#
## How-to para autenticação de usuário do Squid no Active Directory
##
## By, Sérgio Ferreira
##
## [EMAIL PROTECTED] - WGO Telecom
## [EMAIL PROTECTED] - Mitsubishi Motors
##
#
Squid autenticando no AD via winbind.
Neste tipo de autenticação, não aparecerá a janela pedindo
usuário e senha se o usuário já estiver autenticado no AD.
*** Preparar o ambiente
Compilar o kernel do FreeBSD com estas opções:
# Memory resources for Squid
# SysV IPC limits (message queues and shared memory). The diskd cache_dir used
# in squid.conf below relies on SysV IPC, so these caps bound how much the
# disk I/O helpers can queue and share. Confirm the values against the
# installed FreeBSD release's defaults before rebuilding the kernel.
options MSGMNB=16384 # max # of bytes in a queue
options MSGMNI=64 # number of message queue identifiers
options MSGSEG=512 # number of message segments per queue
options MSGSSZ=64 # size of a message segment
options MSGTQL=2048 # max messages in system
options SHMSEG=16 # max shared mem id's per process
options SHMMNI=32 # max shared mem id's per system
options SHMMAX=2097152 # max shared memory segment size (bytes)
options SHMALL=4096 # max amount of shared memory (pages)
*** Instalar o Samba
samba 3.0.x
./configure --with-winbind
Configurar o Samba (smb.conf):
# smb.conf for the winbind-backed Squid authentication described in this
# how-to. Only [global] is shown; no file shares are defined here.
[global]
# NOTE: smb.conf has no inline-comment syntax, so the "// nome NETBIOS" tail
# is read as part of the workgroup value. Replace the placeholder with the
# NetBIOS name of the AD domain and drop the trailing text.
workgroup = _NOME_DOMINIO_ // nome NETBIOS
# Low OS level so this host never wins browser elections against the DCs.
os level = 2
unix extensions = yes
# Failed logins are not mapped to the guest account.
# NOTE(review): documented values are Never / Bad User / Bad Password —
# confirm that "no" is accepted by the installed Samba.
map to guest = no
# NOTE(review): appears to be a synonym of "log level"; the "log level = 3"
# further down would then take precedence — confirm which value is in effect.
debug level = 1
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
# WINS server for NetBIOS name resolution (same host as the first password server).
wins server = 172.30.32.15
# File-share setting; irrelevant to proxy authentication but harmless here.
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
netbios name = PROXY01
# Domain member (NT4-style): credentials are validated by the DCs listed in
# "password server", and the join step below uses "net rpc join" accordingly.
security = domain
# NOTE(review): "realm" is consulted by "security = ads" (Kerberos); with
# "security = domain" it is not used — confirm whether ADS mode was intended.
realm = MMCB.INTRANET
# Domain controllers consulted for authentication, in order.
password server = 172.30.32.15, 172.30.32.95
# Challenge/response password exchange; required for domain membership.
encrypt passwords = yes
# Accounts from domains trusted by this one may authenticate too. Set to no
# if only this domain's users should be able to use the proxy.
allow trusted domains = yes
# NOTE(review): a two-id range (1-2) can map at most two AD accounts, and ids
# 1-2 collide with system accounts; a dedicated unused range is expected here — verify.
winbind uid = 1-2
winbind gid = 1-2
# Bare usernames are taken as belonging to this domain (no DOMAIN\ prefix needed).
winbind use default domain = yes
# Allow listing all users/groups; "wbinfo -u" / "wbinfo -g" below depend on this.
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = Yes
# NOTE(review): smb.conf does not process backslash escapes, so this may be a
# two-character separator; confirm whether a single "\" was intended.
winbind separator = \\
# Only these network prefixes may connect to Samba/winbind; all others are refused.
hosts allow = 172.30. 172.26. 172.28.
