ここでは、squidをNTLM認証に対応させるための設定をします。
(1)必要なパッケージをインストールする。
[root@example ~]# yum -y install samba samba-winbind samba-common krb5-libs pam_krb5
(2)hostsにADサーバを追加する。
[root@example ~]# vi /etc/hosts 192.168.0.98 kurobuti-ad-server.kurobuti.local # 追加※ADサーバの名前解決ができない場合のみに追加する。
(3)ADサーバにProxyサーバを登録する。
[root@example ~]# authconfig --update --enablewinbind --enablekrb5 --enablewinbindauth \ --krb5realm=KUROBUTI.LOCAL --krb5kdc=kurobuti-ad-server.kurobuti.local \ --krb5adminserver=kurobuti-ad-server.kurobuti.local --smbsecurity=ads \ --smbrealm=KUROBUTI.LOCAL --winbindtemplateshell=/sbin/nologin \ --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" \ --krb5kdc=kurobuti-ad-server.kurobuti.local --smbworkgroup=KUROBUTI \ --winbindjoin=Administrator --smbservers=kurobuti-ad-server.kurobuti.local \ --winbindseparator=+ authconfig: Authentication module /lib64/security/pam_fprintd.so is missing. Authentication process might not work correctly. [/usr/bin/net join -w KUROBUTI -S kurobuti-ad-server.kurobuti.local -U Administrator] Enter Administrator's password: # ADのAdministratorパスワードを入力 Using short domain name -- KUROBUTI Joined 'EXAMPLE' to realm 'kurobuti.local' No DNS domain configured for example. Unable to perform DNS Update. DNS update failed! Winbind サービスを起動中: [ OK ]
※「authconfig-tui」で設定する場合は下記アドレスを参照してください。
http://www.kurobuti.com/blog/?p=4594
※「authconfig」のヘルプを見る場合。
[root@example ~]# LANG=en_US.UTF8 authconfig
・上記(3)コマンドで変更されるファイルと内容
- /etc/krb5.conf
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = KUROBUTI.LOCAL dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] EXAMPLE.COM = { kdc = kerberos.example.com admin_server = kerberos.example.com } KUROBUTI.LOCAL = { kdc = kurobuti-ad-server.kurobuti.local admin_server = kurobuti-ad-server.kurobuti.local } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM kurobuti.local = KUROBUTI.LOCAL .kurobuti.local = KUROBUTI.LOCAL
- /etc/samba/smb.conf
# This is the main Samba configuration file. You should read the # smb.conf(5) manual page in order to understand the options listed # here. Samba has a huge number of configurable options (perhaps too # many!) most of which are not shown in this example # # For a step to step guide on installing, configuring and using samba, # read the Samba-HOWTO-Collection. This may be obtained from: # http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf # # Many working examples of smb.conf files can be found in the # Samba-Guide which is generated daily and can be downloaded from: # http://www.samba.org/samba/docs/Samba-Guide.pdf # # Any line which starts with a ; (semi-colon) or a # (hash) # is a comment and is ignored. In this example we will use a # # for commentry and a ; for parts of the config file that you # may wish to enable # # NOTE: Whenever you modify this file you should run the command "testparm" # to check that you have not made any basic syntactic errors. # #--------------- # SELINUX NOTES: # # If you want to use the useradd/groupadd family of binaries please run: # setsebool -P samba_domain_controller on # # If you want to share home directories via samba please run: # setsebool -P samba_enable_home_dirs on # # If you create a new directory you want to share you should mark it as # "samba-share_t" so that selinux will let you write into it. # Make sure not to do that on system directories as they may already have # been marked with othe SELinux labels. # # Use ls -ldZ /path to see which context a directory has # # Set labels only on directories you created! # To set a label use the following: chcon -t samba_share_t /path # # If you need to share a system created directory you can use one of the # following (read-only/read-write): # setsebool -P samba_export_all_ro on # or # setsebool -P samba_export_all_rw on # # If you want to run scripts (preexec/root prexec/print command/...) please # put them into the /var/lib/samba/scripts directory so that smbd will be # allowed to run them. # Make sure you COPY them and not MOVE them so that the right SELinux context # is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts # #-------------- # #======================= Global Settings ===================================== [global] #--authconfig--start-line-- # Generated by authconfig on 2011/10/10 19:20:29 # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--) # Any modification may be deleted or altered by authconfig in future workgroup = KUROBUTI password server = kurobuti-ad-server.kurobuti.local realm = KUROBUTI.LOCAL security = ads idmap uid = 16777216-33554431 idmap gid = 16777216-33554431 winbind separator = + template shell = /sbin/nologin winbind use default domain = false winbind offline logon = false #--authconfig--end-line-- # ----------------------- Netwrok Related Options ------------------------- # # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH # # server string is the equivalent of the NT Description field # # netbios name can be used to specify a server name not tied to the hostname # # Interfaces lets you configure Samba to use multiple interfaces # If you have multiple network interfaces then you can list the ones # you want to listen on (never omit localhost) # # Hosts Allow/Hosts Deny lets you restrict who can connect, and you can # specifiy it as a per share option as well # ; workgroup = MYGROUP server string = Samba Server Version %v ; netbios name = MYSERVER ; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 ; hosts allow = 127. 