LinuxQuestions.org


fernfrancis 08-15-2010 07:20 AM

squid + winbind + samba + active directory
 
Hi, I am trying to configure Samba with Active Directory authentication. I am using the configuration steps from this website: http://www.torridnetworks.com/index....ntication.html
The problem is that I get connected to the domain, but I can't see the users and groups. Please read below.

/etc/hosts
127.0.0.1 localhost.localdomain localhost
10.200.2.181 proxy.francistest.com PROXY
10.200.22.65 pdclinuxtest.francistest.com pdclinuxtest

/etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = FRANCISTEST.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
FRANCISTEST.COM = {
kdc = pdclinuxtest.francistest.com
admin_server = pdclinuxtest.francistest.com
default_domain = FRANCISTEST.COM
kpasswd_server = pdclinuxtest.francistest.com
}

[domain_realm]
.francistest.com = francistest.com

[kdc]
profile = /var/kerberos/krb6kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

/etc/samba/smb.conf

workgroup = FRANCISTEST
server string = PROXY
security = ADS
auth methods = winbind
encrypt passwords = yes
idmap uid = 70001-90000
winbind enum users = yes
winbind gid = 70001-90000
winbind enum groups = yes
client use spnego = yes
winbind separator = \\
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
password server = 10.200.22.65
realm = FRANCISTEST.COM
dns proxy = no


net join -S 10.200.22.65 -U administrator
administrator's password:
Using short domain name -- FRANCISTEST
DNS update failed!
Joined 'PROXY' to realm 'FRANCISTEST.COM'


[root@proxy ~]# wbinfo -t
checking the trust secret via RPC calls failed
error code was (0x0)
Could not check secret
[root@proxy ~]# wbinfo -u
Error looking up domain users
[root@proxy ~]# wbinfo -g
Error looking up domain groups

I am using CentOS 5.4.
Please help.

quanta 08-15-2010 08:40 AM

Did you create a Windows machine account on the Samba server?
Code:

smbpasswd -a -m computer_name

fernfrancis 08-17-2010 12:32 AM

Hi,
I solved the problem using these sites. They are very informative; if anyone else is trying this, do read them before implementation:
http://www.justlinux.com/forum/showt...hreadid=118288
http://www.justlinux.com/forum/showt...hreadid=118512

My problem now is configuring Squid.
Can anyone help me with this? The requirement is:
there is a DHCP server which assigns IPs to machines irrespective of user;
users log in through the client using Active Directory credentials, and once logged in they must be able to browse websites depending on the ACL for that user.
This is what I have done so far; the conf file is given below as an attachment.
Please help.

fernfrancis 08-17-2010 12:35 AM

I also want to mention that my Active Directory is based on basic authentication, so I need to use basic authentication, not NTLM or LDAP, for the Squid configuration.

fernfrancis 08-17-2010 09:08 AM

I have configured the Squid proxy with authentication, which works fine, and the users are joined to the domain. Now I want the browser to use the same credentials the user logged in with, without prompting for a username and password (i.e. it should automatically take the credentials of the person who is logged in).
Please help me.
The config file is attached.

fernfrancis 08-17-2010 11:48 PM

Hi guys, any update?

fernfrancis 08-19-2010 12:20 AM

Hi,
I have managed to solve my problem. Only one parameter in Squid had to be enabled,
i.e. auth_param ntlm keep_alive on

Now I need someone to help me create a user access control list based on the users in Active Directory. We have around 3000 users; some users need full access, some limited access. How can I achieve this? We have a DHCP server, so the ACL can't be by IP; it should be by usernames in Active Directory.

Please help me with this.

*CiScO* 10-18-2010 04:02 AM

If you want, you can manage your 3000 users' web access, if they are spread by OU, with something like this in your squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=DOMAINEAD\\group-ad

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=DOMAINEAD\\group-ad


and afterwards you can allow or deny access, with time parameters for instance, per group-ad by creating an ACL for each one.

fernfrancis 10-19-2010 06:54 AM

Thanks CiScO.
Can you tell me how to create the ACL on a per-user basis?

I don't know how to prepare the ACL based on users.
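As an added example (not from any post in this thread), here is a squid.conf fragment that does what CiScO describes and what the last question asks: it authenticates through winbind, then decides access per AD group with Squid's bundled wbinfo_group.pl external ACL helper, with a plain username list for the few per-user exceptions. Note that `--require-membership-of` on the ntlm_auth line rejects everyone outside that single group at login time, so finer-grained per-group policy has to live in Squid ACLs instead. Assumptions: the helper path /usr/lib/squid/wbinfo_group.pl (CentOS 5, 32-bit; /usr/lib64/squid on 64-bit), the group names proxy-full and proxy-limited, the list files under /etc/squid, and `winbind use default domain = yes` in smb.conf so bare group names resolve; all of these are constructed placeholders, not values from the thread.

```conf
# Authentication: NTLM (single sign-on from domain-joined browsers) with a
# basic fallback for clients that cannot do NTLM. No --require-membership-of
# here; access decisions are made by the ACLs below instead.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Proxy authentication
auth_param basic credentialsttl 2 hours

# Group lookup helper: Squid passes "%LOGIN group..." on stdin; the helper
# answers OK if the user is a member of any listed group (via wbinfo). The
# 300 s ttl caches answers so a group change takes effect within 5 minutes.
external_acl_type ad_group ttl=300 negative_ttl=60 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl

# Everyone must authenticate first; this is what makes %LOGIN available.
acl auth_users proxy_auth REQUIRED

# Group-based tiers (assumed AD group names; membership is managed in AD,
# so no squid.conf change is needed when a user joins or leaves a tier).
acl full_access    external ad_group proxy-full
acl limited_access external ad_group proxy-limited

# Per-user exceptions: one AD username per line (constructed file path).
acl vip_users proxy_auth "/etc/squid/vip_users.txt"

# Destination whitelist for the limited tier, one domain per line.
acl allowed_sites dstdomain "/etc/squid/limited_sites.txt"
acl work_hours time MTWHF 08:00-18:00

# Order matters: Squid applies the first matching http_access line.
http_access deny  !auth_users
http_access allow vip_users
http_access allow full_access
http_access allow limited_access allowed_sites work_hours
http_access deny  all
```

Before reloading Squid, check the group names resolve on the proxy itself with `wbinfo -n proxy-full` and `wbinfo -r <username>`; if winbind cannot map them, the helper answers ERR for everyone and all limited users are denied.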