# Single log file. The path contains no %m, so despite the original note this
# is not one log per client machine.
log file = /var/log/samba/samba.log
# This sets an alternate log level. Default is 2.
# NOTE(review): Samba's documented default log level is 0 — verify for the installed version.
log level = 3
# Rotate the log once it reaches this size (KB).
max log size = 50
# NOTE(review): "interfaces" alone does not restrict the listening sockets;
# "bind interfaces only = yes" is needed for that — confirm if restriction was intended.
interfaces = 172.30.32.80/255.255.255.0
## Agora é preciso ingressar o servidor no domínio do AD
#/usr/local/samba/bin/net rpc join -S __NOME_DOMINIO__ -tmn -U
Administrator
password : ( forneça a senha do Administrador do AD )
Joined domain __NOME_DOMINIO__
Agora é só iniciar o serviço do winbind:
#/usr/local/samba/sbin/winbindd
## Se tudo estiver certo, poderá usar os comandos :
#wbinfo -t
checking the trust secret via RPC calls succeeded
#wbinfo -u
vai trazer a lista de usuários do AD
#wbinfo -g
vai trazer a lista de grupos do AD
*** Ok, agora vamos instalar o Squid e configurá-lo:
proxycat1# squid -v
Squid Cache: Version 2.6.STABLE13
configure options: '--enable-dlmalloc'
'--enable-storeio=diskd ufs'
'--disable-ident-lookups'
'--enable-carp'
'--enable-removal-policies=heap lru'
'--enable-icmp'
'--enable-delay-pools'
'--with-openssl'
'--enable-forw-via-db'
'--enable-default-err-language=Portuguese'
'--enable-err-languages=Portuguese English Spanish'
'--enable-poll'
'--enable-leakfinder'
'--enable-underscores'
'--enable-auth=basic digest ntlm'
'--enable-basic-auth-helpers=PAM SMB NCSA LDAP'
'--enable-ntlm-auth-helpers=SMB no_check fakeauth'
'--enable-digest-auth-helpers=password'
'--with-samba-sources=/usr/programas/samba-3.0.20b'
'--enable-ntlm-fail-open'
'--enable-external-acl-helpers=ip_user unix_group
ldap_group wbinfo_group'
Agora o squid.conf:
## start of squid.conf ###
# Only the caching and AD-authentication part is shown; the listing
# continues past this excerpt.
#debug_options all,1 33,3
# Hostname reported in error pages and headers.
visible_hostname cache.mmcb.com.br
# Proxy listener; no address is given, so it listens on all local addresses.
http_port 3128
# ICP disabled: no cache peering.
icp_port 0
# Requests matching these patterns are fetched directly, never via a parent.
hierarchy_stoplist cgi-bin ?
# Dynamic (CGI / query-string) responses are never cached.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
minimum_object_size 0 KB
maximum_object_size_in_memory 10 KB
cache_mem 48 MB
cache_replacement_policy lru
memory_replacement_policy lru
# diskd storage uses SysV message queues/shared memory — see the kernel
# MSG*/SHM* options at the top of this how-to. 15245 MB, 16 x 256 directories.
cache_dir diskd /usr/local/squid/var/cache 15245 16 256
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/squid.out
# Store log disabled.
cache_store_log none
mime_table /usr/local/squid/etc/mime.conf
pid_filename /var/run/squid.pid
ftp_passive on
ftp_sanitycheck on
hosts_file /etc/hosts
# NTLM (NTLMSSP) helper from Samba: browsers already logged into the domain
# authenticate without a prompt, which is the behaviour the how-to describes.
# NOTE: squid.conf directives must be on a single line — the wrap after
# "ntlm_auth" here comes from the document's formatting, not the config.
# NOTE(review): the build shown above has --enable-ntlm-fail-open; per its
# name, a helper failure appears to let requests through rather than deny —
# confirm this is the intended failure mode for this deployment.
auth_param ntlm program /usr/local/samba/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
# Number of helper processes.
auth_param ntlm children 20
# Basic-auth fallback through the same helper for clients that cannot do NTLM.
# Basic carries the password base64-encoded (not encrypted) on the client-proxy
# hop, so it should only be reachable from the trusted internal networks.
# The single-line rule applies to this directive as well.
auth_param basic program /usr/local/samba/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 20
auth_param basic realm Autenticacao de