192.168.12. 192.168.13. # --------------------------- Logging Options ----------------------------- # # Log File let you specify where to put logs and how to split them up. # # Max Log Size let you specify the max size log files should reach # logs split per machine log file = /var/log/samba/log.%m # max 50KB per log file, then rotate max log size = 50 # ----------------------- Standalone Server Options ------------------------ # # Scurity can be set to user, share(deprecated) or server(deprecated) # # Backend to store user information in. New installations should # use either tdbsam or ldapsam. smbpasswd is available for backwards # compatibility. tdbsam requires no further configuration. ; security = user passdb backend = tdbsam # ----------------------- Domain Members Options ------------------------ # # Security must be set to domain or ads # # Use the realm option only with security = ads # Specifies the Active Directory realm the host is part of # # Backend to store user information in. New installations should # use either tdbsam or ldapsam. smbpasswd is available for backwards # compatibility. tdbsam requires no further configuration. # # Use password server option only with security = server or if you can't # use the DNS to locate Domain Controllers # The argument list may include: # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name] # or to auto-locate the domain controller/s # password server = * ; security = domain ; passdb backend = tdbsam ; realm = MY_REALM ; password server = <NT-Server-Name> # ----------------------- Domain Controller Options ------------------------ # # Security must be set to user for domain controllers # # Backend to store user information in. New installations should # use either tdbsam or ldapsam. smbpasswd is available for backwards # compatibility. tdbsam requires no further configuration. # # Domain Master specifies Samba to be the Domain Master Browser. This # allows Samba to collate browse lists between subnets. Don't use this # if you already have a Windows NT domain controller doing this job # # Domain Logons let Samba be a domain logon server for Windows workstations. # # Logon Scrpit let yuou specify a script to be run at login time on the client # You need to provide it in a share called NETLOGON # # Logon Path let you specify where user profiles are stored (UNC path) # # Various scripts can be used on a domain controller or stand-alone # machine to add or delete corresponding unix accounts # ; security = user ; passdb backend = tdbsam ; domain master = yes ; domain logons = yes # the login script name depends on the machine name ; logon script = %m.bat # the login script name depends on the unix user used ; logon script = %u.bat ; logon path = \\%L\Profiles\%u # disables profiles support by specifing an empty path ; logon path = ; add user script = /usr/sbin/useradd "%u" -n -g users ; add group script = /usr/sbin/groupadd "%g" ; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u" ; delete user script = /usr/sbin/userdel "%u" ; delete user from group script = /usr/sbin/userdel "%u" "%g" ; delete group script = /usr/sbin/groupdel "%g" # ----------------------- Browser Control Options ---------------------------- # # set local master to no if you don't want Samba to become a master # browser on your network. Otherwise the normal election rules apply # # OS Level determines the precedence of this server in master browser # elections. The default value should be reasonable # # Preferred Master causes Samba to force a local browser election on startup # and gives it a slightly higher chance of winning the election ; local master = no ; os level = 33 ; preferred master = yes #----------------------------- Name Resolution ------------------------------- # Windows Internet Name Serving Support Section: # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both # # - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server # # - WINS Server: Tells the NMBD components of Samba to be a WINS Client # # - WINS Proxy: Tells Samba to answer name resolution queries on # behalf of a non WINS capable client, for this to work there must be # at least one WINS Server on the network. The default is NO. # # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names # via DNS nslookups. ; wins support = yes ; wins server = w.x.y.z ; wins proxy = yes ; dns proxy = yes # --------------------------- Printing Options ----------------------------- # # Load Printers let you load automatically the list of printers rather # than setting them up individually # # Cups Options let you pass the cups libs custom options, setting it to raw # for example will let you use drivers on your Windows clients # # Printcap Name let you specify an alternative printcap file # # You can choose a non default printing system using the Printing option load printers = yes cups options = raw ; printcap name = /etc/printcap #obtain list of printers automatically on SystemV ; printcap name = lpstat ; printing = cups # --------------------------- Filesystem Options --------------------------- # # The following options can be uncommented if the filesystem supports # Extended Attributes and they