LinuxQuestions.org
Old 08-15-2010, 07:20 AM   #1
fernfrancis
Member
 
Registered: Feb 2009
Location: Goa(India)-Sharjah(UAE)
Distribution: RHEL,centos,fedora,ubuntu
Posts: 224

Rep: Reputation: 18
squid + winbind + samba + active directory


Hi, I am trying to configure Samba with Active Directory. I am using the configuration steps from this website: http://www.torridnetworks.com/index....ntication.html
The problem is that I get connected to the domain but I can't see the users and groups. Please read below.

/etc/hosts
127.0.0.1 localhost.localdomain localhost
10.200.2.181 proxy.francistest.com PROXY
10.200.22.65 pdclinuxtest.francistest.com pdclinuxtest

/etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = FRANCISTEST.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
FRANCISTEST.COM = {
kdc = pdclinuxtest.francistest.com
admin_server = pdclinuxtest.francistest.com
default_domain = FRANCISTEST.COM
kpasswd_server = pdclinuxtest.francistest.com
}

[domain_realm]
.francistest.com = francistest.com

[kdc]
profile = /var/kerberos/krb6kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

/etc/samba/smb.conf

workgroup = FRANCISTEST
server string = PROXY
security = ADS
auth methods = winbind
encrypt passwords = yes
idmap uid = 70001-90000
winbind enum users = yes
winbind gid = 70001-90000
winbind enum groups = yes
client use spnego = yes
winbind separator = \\
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
password server = 10.200.22.65
realm = FRANCISTEST.COM
dns proxy = no


net join -S 10.200.22.65 -U administrator
administrator's password:
Using short domain name -- FRANCISTEST
DNS update failed!
Joined 'PROXY' to realm 'FRANCISTEST.COM'


[root@proxy ~]# wbinfo -t
checking the trust secret via RPC calls failed
error code was (0x0)
Could not check secret
[root@proxy ~]# wbinfo -u
Error looking up domain users
[root@proxy ~]# wbinfo -g
Error looking up domain groups

I am using CentOS 5.4.
Please help.
 
Old 08-15-2010, 08:40 AM   #2
quanta
Member
 
Registered: Aug 2007
Location: Vietnam
Distribution: RedHat based, Debian based, Slackware, Gentoo
Posts: 724

Rep: Reputation: 100
Did you create a Windows machine account on the Samba server?
Code:
smbpasswd -a -m computer_name
 
Old 08-17-2010, 12:32 AM   #3
fernfrancis
Hi,
I solved the problem using these sites, which are very informative. If anyone else is trying this, do read them before implementation:
http://www.justlinux.com/forum/showt...hreadid=118288
http://www.justlinux.com/forum/showt...hreadid=118512

My problem now is configuring Squid. Can anyone help me with this? The requirement is:
There is a DHCP server which assigns IPs to machines irrespective of user.
Users log in through the client using Active Directory credentials; once logged in, they must be able to browse websites depending on the ACL for that user.
This is what I have done so far; the conf file is given below as an attachment.
Please help.
 
Old 08-17-2010, 12:35 AM   #4
fernfrancis
attachment
I also want to say that my Active Directory is based on basic authentication, so I need to use basic authentication, not NTLM or LDAP, for the Squid configuration.
Attached Files
File Type: txt squid.txt (152.2 KB, 14 views)
 
Old 08-17-2010, 09:08 AM   #5
fernfrancis
I have configured the Squid proxy with authentication, which works fine. The users are joined to the domain. Now I want the browser to use the same credentials when a user logs in, without prompting for a username and password (i.e. it should automatically take the credentials of the person who is logged in).
Please help me.
The config file is attached.
 
Old 08-17-2010, 11:48 PM   #6
fernfrancis
Hi guys, any update?
 
Old 08-19-2010, 12:20 AM   #7
fernfrancis
Hi,
I have managed to solve my problem; only one parameter in Squid had to be enabled,
i.e. auth_param ntlm keep_alive on

Now I need someone to help me create a user access control list based on the users in Active Directory. We have around 3000 users; some users need full access, some limited access. How can I achieve this? We have a DHCP server, so the ACL can't be by IP; it should be by usernames in Active Directory.

Please help me with this.
 
Old 10-18-2010, 04:02 AM   #8
*CiScO*
LQ Newbie
 
Registered: Oct 2010
Location: France
Distribution: debian-free BSD
Posts: 5

Rep: Reputation: 0
If you want, you can manage your 3000 users' web access, if they are spread by OU, with something like this in your squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=DOMAINEAD\\group-ad

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=DOMAINEAD\\group-ad


After that you can allow or deny access, with time parameters for instance, per group-ad by creating an ACL for each one.
 
Old 10-19-2010, 06:54 AM   #9
fernfrancis
Thanks CiScO,
can you tell me how to create the ACL on a per-user basis?

I don't know how to prepare the ACL based on users.
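
Added example (not written by any poster in this thread): a squid.conf fragment that gives different AD groups different access and adds per-user exceptions, where `--require-membership-of` on the auth helper only decides who may authenticate at all. The group names `Internet-Full` and `Internet-Limited`, the two list files, and the helper path `/usr/lib/squid/wbinfo_group.pl` are assumptions to adapt to the local system.

```conf
# Added example, not from the thread. Group names, file paths and the
# wbinfo_group.pl location are assumptions.

# NTLM first so domain-joined browsers authenticate silently; basic as fallback.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Group membership is resolved through winbind for the authenticated login.
# Lookups are cached for ttl seconds, so a group change in AD takes up to
# that long to reach the proxy.
external_acl_type ad_group ttl=300 children=10 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl authenticated  proxy_auth REQUIRED
acl full_access    external ad_group Internet-Full
acl limited_access external ad_group Internet-Limited

# Per-user exceptions: one login name per line, written exactly as it
# appears in access.log (with or without the domain prefix, depending on
# the winbind settings).
acl blocked_users proxy_auth "/etc/squid/blocked_users.txt"

acl allowed_sites dstdomain "/etc/squid/allowed_sites.txt"
acl work_hours    time MTWHF 08:00-18:00

# Order matters: the first matching http_access line wins.
http_access deny !authenticated
# The trailing "all" makes Squid return an access-denied page instead of
# prompting the blocked user for credentials again.
http_access deny blocked_users all
http_access allow full_access
http_access allow limited_access allowed_sites work_hours
http_access deny all
```

Run `squid -k parse` to check the syntax before reloading, and confirm in access.log that the username field is populated for each request.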
 
  


All times are GMT -5. The time now is 05:17 AM.
