Murilo Moreira de Oliveira wrote:
Hello. Below are the steps I've used to get NTLM authentication working.
1. # yum -y install authconfig krb5-workstation samba-common
2. [root@proxyweb ~]# authconfig --enableshadow --enablemd5 \
   --passalgo=md5 --krb5kdc=AD_SERVER.YOUR.FULL.DOMAIN \
   --krb5realm=YOUR.FULL.DOMAIN --smbservers=AD_SERVER.YOUR.FULL.DOMAIN \
   --smbworkgroup=YOUR_AD_GROUP --enablewinbind --enablewinbindauth \
   --smbsecurity=ads --smbrealm=YOUR.FULL.DOMAIN \
   --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" \
   --winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain \
   --disablewinbindoffline --winbindjoin=SOME_DOMAIN_ADMIN --disablewins \
   --disablecache --enablelocauthorize --updateall
3. # wbinfo --set-auth-user=YOUR_PROXY_USER%YOUR_PROXY_USER_PASSWORD
This is the user that the proxy will use to validate users' credentials.
4. # chown root:squid /var/cache/samba/winbindd_privileged
Noooooooo! Ouch.
This is a giant permissions hack to evade the strict security leash of
cache_effective_group.
The correct way to do this is to add the Squid proxy user to the system
group which wbinfo normally lets access /var/cache/samba/winbindd_privileged
... and ensure cache_effective_group is MISSING from squid.conf.
The result is that Squid acts like a proper low-privileged user account
on the system. Same as any other user account with multiple groups.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.4
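
The setup recommended in the reply above can be checked with a short script. This is an added example, not part of the original thread: the account name `squid`, the path /etc/squid/squid.conf and the function names are assumptions, and the directory's group is read from the system rather than hard-coded.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed defaults: the proxy
# runs as user "squid" and reads /etc/squid/squid.conf; the directory path
# is the one quoted in the thread.

# Succeeds if an active (uncommented) cache_effective_group directive exists.
has_effective_group() {
    grep -Eq '^[[:space:]]*cache_effective_group([[:space:]]|$)' "$1"
}

# Succeeds if group $1 appears in the space-separated group list $2.
in_group_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_setup CONF DIR_GROUP USER_GROUPS: returns the number of problems found.
check_setup() {
    problems=0
    if has_effective_group "$1"; then
        echo "FAIL: cache_effective_group is set in $1; remove the directive"
        problems=$((problems + 1))
    fi
    if ! in_group_list "$2" "$3"; then
        echo "FAIL: proxy user is not in group '$2' (usermod -a -G $2 USER)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Live check, run as: sh check.sh run [CONF] [DIR] [USER]
if [ "${1:-}" = "run" ]; then
    conf=${2:-/etc/squid/squid.conf}
    dir=${3:-/var/cache/samba/winbindd_privileged}
    user=${4:-squid}
    [ -r "$conf" ] || { echo "cannot read $conf"; exit 3; }
    dir_group=$(stat -c %G "$dir") || exit 3      # group owning the directory
    user_groups=$(id -nG "$user") || exit 3       # all groups of the proxy user
    if [ "$dir_group" = "$(id -gn "$user")" ]; then
        echo "NOTE: $dir belongs to the proxy user's own group (chown hack?)"
    fi
    check_setup "$conf" "$dir_group" "$user_groups" && echo "OK"
fi
```

A group added with `usermod` takes effect only for processes started afterwards, so restart the proxy before re-running the check.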