are enabled (usually by the mount option # user_xattr). Thess options will let the admin store the DOS attributes # in an EA and make samba not mess with the permission bits. # # Note: these options can also be set just per share, setting them in global # makes them the default for all shares ; map archive = no ; map hidden = no ; map read only = no ; map system = no ; store dos attributes = yes #============================ Share Definitions ============================== [homes] comment = Home Directories browseable = no writable = yes ; valid users = %S ; valid users = MYDOMAIN\%S [printers] comment = All Printers path = /var/spool/samba browseable = no guest ok = no writable = no printable = yes # Un-comment the following and create the netlogon directory for Domain Logons ; [netlogon] ; comment = Network Logon Service ; path = /var/lib/samba/netlogon ; guest ok = yes ; writable = no ; share modes = no # Un-comment the following to provide a specific roving profile share # the default is to use the user's home directory ; [Profiles] ; path = /var/lib/samba/profiles ; browseable = no ; guest ok = yes # A publicly accessible directory, but read only, except for people in # the "staff" group ; [public] ; comment = Public Stuff ; path = /home/samba ; public = yes ; writable = yes ; printable = no ; write list = +staff
- /etc/nsswitch.conf
# # /etc/nsswitch.conf # # An example Name Service Switch config file. This file should be # sorted with the most-used services at the beginning. # # The entry '[NOTFOUND=return]' means that the search for an # entry should stop if the search in the previous entry turned # up nothing. Note that if the search failed due to some other reason # (like no NIS server responding) then the search continues with the # next entry. # # Valid entries include: # # nisplus Use NIS+ (NIS version 3) # nis Use NIS (NIS version 2), also called YP # dns Use DNS (Domain Name Service) # files Use the local files # db Use the local database (.db) files # compat Use NIS on compat mode # hesiod Use Hesiod for user lookups # [NOTFOUND=return] Stop searching if not found so far # # To use db, put the "db" in front of "files" for entries you want to be # looked up first in the databases # # Example: #passwd: db files nisplus nis #shadow: db files nisplus nis #group: db files nisplus nis passwd: files winbind shadow: files winbind group: files winbind #hosts: db files nisplus nis dns hosts: files dns # Example - obey only what nisplus tells us... #services: nisplus [NOTFOUND=return] files #networks: nisplus [NOTFOUND=return] files #protocols: nisplus [NOTFOUND=return] files #rpc: nisplus [NOTFOUND=return] files #ethers: nisplus [NOTFOUND=return] files #netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files netgroup: files publickey: nisplus automount: files aliases: files nisplus
(4)ADを認識しているか、また接続できているかを確認する。
[root@example ~]# net ads info LDAP server: 192.168.0.98 LDAP server name: kurobuti-ad-server.kurobuti.local Realm: KUROBUTI.LOCAL Bind Path: dc=KUROBUTI,dc=LOCAL LDAP port: 389 Server time: 月, 10 10月 2011 19:21:07 JST KDC server: 192.168.0.98 Server time offset: 0 [root@example ~]# wbinfo -t checking the trust secret for domain KUROBUTI via RPC calls succeeded
(5)ADに登録されているユーザー、グループ情報を取得する。
[root@example ~]# wbinfo -u KUROBUTI+administrator KUROBUTI+guest KUROBUTI+krbtgt KUROBUTI+test_user [root@example ~]# wbinfo -g KUROBUTI+domain computers KUROBUTI+domain controllers KUROBUTI+schema admins KUROBUTI+enterprise admins KUROBUTI+cert publishers KUROBUTI+domain admins KUROBUTI+domain users KUROBUTI+domain guests KUROBUTI+group policy creator owners KUROBUTI+ras and ias servers KUROBUTI+allowed rodc password replication group KUROBUTI+denied rodc password replication group KUROBUTI+read-only domain controllers KUROBUTI+enterprise read-only domain controllers KUROBUTI+dnsadmins KUROBUTI+dnsupdateproxy
(6)ADに登録されているユーザーで認証してみる。
[root@example ~]# wbinfo --authenticate=test_user%PassWord123 plaintext password authentication failed Could not authenticate user test_user%PassWord123 with plaintext password challenge/response password authentication succeeded
※ハイライト部分が失敗するのは、NTLMv2は暗号化(ハッシュ化)して扱うためだと思われます。(たぶん・・・)
※チャレンジレスポンスは成功しています。
(7)squidの設定を修正する。
[root@example ~]# vi /etc/squid/squid.conf #--以下を先頭にでも追加--# # NTLM authentication settings. auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 5 auth_param ntlm keep_alive on auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours acl password proxy_auth REQUIRED #--ここまで--# http_access allow localnet ↓ # 変更 http_access allow password localnet
※ntlm認証で失敗した時ようにbasicも設定しておきます。
※squid-3.1.4以上を利用する場合「auth_param ntlm keep_alive off」にしないと複数回認証(クライアントがAD認証していない場合)が求められます。
(8)squidユーザーにwbprivグループを追加する。
[root@example ~]# usermod -G wbpriv squid [root@example ~]# id squid uid=23(squid) gid=23(squid) 所属グループ=23(squid),88(wbpriv)※「cache_effective_group」で指定した方が確実かも。
(9)squidをリロードする。
[root@example ~]# /etc/rc.d/init.d/squid reload
(10)各種サービスを起動する。
[root@example squid]# /etc/rc.d/init.d/smb start SMB サービスを起動中: [ OK ] [root@example squid]# chkconfig smb on [root@example squid]# chkconfig winbind on [root@example squid]# chkconfig squid on
(11)試しにクライアントマシンからProxyサーバ経由でWebページを閲覧する時に、認証が出るか確認する。また、認証が出た際、ユーザー名、パスワードを入力して認証が通ることを確認する。
ユーザー名: KUROBUTI\test_user
パスワード: ********(設定したパスワード)