Squid proxy server with transparent authentication against Windows AD

Source: Internet
Author: User
Tags: squid, proxy, kinit

A Squid proxy server is built on FreeBSD to provide transparent user authentication against a Windows 2003 domain. That is, if the client is logged on as a domain user, it can browse through the proxy directly; if the client is not logged on as a domain user, a domain user name and password must be entered before it can access the Internet.
Although there are some write-ups on this topic on the Internet, environments differ, so they do not necessarily apply. It took me several days of trial and error to get this working, and some points still confuse me; I will look into them later. The whole installation and configuration process is written down here for reference.
The OS is FreeBSD 7.2 and the host name is bsd1.abc.com; Kerberos 5 and OpenLDAP are required, nothing else seems to be.
The Windows domain name is abc.com, and its NetBIOS name is ABC.

I. Configure Kerberos 5
1. The Kerberos 5 configuration file is /etc/krb5.conf. Its content is as follows (comments are on their own lines; a trailing # after a value is not treated as a comment in krb5.conf):
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# Windows domain name, which must be in uppercase
default_realm = ABC.COM

# If FreeBSD's resolver points at the Windows domain's DNS server, the following two
# dns_lookup items can be set to true, so that the domain controllers are found through DNS;
# if they are set to false, the domain controller information in the [realms] section is used.
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
ABC.COM = {
# domain controllers; IP addresses may be used, and multiple DCs are separated by spaces.
# Not needed if the dns_lookup parameters above are set to true.
kdc = dc1.abc.com:88 dc2.abc.com:88
# Windows domain name, which must be in uppercase
default_domain = ABC.COM
}

2. Use kinit to verify that the Kerberos configuration works. If it succeeds, the output looks like this:
bsd1# kinit Administrator   (authenticate as the Windows domain administrator)
Administrator@ABC.COM's password:   (enter the administrator password)
kinit: NOTICE: ticket renewable lifetime is 1 week   (if you see this line, congratulations, Kerberos is configured correctly)

II. Install and configure Samba
I used version 3.3.4, downloaded as a source package from the Samba official website. (Why not use the one that ships with FreeBSD? I have not tried it.)

1. Unpack the source package, then compile and install; nothing special here.
bsd1# tar zxvf samba-3.3.4.tar.gz
bsd1# cd samba-3.3.4/source
bsd1# ./configure --with-ads --with-winbind
bsd1# make
bsd1# make install

2. After Samba is installed, configure it. The Samba configuration file under FreeBSD is /usr/local/samba/lib/smb.conf. The content is as follows (comments are on their own lines, because smb.conf does not treat a trailing # after a value as a comment):
[global]
# NetBIOS name of this machine in the Windows network
netbios name = bsd1
# NetBIOS name of the Windows domain
workgroup = ABC
# Kerberos realm, consistent with krb5.conf above
realm = ABC.COM
# server description, irrelevant
server string = Proxy Server
encrypt passwords = yes
# authenticate against Active Directory
security = ads
# address of the WINS server. According to the material online this parameter does not
# seem to be necessary, but things did not work for me until I added it. I don't understand why ......
wins server = 192.168.0.10
# domain controllers, separated by spaces
password server = dc1.abc.com dc2.abc.com
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
dns proxy = no
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
# let winbind accept domain users without the DOMAIN\ prefix, for transparent user authentication
winbind use default domain = yes

3. After Samba is configured, start nmbd, smbd and winbindd (-D runs each of them as a daemon):
bsd1# cd /usr/local/samba/sbin
bsd1# ./nmbd -D
bsd1# ./winbindd -D
bsd1# ./smbd -D

4. Join the local machine to the Windows domain
bsd1# /usr/local/samba/bin/net ads join -U Administrator
Enter the administrator password. If it succeeds, the bsd1 computer account appears in the Windows domain management tool.
On the local machine, confirm with the following commands:
bsd1# /usr/local/samba/bin/wbinfo -t
checking the trust secret via RPC calls succeeded   (this line indicates that the domain join succeeded)
bsd1# /usr/local/samba/bin/wbinfo -u   (lists the user accounts in the domain)

III. Install and configure Squid
I used version 2.7.STABLE6, downloaded as a source package from the Squid official website.

1. Unpack the source package, then compile and install.
bsd1# tar zxvf squid-2.7.STABLE6.tar.gz
bsd1# cd squid-2.7.STABLE6
bsd1# ./configure --enable-auth=basic,ntlm   (build the Basic and NTLM authentication modules)
bsd1# make
bsd1# make install

2. Configure Squid. The basic initial configuration of Squid is omitted here (see the Chinese edition of the Squid authoritative guide translated by Peng Yong Hua; I followed that guide except for its winbind authentication section, because from version 2.6 Squid no longer ships its own winbind helper and uses Samba's winbind directly).
The Squid configuration file is /usr/local/squid/etc/squid.conf. The authentication-related parameters are as follows (for the other parameters, see the guide):

# NTLM authentication through Samba's ntlm_auth helper
auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
# Basic authentication fallback, also through ntlm_auth
auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl all src 0/0
# user authentication required
acl ntlmusers proxy_auth REQUIRED
# authenticated users are allowed through
http_access allow all ntlmusers
# everyone else is denied
http_access deny all

3. Start Squid
bsd1# /usr/local/squid/sbin/squid
Now try browsing from a client. It fails: a dialog box asking for a user name and password pops up as soon as you access the Internet.

Checking the log shows that /usr/local/samba/var/locks/winbindd_privileged cannot be accessed. The directory is owned by root with mode 750, while Squid (and therefore the ntlm_auth helper it spawns) runs as nobody.
I tried changing the mode to 777, and strangely that did not help. Changing it back to 750, making nobody the owner of the directory and restarting Squid worked. Haha, success!
I was happy too soon: after rebooting the server, winbindd would not start. It was again the permissions on /usr/local/samba/var/locks/winbindd_privileged: winbindd runs as root, but the owner of winbindd_privileged had been changed to nobody. The fix is to give the directory the owner root and the group nobody, so that winbindd owns it and the helper running as nobody gets in through the group:
# chown -R root:nobody /usr/local/samba/var/locks/winbindd_privileged

Restart the services.
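The three permission states described above (777, owner nobody, and the final root:nobody 750) can be checked with a small script before restarting anything. This is an added example, not code from the original post; the directory path, the winbindd user (root) and the Squid group (nobody) are assumed defaults taken from the text, and the demo at the end runs on a constructed temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): check the winbindd privileged
# pipe directory for the state the post finally arrives at: owner = the user
# winbindd runs as, group = the group Squid's ntlm_auth helper runs as, mode
# exactly 0750. It reports each state the post ran into: extra permission
# bits (the 777 attempt), an owner other than winbindd's user (after the chown
# to nobody), and a group the helper is not in. The defaults are assumptions:
# /usr/local/samba/var/locks/winbindd_privileged, root, nobody.

check_winbind_priv_dir() {
    dir=${1:-/usr/local/samba/var/locks/winbindd_privileged}
    winbind_user=${2:-root}
    squid_group=${3:-nobody}
    [ -d "$dir" ] || { echo "FAIL: $dir does not exist"; return 1; }
    # ls -ld prints "drwxr-x--- 2 root nobody ..." on both BSD and GNU userlands
    set -- $(ls -ld "$dir")
    mode=$1 owner=$3 group=$4
    rc=0
    case "$mode" in
        drwxr-x---*) ;;   # exactly 0750 (a trailing + or @ only marks ACLs/xattrs)
        *) echo "FAIL: mode $mode, expected drwxr-x--- (0750): chmod 750 $dir"; rc=1 ;;
    esac
    if [ "$owner" != "$winbind_user" ]; then
        echo "FAIL: owner $owner, but winbindd runs as $winbind_user: chown $winbind_user $dir"
        rc=1
    fi
    if [ "$group" != "$squid_group" ]; then
        echo "FAIL: group $group, but the Squid helper runs as group $squid_group: chgrp $squid_group $dir"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: $dir is $mode $owner:$group"
    return $rc
}

# Demo on a constructed temporary directory: since this does not run as root,
# the expected owner and group are the current user and primary group.
demo=$(mktemp -d)
chgrp "$(id -gn)" "$demo"
chmod 777 "$demo"
check_winbind_priv_dir "$demo" "$(id -un)" "$(id -gn)" || true   # reports the 777 problem
chmod 750 "$demo"
check_winbind_priv_dir "$demo" "$(id -un)" "$(id -gn)" || true   # OK
rmdir "$demo"
```

On the proxy itself run it with no arguments (or pass the real directory, winbindd user and Squid group) after any change to the Samba tree, since a reinstall or package upgrade can reset the directory back to root:root.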
