Bonjour,
Je viens d'installer squid3 sur une machine Debian. Je souhaite que les utilisateurs n'aient accès à Internet que s'ils sont authentifiés auprès de l'annuaire Active Directory de mon serveur Windows 2003.
J'ai donc utilisé KERBEROS 5 pour intégrer mon linux sur le domaine. Voici /etc/krb5.conf

# Kerberos client configuration: every principal defaults to the AXIANS.CENTRE
# realm, and the KDC is named statically because DNS discovery is switched off.
[libdefaults]
default_realm = AXIANS.CENTRE
# NOTE(review): MIT Kerberos documents this option as `clockskew` (seconds);
# `clock_skew` is the Heimdal spelling -- confirm which library is installed,
# otherwise the value may be silently ignored.
clock_skew = 300
# Bare number, presumably seconds (about 6 h 40 min) -- TODO confirm.
ticket_lifetime = 24000
# NOTE(review): des-cbc-crc is single DES and is cryptographically weak.
# des3-hmac-sha1 is, to my knowledge, not issued by Active Directory KDCs, so
# in practice only the DES type would be negotiated. A Windows 2003 KDC should
# also be able to issue rc4-hmac tickets -- verify, and list the strongest type
# both sides support rather than forcing DES.
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
# With both lookups disabled, realm and KDC come only from the sections below.
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
# NOTE(review): the KDC is given as a short host name; it must resolve on this
# machine, and resolution should not depend on an untrusted resolver.
AXIANS.CENTRE = {
kdc = srvlemans
admin_server = srvlemans
default_domain = AXIANS.CENTRE
}
# Maps DNS names (with and without a leading dot) to the Kerberos realm.
[domain_realm]
.axians.centre = AXIANS.CENTRE
axians.centre = AXIANS.CENTRE


J'obtiens bien mes tickets avec la commande kinit.

J'ai ensuite installé SAMBA. Voici /etc/samba/smb.conf

# Samba configured as an Active Directory member server (security = ADS) in the
# AXIANS.CENTRE realm; winbind maps domain accounts to local uid/gid values.
[global]
workgroup = AXIANS
netbios name = proxy-squid
realm = AXIANS.CENTRE
security = ADS
encrypt passwords = yes
# Authentication is pinned to one server by IP address.
# NOTE(review): presumably the Windows 2003 domain controller -- confirm.
password server = 10.166.200.100
client use spnego = yes
# Outgoing client authentication uses NTLMv2 responses instead of the weaker
# NTLM/LM responses.
client ntlmv2 auth = yes
syslog = 1
# One log file per connecting machine (%m); size cap is set on the next line.
log file = /var/log/samba/log.%m
max log size = 1000
announce version = 4
announce as = NT Workstation
dns proxy = No
# NOTE(review): `winbind uid` / `winbind gid` further down are older synonyms of
# `idmap uid` / `idmap gid`. Two different ranges are declared in this section,
# so only one of them can take effect -- keep a single pair to avoid surprises
# in uid/gid mapping.
idmap uid = 167771-335549
idmap gid = 167771-335549
# Domain users are referred to without the AXIANS\ prefix.
winbind use default domain = Yes
# root is refused on every service defined in this file.
invalid users = root
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes

# Writable file share restricted to one domain user.
# NOTE(review): accounts listed in `admin users` perform all file operations on
# the share as root. The share is not needed for proxy authentication; on a
# proxy host consider removing it, or at least dropping `admin users`.
[SAMBA]
path=/SAMBA
browseable=yes
writeable=yes
valid users=AXIANS\cjavelle
admin users=AXIANS\administrator


J'ai ensuite installé winbind. Voici /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

# Account lookups: local files first (compat), then winbind for domain accounts.
# Local entries therefore take precedence over a domain account of the same name.
passwd: compat winbind
group: compat winbind
# NOTE(review): winbind does not, to my knowledge, serve a shadow database;
# `shadow: compat` alone is the usual setting -- confirm before changing.
shadow: compat winbind

# Host names are resolved from /etc/hosts first, then DNS.
hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis


Enfin voici la configuration de mon squid /etc/squid3/squid.conf

# Proxy authentication is delegated to Samba's ntlm_auth helper, which in turn
# asks winbindd to validate the credentials against the domain.
# NOTE(review): for the NTLMSSP protocol the helper has to reach winbindd's
# privileged pipe (directory winbindd_privileged). The account Squid runs as
# must be allowed into that directory, on Debian usually through membership of
# the winbindd_priv group. Tests run as root succeed even when this is missing,
# so verify it by running the helper as the Squid user.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

# Fallback for clients that cannot do NTLM.
# NOTE(review): Basic sends the domain password merely base64-encoded on every
# request between browser and proxy, i.e. readable by anyone on that network
# path. Offer it only if really needed.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5


# ACL definitions. These only name conditions; nothing is allowed or denied
# until an http_access line refers to them.
acl manager proto cache_object
acl LocalNet src 10.166.200.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# NOTE(review): Squid 3 already predefines `all`; redefining it is likely to
# produce a warning at startup -- confirm against the installed version.
acl all src 0.0.0.0/0.0.0.0
# Matches any request that carries valid credentials for one of the schemes
# configured above; evaluating it is what triggers the 407 challenge.
acl password proxy_auth REQUIRED

# Access rules are evaluated top to bottom and the first match decides.
# Cache manager requests are accepted from the proxy host itself only.
http_access allow manager localhost
http_access deny manager
# Refuse unusual destination ports, and CONNECT tunnels to anything but 443.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Requests originating on the proxy host itself are allowed without credentials.
http_access allow localhost
# Clients in 10.166.200.0/24 are allowed once authenticated. A client outside
# that subnet never matches this line, so it is refused without being asked
# for credentials.
# NOTE(review): there is no closing `http_access deny all`. Squid then applies
# the opposite of the last rule (here: deny), but an explicit final deny makes
# the default visible and survives later edits.
http_access allow LocalNet password

http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid3/access.log squid
# Dynamic URLs (cgi-bin or containing a query string) are never cached.
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
coredump_dir /var/spool/squid3



Tous les tests sur la machine Linux fonctionnent, mais lorsque j'essaie de m'authentifier (depuis une machine du domaine ou non), je n'ai aucun résultat.
Quelqu'un voit-il ce qui ne va pas dans ma configuration ???

Merci d'avance de votre aide

Charlie