Thursday, July 16, 2009

Haklam VS Level 10,000

I always thought that I'm messed up... but it looks like there are more people that are far more messed up than me...

http://www.facebook.com/people/Haklam-Aikiliz/614011748

http://www.facebook.com/people/Marcin-Misztal/774651903

Tuesday, July 14, 2009

Boo Hoo ISA proxy Crap.. Squid can talk with AD

This post should serve as a reference for anyone who wants to build a proxy server using Squid and is tied up by bureaucracy, politics, layers 8 and 9, etc. into making it play nice with Active Directory.

NOTE to readers: I wrote this to serve as a guide. If it doesn't work, you can ask real questions on the squid-users list (squid-users at squid-cache.org); who knows, I might see it there. Anyway, let the fun begin.

OS: OpenBSD 4.5 (-stable, on an IBM HS20 BladeCenter)

Grab a Fresh Copy of the following:

- Squid (squid-3.0.STABLE16.tar.gz) - my favorite Proxy Cache
- Samba (samba-3.3.5.tar.gz) - used to make Windows AD like our *nix box
- Berkeley DB (db-4.7.25.tar.gz) - needed by SquidGuard
- SquidGuard (squidGuard-1.4.tar.gz) - my favorite keyword filter

I have the following output from pkg_info:

autoconf-2.59p3 automatically configure source code on many Un*x platforms
autoconf-2.61p3 automatically configure source code on many Un*x platforms
bison-2.3 GNU parser generator
bzip2-1.0.5 block-sorting file compressor, unencumbered
cyrus-sasl-2.1.22p4 RFC 2222 SASL (Simple Authentication and Security Layer)
gettext-0.17p0 GNU gettext
gmake-3.81p0 GNU make
gnutls-2.6.2 GNU Transport Layer Security library
help2man-1.29p0 GNU help2man
libgcrypt-1.4.3p0 crypto library based on code used in GnuPG
libgpg-error-1.5 error codes for GnuPG related software
libiconv-1.12 character set conversion library
libltdl-1.5.26 GNU libtool system independent dlopen wrapper
libtasn1-1.5 Abstract Syntax Notation One structure parser library
libtool-1.5.26p0 generic shared library support script
libutf8-0.8p0 provides UTF-8 locale support
lzo-1.08p1 portable speedy lossless data compression library
m4-1.4.11 GNU m4
metaauto-0.9 wrapper for gnu auto*
mutt-1.5.18-sasl-sidebar-compressed tty-based e-mail client, development version
ntp-4.2.4pl6p0 Network Time Protocol reference implementation
openldap-client-2.3.43 Open source LDAP software (client)
popt-1.7p0 getopt(3)-like library with a number of enhancements
qdbm-1.8.77 high performance embedded database library
rsync-3.0.5 mirroring/synchronization over low bandwidth links
tcl-8.5.6 Tool Command Language
wget-1.11.4 retrieve files from the web via HTTP, HTTPS and FTP

-- I have a lot of packages because I build some of them using the ports tree. --

Create the user _squid (options: nologin, daemon, no password).

1.) Build Squid

./configure --prefix=/var/squid \
--enable-xmalloc-statistics \
--enable-icmp \
--enable-delay-pools \
--enable-useragent-log \
--enable-referer-log \
--enable-kill-parent-hack \
--enable-ssl \
--enable-pf-transparent \
--enable-ntlm-fail-open \
--enable-cpu-profiling \
--enable-auth="ntlm,basic" \
--enable-external-acl-helpers="wbinfo_group" \
--with-default-user=_squid

gmake
sudo gmake install
sudo chown -R _squid:_squid /var/squid
gmake clean

2.) Build Samba

tar zxvf samba-3.3.5.tar.gz
cd samba-3.3.5
cd source && ./configure --prefix=/var/samba3 --with-winbind --with-ads (you can drop the --with-ads option, but I just like it! =P )
make && sudo make install
gmake clean

ldconfig -m /var/samba3/lib <-- you may need to add this to /etc/rc.local

3.) Build Berkeley DB

tar zxvf db-4.7.25.tar.gz
cd db-4.7.25/build_unix
../dist/configure --prefix=/usr/local/BerkeleyDB
make
sudo make install
make clean

ldconfig -m /usr/local/BerkeleyDB/lib

4.) Build squidGuard (the newest version of Berkeley DB works fine with squidGuard 1.4; tested)

./configure --prefix=/var/squidGuard --with-db=/usr/local/BerkeleyDB --with-squiduser=_squid
gmake
sudo gmake install
gmake clean
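As an added example, not from the original post, here is a POSIX sh driver that runs steps 1 to 4 in dependency order and stops at the first failure (Berkeley DB, and its ldconfig path, must be in place before squidGuard's configure is pointed at it with --with-db). Tarball names, prefixes and configure flags are the ones listed above; the helper names (tarball_dir, ensure_line, unpack) and the $SRC variable are mine. It is meant to be run as root, which is why the per-step sudo from the post is gone; the builds only start when it is invoked with --build, so sourcing the file just defines the functions.

```shell
#!/bin/sh
# Added example (not from the original post): fail-fast driver for the four
# builds above. Run as root: sh build_proxy.sh --build
set -e

SRC=${SRC:-$PWD}           # assumption: all four tarballs sit in $SRC

# tarball_dir NAME.tar.gz -> directory the tarball unpacks to (NAME)
tarball_dir() { printf '%s\n' "${1%.tar.gz}"; }

# ensure_line FILE LINE: append LINE to FILE unless an identical line is
# already there, so re-running never duplicates the rc.local entries.
ensure_line() {
    [ -f "$1" ] || : > "$1"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# unpack NAME.tar.gz: extract into $SRC and cd into the unpacked tree
unpack() {
    [ -f "$SRC/$1" ] || { echo "missing tarball: $SRC/$1" >&2; exit 1; }
    cd "$SRC" && tar zxf "$1" && cd "$(tarball_dir "$1")"
}

build_squid() {
    unpack squid-3.0.STABLE16.tar.gz
    ./configure --prefix=/var/squid --enable-xmalloc-statistics --enable-icmp \
        --enable-delay-pools --enable-useragent-log --enable-referer-log \
        --enable-kill-parent-hack --enable-ssl --enable-pf-transparent \
        --enable-ntlm-fail-open --enable-cpu-profiling \
        --enable-auth="ntlm,basic" --enable-external-acl-helpers="wbinfo_group" \
        --with-default-user=_squid
    gmake && gmake install && chown -R _squid:_squid /var/squid
}

build_samba() {
    unpack samba-3.3.5.tar.gz
    cd source && ./configure --prefix=/var/samba3 --with-winbind --with-ads
    make && make install
    ldconfig -m /var/samba3/lib
    ensure_line /etc/rc.local "ldconfig -m /var/samba3/lib"
}

build_db() {
    unpack db-4.7.25.tar.gz
    cd build_unix && ../dist/configure --prefix=/usr/local/BerkeleyDB
    make && make install
    ldconfig -m /usr/local/BerkeleyDB/lib
    ensure_line /etc/rc.local "ldconfig -m /usr/local/BerkeleyDB/lib"
}

build_squidguard() {
    # needs the Berkeley DB library path from build_db to be registered first
    unpack squidGuard-1.4.tar.gz
    ./configure --prefix=/var/squidGuard --with-db=/usr/local/BerkeleyDB --with-squiduser=_squid
    gmake && gmake install
}

if [ "${1:-}" = "--build" ]; then
    build_squid; build_samba; build_db; build_squidguard
fi
```

ensure_line is what makes a re-run harmless: each ldconfig -m line ends up in /etc/rc.local exactly once, so the Samba and Berkeley DB libraries are found again after a reboot.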

5.) Add the Configs

smb.conf

[global]

netbios name = KRAKEN
workgroup = DOMAIN
realm = DOMAIN.LAN
server string = Proxy Server
encrypt passwords = yes
security = ADS
password server =
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
preferred master = no
dns proxy = no
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
cups options = raw

krb5.conf

[libdefaults]
default_realm = DOMAIN.LAN
clockskew = 300
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

[realms]
DOMAIN.LAN = {
default_domain = DOMAIN.LAN
kdc =
admin_server =
}

[domain_realm]
.DOMAIN.LAN = DOMAIN.LAN

[kdc]
profile = /etc/kerberosV/kdc.conf

[kadmin]
# This is the trickiest part of a Kerberos installation. See the
# heimdal infopage for more information about encryption types.

# For a k5 only realm, this will be fine
# default_keys = v5

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/ksadmin.log
kadmind = FILE:/var/heimdal/kadmind.log
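As an added example (not part of the original post), here is a small POSIX sh lint for a krb5.conf of the shape shown above. It catches the slips that make kinit and net ads join fail with unhelpful errors: a [realms] block whose name differs from default_realm, a [domain_realm] that maps nothing onto the realm, and enctype names Kerberos does not recognise (a truncated name is silently ignored rather than rejected, so you end up negotiating something other than what you wrote). The sample configs it writes are constructed from the post's placeholder names; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: lint a krb5.conf before
# trying kinit / net ads join. Assumes the "key = value" layout used in the
# post; realm names are the post's placeholders, function names are mine.

# Enctype names Heimdal/MIT recognise (compared upper-cased).
KNOWN_ENCTYPES="DES-CBC-CRC DES-CBC-MD5 DES3-CBC-SHA1 RC4-HMAC ARCFOUR-HMAC ARCFOUR-HMAC-MD5"
KNOWN_ENCTYPES="$KNOWN_ENCTYPES AES128-CTS AES256-CTS AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96"

# krb_get SECTION KEY FILE: value of KEY inside [SECTION]; empty if absent.
krb_get() {
    awk -v sec="[$1]" -v key="$2" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$3"
}

# krb_section_values SECTION FILE: every right-hand side inside [SECTION].
krb_section_values() {
    awk -v sec="[$1]" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && index($0, "=") {
            v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v
        }' "$2"
}

# krb_realm_blocks FILE: names of the "NAME = {" blocks inside [realms].
krb_realm_blocks() {
    awk '
        $0 == "[realms]" { insec = 1; next }
        /^\[/            { insec = 0 }
        insec && index($0, "{") { r = $0; sub(/[ \t]*=.*/, "", r); gsub(/[ \t]/, "", r); print r }
    ' "$1"
}

# lint_krb5 FILE: print every problem found; return 1 if there was any.
lint_krb5() {
    file=$1 rc=0
    realm=$(krb_get libdefaults default_realm "$file")
    if [ -z "$realm" ]; then
        echo "no default_realm in [libdefaults]"; return 1
    fi
    if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "default_realm '$realm' is not upper-case (AD realm names are)"; rc=1
    fi
    if ! krb_realm_blocks "$file" | grep -qxF "$realm"; then
        blocks=$(krb_realm_blocks "$file" | tr '\n' ' ')
        echo "[realms] has no '$realm = { ... }' block (found: $blocks)"; rc=1
    fi
    if ! krb_section_values domain_realm "$file" | grep -qxF "$realm"; then
        echo "[domain_realm] maps no DNS domain onto '$realm'"; rc=1
    fi
    for key in default_tgs_enctypes default_tkt_enctypes preferred_enctypes; do
        for et in $(krb_get libdefaults "$key" "$file" | tr '[:lower:]' '[:upper:]'); do
            case " $KNOWN_ENCTYPES " in
                *" $et "*) ;;
                *) echo "$key: unknown enctype '$et' (typo? it will be ignored)"; rc=1 ;;
            esac
            case $et in
                DES-CBC-*) echo "warning: $key lists single-DES enctype $et (disabled by default on Windows Server 2008 R2 and later DCs)" ;;
            esac
        done
    done
    return $rc
}

# write_sample_conf FILE as-posted|fixed: constructed samples. "as-posted"
# carries two common slips (a [realms] block named differently from
# default_realm, and a truncated enctype name); "fixed" has them corrected.
write_sample_conf() {
    if [ "$2" = fixed ]; then block=DOMAIN.LAN; rc4=RC4-HMAC; else block=CORP.PLC; rc4=RC4-HMA; fi
    cat > "$1" <<EOF
[libdefaults]
default_realm = DOMAIN.LAN
clockskew = 300
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 $rc4
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

[realms]
$block = {
default_domain = DOMAIN.LAN
}

[domain_realm]
.DOMAIN.LAN = DOMAIN.LAN
EOF
}

# Usage on the live file: sh krb5lint.sh /etc/kerberosV/krb5.conf
if [ -n "${1:-}" ]; then lint_krb5 "$1"; fi
```

Single-DES enctypes are reported as a warning only: 2003-era DCs still offer them, but Windows Server 2008 R2 and later disable DES by default, so a keytab that holds only DES keys stops working after a DC upgrade.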

kadm5.acl

*/KRAKEN@DOMAIN.LAN *

kdc.conf

[kdcdefaults]
acl_file = /etc/kerberosV/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /etc/kerberosV/krb5.keytab
v4_mode = noreauth

[libdefaults]
default_realm = DOMAIN.LAN

[realms]
DOMAIN.LAN = {
master_key_type = des-cbc-crc
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}

krb5.keytab <-- we'll create this later.

Once all the configs are in, it's time to fire up Samba (start smbd, nmbd and winbindd).

sudo kinit KRAKEN@DOMAIN.LAN

sudo klist
sudo /var/samba3/bin/net ads join -U KRAKEN -d1

If there are no errors, pat yourself on the back: you just joined your Squid box to AD.

--- AD keytab part --- (this is done on Windows, okay?)

ktpass -out c:\temp\KRAKEN.keytab -princ host/KRAKEN.PROXY@DOMAIN.LAN -mapuser myhost -pType KRB5_NT_PRINCIPAL +rndpass

This keytab lets your Squid box log into AD automagically. As soon as ktpass has generated it, copy it to your Squid box and run the following command:

ktutil copy /path/to/KRAKEN.keytab /etc/kerberosV/krb5.keytab

Then delete the KRAKEN.keytab file from the Windows box.

For the rest of the squid.conf config, please refer to

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory (you didn't think I'd spoon-feed you guys the entire time, huh, bub? Besides, RTFM: you're using Squid, not ISA crap.)

After the config change, run:

sudo /var/squid/sbin/squid -z (this generates the cache directories)
sudo /var/squid/sbin/squid (Squid goes into daemon mode; put this line into /etc/rc.local)
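As an added example, not Squid's own wbinfo_group helper and not from the original post, here is a stand-in external ACL helper in POSIX sh that speaks the same line protocol Squid 3.0 uses for external_acl_type. It lets you exercise the group wiring in squid.conf before winbind can reach the DC: Squid writes one request per line to the helper's stdin ("<login> <group> [<group>...]" for the %LOGIN format used in the snippet below) and reads back "OK" or "ERR". The real helper asks winbind for the user's groups; this one uses a constructed membership table. The helper path assumes the post's --prefix=/var/squid and Squid 3.0's default libexec directory; the user and group names are made up.

```shell
#!/bin/sh
# Added example (not the real wbinfo_group helper): a mock external ACL
# helper for Squid 3.0's external_acl_type protocol.
#
# Matching squid.conf lines (paths assume the post's --prefix=/var/squid):
#   external_acl_type ad_group %LOGIN /var/squid/libexec/wbinfo_group.pl
#   acl proxy_users external ad_group proxy-users
#   http_access allow proxy_users

# Constructed membership table, "user group" per line (stands in for
# asking winbind about the user's groups against the real DC).
MEMBERSHIP="
alice proxy-users
alice domain-users
bob   domain-users
carol proxy-users
carol proxy-admins
"

# is_member USER GROUP: exit 0 if USER belongs to GROUP.
is_member() {
    printf '%s\n' "$MEMBERSHIP" | awk -v u="$1" -v g="$2" '
        $1 == u && $2 == g { found = 1 }
        END { exit found ? 0 : 1 }'
}

# helper_reply "<login> <group>...": print the reply Squid expects, OK when
# the login is in any of the listed groups, ERR otherwise. A request with no
# group (or an empty line) also gets ERR: a helper must answer every line,
# never hang, or Squid stalls the client that is waiting on it.
helper_reply() {
    set -- $1
    user=$1
    [ $# -ge 2 ] || { echo ERR; return 0; }
    shift
    for group in "$@"; do
        if is_member "$user" "$group"; then echo OK; return 0; fi
    done
    echo ERR
}

# serve: the loop Squid talks to. Squid keeps the helper running and expects
# exactly one reply line per request line.
serve() {
    while IFS= read -r line; do
        helper_reply "$line"
    done
}

# Act as a helper only when invoked with --serve, e.g.
#   printf 'alice proxy-users\n' | sh mock_group_helper.sh --serve
if [ "${1:-}" = "--serve" ]; then serve; fi
```

Point external_acl_type at this script instead of wbinfo_group.pl, reload, and the access.log shows whether the acl and http_access lines do what you expect; then swap the real helper back in and the only thing that changes is where the group list comes from.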