# ./configure --prefix=/usr --localstatedir=/var --with-configdir=/etc/samba \
    --with-privatedir=/etc/samba --with-fhs --with-quotas --with-msdfs --with-smbmount \
    --with-ads --with-pam --with-pam_smbpass --with-syslog --with-utmp \
    --with-sambabook=/usr/share/swat/using_samba --with-swatdir=/usr/share/swat \
    --with-libsmbclient --with-winbind --with-winbind-auth-challenge
# make
# make install
--with-pam --with-pam_smbpass --with-winbind --with-winbind-auth-challenge
Copy packaging/RedHat/smb.init to /etc/init.d/smb. Copy packaging/RedHat/winbind.init to /etc/init.d/winbind. Add both to your run levels so they start at boot time.
security = ads                 <---------- Pass authentication to Active Directory
password server = YourDomainC [AnotherPDC]
encrypt passwords = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind separator =
realm = EXAMPLE.CO.ZA
winbind use default domain = yes
template shell = /bin/bash
template homedir = /home/%D/%U
# cp /etc/krb5.conf /etc/krb5.conf.orig
# vi /etc/krb5.conf

[libdefaults]
  ticket_lifetime = 24000
  default_realm = EXAMPLE.CO.ZA
  dns_lookup_realm = yes
  dns_lookup_kdc = yes

[realms]
  EXAMPLE.CO.ZA = {
    kdc = yourdomaincontroller.example.co.za
  }
passwd: files winbind
group:  files winbind
hosts:  files winbind dns
# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
# ldconfig
# chmod 750 /var/lib/samba/winbind_privileged
# chgrp squid /var/lib/samba/winbind_privileged
# ls -al /var/lib/samba/winbind_privileged
srwxrwxrwx 1 root root 0 Jan 14 21:15 pipe

The socket itself is world-writable; what limits who can reach it is the 750 mode and the squid group set on the winbind_privileged directory above, so check the directory's permissions rather than the socket's.
# net ads join -U administrator

Here "administrator" is the administrator account of your Windows 2000 domain.
# vi /etc/pam.d/system-auth-winbind

#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok use_first_pass shadow
auth       required     /lib/security/pam_deny.so
account    sufficient   /lib/security/pam_unix.so
account    required     /lib/security/pam_winbind.so
password   required     /lib/security/pam_cracklib.so retry=3 type=
password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
# vi /etc/pam.d/samba

#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth-winbind
account    required     pam_stack.so service=system-auth-winbind
session    required     pam_stack.so service=system-auth-winbind
password   required     pam_stack.so service=system-auth-winbind
# vi /etc/pam.d/squid

#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth-winbind
account    required     /lib/security/pam_stack.so service=system-auth-winbind
# ./configure --prefix=/usr --datadir=/usr/share --localstatedir=/var \
    --sysconfdir=/etc/squid --infodir=/usr/share/info --mandir=/usr/share/man \
    --enable-snmp --enable-ssl \
    --enable-auth=ntlm,basic \
    --enable-external-acl-helpers=wbinfo_group
      (--enable-auth=ntlm,basic  <---- this is the one that's important)
# make
# make install
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 20 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# Add your ACL:
acl yourdomain proxy_auth REQUIRED

# Modify your http_access lines to include "yourdomain":
http_access allow yourdomain
http_access deny all
# squid -f /etc/squid/squid.conf
root    31715     1  0 Mar08 ?  00:00:00 squid -f /etc/squid/squid.conf
nobody  31717 31715  0 Mar08 ?  00:06:15 (squid) -f /etc/squid/squid.conf
nobody  31726 31717  0 Jan08 ?  00:00:10 (ntlm_auth) --helper-protocol=sq
nobody  31727 31717  0 Jan08 ?  00:00:01 (ntlm_auth) --helper-protocol=sq
nobody  31728 31717  0 Jan08 ?  00:00:00 (ntlm_auth) --helper-protocol=sq
nobody  31729 31717  0 Jan08 ?  00:00:00 (ntlm_auth) --helper-protocol=sq
nobody  31730 31717  0 Jan08 ?  00:00:00 (ntlm_auth) --helper-protocol=sq
nobody  31731 31717  0 Jan08 ?  00:00:00 (ntlm_auth) --helper-protocol=sq
nobody  31732 31717  0 Jan08 ?  00:00:00 (ntlm_auth) --helper-protocol=sq
nobody  31733 31717  0 Jan08 ?  00:00:00 (ntlm_auth) --helper-protocol=sq
nobody  31734 31717  0 Jan08 ?  00:00:00 (ntlm_auth) --helper-protocol=sq
nobody  31735 31717  0 Jan08 ?  00:00:00 (ntlm_auth) --helper-protocol=sq