 

CentOS 5.2 + squid + sams + ntlm + AD

08 Янв


Задача: доступ в инет около 400 пользователей домена Windows Server 2003 с AD-авторизацией
PDC:
IP: 192.168.100.1 OS: Windows Server 2003 Server name: winserver.firma.local AD: FIRMA.LOCAL
IP шлюза: 192.168.100.220 OS: CentOS 5.2
Решение: использование прокси Squid, администрирование пользователей с помощью SAMS с авторизацией по доменным аккаунтам пользователей.



Пакеты, необходимые для работы с авторизацией в AD:

SQUID
cat /var/log/rpmpkgs | grep squid
squid-2.6.STABLE6-5.el5_1.3.i386.rpm

MySQL-server
MySQL-client
mysql-devel — файлы заголовков для mysql
php-mysql — библиотека поддержки mysql в php
cat /var/log/rpmpkgs | grep mysql
libdbi-dbd-mysql-0.8.1a-1.2.2.i386.rpm
mod_auth_mysql-3.0.0-3.1.i386.rpm
mysql-5.0.45-7.el5.i386.rpm
mysql-connector-odbc-3.51.12-2.2.i386.rpm
mysql-devel-5.0.45-7.el5.i386.rpm
mysql-server-5.0.45-7.el5.i386.rpm
php-mysql-5.1.6-20.el5.i386.rpm

apache
cat /var/log/rpmpkgs | grep httpd
httpd-2.2.3-11.el5_1.centos.3.i386.rpm
httpd-manual-2.2.3-11.el5_1.centos.3.i386.rpm
system-config-httpd-1.3.3.3-1.el5.noarch.rpm

mod_php (модуль php для apache)
php — консольный php
php-ldap — библиотека поддержки ldap в php

cat /var/log/rpmpkgs | grep php
php-5.1.6-20.el5.i386.rpm
php-cli-5.1.6-20.el5.i386.rpm
php-common-5.1.6-20.el5.i386.rpm
php-ldap-5.1.6-20.el5.i386.rpm
php-mbstring-5.1.6-20.el5.i386.rpm
php-mysql-5.1.6-20.el5.i386.rpm
php-pdo-5.1.6-20.el5.i386.rpm

php-gd — модуль поддержки libgd в php (используется для рисования графиков)
yum install php-gd

libgd — библиотека поддержки графики
yum install gd-devel

libpcre -библиотека
libpcre-devel -файлы заголовков libpcre

yum install pcre*
pcre-devel

Настройка samba

 

#rpm -q samba
samba-3.0.33-3.15.el5_4

#cat /etc/samba/smb.conf

[global]

workgroup = FIRMA
server string = sams
security = ADS
hosts allow = 192.168.100. 127.
bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 500
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
password server = winserver.firma.local
encrypt passwords = true
realm = FIRMA.LOCAL
auth methods = trustdomain
winbind use default domain = yes
dns proxy = no
os level = 0
preferred master = no
wins proxy = no
unix charset = UTF-8
dos charset = cp866
display charset = UTF-8
winbind separator = +
winbind use default domain = yes
winbind uid = 10000-15000
winbind gid = 10000-15000
winbind enum users = yes
winbind enum groups = yes

 

#service smb start

 

Правим файл /etc/hosts

127.0.0.1 centos52.firma.local centos52 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.100.1 winserver.firma.local winserver

Правим файл /etc/resolv.conf

cat /etc/resolv.conf
search firma.local
nameserver 192.168.100.1
nameserver 192.168.100.220

Настраиваем Керберос

#yum install krb5-libs

#cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = FIRMA.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
FIRMA.LOCAL = {
kdc = winserver.firma.local
admin_server = winserver.firma.local
default_domain = firma.local
}

[domain_realm]
.firma.local = FIRMA.LOCAL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Правим файл /etc/nsswitch.conf

cat /etc/nsswitch.conf

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files winbind
shadow: files
group: files winbind

#hosts: db files nisplus nis dns
hosts: files dns

# Example — obey only what nisplus tells us…
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: nisplus

publickey: nisplus

automount: files nisplus
aliases: files nisplus

Получаем билет

#kinit -p administrator
administrator@FIRMA.LOCAL’s Password:
kinit: NOTICE: ticket renewable lifetime is 1 week

Если вам отвечает kinit: krb5_get_init_creds: unable to reach any KDC in realm FIRMA.LOCAL
То косяк в конфиге /etc/krb5.conf или со временем (date): оно не должно расходиться со временем сервера 2003.

Проверяем, получили ли мы ticket

#klist

Подключаемся к ДОМЕНУ

#net ads join -U administrator
administrator’s password:
Using short domain name — FIRMA
Joined ‘CENTOS52’ to realm ‘FIRMA.LOCAL’
#service winbind start

#service winbind status

Проверка работы winbind

#wbinfo -t

#wbinfo -p

Проверяем, видит ли Samba группы и пользователей домена

#wbinfo -u

#wbinfo -g

#id iivanov
uid=10001(iivanov) gid=10004(пользователи домена) группы=10004(пользователи домена),10006(internet),10001(BUILTIN+users)

Запуск mysql

#service mysqld start
Инициализируется база данных MySQL: Installing MySQL system tables…
OK
Filling help tables…
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password ‘new-password’
/usr/bin/mysqladmin -u root -h centos52.block.lg.ua password ‘new-password’
See the manual for more instructions.
You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

#/usr/bin/mysqladmin -u root password 'new-password'
#/usr/bin/mysqladmin -u root -h centos52.firma.local password 'new-password'

Настройка Apache

Добавить в /etc/httpd/conf/httpd.conf

Для работы squirrelmail при включённом safe_mode в php (safe_mode = on):

<Directory /usr/share/squirrelmail>
php_admin_flag safe_mode off
</Directory>

<Directory /var/lib/squirrelmail>
php_admin_flag safe_mode off
</Directory>

#service httpd start

Установка SAMS

#wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/PavelVinogradov:/SAMS/CentOS_5/i386/sams-1.0.4-60.1.i386.rpm

Настройка php для sams

#vi /etc/php.ini
safe_mode = On
safe_mode_exec_dir = "/usr/share/sams/bin"
extension=mysql.so

Настройка mysql для sams

Для удобства администрирования mysql используем phpMyAdmin:
#wget http://ignum.dl.sourceforge.net/project/phpmyadmin/phpMyAdmin/2.11.9.6/phpMyAdmin-2.11.9.6-english.tar.gz
развернуть в /var/www/html/phpmyadmin (путь к данным web-сервера)
зайти на http://192.168.100.220/phpmyadmin (root без пароля, если он не был изменён на шаге выше)
Дать grant для sams на его базы
изменить пароль для пользователя sams
прописать пароль пользователя sams в /etc/sams.conf (параметр MYSQLPASSWORD)

Настройка squid

# WELCOME TO SQUID 2.6.STABLE6
# —————————-
#
# This is the default Squid configuration file. You may wish
# to look at the Squid home page (http://www.squid-cache.org/)
# for the FAQ and other documentation.
#
# The default Squid config file shows what the defaults for
# various options happen to be. If you don’t need to change the
# default, you shouldn’t uncomment the line. Doing so may cause
# run-time problems. In some cases «none» refers to no default
# setting at all, while in other cases it refers to a valid
# option — the comments for that keyword indicate if this is the
# case.
#
….

#Default:
http_access deny all

# for sams
#Recommended minimum configuration per scheme:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
##auth_param basic realm Squid Proxy-Server
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

#service squid start

Настройка Sams 1.0.4

#cat /etc/sams.conf
[client]
SQUID_DB=squidlog
SAMS_DB=squidctrl
MYSQLHOSTNAME=localhost
MYSQLUSER=sams
MYSQLPASSWORD=samspass
MYSQLVERSION=4.0
SQUIDCACHEFILE=access.log
SQUIDROOTDIR=/etc/squid
SQUIDLOGDIR=/var/log/squid
SQUIDCACHEDIR=/var/spool/squid
SAMSPATH=/usr
SQUIDPATH=/usr/sbin
SQUIDGUARDLOGPATH=/var/log
SQUIDGUARDDBPATH=/var/db/squidguard
RECODECOMMAND=iconv -f KOI8-R -t 866 %finp > %fout
LDAPSERVER=192.168.100.1
LDAPBASEDN=firma.local
LDAPUSER=administrator
LDAPUSERPASSWD=adminpass
LDAPUSERSGROUP=Users
REJIKPATH=/usr/local/rejik
SHUTDOWNCOMMAND=shutdown -h now
CACHENUM=0

#service sams start

http://192.168.100.220/sams/

 