Category: Samba File Server

07/26/04

08:21:53 am, by admin
Categories: Install Notes, Squid Proxy, Samba File Server

Squid + NTLM

Setup working directory

> mkdir /root/squid
> cd /root/squid

Download squid and samba

> wget http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE3.tar.gz
> wget http://us2.samba.org/samba/ftp/samba-latest.tar.gz

Unpack squid and samba

> tar -xvzf squid-2.5.STABLE3.tar.gz
> tar -xvzf samba-latest.tar.gz

Build samba

> cd samba-2.2.8a/source
> ./configure --with-winbind --with-winbind-auth-challenge
> make
> make install

Configure samba

> cd /root/squid/samba-2.2.8a/examples/simple
> cp smb.conf /usr/local/samba/lib/
> emacs /usr/local/samba/lib/smb.conf

Add the following lines to the [global] section of the smb.conf file:

    encrypt passwords = true
    workgroup = RELIABLEPENGUIN
    password server = ADTEST
    security = domain
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind use default domain = yes

Replace RELIABLEPENGUIN and ADTEST with the names of the domain and PDC to
be used for this install. Press Ctrl-X Ctrl-C to save and exit emacs.

Comment out entirely the [homes] and [printers] sections.

Join the server to the Windows domain:

> /usr/local/samba/bin/smbpasswd -j RELIABLEPENGUIN -r ADTEST -U Administrator

Start the samba services:

> /usr/local/samba/bin/nmbd
> /usr/local/samba/bin/winbindd

Test and verify proper operation:

> /usr/local/samba/bin/wbinfo -t
Secret is good

If wbinfo returns "Secret is bad" then run the above command to join the domain
again.

> /usr/local/samba/bin/wbinfo -a RELIABLEPENGUIN\\Administrator%testing
plaintext password authentication succeeded
challenge/response password authentication succeeded

If you get an error then there is something wrong with the domain membership.

Now build squid:

> cd /root/squid/squid-2.5.STABLE3
> ./configure --enable-auth="ntlm,basic" \
     --enable-basic-auth-helpers="winbind" \
     --enable-ntlm-auth-helpers="winbind" \
     --sysconfdir=/etc/squid \
     --sbindir=/usr/sbin \
     --bindir=/usr/sbin \
     --libexecdir=/usr/lib/squid \
     --datadir=/usr/share/squid \
     --localstatedir=/var/run \
     --mandir=/usr/share/man
> make
> make install

Test the winbind helper:

> /usr/lib/squid/wb_auth -d
/wb_auth[16936](wb_basic_auth.c:168): basic winbindd auth helper build Jun  3 2003, 12:03:17 starting up...
RELIABLEPENGUIN\Administrator testing
/wb_auth[16936](wb_basic_auth.c:129): Got 'RELIABLEPENGUIN\Administrator testing' from squid (length: 37).
/wb_auth[16936](wb_basic_auth.c:55): winbindd result: 1
/wb_auth[16936](wb_basic_auth.c:58): sending 'OK' to squid
OK

Now configure squid to use the helper.
Edit /etc/squid/squid.conf and add the following lines:

  pid_filename /var/run/squid.pid

  ....

  cache_dir ufs /var/cache/squid 5000 16 256

  ....

  cache_access_log /var/log/squid/access.log

  ....

  cache_log /var/log/squid/cache.log

  ....

  cache_store_log /var/log/squid/store.log

  ....

  auth_param ntlm program /usr/lib/squid/wb_ntlmauth
  auth_param ntlm children 5
  auth_param ntlm max_challenge_reuses 0
  auth_param ntlm max_challenge_lifetime 2 minutes

  auth_param basic program /usr/lib/squid/wb_auth
  auth_param basic children 5
  auth_param basic realm Squid proxy-caching web server
  auth_param basic credentialsttl 2 hours

  ....

  acl localnetwork src 10.0.0.0/255.0.0.0
  acl password proxy_auth REQUIRED

  ....

  http_access allow password
  http_access allow localnetwork
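
An added example, not from the original notes: a shell check of the http_access rules above. Squid tests http_access lines in order, the first matching line decides, and every ACL named on a line must match, so `http_access allow password` admits any authenticated client whatever its source address. The policy checked here is an assumption, audit_http_access, page_rules and tightened_rules are hypothetical names, and both rule sets are constructed samples (the first holds only the lines shown above, since the notes elide the rest with "....").

```bash
# Added example, not from the original notes. Assumed policy: every
# "http_access allow" line names a src ACL and a proxy_auth ACL, and the
# list ends with "http_access deny all".
# Reads squid.conf text on stdin, prints findings, returns 1 if any.
audit_http_access() {
  awk '
    BEGIN { bad = 0 }
    $1 == "acl" { type[$2] = $3 }        # ACL name -> ACL type
    $1 == "http_access" {
      last = $2 " " $3
      if ($2 != "allow") next
      auth = 0; src = 0
      for (i = 3; i <= NF; i++) {        # ACLs on one line are ANDed
        if (type[$i] == "proxy_auth") auth = 1
        if (type[$i] == "src") src = 1
      }
      if (!src)  { print "line " NR ": no src ACL: " $0; bad = 1 }
      if (!auth) { print "line " NR ": no proxy_auth ACL: " $0; bad = 1 }
    }
    END {
      if (last != "deny all") { print "no final http_access deny all"; bad = 1 }
      exit bad
    }'
}

# Constructed sample: only the ACL and http_access lines shown in the notes.
page_rules() {
  cat <<'EOF'
  acl localnetwork src 10.0.0.0/255.0.0.0
  acl password proxy_auth REQUIRED
  http_access allow password
  http_access allow localnetwork
EOF
}

# Constructed sample: same ACLs, source and authentication on one allow line.
tightened_rules() {
  cat <<'EOF'
  acl all src 0.0.0.0/0.0.0.0
  acl localnetwork src 10.0.0.0/255.0.0.0
  acl password proxy_auth REQUIRED
  http_access allow localnetwork password
  http_access deny all
EOF
}

echo "rules from the notes:"; page_rules | audit_http_access || true
echo "tightened rules:"; tightened_rules | audit_http_access && echo "no findings"
```

Run it against the full file with `audit_http_access < /etc/squid/squid.conf`; allow lines that are meant to skip authentication will be listed and need a manual decision.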

Do squid cache setup:

> cd /var/cache
> mkdir squid
> chgrp squid squid
> chmod g+w squid
> squid -z

Do squid logs setup:

> cd /var/log
> mkdir squid
> chgrp squid squid
> chmod g+w squid

Setup squid and samba to start on boot:

The stock startup file distributed by Red Hat with squid is sufficient
for starting squid. This file is located at /etc/init.d/squid. If the file
does not exist on the target system then copy it from another system or extract
it from the Red Hat squid rpm.

A custom startup script is required for samba since we're not acting as a file
server - just nmbd and winbind. A suitable file is located at /etc/init.d/samba.
Copy this file to the target system.

Now symlink the startup scripts into the rc directories:

> ln -s ../init.d/squid /etc/rc3.d/S25squid
> ln -s ../init.d/samba /etc/rc3.d/S24samba
> ln -s ../init.d/squid /etc/rc3.d/K25squid
> ln -s ../init.d/samba /etc/rc3.d/K24samba

And that does it.
