squid(NTLM)設定


ここでは、squidをNTLM認証に対応させるための設定をします。

(1)必要なパッケージをインストールする。
[root@example ~]# yum -y install samba samba-winbind samba-common krb5-libs pam_krb5

(2)hostsにADサーバを追加する。
[root@example ~]# vi /etc/hosts
192.168.0.98    kurobuti-ad-server.kurobuti.local # 追加
※ADサーバの名前解決ができない場合のみに追加する。

(3)ADサーバにProxyサーバを登録する。
[root@example ~]# authconfig  --update --enablewinbind --enablekrb5 --enablewinbindauth \
--krb5realm=KUROBUTI.LOCAL --krb5kdc=kurobuti-ad-server.kurobuti.local \
--krb5adminserver=kurobuti-ad-server.kurobuti.local --smbsecurity=ads \
--smbrealm=KUROBUTI.LOCAL --winbindtemplateshell=/sbin/nologin \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" \
--krb5kdc=kurobuti-ad-server.kurobuti.local --smbworkgroup=KUROBUTI \
--winbindjoin=Administrator --smbservers=kurobuti-ad-server.kurobuti.local \
--winbindseparator=+

authconfig: Authentication module /lib64/security/pam_fprintd.so is missing. Authentication process might not work correctly.
[/usr/bin/net join -w KUROBUTI -S kurobuti-ad-server.kurobuti.local -U Administrator]
Enter Administrator's password: # ADのAdministratorパスワードを入力
Using short domain name -- KUROBUTI
Joined 'EXAMPLE' to realm 'kurobuti.local'
No DNS domain configured for example. Unable to perform DNS Update.
DNS update failed!
Winbind サービスを起動中:                                  [  OK  ]

※「authconfig-tui」で設定する場合は下記アドレスを参照してください。
http://www.kurobuti.com/blog/?p=4594

※「authconfig」のヘルプを見る場合。
[root@example ~]# LANG=en_US.UTF8 authconfig

・上記(3)コマンドで変更されるファイルと内容
- /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = KUROBUTI.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }

 KUROBUTI.LOCAL = {
  kdc = kurobuti-ad-server.kurobuti.local
  admin_server = kurobuti-ad-server.kurobuti.local
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 kurobuti.local = KUROBUTI.LOCAL
 .kurobuti.local = KUROBUTI.LOCAL

- /etc/samba/smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
#  http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
#  http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba-share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with othe SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#
#======================= Global Settings =====================================

[global]
#--authconfig--start-line--

# Generated by authconfig on 2011/10/10 19:20:29
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = KUROBUTI
   password server = kurobuti-ad-server.kurobuti.local
   realm = KUROBUTI.LOCAL
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   winbind separator = +
   template shell = /sbin/nologin
   winbind use default domain = false
   winbind offline logon = false

#--authconfig--end-line--

# ----------------------- Netwrok Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specifiy it as a per share option as well
#
;       workgroup = MYGROUP
        server string = Samba Server Version %v

;       netbios name = MYSERVER

;       interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
;       hosts allow = 127. 192.168.12. 192.168.13.

# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

        # logs split per machine
        log file = /var/log/samba/log.%m
        # max 50KB per log file, then rotate
        max log size = 50

# ----------------------- Standalone Server Options ------------------------
#
# Scurity can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.

;       security = user
        passdb backend = tdbsam


# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *


;       security = domain
;       passdb backend = tdbsam
;       realm = MY_REALM

;       password server = <NT-Server-Name>

# ----------------------- Domain Controller Options ------------------------
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons let Samba be a domain logon server for Windows workstations.
#
# Logon Scrpit let yuou specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path let you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
#
;       security = user
;       passdb backend = tdbsam

;       domain master = yes
;       domain logons = yes

        # the login script name depends on the machine name
;       logon script = %m.bat
        # the login script name depends on the unix user used
;       logon script = %u.bat
;       logon path = \\%L\Profiles\%u
        # disables profiles support by specifing an empty path
;       logon path =

;       add user script = /usr/sbin/useradd "%u" -n -g users
;       add group script = /usr/sbin/groupadd "%g"
;       add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;       delete user script = /usr/sbin/userdel "%u"
;       delete user from group script = /usr/sbin/userdel "%u" "%g"
;       delete group script = /usr/sbin/groupdel "%g"


# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;       local master = no
;       os level = 33
;       preferred master = yes

#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
#   behalf of a non WINS capable client, for this to work there must be
#   at least one        WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.

