performs Active Directory authentication off of a Windows 2003 domain controller. Squid is configured so that the browsers must explicitly point to it, which means that it is not being setup to function as a transparent proxy. This entire design was performed on a Dell 1650 running Gentoo Linux 2006.0. Although the act of downloading, compiling and installing applications on a Gentoo box is slightly different than that of an RPM based distribution (like Red Hat) the same basic configuration directions are applicable. The key difference is Gentoo’s USE flag convention whereas the other distributions will force the use of compile time options (i.e. using “–with-winbind” when running configure, as an example). The following software is necessary in order to make all of this work as planned. [ul][li]Squid Proxy Server [/li][li]SAMBA [/li][li]OpenLDAP [/li][li]MIT Kerberos [/li][/ul]Installation of this software on Gentoo is rather easy however there is a USE flag caveat. In order to ensure that the software is compiled with the necessary options to make this all work properly specific Gentoo USE flags need to be set. This can be done on the command-line while emerging the software or by modifying the make.conf file. Whichever method is selected, the following USE flags need to be set: <code>USE="kerberos ldap pam"</code> Using the command-line, emerge the software as follows: <code>USE="kerberos ldap pam" emerge squid samba openldap mit-krb5</code> If make.conf was updated to reflect the necessary USE flags then do the following: <code>emerge squid samba openldap mit-krb5</code> Once emerge is done working the lovely magic it performs it will be time to modify the various configuration files. SquidThis is only the applicable portion of the squid.conf file required for active directory authentication. In the event that a complete squid.conf file is necessary then take a look here. <code>/etc/squid/squid.conf # Active Directory configuration auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 30 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes auth_param ntlm use_ntlm_negotiate on auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic auth_param basic children 5 auth_param basic realm Squid Proxy Server auth_param basic credentialsttl 2 hours # Only allow authenticated users to use the proxy # Add these in the appropriate places in squid.conf acl authenticated_users proxy_auth REQUIRED ... http_access allow authenticated_users</code> SAMBA<code>/etc/samba/smb.conf [global] netbios name = proxyserver realm = DOMAIN.COM workgroup = DOMAIN security = ADS password server = dc01.domain.com dc02.domain.com dc03.domain.com socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384 idmap uid = 10000-20000 winbind enum users = yes winbind uid = 10000-20000 winbind gid = 10000-20000 winbind separator = + winbind use default domain = yes encrypt passwords = yes log level = 3 passdb:5 auth:10 winbind:5 </code> Kerberos<code>/etc/krb5.conf [libdefaults] ticket_lifetime = 600 default_realm = DOMAIN.COM default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc dns_lookup_realm = false dns_lookup_kdc = false [realms] DOMAIN.COM = { kdc = dc01.domain.com:88 kdc = dc02.domain.com:88 kdc = dc03.domain.com:88 admin_server = dc01.domain.com:749 default_domain = DOMAIN.COM } [domain_realm] .domain.com = dc01.domain.com domain.com = dc01.domain.com [kdc] profile = /etc/krb5kdc/kdc.conf [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log </code> PAM<code>/etc/pam.d/samba auth required pam_nologin.so auth required pam_stack.so service=system-auth-winbind account required pam_stack.so service=system-auth-winbind session required pam_stack.so service=system-auth-winbind password required pam_stack.so service=system-auth-winbind /etc/pam.d/squid auth required /lib/security/pam_stack.so service=system-auth-winbind account required /lib/security/pam_stack.so service=system-auth-winbind /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so likeauth nullok auth required pam_deny.so account required pam_unix.so password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 password sufficient pam_unix.so nullok md5 shadow use_authtok password required pam_deny.so session required pam_limits.so session required pam_unix.so</code> Once all the aforementioned software has been configured as depicted the proxy server needs to be added to the Windows 2003 domain. This is necessary so that the proxy server can perform authentication in conjunction with a Windows 2003 active directory domain cont 美女头像性感美女图片打包下载

原文来自：野蔷薇 http://www.yeqiangwei.com/club/f10b0l0fp1t240148p1.html

原始连接：[url="http://cryptoresync.com/2006/05/18/installing-squid-with-active-directory-authentication/" target="_blank"]http://cryptoresync.com/2006/05/18/installing-squid-with-active-directory-authentication/[/url]

