Both Samba and squid can use the same domain (AD) verification.

Source: Internet
Author: User
Tags: squid, proxy, kinit

It's actually quite simple. The Red Hat Chinese site also says that you only need to change the /etc/krb5.conf and /etc/samba/smb.conf files and then add the machine with net ads join.

At the beginning, there were always errors when joining:
Reference: [root@CSR-SERVER-TEST ~]# net ads join -U administrator
administrator's password:
winscard_clnt.c:320:SCardEstablishContextTH() cannot open public shared file: /var/run/pcscd.pub
winscard_clnt.c:320:SCardEstablishContextTH() cannot open public shared file: /var/run/pcscd.pub
Using short domain name -- hyprt.com
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
or rejoin with using Domain Admin credentials. winscard_clnt.c:320:SCardEstablishContextTH() cannot open public shared file: /var/run/pcscd.pub
Disabled account for 'csr-server-test' in realm 'hyprt.com'
[root@CSR-SERVER-TEST ~]#
In smb.conf:
netbios name = CSR-SERVER-TEST    # this is wrong
netbios name = csrservertest      # you can check it with hostname -f

Reference: [root@csrserver ~]# hostname -f
csrservertest
[root@CSR-SERVER-TEST ~]# hostname -f
hostname: Unknown host
[root@csrserver ~]#

The above is mainly because the NetBIOS name in Samba is incorrect and is not written according to the FQDN standard. You can change it.

Reference: [root@csrserver etc]# smbclient -L //domain -k
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2]

        Sharename       Type      Comment
        ---------       ----      -------
        Manager         Disk
        QC              Disk
        Hanseyang       Disk
        C$              Disk      Default share
        HR              Disk
        PPC             Disk
        Engineer        Disk
        Xlzeng          Disk
        CTP             Disk
        PE              Disk
        Est             Disk
        IE              Disk
        Meiz            Disk
        Human           Disk
        Glsu            Disk
        PMC             Disk
        IPC$            IPC       Remote IPC
        PUR             Disk
        Yorky           Disk
        Pre-press       Disk
        Aprilh          Disk
        ADMIN$          Disk      Remote Admin
        Shipping        Disk
        D$              Disk      Default share
        Cust PA         Disk
        Customer        Disk
        Finance         Disk
        Michelle Ma     Disk
        Frankzhao       Disk
        SYSVOL          Disk      Logon server share
        Finhy           Disk
        NETLOGON        Disk      Logon server share
        Public_data     Disk
        Product         Disk
        Wangw           Disk
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
[root@csrserver etc]#

Problem reference: http://bbs.chinaunix.net/viewthread.php?tid=968601

[This post was last edited by fengying]

lovegqin replied at 10:48:22

More details.

fengying replied at 11:20:20

This article is a work Note for setting the Samba server to join the win2003 Active Directory.

1. Samba server software requirements
krb5-workstation-1.2.7-19
pam_krb5-1.70-1
krb5-devel-1.2.7-19
krb5-libs-1.2.7-19
samba-3.0.5-2

2. Configure Kerberos (key step)
The following configuration parameters tell the Kerberos libraries how to reach the Active Directory server; make the corresponding changes to /etc/krb5.conf. Note that Kerberos is case sensitive, so watch the case while editing.
This is my krb5.conf configuration file:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
# realm names are case sensitive; an AD realm is the DNS domain in upper case
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 MYDOMAIN.COM = {
  kdc = 192.168.2.248
#  admin_server = kerberos.example.com:749
  default_domain = mydomain.com
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

3. Connect to the 2003 server

kinit filesrv@MYDOMAIN.COM

The Kerberos kinit command tests the communication between the servers. The domain name mydomain.com is the domain name of your Active Directory; it must be written in capitals, otherwise you receive the error:
kinit(v5): Cannot find KDC for requested realm while getting initial credentials

If communication is normal, you are prompted for the password. If the password is correct, the system returns to the bash prompt; otherwise the following error is reported:
kinit(v5): Preauthentication failed while getting initial credentials

4. Configure Samba
Modify the following lines in /etc/samba/smb.conf:

workgroup = MYDOMAIN
netbios name = filesrv
server string = filesrv

realm = MYDOMAIN.COM        # domain name of the Active Directory server
security = ads              # use Active Directory authentication
encrypt passwords = yes     # use encrypted passwords

Restart the Samba service:
service smb restart

After Samba and Kerberos are configured, a computer account must be created in the Windows 2000 Active Directory. To do it from Linux, run:
/usr/kerberos/bin/kinit filesrv@MYDOMAIN.COM
After entering the password, create the account.

Add the server to the Active Directory:
/usr/local/samba/bin/net ads join

Go to the Windows 2003 server and check the above work: open Active Directory Users and Computers and look at the entries; if the join succeeded, you can see your Linux server there. (See the figure below)

Then, on the Linux machine, you can use the smbclient command to connect to a Windows shared folder without entering a password (because Kerberos is used):
/usr/local/samba/bin/smbclient //w2k/C$ -k

This command may print some error messages, but that does not matter as long as it works.

[This post was last edited by fengying on September 26]
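The two mistakes this thread runs into (a NetBIOS name that is not the host name, and a realm that is not in upper case) can be caught before running net ads join. The following check is an added example, not code from the thread; conf_get and check_ads_join_config are my own helper names, the host's FQDN is passed in as an argument so the check runs offline, and the sample files are constructed here.

```shell
# Added example, not from the thread: lint the krb5.conf / smb.conf pair
# before "net ads join" for the two mistakes discussed above, a lower-case
# realm and a NetBIOS name that differs from the host name.

# Print the value of the first uncommented "key = value" line in file $1
# whose key equals $2 (case-insensitive).
conf_get() {
  awk -F= -v k="$2" 'tolower($1) ~ ("^[ \t]*" k "[ \t]*$") {
      sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit }' "$1"
}

# usage: check_ads_join_config <krb5.conf> <smb.conf> <fqdn of this host>
# Returns 0 when the files are consistent, 1 (printing the reasons) otherwise.
check_ads_join_config() {
  rc=0
  realm=$(conf_get "$1" default_realm)
  smb_realm=$(conf_get "$2" realm | tr 'a-z' 'A-Z')
  nb=$(conf_get "$2" "netbios name" | tr 'a-z' 'A-Z')
  sec=$(conf_get "$2" security)
  short=$(printf '%s' "${3%%.*}" | tr 'a-z' 'A-Z')      # first DNS label
  # Kerberos is case sensitive: an AD realm is the upper-case DNS name.
  [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ] ||
    { echo "krb5.conf: default_realm '$realm' must be upper case"; rc=1; }
  [ "$smb_realm" = "$realm" ] ||
    { echo "smb.conf: realm '$smb_realm' differs from default_realm '$realm'"; rc=1; }
  [ "$sec" = "ads" ] || { echo "smb.conf: security must be ads (got '$sec')"; rc=1; }
  # The machine account is named after the NetBIOS name, so it must be the
  # short host name: no dots, at most 15 characters.
  case "$nb" in *.*) echo "smb.conf: netbios name '$nb' must not be an FQDN"; rc=1 ;; esac
  [ "${#nb}" -le 15 ] || { echo "smb.conf: netbios name '$nb' exceeds 15 chars"; rc=1; }
  [ "$nb" = "$short" ] ||
    { echo "smb.conf: netbios name '$nb' should equal host name '$short'"; rc=1; }
  return $rc
}

# Constructed sample files mirroring the thread's working configuration.
SAMPLE_DIR=$(mktemp -d)
printf '[libdefaults]\n default_realm = MYDOMAIN.COM\n' > "$SAMPLE_DIR/krb5.conf"
printf '[global]\n workgroup = MYDOMAIN\n netbios name = filesrv\n' > "$SAMPLE_DIR/smb.conf"
printf ' realm = MYDOMAIN.COM\n security = ads\n' >> "$SAMPLE_DIR/smb.conf"
check_ads_join_config "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/smb.conf" filesrv.mydomain.com &&
  echo "config consistent, safe to run: net ads join -U administrator"
```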

 

fengying replied at 11:25:37

Next we can do proxy verification with the domain...

lovegqin replied at 11:34:56

I hope the OP keeps up the good work!!!

fengying replied at 15:54:06

Compile squid:
./configure --prefix=/usr/local/squid --sysconfdir=/etc/squid --enable-async-io=32 --enable-auth="basic,ntlm" --enable-external-acl-helpers="wbinfo_group" --enable-kill-parent-hack --enable-poll --enable-removal-policies="heap,lru" --disable-icmp --disable-delay-pools --disable-useragent-log --disable-arp-acl --disable-ident-lookups --disable-internal-dns --enable-err-language="Simplify_Chinese" --enable-storeio=aufs,ufs,diskd,coss,null

make; make install

vi /etc/squid/squid.conf
Find cache_dir, http_port, http_access, cache_effective_user and cache_effective_group.
Remove the # before cache_dir, http_port and http_reply_access allow all.
Change # cache_effective_user nobody to cache_effective_user squid.
# cd /usr/local/squid/var
# mkdir cache
# useradd -s /sbin/nologin -c "only squid" squid      (add the squid user)
# chown squid:squid cache
# chown squid:squid logs      (same as above)

Start squid:
# /usr/local/squid/sbin/squid -z
[root@misdell1 squid-2.6.STABLE11]# /usr/local/squid/sbin/squid -z
FATAL: Could not determine fully qualified hostname. Please set 'visible_hostname'
This error is caused by the absence of a host name in squid.conf. Use hostname -f to obtain the host name and enter it as visible_hostname.
# /usr/local/squid/sbin/squid -NCd1      (the last character is the digit 1!)
If there is no problem, it shows "Ready to serve requests".
# /usr/local/squid/sbin/squid

If this error occurs when you start squid: "FATAL: Unknown policy lru", add the parameter --enable-removal-policies="heap,lru" to ./configure.

Change http_access deny all in squid.conf to http_access allow all.
Restart squid and check whether the proxy can reach the Internet. If it can, set up the domain verification; when doing so, change http_access allow all back to http_access deny all.

Then add the domain group "domain_internet_users" to squid.conf as the group allowed to access the Internet:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type nt_global_group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl proxyusers external nt_global_group domain_internet_users
acl authenticatedusers proxy_auth REQUIRED
http_access allow authenticatedusers proxyusers
http_access deny all

chgrp squid /var/cache/samba/winbindd_privileged
chmod -R 750 /var/cache/samba/winbindd_privileged
If you log on to your computer with a domain account, you are not prompted for a user name and password when you browse the web. If a non-domain user logs on to the computer and goes through the proxy, an authentication window appears asking for a user name and password.
In squid.conf you can also specify which domain users are allowed and which are denied. For Windows domain users the verification is transparent: they do not have to type a user name and password, which is convenient.

Blocking QQ with squid is also easy; just add rules to squid.conf:
denyqq_ip.list
acl badurls dstdomain -i .qq.com .tencent.com
http_access deny badurls
acl qq_ip dst "/etc/squid/denyqq_ip.list"
http_access deny qq_ip
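Squid evaluates http_access lines top to bottom and the first matching line wins, so where the QQ deny rules are placed relative to "http_access allow authenticatedusers proxyusers" decides whether they apply to domain users at all. The evaluator below is an added example, not part of the thread or of squid; squid_first_match is my helper name, it handles only the rule syntax used in this thread (AND-lists of ACL names, "!" negation and "all"), and the two configs it reads are constructed.

```shell
# Added example, not from the thread: a first-match evaluator for the
# http_access rules in a squid.conf, to show why the deny rules for QQ must
# be placed before "http_access allow authenticatedusers proxyusers".

# usage: squid_first_match <squid.conf> [acl-name ...]
# The ACL names are those a request is assumed to match. Prints the action
# of the first http_access rule whose ACLs all match ("!name" matches when
# the name is absent; "all" always matches) and its line number, or the
# opposite of the last rule when nothing matches, as squid does.
squid_first_match() {
  conf=$1; shift
  matched=" $* "
  grep -n '^[[:space:]]*http_access[[:space:]]' "$conf" | {
    last=
    while IFS= read -r line; do
      lineno=${line%%:*}
      set -- ${line#*:}          # $1=http_access $2=action $3..=acl names
      action=$2; shift 2
      last=$action; hit=1
      for acl in "$@"; do
        case "$acl" in
          all) ;;
          !*) case "$matched" in *" ${acl#!} "*) hit=0 ;; esac ;;
          *)  case "$matched" in *" $acl "*) ;; *) hit=0 ;; esac ;;
        esac
      done
      if [ "$hit" -eq 1 ]; then echo "$action line $lineno"; exit 0; fi
    done
    [ "$last" = allow ] && echo "deny default" || echo "allow default"
  }
}

# Constructed configs (only the http_access lines matter to the evaluator):
# the thread's rules with the QQ deny appended after the allow line
# (NAIVE_CONF) and placed before it (FIXED_CONF).
NAIVE_CONF=$(mktemp); FIXED_CONF=$(mktemp)
printf 'http_access allow authenticatedusers proxyusers\nhttp_access deny all\nhttp_access deny badurls\n' > "$NAIVE_CONF"
printf 'http_access deny badurls\nhttp_access allow authenticatedusers proxyusers\nhttp_access deny all\n' > "$FIXED_CONF"
# A domain user in domain_internet_users who opens qq.com matches all three ACLs.
squid_first_match "$NAIVE_CONF" authenticatedusers proxyusers badurls   # allow line 1
squid_first_match "$FIXED_CONF" authenticatedusers proxyusers badurls   # deny line 1
```

In the naive order the deny lines after "deny all" can never be reached, so the QQ rules must go above the allow line, as in FIXED_CONF.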
