Hi,

What you are trying to do is definitely possible. Unfortunately I haven't compiled squid from source, but instead used the prebuilt Debian package. Therefore I can't really help you with the compilation flags. However, they seem to be reasonable.

> I need to configure krb5.conf to point to AD as Default_realm on CENTOS 5.4 too, right?

Yes. This has to be done. I have attached my krb5.conf to this mail, so that you can compare.

> I think that I need to make CentOS 5.4 a member of the domain? Am I right or is it not necessary?

As far as I know, this is necessary and I have done it for my setup. Just do a net join -U administrator to make your machine a domain member. However, before that you need to change some lines in /etc/samba/smb.conf. I have also attached the relevant lines to this e-mail, as I have them in my smb.conf.

> How will these specific AD users (with internet access allowed) be told/mentioned to the squid?

They will be told, for example, by an ACL line using the wbinfo_group.pl script. A prerequisite for this is, however, that the people who should have squid access are all in a group in your Active Directory. (More groups are also possible, as long as everyone in the groups should be granted access.) Squid will then query the Active Directory whether the user (identified by his login+password) belongs to the group you defined in your ACL. If so, squid will grant the request, otherwise squid will deny it. I have attached the relevant part of the squid.conf to this mail as a reference for you (the privileged group).

You will probably also have to change the nsswitch.conf. I have also attached the relevant snippet of mine.

You can use this information as a starting point. Getting squid to work with an Active Directory can be quite tricky and you will probably experience some problems along the way. However, don't hesitate to ask on the list, as many of these problems can be debugged quite straightforwardly.
Here is an outline of the order in which you should try to get things working:

1) Modify the smb.conf, nsswitch.conf and krb5.conf
2) After restarting samba and winbind, do net join -U administrator
3) Check whether everything is working via wbinfo -g and wbinfo -t
4) Modify the squid.conf
5) Restart squid and test things.

Hopefully this helps you a bit.

Greetings
Benedikt
# Relevant part of squid.conf: basic authentication through winbind's
# ntlm_auth, then a group-membership check through wbinfo_group.pl.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# The external ACL helper receives the authenticated login (%LOGIN)
# plus the group name(s) given on the acl line, and answers OK or ERR.
external_acl_type winbind_group_helper %LOGIN /usr/lib/squid/wbinfo_group.pl
acl lehrer external winbind_group_helper g_privileged_users

# http_access refers to the acl name (lehrer); g_privileged_users is the
# AD group passed to the helper, not an acl name.
http_access allow lehrer
http_access deny all
# Relevant lines of /etc/samba/smb.conf ([global] section)
security = ADS
realm = muster.musterfirma.com
password server = *
dns proxy = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = true
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
# /etc/krb5.conf (attached for comparison)
# Note: no [realms] entry matches default_realm; MY.REALM, OTHER.REALM and
# .my.domain appear to be sample entries. Kerberos realm names are
# case-sensitive.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/ksadmind.log

[libdefaults]
 default_realm = muster.musterfirma.com
 clockskew = 300
 v4_instance_resolve = false
 v4_name_convert = {
  host = {
   rcmd = host
   ftp = ftp
  }
  plain = {
   something = something-else
  }
 }

[realms]
 MY.REALM = {
  kdc = muster.musterfirma.com
 }
 OTHER.REALM = {
  v4_instance_convert = {
   kerberos = kerberos
   computer = computer.some.other.domain
  }
 }

[domain_realm]
 .my.domain = muster.musterfirma.com

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
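The exchange the reply describes between Squid and wbinfo_group.pl, as an added example that is not part of the post and not the Samba or Squid project's code: Squid writes one request line per lookup to the helper (the %LOGIN value followed by the group name(s) from the acl line) and the helper answers OK or ERR. The membership table AD_GROUPS, the user names and the group name "staff" are constructed stand-ins for what the real helper obtains from winbind via wbinfo; everything else follows the protocol the squid.conf snippet relies on.

```python
"""Emulation of the Squid external ACL exchange served by wbinfo_group.pl.

Added example, not code from the mailing-list post or from Squid/Samba.
With
    external_acl_type winbind_group_helper %LOGIN /usr/lib/squid/wbinfo_group.pl
    acl lehrer external winbind_group_helper g_privileged_users
Squid sends the helper lines such as "jdoe g_privileged_users" and
expects "OK" or "ERR" back, one answer per request line, in order.
"""
import sys
from urllib.parse import unquote

# Constructed stand-in for winbind's answer to "which groups is this user in".
# Names are given the way "winbind use default domain = yes" together with
# "winbind separator = +" presents them: no DOMAIN+ prefix.
AD_GROUPS = {
    "jdoe": {"staff", "g_privileged_users"},
    "asmith": {"staff"},
}

WINBIND_SEPARATOR = "+"  # mirrors the smb.conf setting


def normalize_user(login: str) -> str:
    """URL-decode the login (Squid may %-encode it), lower-case it and
    drop a DOMAIN+ prefix if a client supplied one."""
    login = unquote(login).lower()
    if WINBIND_SEPARATOR in login:
        login = login.split(WINBIND_SEPARATOR, 1)[1]
    return login


def user_groups(login: str) -> set:
    """Stand-in for the wbinfo group lookup; returns lower-cased group names."""
    return {g.lower() for g in AD_GROUPS.get(normalize_user(login), set())}


def decide(request_line: str) -> str:
    """Answer one Squid request line: "<login> <group> [<group> ...]".

    OK  - the login belongs to at least one of the listed groups
    ERR - otherwise, including malformed requests (fail closed)
    """
    fields = request_line.strip().split()
    if len(fields) < 2:
        return "ERR"
    login, wanted = fields[0], fields[1:]
    groups = user_groups(login)
    return "OK" if any(g.lower() in groups for g in wanted) else "ERR"


def run_helper(lines):
    """Serve a whole session: one answer per request line, same order."""
    return [decide(line) for line in lines]


def main():
    # Constructed session, as Squid would write it for three requests.
    session = [
        "jdoe g_privileged_users",
        "asmith g_privileged_users",
        "MUSTER+jdoe g_privileged_users",
    ]
    for req, ans in zip(session, run_helper(session)):
        print(f"{req!r} -> {ans}")
    # Used as a real helper, Squid pipes requests on stdin and reads stdout.
    if not sys.stdin.isatty():
        for line in sys.stdin:
            sys.stdout.write(decide(line) + "\n")
            sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The decision fails closed: an empty or truncated request line yields ERR rather than OK, which is the behaviour one wants from anything sitting on the allow path of http_access.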
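Step 4 of the outline (modify the squid.conf) and the attached snippet both hinge on three directives referring to each other correctly: external_acl_type defines a helper, acl names that helper, and http_access names the acl. The checker below is an added example, not code from the post or from the Squid project; it parses only those three directive kinds and reports references that Squid would reject at startup or that would silently grant nothing. SQUID_CONF_AS_POSTED and SQUID_CONF_FIXED are constructed inputs; "all" is treated as predefined because Squid 3.2 and later define it built-in (older versions need an explicit `acl all src` line in the full configuration).

```python
"""Consistency check for the ACL wiring in a squid.conf fragment.

Added example; not the post's code and not Squid's own parser.  It
understands just `acl`, `external_acl_type` and `http_access`, enough to
catch the classic mistakes: an http_access rule naming an ACL that was never
defined, an external acl naming a helper that was never declared, and
ACLs or helpers that are declared but never used.
"""

BUILTIN_ACLS = {"all"}  # predefined in Squid 3.2+; older versions define it in the default config


def parse_squid_conf(text: str):
    """Return (acls, helpers, rules) from a squid.conf fragment.

    acls    - {acl_name: [(acl_type, [args...]), ...]}
    helpers - {external_acl_type names}
    rules   - [(action, [acl_ref, ...]), ...] from http_access lines
    """
    acls, helpers, rules = {}, set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        directive = fields[0]
        if directive == "acl" and len(fields) >= 3:
            acls.setdefault(fields[1], []).append((fields[2], fields[3:]))
        elif directive == "external_acl_type" and len(fields) >= 2:
            helpers.add(fields[1])
        elif directive == "http_access" and len(fields) >= 2:
            rules.append((fields[1], fields[2:]))
    return acls, helpers, rules


def lint(text: str, builtin=BUILTIN_ACLS):
    """Return a list of human-readable problems; empty list means consistent."""
    acls, helpers, rules = parse_squid_conf(text)
    problems, used_acls, used_helpers = [], set(), set()

    for action, refs in rules:
        for ref in refs:
            name = ref[1:] if ref.startswith("!") else ref  # "!acl" negates
            used_acls.add(name)
            if name not in acls and name not in builtin:
                problems.append(f"http_access {action}: ACL '{name}' is not defined")

    for name, definitions in acls.items():
        for acl_type, args in definitions:
            if acl_type != "external":
                continue
            if not args:
                problems.append(f"acl {name}: external ACL needs a helper name")
                continue
            used_helpers.add(args[0])
            if args[0] not in helpers:
                problems.append(
                    f"acl {name}: helper '{args[0]}' has no external_acl_type line")

    for name in acls:
        if name not in used_acls:
            problems.append(f"acl '{name}' is defined but no http_access rule uses it")
    for helper in sorted(helpers - used_helpers):
        problems.append(f"external_acl_type '{helper}' is defined but no acl uses it")
    return problems


# Constructed input: the snippet as it appeared in the post, where the
# http_access line names the AD group instead of the acl.
SQUID_CONF_AS_POSTED = """
external_acl_type winbind_group_helper %LOGIN /usr/lib/squid/wbinfo_group.pl
acl lehrer external winbind_group_helper g_privileged_users
http_access allow g_privileged_users
http_access deny all
"""

# Constructed input: the same snippet with http_access referring to the acl.
SQUID_CONF_FIXED = """
external_acl_type winbind_group_helper %LOGIN /usr/lib/squid/wbinfo_group.pl
acl lehrer external winbind_group_helper g_privileged_users
http_access allow lehrer
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("as posted", SQUID_CONF_AS_POSTED), ("fixed", SQUID_CONF_FIXED)):
        print(f"--- {label} ---")
        for p in lint(conf) or ["no problems found"]:
            print(p)
```

Running it against the as-posted fragment reports the undefined ACL and the unused acl line; the fixed fragment passes. A check of this kind is worth running before step 5 of the outline, since `squid -k parse` catches the undefined name but not an acl that is defined and simply never reached.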