As a follow-up, I may have missed one fine detail, so here is a correction. To make all this work you will also need to configure PAM to work with Winbind for authentication. Sorry for missing this step. D'oh!
You will need to add the following to your /etc/pam.d/login file. Mine looks exactly like this:

    #%PAM-1.0
    #
    #Winbind config
    auth       required     /lib/security/pam_securetty.so
    auth       sufficient   /lib/security/pam_winbind.so
    auth       sufficient   /lib/security/pam_unix.so use_first_pass
    auth       required     /lib/security/pam_stack.so service=system-auth
    auth       required     /lib/security/pam_nologin.so
    account    sufficient   /lib/security/pam_winbind.so
    account    required     /lib/security/pam_stack.so service=system-auth
    password   required     /lib/security/pam_stack.so service=system-auth
    session    required     /lib/security/pam_stack.so service=system-auth
    session    optional     /lib/security/pam_console.so

I'm pretty sure that's it this time..... :-)

-----Original Message-----
From: newsgroupie [mailto:[EMAIL PROTECTED]
Sent: Thursday, 9 September 2004 2:23 PM
To: [EMAIL PROTECTED]
Subject: [squid-users] Integrate squid and linux with Win 2003 AD in 10 steps

Hi,

I hope this post can be the be-all and end-all for those needing to use true "STABLE" squid code suitable for production use. Because I see this kind of question on lists so often, I would like to offer my assistance. The following is a known good and very heavily tested solution I have had working for about 2 years that has never missed a beat with over 400 users. This solution will work in Win2000 AD and Win2003 AD in either non-native or native mode (and even NT4 too). My instructions assume Red Hat 7.3 and a reasonable bit of Linux/squid knowledge. I apologize if this documentation is not perfect, but for those out there with more than a clue you should be able to follow this guide and fill in any small blanks I may have missed. For many, the most helpful bits might be the extras you must add to both the squid.conf and Samba.conf files to make it all come together. Of course you will have to adjust these where appropriate for your distro.
************************************************************************

STEP ONE
Copy the Samba 2.2.8a source tarball to /usr/src/redhat/SOURCES

STEP TWO
Compile the squid 2.5 Stable 3 source with the following options in the squid.spec file. This will configure and build Squid to include the winbind helpers from Samba into itself.

    --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid \
    --localstatedir=/var --sysconfdir=/etc/squid \
    --enable-poll --enable-snmp --enable-removal-policies="heap,lru" \
    --enable-storeio="aufs,coss,diskd,ufs" --enable-ssl \
    --with-openssl=/usr/kerberos \
    --enable-delay-pools --enable-linux-netfilter \
    --with-pthreads \
    --with-samba-source=/usr/src/redhat/SOURCES \
    --enable-auth="ntlm,basic" \
    --enable-basic-auth-helpers="winbind,LDAP,NCSA,PAM,SMB,SASL,MSNT" \
    --enable-ntlm-auth-helpers="SMB,winbind" \
    --enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group,winbind_group" \

STEP THREE
Build Samba 2.2.8a from the source RPM using the following entries in the spec file.
This will configure Samba in a fairly generic Red Hat way but will also include the Winbind helpers and the LDAP hack required to allow Samba to talk to 2000/2003 native mode AD.

    --prefix=%{prefix} \
    --localstatedir=/var \
    --with-configdir=/etc/samba \
    --with-privatedir=/etc/samba \
    --with-codepagedir=/etc/codepages \
    --with-fhs \
    --with-quotas \
    --with-msdfs \
    --with-smbmount \
    --with-pam \
    --with-winbind \
    --with-winbind-auth-challenge \
    --with-winbind-ldap-hack \
    --with-pam-winbind \
    --with-pam_smbpass \
    --with-syslog \
    --with-utmp \
    --with-sambabook=%{prefix}/share/swat/using_samba \
    --with-swatdir=%{prefix}/share/swat \
    --with-libsmbclient

STEP FOUR
Install both the Squid and Samba RPM binaries.

STEP FIVE
Change the following lines in your /etc/nsswitch.conf file to:

    passwd:     files winbind
    shadow:     files
    group:      files winbind

STEP SIX
Configure at least the following lines in your Samba.conf:

    [global]
    # workgroup = NT-Domain-Name or Workgroup-Name
    workgroup = YOUR-NETBIOS-DOMAIN-NAME

    # server string is the equivalent of the NT Description field
    server string = Linux Proxy Server

    # separate domain and username with '+', like DOMAIN+username
    winbind separator = \\

    # use uids from 10000 to 20000 for domain users
    winbind uid = 10000-20000

    # use gids from 10000 to 20000 for domain groups
    winbind gid = 10000-20000

    # allow enumeration of winbind users and groups
    # might need to disable these next two for performance
    # reasons on the winbindd host
    winbind enum users = yes
    winbind enum groups = yes

    # give winbind users a real shell (only needed if they have telnet/sshd/etc... access)
    #template homedir = /home/winnt/%D/%U
    template homedir = /home/winnt
    template shell = /bin/bash

    netbios name = PROXY
    winbind use default domain = yes
    security = domain
    local master = no
    os level = 20
    domain master = no
    preferred master = no
    wins server = your.wins.ser.ver

Configure Squid with at least the following extras in Squid.conf. You may need to slightly modify where required.
    acl Authorized_Users external wb_group WebUsers
    acl No_Auth_Required_IPs src 172.1.1.1-172.1.1.255/255.255.255.255
    auth_param basic children 5
    auth_param basic credentialsttl 2 hour
    auth_param basic program /usr/lib/squid/wb_auth
    auth_param basic realm Web Cache
    auth_param ntlm children 5
    auth_param ntlm max_challenge_lifetime 2 minutes
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm program /usr/lib/squid/wb_ntlmauth
    external_acl_type wb_group %LOGIN /usr/lib/squid/wb_group
    http_access allow Authorized_Users
    http_access allow No_Auth_Required_IPs

STEP SEVEN
If using Windows 2000 AD in native mode only, else skip this step:

    net localgroup "Pre-Windows 2000 Compatible Access" everyone /add

then reboot.

Windows 2003 (only if in native mode, else skip):
1. Ensure the DC admin passwd has been changed at least once since promo.
2. Ensure all forward and reverse DNS is functioning correctly.
3a. Change domain controller sec pol: Microsoft Network Server: Digitally Sign Communications (Always) from Enabled to DISABLED.
3b. Change default domain AND Default DOMAIN CONTROLLER sec pol: Network Security: LAN Manager Authentication Level from (not configured) to Send LM & NTLM - Use NTLMv2 If Negotiated.
Reboot.

STEP EIGHT
Join Samba to the domain:

    smbpasswd -j [domainname] -r [PDC-EMULATOR-ROLE-DC] -U [useraccount]

STEP NINE
Reboot linux, or restart xinetd - I like to make a clean start after a domain join. Make sure that Samba, Squid and Winbind are set to start on boot.

STEP TEN
TEST!!! The following commands from a linux shell should help you confirm that all is working OK. The rest is up to you, to debug any faults, if any, in your config.
    wbinfo -u            (will return a list of all domain users if working correctly)
    wbinfo -t            (checks local trust relationship - should return "Secret Is Good" when all is working OK)
    wbinfo -a user%pass  (will test plain text auth for Squid - should return an OK if user is in the "WebUsers" group configured in Squid.conf)

Other useful test commands are:

    getent group
    getent passwd

Also, under /usr/lib/squid you can try testing the auth executables manually from a shell prompt if you are having issues. See the FAQs for other diagnostic commands.

If all is followed correctly you should now be able to add users to the WebUsers global domain group, and after a squid -k reload new users should now be allowed to access the proxy. You must reload for squid to see changes to this group! Logging will track access via domain username too.

I really hope this helps many of you out there.

Regards,
Dave H
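An added static checker for the squid.conf access rules above (example code, not part of the thread; SAMPLE_CONF is a constructed copy of the posted lines): it parses acl, external_acl_type, auth_param and http_access lines, then reports ACLs used but never defined, a %LOGIN external ACL with no auth_param program, a src allow placed after an authenticating allow (Squid evaluates http_access in order and an allow rule that needs credentials challenges unauthenticated clients before later rules are reached), and the implicit result for requests no rule matches (the opposite of the last http_access line).

```python
# Added example (not from the original thread): a small static checker for the
# http_access section of a squid.conf like the one posted above.

# Constructed copy of the posted squid.conf access-control lines.
SAMPLE_CONF = """
acl Authorized_Users external wb_group WebUsers
acl No_Auth_Required_IPs src 172.1.1.1-172.1.1.255/255.255.255.255
auth_param basic program /usr/lib/squid/wb_auth
auth_param ntlm program /usr/lib/squid/wb_ntlmauth
external_acl_type wb_group %LOGIN /usr/lib/squid/wb_group
http_access allow Authorized_Users
http_access allow No_Auth_Required_IPs
"""

def parse(conf):
    """Collect acl definitions, external_acl_type formats, auth helpers and rules."""
    acls, ext_types, auth_schemes, rules = {}, {}, set(), []
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl" and len(parts) >= 3:
            acls[parts[1]] = parts[2:]            # name -> [type, args...]
        elif parts[0] == "external_acl_type" and len(parts) >= 3:
            ext_types[parts[1]] = parts[2:]       # name -> [format tokens..., helper]
        elif parts[0] == "auth_param" and len(parts) >= 4 and parts[2] == "program":
            auth_schemes.add(parts[1])            # basic / ntlm / ...
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))   # (allow|deny, [acl names])
    return acls, ext_types, auth_schemes, rules

def needs_login(name, acls, ext_types):
    """An external ACL whose helper format asks for %LOGIN requires credentials."""
    spec = acls.get(name, [])
    return len(spec) >= 2 and spec[0] == "external" and "%LOGIN" in ext_types.get(spec[1], [])

def lint(conf):
    acls, ext_types, auth_schemes, rules = parse(conf)
    findings, auth_allow_seen = [], False
    for verb, names in rules:
        for raw in names:
            name = raw.lstrip("!")
            if name not in acls:
                findings.append(f"undefined acl: {name}")
            elif needs_login(name, acls, ext_types):
                if not auth_schemes:
                    findings.append(f"{name} needs %LOGIN but no auth_param program is set")
                auth_allow_seen = auth_allow_seen or verb == "allow"
            elif verb == "allow" and auth_allow_seen and acls[name][0] == "src":
                findings.append(f"src allow for {name} sits after an authenticating allow; "
                                "those clients get a credential challenge first")
    if rules:  # Squid's implicit final rule is the opposite of the last http_access line
        findings.append("no rule matched -> implicit " + ("deny" if rules[-1][0] == "allow" else "allow"))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```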
