This article describes how to set up a Linux proxy server that authenticates users against a Windows domain. The company's proxy server runs on Linux and has had recurring problems that directly affect users' normal Internet access. I had been busy with other projects and had no time to tune or optimize it. Not long ago the system suddenly failed to start the GNOME desktop, which made me decide to re-plan and deploy a proxy server that meets the needs of the current application environment.
Before deployment, let's look at the environment of the existing proxy server: it runs Red Hat Linux 8.x with Squid 2.3 in NCSA authentication mode. Besides being outdated and unstable, it has the following shortcomings:
1. Because of Squid configuration problems, the system does not automatically release the disk space used by the Squid cache and logs; the Squid service is often suspended for lack of disk space, and the cache and logs have to be deleted by hand to free space.
2. A separate password has to be set for each user on the proxy server. When the company had few employees this was not much trouble, but as the company grew and the number of employees increased significantly, it added to the IT administrators' workload and made it hard to keep the accounts consistent with the Windows domain accounts;
3. Clients cannot use authentication integrated with AD, so users have to enter their user name and password again every time they access the Internet, which greatly degrades the user experience.
4. Different permissions are not set for different Internet access groups;
5. Users' Internet access is not monitored, which directly affects the normal business use of the company's network.
It is therefore not hard to see that the proxy server needs frequent maintenance, which hurts the efficiency of IT staff. Starting from the company's current situation, the functions of the proxy server can be re-planned as follows:
1. Disk space occupied by Squid is reclaimed automatically once a set condition is met;
2. Users are authenticated against the account information on the AD server, so user information does not have to be maintained twice;
3. Three permission levels are provided:
   1. all access denied;
   2. Internet access allowed, but video, audio and executable files cannot be downloaded;
   3. unrestricted access to any Internet resource;
4. IT administrators can view users' Internet access logs and monitor their Internet access behavior;
Now that the goal is clear, let's get straight to the point!
I. System environment:
1. CentOS 5.0 Linux
2. squid-2.6.STABLE6-4.el5
3. samba-3.0.23c-2.el5.2.0.2
4. sarg-2.2.1-1.el5.rf
5. winbind
6. krb5
II. Modify the configuration file of the Kerberos 5 authentication service (unless otherwise stated, all work is done as root):
Run the following command:
[root@proxy ~]# vim /etc/krb5.conf
The modified krb5.conf is:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 # default realm (upper-case form of the domain name)
 default_realm = COMPANY.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 COMPANY.COM = {
  # name or IP address of the KDC server
  kdc = adsrv.company.com:88
  # name or IP address of the administration server
  admin_server = adsrv.company.com:749
  # default DNS domain name
  default_domain = company.com
 }

# mapping between DNS domain and realm
[domain_realm]
 .company.com = COMPANY.COM
 company.com = COMPANY.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
III. Use kinit to test whether the krb5 settings are correct
Run kinit for the domain administrator account. You are prompted for the administrator password; entering the correct password returns the following:
kinit: NOTICE: ticket renewable lifetime is 1 week
or simply returns to the command prompt. Any other output is an error message. Make sure that the Linux system and the Windows domain server have the same time zone settings and that their clocks are synchronized (Kerberos rejects requests when the two clocks differ by more than a few minutes, five by default); otherwise the system cannot communicate with the Active Directory server.
IV. Samba Configuration
Because configuring the Samba server itself is not covered here, the whole smb.conf is not shown; only the part required to set up the Squid proxy server is listed:
[global]
 idmap gid = 10000-20000
 idmap uid = 10000-20000
 password server = 192.168.21.21
 # NetBIOS name of the domain
 workgroup = COMPANY
 os level = 20
 encrypt passwords = yes
 # use Windows Active Directory security (ADS authentication)
 security = ads
 # realm to authenticate against; must be in upper case
 realm = COMPANY.COM
 winbind use default domain = yes
The items listed above need to be modified to match your own environment.
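The krb5.conf and smb.conf fragments above share several values that must agree (the realm, its case, the domain-to-realm mapping, the ADS security mode). The following Python script is an added example, not code from the article or from MIT Kerberos or Samba: it parses both file formats and reports any inconsistency before kinit or ntlm_auth is tried. The check list is my own; the sample configuration text is constructed from the article's values (realm COMPANY.COM, KDC adsrv.company.com).

```python
"""Added example, not code from the article: parse the krb5.conf and smb.conf
fragments from sections II and IV and check that the settings they share agree
before any kinit or ntlm_auth test is run.  The check list is my own; the sample
text is constructed from the article's values."""
import re
from typing import Dict, List, Tuple

# Constructed from the article's krb5.conf (only the sections the checks use).
KRB5_CONF = """
[libdefaults]
 default_realm = COMPANY.COM
[realms]
 COMPANY.COM = {
  kdc = adsrv.company.com:88
  default_domain = company.com
 }
[domain_realm]
 .company.com = COMPANY.COM
 company.com = COMPANY.COM
"""
# Constructed from the article's smb.conf [global] section.
SMB_CONF = """
[global]
 security = ads
 realm = COMPANY.COM
 winbind use default domain = yes
"""

def _clean_lines(text: str) -> List[str]:
    """Drop '#'/';' comments and blank lines, strip indentation."""
    lines = []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            lines.append(line)
    return lines

def parse_krb5(text: str) -> Dict[str, dict]:
    """Parse krb5.conf: [section], 'key = value' and nested 'key = { ... }'."""
    lines = _clean_lines(text)

    def block(i: int) -> Tuple[dict, int]:
        result: dict = {}
        while i < len(lines):
            line = lines[i]
            if line == "}":
                return result, i + 1
            if line.startswith("["):          # next top-level section
                return result, i
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                result[key], i = block(i + 1)
            else:
                result[key] = value
                i += 1
        return result, i

    sections: Dict[str, dict] = {}
    i = 0
    while i < len(lines):
        if lines[i].startswith("[") and lines[i].endswith("]"):
            name = lines[i][1:-1]
            sections[name], i = block(i + 1)
        else:
            i += 1
    return sections

def parse_smb(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf; Samba ignores case and whitespace in keys, so normalise them."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for line in _clean_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line:
            key, _, value = line.partition("=")
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def check_domain_config(krb5_text: str, smb_text: str) -> List[str]:
    """Return the problems found; an empty list means the two files agree."""
    problems: List[str] = []
    krb5 = parse_krb5(krb5_text)
    smb = parse_smb(smb_text).get("global", {})
    realm = krb5.get("libdefaults", {}).get("default_realm", "")
    if not realm:
        return ["krb5.conf: [libdefaults] has no default_realm"]
    if realm != realm.upper():
        problems.append(f"krb5.conf: default_realm {realm!r} must be upper case")
    realm_block = krb5.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict) or "kdc" not in realm_block:
        problems.append(f"krb5.conf: [realms] has no kdc for {realm}")
    else:
        domain = realm_block.get("default_domain", realm.lower())
        mapping = krb5.get("domain_realm", {})
        for name in (domain, "." + domain):
            if mapping.get(name) != realm:
                problems.append(f"krb5.conf: [domain_realm] does not map {name} to {realm}")
    if smb.get("realm") != realm:
        problems.append(f"smb.conf: realm {smb.get('realm')!r} differs from default_realm {realm!r}")
    if smb.get("security", "").lower() != "ads":
        problems.append("smb.conf: security must be 'ads' for an AD domain member")
    if smb.get("winbind use default domain", "").lower() != "yes":
        problems.append("smb.conf: set 'winbind use default domain = yes' so Squid sees bare user names")
    return problems
```

Run `check_domain_config(open("/etc/krb5.conf").read(), open("/etc/samba/smb.conf").read())` on the real files; an empty list means the values line up, and each string in the list names the file and setting to fix. The realm-case check matters because AD only accepts the upper-case realm, which is the point the article makes beside the `realm =` line.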
V. Use the ntlm verification program to test whether the previous configuration is correct
Restart the Linux server before testing if necessary; restarting just the samba and winbind services may be enough (with luck!):
[root@proxy ~]# service winbind restart
[root@proxy ~]# service smb restart
After restarting the system or the above services, run the Samba ntlm_auth verification program for the domain administrator account. You are prompted for the administrator password; entering the correct password returns the following:
NT_STATUS_OK: NT_STATUS_OK (0x0)
If this is the result, the domain administrator account has passed AD authentication and you can go on to the next step.
VI. Configure NSS (Name Service Switch)
NSS stands for Name Service Switch; for a description of what it does, see http://en.wikipedia.org/wiki/name_service_switch. Change the passwd and group lines of /etc/nsswitch.conf as follows, so that the domain users and groups resolved by winbind are visible to the system:
passwd: files winbind
group: files winbind
The other lines do not need to be changed.
VII. Squid Configuration
Since this is a proxy server, the Squid settings are of course the top priority. The following describes the Squid settings by function:
1. Configure an external authentication helper for Squid
# enable the squid-2.5-ntlmssp helper protocol for NTLM authentication mode

# allow NoLimited users to access any Internet resource
http_access allow AuthenticatedUsers NoLimited
http_access deny denyDomain
http_access deny denyIP
http_access deny InvalidFiles

# deny access to the domain names and IP addresses listed in denyDomain.list and denyIP.list, and deny downloading the file types specified by InvalidFiles

acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
Note the relative positions of two statements in this configuration: "http_access allow AuthenticatedUsers NoLimited" and "http_access allow AuthenticatedUsers ProxyUsers". Both grant access to a user group; the difference is where they sit. Squid evaluates http_access lines in order and the first line that matches a request decides, so the NoLimited allow placed before the deny lines lets that group reach anything, while the ProxyUsers allow placed after them is still subject to the denyDomain, denyIP and InvalidFiles restrictions. Pay close attention to this ordering.
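The ordering rule is easy to get wrong and hard to see in a long squid.conf, so here is an added example (my own Python, not code from the article or from Squid) that models Squid's first-match evaluation of http_access lines and shows the same request being allowed or denied depending only on where the NoLimited line sits. The ACL names follow the article; the contents of denyDomain.list and denyIP.list, the InvalidFiles pattern, the group membership and the closing "deny all" line are constructed here.

```python
"""Added example, not code from the article: a small model of how Squid walks
its http_access lines, first match wins, used to show why the position of
"http_access allow AuthenticatedUsers NoLimited" relative to the deny lines
matters.  ACL names follow the article; the deny lists, the InvalidFiles
pattern, the group membership and the trailing 'deny all' are constructed."""
import re
from typing import List, Optional, Set, Tuple

# Constructed stand-ins for the article's denyDomain.list, denyIP.list and the
# InvalidFiles pattern (video, audio and executable downloads).
DENY_DOMAINS = {"badsite.example"}
DENY_IPS = {"203.0.113.9"}
INVALID_FILES = re.compile(r"\.(exe|msi|avi|mp3|wmv)(\?.*)?$", re.IGNORECASE)

# Group membership as winbind would report it (constructed): alice is in the
# NoLimited group, bob is an ordinary ProxyUsers member.
GROUP_MEMBERS = {"NoLimited": {"alice"}, "ProxyUsers": {"alice", "bob"}}

Rule = Tuple[str, List[str]]          # ("allow" | "deny", [acl names])

# The article's order: NoLimited is allowed before the deny lines, ProxyUsers
# only after them.  'deny all' is Squid's usual closing line (constructed here).
ARTICLE_ORDER: List[Rule] = [
    ("allow", ["AuthenticatedUsers", "NoLimited"]),
    ("deny", ["denyDomain"]),
    ("deny", ["denyIP"]),
    ("deny", ["InvalidFiles"]),
    ("allow", ["AuthenticatedUsers", "ProxyUsers"]),
    ("deny", ["all"]),
]

# The same lines with the NoLimited allow moved below the deny lines.
NOLIMITED_AFTER_DENIES: List[Rule] = (
    ARTICLE_ORDER[1:4] + [ARTICLE_ORDER[0]] + ARTICLE_ORDER[4:]
)

def matched_acls(user: Optional[str], host: str, path: str) -> Set[str]:
    """Return the names of the article's ACLs that a request matches;
    user is None for a request that carried no proxy credentials."""
    acls = {"all"}
    if user is not None:
        acls.add("AuthenticatedUsers")
        acls.update(g for g, members in GROUP_MEMBERS.items() if user in members)
    if host in DENY_DOMAINS:
        acls.add("denyDomain")
    if host in DENY_IPS:
        acls.add("denyIP")
    if INVALID_FILES.search(path):
        acls.add("InvalidFiles")
    return acls

def http_access(rules: List[Rule], user: Optional[str], host: str, path: str) -> str:
    """Walk the rules the way Squid does: the first line whose ACLs all match
    decides.  (Real Squid answers an unauthenticated request with a 407
    challenge when it evaluates a proxy_auth ACL; in this model the ACL simply
    fails to match, which is what happens once no valid credentials arrive.)"""
    acls = matched_acls(user, host, path)
    for action, names in rules:
        if all(name in acls for name in names):
            return action
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    for label, rules in (("article order", ARTICLE_ORDER),
                         ("NoLimited after denies", NOLIMITED_AFTER_DENIES)):
        print(f"{label}: alice downloading setup.exe ->",
              http_access(rules, "alice", "files.example", "/setup.exe"))
```

With the article's order, alice (NoLimited) can fetch setup.exe and even a host in denyDomain.list, while bob (ProxyUsers only) is stopped by the InvalidFiles and denyDomain lines; move the NoLimited allow below the deny lines and alice is restricted exactly like bob. When the lists are long, an explicit model like this is a cheap way to check the policy before reloading Squid.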
VIII. Change the winbind pipe permissions
Do not forget this step: without sufficient permissions on the winbind pipe, the system cannot verify the user's identity. The commands are as follows (they give the squid group read and execute access to the directory holding the privileged winbind socket):
[root@proxy ~]# chown -R root:squid /var/cache/samba/winbindd_privileged
[root@proxy ~]# chmod -R 750 /var/cache/samba/winbindd_privileged
IX. Restart all related services
The commands are as follows:
[root@proxy ~]# service smb restart
[root@proxy ~]# service winbind restart
[root@proxy ~]# service squid restart
So far we have completed the configuration of the Squid proxy server. Next, we also need to give IT administrators the ability to view and monitor users' Internet access behavior.
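Sarg, covered in the next section, builds its reports from Squid's access.log. To show what that log already contains once winbind authentication is in place, here is an added example (my own Python, not code from the article or from Sarg) that summarizes a few constructed lines in Squid's native log format per domain user: requests, bytes, denied requests, and which denied requests were blocked downloads. User names appear bare because of the article's "winbind use default domain = yes" setting; the blocked file types follow the plan's rule for ProxyUsers.

```python
"""Added example, not code from the article or from Sarg: summarise Squid's
native access.log per domain user, the view item 4 of the plan asks for.  The
log lines are constructed; user names are bare because of the article's
'winbind use default domain = yes', and the blocked file types follow the
plan's rule for ProxyUsers (no video, audio or executable downloads)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed lines in Squid's native access.log layout:
# time elapsed client action/status bytes method URL user hierarchy/peer type
ACCESS_LOG = """\
1170000001.123    120 192.168.21.50 TCP_MISS/200 4523 GET http://www.example.com/index.html alice DIRECT/93.184.216.34 text/html
1170000002.456     98 192.168.21.50 TCP_HIT/200 18230 GET http://www.example.com/logo.png alice NONE/- image/png
1170000003.789      0 192.168.21.51 TCP_DENIED/407 1640 GET http://www.example.com/ - NONE/- text/html
1170000004.012    210 192.168.21.51 TCP_MISS/200 9021 GET http://www.example.com/news.html bob DIRECT/93.184.216.34 text/html
1170000005.345      0 192.168.21.51 TCP_DENIED/403 1390 GET http://files.example.com/setup.exe bob NONE/- text/html
1170000006.678      5 192.168.21.52 TCP_DENIED/403 1390 GET http://badsite.example/ bob NONE/- text/html
"""

BLOCKED_FILES = re.compile(r"\.(exe|msi|avi|mp3|wmv)$", re.IGNORECASE)

@dataclass
class UserStats:
    requests: int = 0
    bytes: int = 0
    denied: int = 0
    blocked_downloads: List[str] = field(default_factory=list)
    hosts: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

def parse_line(line: str) -> dict:
    """Split one native-format line into the fields the report needs."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native squid access.log line: {line!r}")
    action, _, status = f[3].partition("/")
    return {"time": float(f[0]), "client": f[2], "action": action,
            "status": int(status), "bytes": int(f[4]), "method": f[5],
            "url": f[6], "user": None if f[7] == "-" else f[7]}

def summarise(log_text: str) -> Dict[str, UserStats]:
    """Per-user totals.  The key '-' collects requests without credentials;
    TCP_DENIED/407 entries are the normal NTLM challenge round trips and are
    not counted as denials."""
    stats: Dict[str, UserStats] = defaultdict(UserStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["user"] or "-"]
        s.requests += 1
        s.bytes += rec["bytes"]
        parts = urlsplit(rec["url"])
        s.hosts[parts.hostname or "?"] += 1
        if rec["action"] == "TCP_DENIED" and rec["status"] != 407:
            s.denied += 1
            if BLOCKED_FILES.search(parts.path):
                s.blocked_downloads.append(rec["url"])
    return dict(stats)

def report(log_text: str) -> List[str]:
    """One summary line per user, plus one line per blocked download."""
    out = []
    for user, s in sorted(summarise(log_text).items()):
        top = max(s.hosts, key=s.hosts.get)
        out.append(f"{user:8} {s.requests:3} requests {s.bytes:7} bytes "
                   f"{s.denied:2} denied   top host: {top}")
        out.extend(f"{'':8} blocked download: {url}" for url in s.blocked_downloads)
    return out

if __name__ == "__main__":
    print("\n".join(report(ACCESS_LOG)))
```

Point `report()` at the contents of /var/log/squid/access.log for the same per-user picture Sarg renders as HTML; the 407 filter keeps the NTLM handshake from inflating the denied counts, which is worth remembering when reading Sarg's own "denied" column.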
X. Installation and configuration of Sarg
For simplicity, use the binary package; run the following command to obtain it: