Thank you very much for the howto you sent me.

Regards.
----- Original Message ----- 
From: "Mauricio López" <[email protected]>
To: "Soporte técnico para Software Libre y GNU/Linux." <[email protected]>
Sent: Thursday, April 23, 2009 12:23 PM
Subject: Re: [linux-l] Squid + Windows domain.


> Here are a couple of howtos, I hope they are of some use to you
>
> Squid authentication against Active Directory
> Source: Pablo Sarubbi - Efraim Wainerman
> Tuesday, 06 March 2007
> In this article we will look at one of the ways to install and configure
> Squid so that it authenticates against a Windows 2003 server with Active
> Directory.
>
> For this we chose the Etch version of Debian. Once it is installed and
> updated, we proceed to install the additional software, using the
> much-loved apt-get install command:
>
>    * squid
>    * squid-common
>    * samba-common
>    * libsmbclient
>    * smbclient
>    * libkrb53
>    * krb5-kdc
>    * krb5-config
>    * krb5-user
>    * winbind
>
> After making sure that all these packages are installed, we have to
> touch a couple of configuration files:
>
> /etc/squid/squid.conf
> # Active Directory configuration
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid Proxy Server
> auth_param basic credentialsttl 2 hours
> # Only allow authenticated users to use the proxy
> acl authenticated_users proxy_auth REQUIRED
> ...
> http_access allow authenticated_users
>
> /etc/samba/smb.conf
> [global]
> netbios name = proxyserver
> realm = DOMAIN.COM
> workgroup = DOMAIN
> security = ADS
> password server = dc01.domain.com dc02.domain.com dc03.domain.com
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> idmap uid = 10000-20000
> winbind enum users = yes
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind separator = +
> winbind use default domain = yes
> encrypt passwords = yes
> log level = 3 passdb:5 auth:10 winbind:5
>
> /etc/krb5.conf
> [libdefaults]
> ticket_lifetime = 600
> default_realm = DOMAIN.COM
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> dns_lookup_realm = false
> dns_lookup_kdc = false
> [realms]
> DOMAIN.COM = {
> kdc = dc01.domain.com:88
> kdc = dc02.domain.com:88
> kdc = dc03.domain.com:88
> admin_server = dc01.domain.com:749
> default_domain = DOMAIN.COM
> }
> [domain_realm]
> .domain.com = DOMAIN.COM
> domain.com = DOMAIN.COM
>
> [kdc]
> profile = /etc/krb5kdc/kdc.conf
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
> /etc/pam.d/samba
>
> auth required pam_nologin.so
> auth required pam_stack.so service=system-auth-winbind
> account required pam_stack.so service=system-auth-winbind
> session required pam_stack.so service=system-auth-winbind
> password required pam_stack.so service=system-auth-winbind
>
> /etc/pam.d/squid
> auth required /lib/security/pam_stack.so service=system-auth-winbind
> account required /lib/security/pam_stack.so service=system-auth-winbind
>
> /etc/pam.d/system-auth
>
> auth required pam_env.so
> auth sufficient pam_unix.so likeauth nullok
> auth required pam_deny.so
> account required pam_unix.so
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
> password sufficient pam_unix.so nullok md5 shadow use_authtok
> password required pam_deny.so
> session required pam_limits.so
> session required pam_unix.so
>
> Then, and this is very important, as a network administrator user we
> run:
> net ads join Servers/Linux -U AdminAcct -S dc01.domain.com
>
> In theory that should be it.
> Good luck
> Links:
> 1. http://www.squid-cache.org/Doc/FAQ/FAQ_long.html#winbind
> 2. http://info.ccone.at/INFO/Samba-2.2.12/winbindd.8.html
> 3. http://acd.ucar.edu/~fredrick/linux/samba3/
> 4. http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain
>
>
> Note 1:
> root# wbinfo -u --> lists all users in the network
> root# wbinfo -g --> lists all groups in the network
> root# getent passwd --> shows the full data of each user
> root# getent group --> shows the full data of each group
>
>
> Configuring Squid on Linux to authenticate with Active Directory
> Introduction
>
> PaperCut Internet Charging and Quotas requires a proxy server to
> manage Internet connectivity and log internet usage by your users. If
> you would like to use Squid on Linux/Unix as your proxy with PaperCut,
> then your Squid proxy needs to be configured to authenticate users
> with Windows. This allows Squid to log usernames in the Squid access
> logs and allows only users with remaining Internet Quota access to the
> Internet. (If you would prefer to run Squid on Windows, then read our
> article Installing and configuring SquidNT. Setting up the
> authentication with the windows domain is considerably simpler than
> configuring LDAP on Linux/Unix)
>
> This document describes how to configure Squid to authenticate with a
> Windows Active Directory and only allow Internet Access to users that
> are members of a particular Windows security/domain group.
>
> Microsoft Active Directory is an LDAP v3 compliant directory and
> therefore can be used as a mechanism to authenticate users. Squid
> supports LDAP v3 as an authentication method. You can achieve similar
> results by using Samba and Winbind, however that process is much more
> involved and requires the Squid server machine to become a member of
> the domain.
>
> Using the Squid LDAP authentication helpers, you can achieve Active
> Directory user authentication with some simple Squid configuration.
> There is no need to implement full Samba Winbind integration.
>
> You will require Squid 2.5 or greater (with LDAP helpers). Some
> information on these modules can be found here:
>
>    * http://www.die.net/doc/linux/man/man8/squid_ldap_auth.8.html
>    * http://www.die.net/doc/linux/man/man8/squid_ldap_group.8.html
>
> If your Squid installation has LDAP support compiled in, you will find
> 2 files in "/usr/lib/squid/" (or your equivalent location where Squid
> is installed)
>
>    * ldap_auth (or sometimes named squid_ldap_auth)
>    * squid_ldap_group
>
> These files perform LDAP authentication and group membership checks
> against an LDAP server of your choice. E.g. Active Directory on
> Windows, or OpenLDAP (or another LDAP server) on Novell, Linux, Solaris,
> etc.
> Configuring Squid LDAP Authentication
>
> The first step is to configure Squid to authenticate
> usernames/passwords with the Active Directory. You will need to open
> your Squid configuration file (squid.conf) and make the following
> changes:
>
> Find the auth param section of the config file (TAG: auth_param), and
> change the auth param basic program line to look like this. (Indented
> text indicates one line)
>
>    auth_param basic program /usr/lib/squid/ldap_auth -R
>        -b "dc=vm-domain,dc=papercut,dc=com"
>        -D "cn=Administrator,cn=Users,dc=your,dc=domain,dc=com"
>        -w "password" -f sAMAccountName=%s -h 192.168.1.75
>    auth_param basic children 5
>    auth_param basic realm Your Organisation Name
>    auth_param basic credentialsttl 5 minutes
>
> These settings tell Squid to authenticate names/passwords in the Active
> Directory.
>
>    * The -b option indicates the LDAP base distinguished name of your
> domain. E.g. your.domain.com would be dc=your,dc=domain,dc=com
>    * The -D option indicates the user that is used to perform the
> LDAP query (e.g. an Administrator). This example uses the built-in
> Administrator user, however you can use another user of your choice.
>    * The -w option is the password for the user specified in the -D
> option. For better security you can store the password in a file and
> use the -W /path/to/password_file syntax instead.
>    * -h is used to indicate the LDAP server to connect to. E.g. your
> domain controller.
>    * -R is needed to make Squid authenticate against Windows AD.
>    * The -f option is the LDAP query used to look up the user. In the
> above example, sAMAccountName=%s will match if the user's Windows
> logon name matches the username entered when prompted by Squid. You
> can search any value in the LDAP filter query. You may need to use an
> LDAP search query tool to help get the syntax correct for the -f
> search filter.
>    * The %s is replaced with what the user enters as their username.
>
> Remember to restart Squid for these changes to come into effect.
> Configuring Group Based Internet Access
>
> Once the user has authenticated, you can define which users have
> access to network resources (i.e. the internet) using Squid access
> control lists (ACLs). Squid ACLs are a complex topic and allow very
> sophisticated control. This document only describes the basic
> configuration required to allow Active Directory / LDAP group checking
> - a requirement for PaperCut to deny/allow internet access. For
> further information on ACL syntax and configuration see the Squid
> documentation and FAQ.
>
> In the Squid configuration file, find the external ACL section (TAG:
> external_acl_type) and specify the following external ACL (Inetgroup
> is arbitrary, make this anything appropriate). Note that this is all
> on one line.
>
>    external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -R
>        -b "dc=vm-domain,dc=papercut,dc=com"
>        -D "cn=Administrator,cn=Users,dc=your,dc=domain,dc=com"
>        -w "password"
>        -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,cn=users,dc=your,dc=domain,dc=com))"
>        -h 192.168.1.75
>
> Most of this is similar to the LDAP authentication section above. The
> variable %v relates to the username and %a is the group given in the
> ACL (below). Ensure that the "memberof" filter is adjusted to where
> your LDAP internet group is defined. E.g. if you have an
> organizational unit called "your.domain.com/students", and this contains
> a group called "InternetAccessGroup", then the "memberof" part of the
> filter should be: memberof=cn=%a,ou=students,dc=your,dc=domain,dc=com
>
> Then enter the values below in the ACL area (Tag: acl) of squid.conf,
> modifying your internal subnet as appropriate.
>
>    acl localnet src 192.168.1.0/24
>    acl authenticated_users proxy_auth REQUIRED
>
>    acl InetAccess external InetGroup InternetAccessGroup
>
> The ACL name InetAccess is arbitrary and can be changed to
> suit your environment. InetGroup is the External ACL name created
> above. The Active Directory group that allows internet access is
> InternetAccessGroup. This is the name of the matching group in the
> Active Directory.
>
> Now that you have completed the ACLs you can reference them in the
> http_access area of squid.conf:
>
>    http_access allow InetAccess
>
> You will need to restart Squid for these changes to come into effect.
>
> You should then be able to try to access the Internet using Squid, and
> should be prompted for your Windows username and password. Only
> authenticated users AND users belonging to the "InternetAccessGroup"
> will be allowed access to the internet. Test this by manually adding
> and removing users from the group using the Active Directory user
> management tools. The users should be granted/denied access depending
> on their AD group membership.
>
> NOTE: If you have the need to deny Internet access for members of
> another Windows security group, you can set up an "InternetDenyGroup"
> the same way as above and then define an InetDeny ACL. You can then
> specify an http_access deny rule as follows:
>
>    http_access deny InetDeny
>
> Acknowledgments
>
> Thanks to Ryan Brinch (Network Administrator, Linwood College, New
> Zealand) for his assistance helping PaperCut Software write this
> guide. Ryan would also like to thank Stephen Fergusson, for helping in
> the reviewing and checking this document.
>
> If you'd like to know more about our print management and print
> accounting program please visit our home page.
>
> keywords: squid, LDAP, linux proxy, papercut squid integration, proxy
> net quotas
>
> Categories: ProxyServers
>
>
> On 4/16/09, katy <[email protected]> wrote:
>> Greetings:
>>
>> Does anyone know how to get Squid to authenticate with the same Windows
>> domain users? I was reading some documentation I was given and it says
>> it may be possible, but it says nothing more; it is a document from 1999
>> and I have no Internet access or anyone to turn to in order to get
>> documentation on this. If anyone knows anything about this, it would be
>> a great help to me.
>>
>> Thank you very much.
>>
>>
>> _______________________________________________
>> Unsubscribe
>> https://listas.softwarelibre.cu/mailman/listinfo/linux-l
>> Search the archive
>> http://listas.softwarelibre.cu/buscar/linux-l
>>
>
>
> -- 
> ----
> Mauricio López
> Linux User: 373384
>
> " ...I have brought you something
> a bright glow in the firmament
> My heart burns"

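The second howto above configures squid_ldap_group as an external ACL helper and explains the %LOGIN / %v / %a substitutions and why the "memberof" part of the filter must point at the container where the group really lives. The following is an added example, not code from the thread, from Squid or from PaperCut: a toy stand-in for that helper that speaks the same one-line-in, OK/ERR-out contract, builds the page's search filter with the substituted values escaped, and answers the membership question from a small constructed directory instead of a domain controller. The container DN (cn=Users,dc=your,dc=domain,dc=com) is taken from the page's filter; the entries in DIRECTORY are invented sample data.

```python
"""Toy stand-in for squid_ldap_group (added example, not Squid's or PaperCut's code).

Squid starts the helper named in external_acl_type and writes one line per
lookup on its stdin: the %LOGIN value and the group named on the acl line
("alice InternetAccessGroup"). The helper answers "OK" or "ERR". The real
helper runs the (&(objectclass=person)(sAMAccountName=%v)(memberof=...))
search from the page against a domain controller; here the lookup is
answered from a constructed in-memory directory so the logic runs offline.
"""
import sys

# Group container from the page's filter (memberof=cn=%a,cn=users,dc=your,...).
GROUP_CONTAINER = "cn=Users,dc=your,dc=domain,dc=com"

# Constructed sample entries (assumption, not data from a real domain).
DIRECTORY = [
    {"objectclass": "person", "sAMAccountName": "alice",
     "memberOf": ["cn=InternetAccessGroup,cn=Users,dc=your,dc=domain,dc=com"]},
    {"objectclass": "person", "sAMAccountName": "bob", "memberOf": []},
    # carol's group lives under ou=students, as in the page's second example
    {"objectclass": "person", "sAMAccountName": "carol",
     "memberOf": ["cn=InternetAccessGroup,ou=students,dc=your,dc=domain,dc=com"]},
]


def ldap_escape(value):
    """RFC 4515 escaping of filter metacharacters in a substituted value.

    The %v / %a values come from the browser's proxy login and from the acl
    line; escaping keeps them from changing the structure of the filter.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_group_filter(user, group, container=GROUP_CONTAINER):
    """The search filter the page configures, with %v and %a filled in."""
    return "(&(objectclass=person)(sAMAccountName=%s)(memberof=cn=%s,%s))" % (
        ldap_escape(user), ldap_escape(group), container)


def is_member(user, group, container=GROUP_CONTAINER, directory=DIRECTORY):
    """Evaluate that filter against the sample directory.

    sAMAccountName and DN comparisons are case-insensitive in Active
    Directory, so both sides are lower-cased; memberOf must match the full
    group DN, which is why the container in the filter has to be where the
    group really lives (cn=Users vs ou=students).
    """
    target = ("cn=%s,%s" % (group, container)).lower()
    for entry in directory:
        if entry["objectclass"] != "person":
            continue
        if entry["sAMAccountName"].lower() == user.lower():
            return any(dn.lower() == target for dn in entry["memberOf"])
    return False


def handle_line(line, container=GROUP_CONTAINER):
    """One request/response of the Squid 2.5 external_acl helper protocol."""
    parts = line.split()
    if len(parts) != 2:          # malformed request: fail closed
        return "ERR"
    user, group = parts
    return "OK" if is_member(user, group, container) else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()       # Squid waits for each answer before the next lookup


if __name__ == "__main__":
    main()
```

Run it as `printf 'alice InternetAccessGroup\n' | python3 helper.py` to see the exchange Squid has with the helper named on the external_acl_type line. Note that carol is denied with the page's default cn=Users container even though she is in an InternetAccessGroup, which is exactly the misconfiguration the "memberof" paragraph warns about; pass "ou=students,dc=your,dc=domain,dc=com" as the container and she is allowed.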