Proxy servers are fairly essential devices that should be part of a network’s perimeter defense strategy. They are devices that allow clients to indirectly access network services via a connection through them. In an enterprise environment, proxy servers are used to aid in enforcement of acceptable use and security policies.
There are a number of reasons for using a proxy server as part of securing a network but that is beyond the scope of this document.
The 10 Legged Creature.One of the premier proxy servers available today is Squid. It is the most popular HTTP proxy available today, mainly because it is offers a comprehensive set of features, is highly configurable all while being open source and free. It runs on just about any Linux distribution and scales better than any other application of its kind.
For the sake of this exercise, Squid is being deployed to an enterprise network to act in the capacity of a web proxy. By doing so, Squid will be an intermediary for all web browsing between network users and the destinations web sites they desire to browse. When a user requests to visit a site that request will go first to Squid, which will then establish a connection with the destination, transfer the data from the web site to its cache and then pass that data back to the requesting user.
In many instances Squid will even pass the data from its local cache back to the users, both saving time and precious bandwidth. Depending on which algorithm is selected when configuring Squid will determine how Squid decides whether or not to serve the local cache to a user or whether to fetch new data.
Mayday, Mayday!When I set out to install Squid so that it could perform active directory authentication I was unable to locate any single resource that could explain, in detail, the steps required in order to make this happen. What I did find, however, was a variety of instructions related to various aspects of the entire process. The sum of all the information that I discovered is contained in this document, which will hopefully serve as a means of helping someone else achieve the same goal I was aiming for.
The following are the instructions for installing Squid Proxy Server so that it performs Active Directory authentication off of a Windows 2003 domain controller. Squid is configured so that the browsers must explicitly point to it, which means that it is not being setup to function as a transparent proxy. This entire design was performed on a Dell 1650 running Gentoo Linux 2006.0.
Although the act of downloading, compiling and installing applications on a Gentoo box is slightly different than that of an RPM based distribution (like Red Hat) the same basic configuration directions are applicable. The key difference is Gentoo’s USE flag convention whereas the other distributions will force the use of compile time options (i.e. using “–with-winbind” when running configure, as an example).
The following software is necessary in order to make all of this work as planned.
[ul][li]Squid Proxy Server [/li][li]SAMBA [/li][li]OpenLDAP [/li][li]MIT Kerberos [/li][/ul]Installation of this software on Gentoo is rather easy however there is a USE flag caveat. In order to ensure that the software is compiled with the necessary options to make this all work properly specific Gentoo USE flags need to be set. This can be done on the command-line while emerging the software or by modifying the make.conf file. Whichever method is selected, the following USE flags need to be set:
<code>USE="kerberos ldap pam"</code>
Using the command-line, emerge the software as follows:
<code>USE="kerberos ldap pam" emerge squid samba openldap mit-krb5</code>
If make.conf was updated to reflect the necessary USE flags then do the following:
<code>emerge squid samba openldap mit-krb5</code>
Once emerge is done working the lovely magic it performs it will be time to modify the various configuration files.
SquidThis is only the applicable portion of the squid.conf file required for active directory authentication. In the event that a complete squid.conf file is necessary then take a look here.
<code>/etc/squid/squid.conf

# Active Directory configuration
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid Proxy Server
auth_param basic credentialsttl 2 hours

# Only allow authenticated users to use the proxy
# Add these in the appropriate places in squid.conf
acl authenticated_users proxy_auth REQUIRED
...
http_access allow authenticated_users</code>
SAMBA<code>/etc/samba/smb.conf

[global]
netbios name = proxyserver
realm = DOMAIN.COM
workgroup = DOMAIN
security = ADS
password server = dc01.domain.com dc02.domain.com dc03.domain.com
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
winbind enum users = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
winbind use default domain = yes
encrypt passwords = yes
log level = 3 passdb:5 auth:10 winbind:5
</code>
Kerberos<code>/etc/krb5.conf

[libdefaults]
    ticket_lifetime = 600
    default_realm = DOMAIN.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    DOMAIN.COM = {
        kdc = dc01.domain.com:88
        kdc = dc02.domain.com:88
        kdc = dc03.domain.com:88
        admin_server = dc01.domain.com:749
        default_domain = DOMAIN.COM
    }

[domain_realm]
    .domain.com = dc01.domain.com
    domain.com = dc01.domain.com

[kdc]
    profile = /etc/krb5kdc/kdc.conf

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
</code>
PAM<code>/etc/pam.d/samba

auth  required pam_nologin.so
auth  required pam_stack.so service=system-auth-winbind
account required pam_stack.so service=system-auth-winbind
session required pam_stack.so service=system-auth-winbind
password required pam_stack.so service=system-auth-winbind

/etc/pam.d/squid

auth  required /lib/security/pam_stack.so service=system-auth-winbind
account required /lib/security/pam_stack.so service=system-auth-winbind

/etc/pam.d/system-auth

auth  required pam_env.so
auth  sufficient pam_unix.so likeauth nullok
auth  required pam_deny.so

account required pam_unix.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so</code>
Once all the aforementioned software has been configured as depicted the proxy server needs to be added to the Windows 2003 domain. This is necessary so that the proxy server can perform authentication in conjunction with a Windows 2003 active directory domain cont

注册

Installing Squid with Active Directory Authentication

Installing Squid with Active Directory Authentication