Proxy Server for Windows Domain Identity Authentication on Linux

Source: Internet
Author: User
Tags: ad server, delete cache, domain server, squid, proxy, kinit

The proxy server used by the company runs on Linux, and it has had its share of problems, which directly affect users' normal Internet access. I had been busy with other projects and had no time to tune it. Not long ago the system suddenly failed to enter the GNOME desktop, which made me decide to re-plan and deploy a proxy server that meets the needs of the current environment.

Before deployment, let's look at the existing proxy server: it runs Red Hat Linux 8.x with Squid 2.3 and NCSA (ncsa_auth) basic authentication. The system is outdated and unstable, and it also has the following shortcomings:

1. Because of Squid configuration problems, the disk space used by the Squid cache and logs is never released automatically; the Squid service is regularly suspended when the disk fills up, and the cache and logs have to be deleted by hand to free space.

2. Every user needs a separate password on the proxy server. When the company was small this was tolerable, but as the number of employees grew it increased the IT administrators' workload and made it hard to keep the accounts consistent with the Windows domain accounts.

3. Clients cannot use AD-integrated authentication, so users must re-enter their user name and password every time they access the Internet, which greatly degrades the user experience.

4. Different permissions are not set for different Internet access groups.

5. Users' Internet access is not monitored, which directly affects the company's normal business.

So the proxy server needs frequent maintenance, which eats into IT staff time. Starting from the company's current situation, the functions of the new proxy server are planned as follows:

1. Disk space occupied by Squid is reclaimed automatically under set conditions;

2. Users are authenticated against the account information on the AD server, so user information does not have to be maintained twice;

3. Three permission levels are provided:

   1. Deny all access;

   2. Internet access is allowed, but video, audio and executable files cannot be downloaded;

   3. Unlimited access to any Internet resource;

4. IT administrators can view users' Internet access logs and monitor their Internet access behaviour.

Now that the goal is clear, let's get started.

I. system environment:

1. CentOS 5.0 Linux

2. squid-2.6.STABLE6-4.el5

3. samba-3.0.23c-2.el5.2.0.2

4. sarg-2.2.1-1.el5.rf

5. winbind

6. krb5

II. Modify the configuration file of the Kerberos 5 authentication service (unless otherwise stated, all work is done as root):

Run the following command:

[root@proxy ~]# vim /etc/krb5.conf

The modified krb5.conf is (comments are on their own lines, since the krb5.conf parser does not strip trailing comments from values):

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# default realm; realm names are written in upper case
 default_realm = COMPANY.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 COMPANY.COM = {
# name or IP address of the KDC, i.e. the domain controller
  kdc = adsrv.company.com:88
# name or IP address of the admin server
  admin_server = adsrv.company.com:749
# default DNS domain
  default_domain = company.com
 }

# mapping between DNS domain and Kerberos realm
[domain_realm]
 .company.com = COMPANY.COM
 company.com = COMPANY.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

III. Use kinit to test whether the krb5 settings are correct

Run the following command:

[root@proxy ~]# kinit administrator@COMPANY.COM

You are prompted for the administrator password. With the correct password, kinit either prints

kinit: NOTICE: ticket renewable lifetime is 1 week

or simply returns to the prompt; klist then shows the ticket-granting ticket for administrator@COMPANY.COM. Any other output is an error message. Make sure the clocks of the Linux server and the domain controller are synchronized, not merely set to the same time zone: Kerberos rejects requests when the clock skew exceeds five minutes by default, and the system then cannot talk to Active Directory at all. Syncing the proxy with NTP against the domain controller avoids this.

IV. Samba configuration

Since configuring a general-purpose Samba file server is not the subject here, only the part of smb.conf needed by the Squid proxy is shown (comments are on separate lines; smb.conf does not support trailing comments after a value):

[global]
 idmap gid = 10000-20000
 idmap uid = 10000-20000
 password server = 192.168.21.21
# NetBIOS name of the domain
 workgroup = COMPANY
 os level = 20
 encrypt passwords = yes
# authenticate against Windows Active Directory (ADS)
 security = ads
# Kerberos realm of the domain, which must be upper case
 realm = COMPANY.COM
 winbind use default domain = yes

Adjust these values to your environment. "winbind use default domain = yes" makes domain accounts appear as plain user names (jsmith rather than COMPANY\jsmith), which is what the Squid group lookups and the access log below rely on.

V. Use ntlm_auth to test whether the previous configuration is correct.

Before testing, the proxy must be a member of the domain. The original write-up does not show this step, but without it winbind has no machine account to authenticate with: join the domain with `net ads join -U administrator`, which prompts for the password and uses the Kerberos settings from section II. Then restart samba and winbind; a full reboot is not normally needed:

[root@proxy ~]# service winbind restart

[root@proxy ~]# service smb restart

After the restart, `wbinfo -t` confirms that the machine trust secret is valid and `wbinfo -u` lists the domain users (when user enumeration is enabled). If those work, test an actual logon:

[root@proxy ~]# ntlm_auth --username=administrator

You are prompted for the administrator password. With the correct password the result is:

NT_STATUS_OK: Success (0x0)

That means the domain account administrator was authenticated by AD through winbind, and you can go on to the next step.

VI. Configure NSS (Name Service Switch)

NSS stands for Name Service Switch; see http://en.wikipedia.org/wiki/Name_Service_Switch for background. In /etc/nsswitch.conf add winbind to the passwd and group lines:

passwd: files winbind

group: files winbind

Nothing else needs to change. `getent passwd <domain user>` should now return the account with a uid from the idmap range configured above; if it does not, the Squid group lookups below will fail as well.

VII. Squid configuration

Since this is a proxy server, the Squid settings are the core of the work. They are described below by function:

1. Configure the third-party authentication helpers for Squid

# NTLM authentication, using ntlm_auth with the squid-2.5-ntlmssp helper protocol
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on

# Basic authentication as a fallback, using ntlm_auth with the squid-2.5-basic helper protocol
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# Group lookup: %LOGIN passes the authenticated user name to wbinfo_group.pl, which
# checks AD group membership. This is what lets Squid apply different access
# control policies to different user groups.
external_acl_type NT_global_group %LOGIN /usr/lib/squid/wbinfo_group.pl

Keep the ntlm block before the basic block: Squid offers authentication schemes to clients in the order they appear in squid.conf, and Basic sends the password base64-encoded in the clear, so it should only be used by clients that cannot do NTLM.

2. Configure the user access control list

# map the AD global group "internet" to the Squid ACL ProxyUsers
acl ProxyUsers external NT_global_group internet
# map the AD global group "nolimitedinternet" to NoLimited
acl NoLimited external NT_global_group nolimitedinternet
# require authentication for everybody
acl AuthenticatedUsers proxy_auth REQUIRED
# file types that may not be downloaded
acl InvalidFiles urlpath_regex -i \.mp3$ \.avi$ \.rmvb$ \.mpg$ \.rm$ \.wma$ \.wmv$ \.scr$ \.exe$ \.ocx$ \.dll$ \.com$
# domain names and IP addresses that may not be accessed, one per line in denyDomain.list and denyIP.list
acl denyDomain dstdomain "/etc/squid/denyDomain.list"
acl denyIP dst "/etc/squid/denyIP.list"

# NoLimited users may access any Internet resource
http_access allow AuthenticatedUsers NoLimited
# everybody else: block the listed domains and IP addresses and the InvalidFiles types ...
http_access deny denyDomain
http_access deny denyIP
http_access deny InvalidFiles
# ... and then allow the ordinary ProxyUsers
http_access allow AuthenticatedUsers ProxyUsers

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

Note the positions of "http_access allow AuthenticatedUsers NoLimited" and "http_access allow AuthenticatedUsers ProxyUsers". Both grant access to a group, but Squid evaluates http_access lines in order and the first line whose ACLs all match decides, so NoLimited users are allowed before the deny lines are reached, while ProxyUsers only get to their allow line after passing the three deny lines. Swapping the two allow lines would let ordinary users download blocked files. Three further points a production configuration needs:

The listing ends without an explicit "http_access deny all". Squid then applies the opposite of the last line (here: deny), but the rule should be written out so the default does not silently flip when a line is appended later.

urlpath_regex matches the whole URL path including the query string (the default squid.conf uses "urlpath_regex \?" to detect query URLs), so "\.exe$" does not match setup.exe?x=1. Anchor such patterns as "\.exe(\?|$)" and, since extension filters are trivially bypassed by renaming, also filter on the reply's MIME type.

The Safe_ports and CONNECT ACLs are defined but never used in an http_access line above; keep the default "http_access deny !Safe_ports" and "http_access deny CONNECT !SSL_ports" lines in front of the group rules, otherwise an authenticated user can tunnel arbitrary TCP through CONNECT.
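The ordering rule above is easy to get wrong and hard to see in a running proxy, so here is an added example, not code from the original article, that reproduces Squid's first-match evaluation of http_access lines on the article's own rule set and on the same rules with the two allow lines swapped. The evaluator models only what the ordering discussion depends on (all ACLs on a line must match, the first matching line wins, no match means the opposite of the last line); the 407 challenge Squid sends when proxy_auth fails and the wbinfo_group.pl lookups are not modelled. Scenario names such as EXE_BY_NORMAL are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a first-match evaluator for Squid http_access lines (not part of
# the original article). Semantics modelled: every ACL named on one line must match
# (AND), the first line whose ACLs all match decides, "!name" negates an ACL, and
# when no line matches Squid applies the opposite of the last line's action.

# squid_http_access "<matching acl names>"  (rules on stdin, without "http_access")
# Prints "allow ..." or "deny ..." with the rule number, or "default", that decided.
squid_http_access() {
    awk -v matched=" $1 " '
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    {
        action = $1; ok = 1
        for (i = 2; i <= NF; i++) {
            name = $i; want = 1
            if (substr(name, 1, 1) == "!") { name = substr(name, 2); want = 0 }
            hit = (index(matched, " " name " ") > 0)
            if (hit != want) { ok = 0; break }
        }
        last = action
        if (ok) { print action " (rule " NR ")"; found = 1; exit }
    }
    END {
        if (found) exit
        if (last == "") { print "deny (no rules)"; exit }
        d = (last == "allow") ? "deny" : "allow"
        print d " (default: opposite of the last rule)"
    }'
}

# decide "<matching acls>" "<rules>" -> allow | deny
decide() {
    printf '%s\n' "$2" | squid_http_access "$1" | cut -d" " -f1
}

# The http_access lines from the article, in the article's order.
PAGE_RULES='allow AuthenticatedUsers NoLimited
deny denyDomain
deny denyIP
deny InvalidFiles
allow AuthenticatedUsers ProxyUsers'

# The same lines with the ordinary-user allow moved in front of the deny lines.
SWAPPED_RULES='allow AuthenticatedUsers NoLimited
allow AuthenticatedUsers ProxyUsers
deny denyDomain
deny denyIP
deny InvalidFiles'

# Constructed scenarios (assumed for this example): the ACLs a request matches.
# AuthenticatedUsers is present whenever proxy_auth succeeded; a request that
# never authenticated matches nothing here.
EXE_BY_NOLIMITED="AuthenticatedUsers NoLimited ProxyUsers InvalidFiles"
EXE_BY_NORMAL="AuthenticatedUsers ProxyUsers InvalidFiles"
PAGE_BY_NORMAL="AuthenticatedUsers ProxyUsers"
UNAUTHENTICATED=""

demo() {
    for s in EXE_BY_NOLIMITED EXE_BY_NORMAL PAGE_BY_NORMAL UNAUTHENTICATED; do
        eval "acls=\$$s"
        printf '%-17s article order: %-6s swapped order: %s\n' "$s" \
            "$(decide "$acls" "$PAGE_RULES")" "$(decide "$acls" "$SWAPPED_RULES")"
    done
}

[ "${1:-}" = "--demo" ] && demo
```

Run it with --demo: in the article's order an ordinary user fetching setup.exe is denied by rule 4, in the swapped order the same request is allowed by rule 2 and the deny lines are dead code. Appending "deny all" to either rule set (with "all" in the matched list) makes the unauthenticated case an explicit match instead of relying on the default.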

VIII. Change the permissions of the winbind privileged pipe

Do not forget this step. The ntlm_auth helper runs as the squid user and must be able to enter winbind's privileged pipe directory to perform NTLMSSP authentication; without that access the helper cannot verify anyone. Give the squid group traverse access and nothing to anybody else:

[root@proxy ~]# chown -R root:squid /var/cache/samba/winbindd_privileged

[root@proxy ~]# chmod -R 750 /var/cache/samba/winbindd_privileged

IX. Restart all related services

The commands are as follows:

[root@proxy ~]# service smb restart

[root@proxy ~]# service winbind restart

[root@proxy ~]# service squid restart
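Sections VI, VIII and IX each have a small check that decides whether authentication works, and they are easy to forget after a reinstall. The following is an added example script, not from the original article, that bundles them: the offline checks inspect nsswitch.conf, the winbindd_privileged permissions and the helper order in squid.conf and run anywhere; the live checks (wbinfo, getent, squid -k parse, ntlm_auth) need the joined domain member and only run with --live. The default paths are the CentOS 5 locations used in the article; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): post-deployment checks for the
# winbind / NSS / Squid plumbing configured above.

WINBIND_PRIV_DIR=/var/cache/samba/winbindd_privileged   # CentOS 5 location
SQUID_CONF=/etc/squid/squid.conf
NSSWITCH=/etc/nsswitch.conf

# check_nss_winbind FILE: both passwd and group lookups must consult winbind,
# otherwise getent and wbinfo_group.pl cannot resolve domain accounts.
check_nss_winbind() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# check_winbind_pipe DIR GROUP: the ntlm_auth helper runs in GROUP (squid) and
# must be able to enter the privileged pipe directory; nobody else may.
# Expected: group GROUP, mode 750 (owner rwx, group r-x, others nothing).
check_winbind_pipe() {
    dir=$1; grp=${2:-squid}
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    actual_grp=$(stat -c %G "$dir")
    actual_mode=$(stat -c %a "$dir")
    if [ "$actual_grp" != "$grp" ]; then
        echo "$dir: group is $actual_grp, expected $grp" >&2; return 1
    fi
    case $actual_mode in
        750) return 0 ;;
        *) echo "$dir: mode is $actual_mode, expected 750" >&2; return 1 ;;
    esac
}

# check_squid_auth_order FILE: the NTLM helper must be listed before the basic
# helper, because Squid offers schemes in squid.conf order and Basic carries the
# password base64-encoded in the clear.
check_squid_auth_order() {
    ntlm=$(grep -n '^auth_param ntlm program' "$1" | head -n 1 | cut -d: -f1)
    basic=$(grep -n '^auth_param basic program' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$ntlm" ] && [ -n "$basic" ] && [ "$ntlm" -lt "$basic" ]
}

# live_checks USER: needs the domain-joined proxy, winbindd and squid installed.
live_checks() {
    wbinfo -t                       # machine trust account secret still valid
    getent passwd "$1"              # NSS resolves the domain account via winbind
    squid -k parse                  # squid.conf parses cleanly
    ntlm_auth --username="$1"       # prompts for the password; expect NT_STATUS_OK
}

if [ "${1:-}" = "--live" ]; then
    check_nss_winbind "$NSSWITCH" && echo "nsswitch.conf: ok"
    check_winbind_pipe "$WINBIND_PRIV_DIR" squid && echo "winbindd_privileged: ok"
    check_squid_auth_order "$SQUID_CONF" && echo "auth_param order: ok"
    live_checks "${2:-administrator}"
fi
```

Run it as root with "--live [user]" after the restart in section IX; each check prints ok or a reason to stderr, and ntlm_auth is left interactive so the password never ends up on a command line or in shell history.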

At this point the Squid proxy configuration is complete. Next, IT administrators need a way to view and monitor users' Internet access.

X. Installation and configuration of Sarg

For simplicity, use the prebuilt RPM. Fetch it with:

[root@proxy ~]# wget http://dag.wieers.com/rpm/packages/sarg/sarg-2.2.1-1.el5.rf.i386.rpm

Installation is straightforward:

[root@proxy ~]# rpm -Uvh sarg-2.2.1-1.el5.rf.i386.rpm

After the installation, restart the Apache server. Sarg builds its HTML reports from Squid's access.log, so the two settings to check in sarg.conf are access_log (Squid's log, /var/log/squid/access.log here) and output_dir (a directory served by Apache). The user column in the reports is the login Squid recorded, i.e. the AD account name, so the reports should be protected by the same access control as any other record of employee activity.
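Sarg answers the per-user reporting question, but the administrator often wants a quick answer straight from the log: who used how much, how often was somebody stopped by the policy, and which accounts actually fetched file types the ordinary policy blocks (members of the unlimited group, or a hole in the rules). The following added example, not from the original article or from Sarg, does that with awk over Squid's native access.log format; the five sample lines are constructed for the example and do not come from a real proxy, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): a quick awk pass over Squid's
# native access.log. Field layout of the native format:
#   1 time  2 elapsed  3 client  4 result/status  5 bytes  6 method  7 URL
#   8 user  9 hierarchy/peer  10 type
# With "winbind use default domain = yes" field 8 is the bare AD account name;
# a 407 challenge line carries "-" as the user.

# Constructed sample log, not captured from a real proxy.
SAMPLE_LOG=$(cat <<'EOF'
1196582457.123    120 192.168.21.55 TCP_MISS/200 5432 GET http://www.example.com/index.html jsmith DIRECT/203.0.113.10 text/html
1196582460.456     30 192.168.21.55 TCP_DENIED/403 1500 GET http://www.example.com/tools/setup.exe jsmith NONE/- text/html
1196582463.789     15 192.168.21.55 TCP_HIT/200 1000 GET http://www.example.com/logo.png jsmith NONE/- image/png
1196582470.001      5 192.168.21.60 TCP_DENIED/407 2000 GET http://www.example.com/ - NONE/- text/html
1196582471.002    200 192.168.21.60 TCP_MISS/200 8000 GET http://www.example.com/tools/setup.exe?mirror=2 mlee DIRECT/203.0.113.10 application/octet-stream
EOF
)

# summarize_users: one line per user, "user requests bytes denied", sorted.
# Denied counts every TCP_DENIED result, so the 407 challenges show up under "-".
summarize_users() {
    awk '{
        u = $8; req[u]++; bytes[u] += $5
        if ($4 ~ /^TCP_DENIED\//) denied[u]++
    }
    END { for (u in req) printf "%s %d %d %d\n", u, req[u], bytes[u], denied[u] + 0 }' | sort
}

# executable_downloads: "user URL" for completed (2xx) fetches whose path ends in
# a blocked extension, with or without a query string, the case "\.exe$" misses.
executable_downloads() {
    awk '$4 ~ /\/2[0-9][0-9]$/ && $7 ~ /\.(exe|dll|scr|com|ocx)([?#]|$)/ { print $8, $7 }'
}

if [ "${1:-}" = "--demo" ]; then
    echo "== per user: requests bytes denied"
    printf '%s\n' "$SAMPLE_LOG" | summarize_users
    echo "== completed downloads of blocked file types"
    printf '%s\n' "$SAMPLE_LOG" | executable_downloads
fi
```

Against the real log, run "summarize_users < /var/log/squid/access.log" or "executable_downloads < /var/log/squid/access.log"; anyone appearing in the second list who is not a member of nolimitedinternet points at a gap in the InvalidFiles pattern.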