;       wins support = yes
;       wins server = w.x.y.z
;       wins proxy = yes

;       dns proxy = yes

# --------------------------- Printing Options -----------------------------
#
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name let you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option

        load printers = yes
        cups options = raw

;       printcap name = /etc/printcap
        #obtain list of printers automatically on SystemV
;       printcap name = lpstat
;       printing = cups

# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). Thess options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares

;       map archive = no
;       map hidden = no
;       map read only = no
;       map system = no
;       store dos attributes = yes


#============================ Share Definitions ==============================

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
;       valid users = %S
;       valid users = MYDOMAIN\%S

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
;       [netlogon]
;       comment = Network Logon Service
;       path = /var/lib/samba/netlogon
;       guest ok = yes
;       writable = no
;       share modes = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;       [Profiles]
;       path = /var/lib/samba/profiles
;       browseable = no
;       guest ok = yes


# A publicly accessible directory, but read only, except for people in
# the "staff" group
;       [public]
;       comment = Public Stuff
;       path = /home/samba
;       public = yes
;       writable = yes
;       printable = no
;       write list = +staff

- /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files winbind
shadow:     files winbind
group:      files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus


(4)ADを認識しているか、また接続できているかを確認する。
[root@example ~]# net ads info
LDAP server: 192.168.0.98
LDAP server name: kurobuti-ad-server.kurobuti.local
Realm: KUROBUTI.LOCAL
Bind Path: dc=KUROBUTI,dc=LOCAL
LDAP port: 389
Server time: 月, 10 10月 2011 19:21:07 JST
KDC server: 192.168.0.98
Server time offset: 0

[root@example ~]# wbinfo -t
checking the trust secret for domain KUROBUTI via RPC calls succeeded

(5)ADに登録されているユーザー、グループ情報を取得する。
[root@example ~]# wbinfo -u
KUROBUTI+administrator
KUROBUTI+guest
KUROBUTI+krbtgt
KUROBUTI+test_user
[root@example ~]# wbinfo -g
KUROBUTI+domain computers
KUROBUTI+domain controllers
KUROBUTI+schema admins
KUROBUTI+enterprise admins
KUROBUTI+cert publishers
KUROBUTI+domain admins
KUROBUTI+domain users
KUROBUTI+domain guests
KUROBUTI+group policy creator owners
KUROBUTI+ras and ias servers
KUROBUTI+allowed rodc password replication group
KUROBUTI+denied rodc password replication group
KUROBUTI+read-only domain controllers
KUROBUTI+enterprise read-only domain controllers
KUROBUTI+dnsadmins
KUROBUTI+dnsupdateproxy

(6)ADに登録されているユーザーで認証してみる。
[root@example ~]# wbinfo --authenticate=test_user%PassWord123
plaintext password authentication failed
Could not authenticate user test_user%PassWord123 with plaintext password
challenge/response password authentication succeeded

※ハイライト部分が失敗するのは、NTLMv2は暗号化(ハッシュ化)して扱うためだと思われます。(たぶん・・・)
※チャレンジレスポンスは成功しています。

(7)squidの設定を修正する。
[root@example ~]# vi /etc/squid/squid.conf
#--以下を先頭にでも追加--#
# NTLM authentication settings.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl password proxy_auth REQUIRED
#--ここまで--#

http_access allow localnet
↓ # 変更
http_access allow password localnet

※ntlm認証で失敗した時ようにbasicも設定しておきます。
※squid-3.1.4以上を利用する場合「auth_param ntlm keep_alive off」にしないと複数回認証(クライアントがAD認証していない場合)が求められます。


(8)squidユーザーにwbprivグループを追加する。
[root@example ~]# usermod -G wbpriv squid
[root@example ~]# id squid
uid=23(squid) gid=23(squid) 所属グループ=23(squid),88(wbpriv)
※「cache_effective_group」で指定した方が確実かも。

(9)squidをリロードする。
[root@example ~]# /etc/rc.d/init.d/squid reload

(10)各種サービスを起動する。
[root@example squid]# /etc/rc.d/init.d/smb start
SMB サービスを起動中:                                      [  OK  ]
[root@example squid]# chkconfig smb on
[root@example squid]# chkconfig winbind on
[root@example squid]# chkconfig squid on

(11)試しにクライアントマシンからProxyサーバ経由でWebページを閲覧する時に、認証が出るか確認する。また、認証が出た際、ユーザー名、パスワードを入力して認証が通ることを確認する。
ユーザー名: KUROBUTI\test_user
パスワード: ********(設定したパスワード)

Comments are closed.