2010/6/18 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> Murilo Moreira de Oliveira wrote:
>>
>> Hi Amos.
>>
>> Stop what? I've understood stop doing only step 4, right? Anyway, I
>
> Yes.
>
>> was following the
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5
>> article and I didn't find the wbpriv group on my CentOS 5.4 box (Yeah,
>> authconfig, krb5-workstation and samba-common are installed!). To
>> finish, I've used another CentOS 5.4 machine and installed from
>> scratch authconfig, krb5-workstation and samba-common and guess,
>> the /var/cache/samba/winbindd_privileged directory was created with 750
>> root:squid rights!
>>
>> I wonder, should I create the wbpriv group, assign the squid user to it and
>> make root:wbpriv the owner of the /var/cache/samba/winbindd_privileged
>> directory in order to make my environment more secure? Any help with
>> this will be very appreciated.
>
> Well, if it's done by the packaging for you then okay, it should be workable,
> even if not nicely. I'd go with the package defaults first and see if it
> goes before changing anything there.

My squid always worked this way, nicely or not :). I've presented my steps to
help Edouard Zorrilla. Anyway, I think I'll follow Joseph Casale's tips and
upgrade CentOS to version 5.5 and reconfigure authconfig, krb5-workstation and
samba-common in order to make my squid installation reflect the
http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5 article.

>
> Amos
>
>> 2010/6/16 Amos Jeffries <squid3@xxxxxxxxxxxxx>
>>>
>>> Murilo Moreira de Oliveira wrote:
>>>>
>>>> Hello. Follow below the steps I've used to get NTLM authentication
>>>> working.
>>>>
>>>> 1. # yum -y install authconfig krb5-workstation samba-common
>>>>
>>>> 2. [root@proxyweb ~]# authconfig --enableshadow --enablemd5
>>>>    --passalgo=md5 --krb5kdc=AD_SERVER.YOUR.FULL.DOMAIN
>>>>    --krb5realm=YOUR.FULL.DOMAIN --smbservers=AD_SERVER.YOUR.FULL.DOMAIN
>>>>    --smbworkgroup=YOUR_AD_GROUP --enablewinbind --enablewinbindauth
>>>>    --smbsecurity=ads --smbrealm=YOUR.FULL.DOMAIN
>>>>    --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431"
>>>>    --winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain
>>>>    --disablewinbindoffline --winbindjoin=SOME_DOMAIN_ADMIN --disablewins
>>>>    --disablecache --enablelocauthorize --updateall
>>>>
>>>> 3. # wbinfo --set-auth-user=YOUR_PROXY_USER%YOUR_PROXY_USER_PASSWORD
>>>>    This is the user that the proxy will use to validate users' credentials.
>>>>
>>>> 4. # chown root:squid /var/cache/samba/winbindd_privileged
>>>>
>>> Noooooooo! Ouch.
>>>
>>> This is a giant permissions hack to evade the strict security leash of
>>> cache_effective_group.
>>>
>>> The correct way to do this is to add the Squid proxy user to the system
>>> group which wbinfo normally lets access /var/cache/samba/winbindd_privileged
>>>
>>> ... and ensure cache_effective_group is MISSING from squid.conf.
>>>
>>> The result is that Squid acts like a proper low-privileged user account
>>> on the system. Same as any other user account with multiple groups.
>>>
>>> Amos
>>> --
>>> Please be using
>>>   Current Stable Squid 2.7.STABLE9 or 3.1.4
>
>
> --
> Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.4
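A way to verify the setup Amos recommends (the Squid user reaching winbindd's privileged directory through group membership, with no chown and no cache_effective_group), as an added shell check that is not from the thread or from the Squid project; it assumes GNU coreutils (stat -c, id -G) and takes the directory, user and squid.conf path as arguments so it can be pointed at any host or a test copy:

```shell
#!/bin/sh
# Added example, not part of the thread: check that the Squid user reaches
# winbindd's privileged pipe directory via group membership (Amos's advice),
# not via the 'chown root:squid' hack from step 4.
# Assumes GNU coreutils (stat -c, id -G). Paths are arguments, so the check
# can be run against a scratch directory as well as the real one.

check_winbind_privs() {
    dir="$1"    # normally /var/cache/samba/winbindd_privileged
    user="$2"   # the account Squid drops to, e.g. squid
    conf="$3"   # squid.conf to inspect; empty string skips that check
    rc=0

    [ -d "$dir" ] || { printf 'FAIL: %s is not a directory\n' "$dir"; return 1; }

    owner=$(stat -c '%U' "$dir")
    gid=$(stat -c '%g' "$dir")
    mode=$(stat -c '%a' "$dir")

    # The directory should stay root-owned: a non-root owner usually means
    # someone chown'ed it to work around cache_effective_group.
    [ "$owner" = root ] || printf 'WARN: owner is %s, expected root\n' "$owner"

    # 'other' permission bits (last octal digit) must be 0, as in 750.
    case "$mode" in
        *0) ;;
        *)  printf 'FAIL: mode %s grants access to everyone\n' "$mode"; rc=1 ;;
    esac

    # The Squid user must hold the directory's group (primary or
    # supplementary); that is how the kernel lets it into the directory.
    if id -G "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$gid"; then
        printf 'OK: %s is in gid %s of %s\n' "$user" "$gid" "$dir"
    else
        printf 'FAIL: %s is not in gid %s; add it with usermod -a -G\n' "$user" "$gid"
        rc=1
    fi

    # cache_effective_group pins Squid to one group and drops the
    # supplementary ones, which undoes the membership above, so it must be
    # absent (or commented out) in squid.conf.
    if [ -n "$conf" ] && grep -Eq '^[[:space:]]*cache_effective_group' "$conf"; then
        printf 'FAIL: %s sets cache_effective_group; remove it\n' "$conf"
        rc=1
    fi
    return $rc
}
```

Run it as `check_winbind_privs /var/cache/samba/winbindd_privileged squid /etc/squid/squid.conf`; a zero exit status means all three conditions hold.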