Hi
What you are trying to do is definitely possible.
Unfortunately I haven't compiled squid from source, but instead used
the prebuilt Debian package. Therefore I can't really help you with the
compilation flags. However, they seem to be reasonable.
> I need to configure krb5.conf to point to AD as Default_realm on CentOS 5.4 too, right?
Yes. This has to be done. I have attached my krb5.conf to this mail, so
that you can compare.
> I think that I need to make CentOS 5.4 a member of the domain? Am I right, or is it not necessary?
As far as I know, this is necessary and I have done it for my setup.
Just do a net join -U administrator to make your machine a domain
member. However, before that you need to change some lines
in /etc/samba/smb.conf. I have also attached the relevant lines to this
e-mail, as I have them in my smb.conf.
> How will these specific AD users (with internet access allowed) be told/mentioned to squid?
They will, for example, be told by an ACL line using the wbinfo_group.pl
script. A prerequisite for this is, however, that the people who should
have squid access are all in a group in your Active Directory. (More
groups are also possible, as long as everyone in the groups should be
granted access.) Squid will then query the Active Directory whether the
user (identified by his login+password) belongs to the group you defined
in your ACL. If so, squid will grant the request, otherwise squid will
deny it. I have attached the relevant part of the squid.conf to this
mail as a reference for you (the privileged group).
You will probably also have to change the nsswitch.conf. I have also
attached the relevant snippet of mine.
You can use this information as a starting point. Getting squid to work
with an Active Directory can be quite tricky and you will probably
experience some problems along the way. However, don't hesitate to ask on
the list, as many of these problems can be debugged quite
straightforwardly.
Here is an outline of the order in which you should try to get things working:
1) Modify the smb.conf, nsswitch.conf and krb5.conf
2) After restarting samba and winbind, do net join -U administrator
3) Check whether everything is working via wbinfo -g and wbinfo -t
4) Modify the squid.conf
5) Restart squid and test things.
Hopefully this helps you a bit.
Greetings
Benedikt
# relevant lines from squid.conf
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
# the helper receives the login name (%LOGIN) and the AD group name to test
external_acl_type winbind_group_helper %LOGIN /usr/lib/squid/wbinfo_group.pl
# "lehrer" is the ACL name; g_privileged_users is the AD group it checks
acl lehrer external winbind_group_helper g_privileged_users
http_access allow lehrer
http_access deny all
# relevant lines from /etc/samba/smb.conf (they belong in the [global] section)
[global]
security = ADS
realm = muster.musterfirma.com
password server = *
dns proxy = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = true
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
# /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/ksadmind.log
[libdefaults]
# Kerberos realm names are case-sensitive; the AD realm is the upper-case
# DNS domain name, and it must match the entry under [realms] below
default_realm = MUSTER.MUSTERFIRMA.COM
clockskew = 300
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
[realms]
MUSTER.MUSTERFIRMA.COM = {
kdc = muster.musterfirma.com
}
OTHER.REALM = {
v4_instance_convert = {
kerberos = kerberos
computer = computer.some.other.domain
}
}
[domain_realm]
# map the DNS domain (and hosts below it) to the realm
.muster.musterfirma.com = MUSTER.MUSTERFIRMA.COM
muster.musterfirma.com = MUSTER.MUSTERFIRMA.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
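A check worth running on the step 1 files before the net join, added here as an example and not part of Benedikt's mail: it parses krb5.conf and the smb.conf lines and reports a default_realm that has no [realms] entry, a realm that is not upper case (Active Directory realm names are), and an smb.conf realm that differs from the Kerberos default_realm. The function names and the sample configs are constructed; the samples mirror the krb5.conf shape as it was posted and a corrected version.

```python
# Added example (not from the original mail): a pre-"net join" check for
# step 1. Function names and the sample configs are constructed.
import re

def parse_krb5(text):
    """Return (default_realm, set of realm names defined under [realms])."""
    section, depth, default_realm, realms = None, 0, None, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # krb5.conf uses '#' comments
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if m and m.group(2) == "{":               # start of a nested block
            if section == "realms" and depth == 0:
                realms.add(m.group(1))
            depth += 1
        elif line == "}":
            depth -= 1
        elif m and section == "libdefaults" and m.group(1) == "default_realm":
            default_realm = m.group(2)
    return default_realm, realms

def check(krb5_text, smb_text):
    """Return a list of problem strings; an empty list means the files agree."""
    problems = []
    default_realm, realms = parse_krb5(krb5_text)
    if default_realm is None:
        problems.append("krb5.conf: no default_realm in [libdefaults]")
    else:
        if default_realm != default_realm.upper():   # AD realm names are upper case
            problems.append("krb5.conf: default_realm %s is not upper case" % default_realm)
        if default_realm not in realms:
            problems.append("krb5.conf: no [realms] entry for %s" % default_realm)
    m = re.search(r"^\s*realm\s*=\s*(\S+)", smb_text, re.I | re.M)
    if m is None:
        problems.append("smb.conf: no 'realm =' line")
    elif default_realm and m.group(1).upper() != default_realm.upper():
        problems.append("smb.conf realm %s differs from default_realm %s" % (m.group(1), default_realm))
    return problems

# Constructed samples: the krb5.conf shape as posted in the mail, and a corrected one.
KRB5_POSTED = ("[libdefaults]\ndefault_realm = muster.musterfirma.com\n"
               "[realms]\nMY.REALM = {\n kdc = muster.musterfirma.com\n}\n")
KRB5_FIXED = ("[libdefaults]\ndefault_realm = MUSTER.MUSTERFIRMA.COM\n[realms]\n"
              "MUSTER.MUSTERFIRMA.COM = {\n kdc = muster.musterfirma.com\n}\n")
SMB = "[global]\nsecurity = ADS\nrealm = muster.musterfirma.com\n"
```

Run check() against the real files' contents; a non-empty result is worth fixing before wbinfo -t is expected to succeed.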
Received on Sat Apr 03 2010 - 11:28:51 MDT
This archive was generated by hypermail 2.2.0 : Sat Apr 03 2010 - 12:00:02 MDT