squid + winbind + samba + active directory
Hi, I am trying to configure Samba with an Active Directory configuration. I am using the configuration steps from this website: http://www.torridnetworks.com/index....ntication.html

The problem is that I get connected to the domain, but I can't see the users and groups. Please read below.

/etc/hosts
Code:
127.0.0.1 localhost.localdomain localhost
10.200.2.181 proxy.francistest.com PROXY
10.200.22.65 pdclinuxtest.francistest.com pdclinuxtest

/etc/krb5.conf
Code:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = FRANCISTEST.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
FRANCISTEST.COM = {
kdc = pdclinuxtest.francistest.com
admin_server = pdclinuxtest.francistest.com
default_domain = FRANCISTEST.COM
kpasswd_server = pdclinuxtest.francistest.com
}

[domain_realm]
.francistest.com = francistest.com

[kdc]
profile = /var/kerberos/krb6kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

/etc/samba/smb.conf
Code:
workgroup = FRANCISTEST
server string = PROXY
security = ADS
auth methods = winbind
encrypt passwords = yes
idmap uid = 70001-90000
winbind enum users = yes
winbind gid = 70001-90000
winbind enum groups = yes
client use spnego = yes
winbind separator = \\
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
password server = 10.200.22.65
realm = FRANCISTEST.COM
dns proxy = no

Joining the domain and testing winbind:
Code:
net join -S 10.200.22.65 -U administrator
administrator's password:
Using short domain name -- FRANCISTEST
DNS update failed!
Joined 'PROXY' to realm 'FRANCISTEST.COM'
[root@proxy ~]# wbinfo -t
checking the trust secret via RPC calls failed
error code was (0x0)
Could not check secret
[root@proxy ~]# wbinfo -u
Error looking up domain users
[root@proxy ~]# wbinfo -g
Error looking up domain groups

I am using CentOS 5.4. Please help.
Did you create a Windows machine account on the Samba server?
Code:
smbpasswd -a -m computer_name
Hi,
I solved the problem using these sites; they are very informative. If anyone else is trying this, do read them before implementation:
http://www.justlinux.com/forum/showt...hreadid=118288
http://www.justlinux.com/forum/showt...hreadid=118512

My problem now is configuring Squid. Can anyone help me with this? The requirement is: there is a DHCP server which assigns IPs to machines irrespective of the user; users log in through the client using Active Directory credentials; once logged in, they must be able to browse websites depending on the ACL for that user. This is what I have done so far; the conf file is given below as an attachment. Please help.
I also want to say that my Active Directory is based on basic authentication, so I need to use basic authentication, not NTLM or LDAP, for the Squid configuration.
I have configured the Squid proxy with authentication, which works fine, and the users are joined to the domain. Now I want that when a user logs in, the same credentials are used by the browser and it does not prompt for a username and password (i.e. it should automatically take the credentials of the person who is logged in).
Please help me; the config file is attached.
Hi guys, any update?
Hi,
I have managed to solve my problem; only one parameter in Squid had to be enabled, i.e. auth_param ntlm keep_alive on. Now I need someone to help me create a user access control list based on the users in Active Directory. We have around 3000 users; some users need full access, some limited access. How can I achieve this? We have a DHCP server, so the ACL can't be by IP; it should be by usernames in Active Directory. Please help me with this.
If you want, you can manage your 3000 users' web access, if they are spread by OU, with something like this in your squid.conf:
Code:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=DOMAINEAD\\group-ad
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=DOMAINEAD\\group-ad

After that you can allow or deny access, with time parameters for instance, per group-ad by creating an ACL for each one.
Thanks CiScO.
Can you tell me how to create the ACL on a user basis? I don't know how to prepare the ACL based on users.
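As an added example (not from any post in this thread), here is a squid.conf fragment that builds on CiScO's auth_param lines and answers the user-based ACL question: one ACL is a file of AD usernames, one is an AD group checked through Squid's wbinfo_group.pl external ACL helper, and the http_access rules give full access to the first set and time- and site-restricted access to everyone else. The helper path /usr/lib/squid/wbinfo_group.pl, the files /etc/squid/full_users and /etc/squid/limited_sites, and the group names web-users and web-full are assumptions; adjust them to your domain.

```conf
# Authentication helpers, as in CiScO's post. --require-membership-of makes
# ntlm_auth refuse anyone outside that AD group before Squid ever sees them.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=FRANCISTEST\\web-users
auth_param ntlm children 10
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=FRANCISTEST\\web-users
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# AD group lookups via winbind: Squid hands the authenticated login (%LOGIN)
# and the group names from the acl line to the helper (assumed path).
external_acl_type ad_group ttl=3600 negative_ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl

# Everyone must authenticate. Logins arrive as FRANCISTEST\user or plain user
# depending on the winbind separator and helper, so match case-insensitively.
acl authenticated proxy_auth REQUIRED
acl full_users proxy_auth -i "/etc/squid/full_users"
# /etc/squid/full_users (assumed file): one AD username per line
acl full_group external ad_group web-full
# group argument format follows the helper and winbind settings (assumed)
acl work_hours time MTWHF 08:00-18:00
acl limited_sites dstdomain "/etc/squid/limited_sites"
# /etc/squid/limited_sites (assumed file): one allowed domain per line

# Order matters: the first matching http_access line wins, and the closing
# "deny all" means an unlisted user gets nothing rather than everything.
http_access deny !authenticated
http_access allow full_users
http_access allow full_group
http_access allow authenticated work_hours limited_sites
http_access deny all
```

Check the result with squid -k parse before reloading, and watch access.log to confirm that the username column is populated in the form your ACL files expect.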