Daniel de Oliveira

LINUX runs the Google servers that manage billions of searches each day. It also runs the TiVo digital video recorder, the Motorola Razr cellphone and countless other electronic devices.

Autenticating SQUID in Active Directory

Posted September 3, 2007
Filed under: General Linux |

Comments(4)

1. Requirements

Basic knowledge in Active Directory, Kerberos, Samba, Linux e Squid. And all packages related. The Microsoft Windows Server 2003® must be acessible by proxy server and *must* have WINS Server working.
The linux server (any distro) must have installed this packages:

Kerberos5 (clients, libs, services, servers, etc)
SQUID (v2.6)
Ntp
Samba (with winbind)

2. Introduction

We have to types of authentication:
The NTLM Authentication is automatic, the proxy receives the connection requirement and authenticate using AD to make a login.
The BASIC Authentication is the trivial authentication with user input.
The best point of NTLM Authentication is the fact of the proxy will be transparent to the user, even if the browser is closed.

3. Preparations

The servers:

Domain Controller	Proxy
Microsoft Windows Server 2003 Enterprise	Any Linux
atenas.lab.wtf.br	oslo.lab.wtf.br
10.0.0.4	10.0.0.6

First of all, edit /etc/hosts in your linux box:

10.0.0.60 oslo.lab.wtf.br oslo
10.0.0.4 atenas.lab.wtf.br atenas

Now, edit the /etc/krb5.conf:

[libdefaults]

default_realm = LAB.WTF.BR
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

v4_instance_resolve = false

clockskew = 300

v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}

fcc-mit-ticketflags = true

[realms]
LAB.WTF.BR = {
kdc = atenas.lab.wtf.br
default_domain = lab.wtf.br
admin_server = atenas.lab.wtf.br
}

[login]
krb4_convert = true
krb4_get_tickets = false

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

[domain_realm]
.lab.wtf.br = LAB.WTF.BR
lab.wtf.br = LAB.WTF.BR

Now we need to sync the clocks. First, lest sync the linux server:

# ntpdate pool.ntp.org

And them, the windows:

C:\> net time /setsntp:pool.ntp.org
C:\> net stop w32time & net start w32time

Now edit /etc/nsswitch.conf, and modify this lines…

passwd: compat
group: compat

…to this…

passwd: compat winbind
group: compat winbind

4. Samba/Winbind

This is the /etc/samba/smb.conf used:

[global]
workgroup = PMP
netbios name = OSLO
server string = OSLO (Samba Server)
load printers = no
log file = /var/log/samba/log.%m
max log size = 500
realm = LAB.WTF.BR
security = domain
auth methods = winbind
winbind separator = /
encrypt passwords = yes
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
local master = no
os level = 233
domain master = no
preferred master = no
domain logons = no
wins server = 10.0.0.4
dns proxy = no
ldap ssl = no

After configured, restart SAMBA and WINBIND services.
Lets get the proxy server inside the AD:

# net ads join –U Administrator –S lab.wtf.br

After enter the password, you’ll see something like this:

# net ads join –U Administrator –S lab.wtf.br
Administrator’s password:
Using short domain name – PMP
Joined ‘OSLO’ to realm ‘LAB.WTF.BR’

You can verify if you’re connected using this commands:

wbinfo –t	Verify connections
wbinfo –u	List all users in AD
wbinfo –g	List all groups in AD

5. Preparing SQUID
Modify /etc/squid/squid.conf like this:

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
auth_param ntlm program /usr/bin/ntlm_auth –helper-protocol=squid-2.5-ntlmssp
auth_param ntlm use_ntlm_negotiate off
auth_param ntlm children 60
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 5 minutes
auth_param basic program /usr/bin/ntlm_auth –helper-protocol=squid-2.5-ntlmssp
auth_param basic use_ntlm_negotiate off
auth_param basic children 60
auth_param basic realm Type your USER/PASS
auth_param basic max_challenge_reuses 0
auth_param basic max_challenge_lifetime 5 minutes
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_reply_access allow all
icp_access allow all
coredump_dir /var/cache/squid

6. Tests

Go to some box using windows, configure the browser to use the new proxy and try to access some web page. After this, look in /var/log/squid/access.log and see if the user are logging.
If you have some problems, try using your proxy with default configurations.

Microsoft announces “less-annoying” Vista OS early next year

Posted August 30, 2007
Filed under: Humor, Microsoft |

Comments(0)

Acording to The Register and Windows Vista Team Blog Site, Microsoft will release SP1 for Windows Vista with “a lot of improvements in security and performance.

<ironic mode>Maybe the SP1 will format your actual vista installation, migrate all data and install a new and clean realease of a linux distribution called “Linux Vista”, to obtain better performance. IMHO, is the only way to get more perfomance using this load of crap.</ironic mode>

AIX Diagnostics

Posted August 22, 2007
Filed under: AIX |

Comments(1)

I have a personal diagnostic list to exactly make a QA (Quality Assurance) or to do a detailed diagnostic. Its very useful if you have a lot of machines to see. Here we go (its nice if you can make a script and use it, I have one, of course)

Reboot checklist

Posted August 22, 2007
Filed under: AIX |

Comments(0)

It’s good to check some things after reboot an AIX system, lets see:

1) Verify what disks are on rootvg.
2) Rewrite the bootdisks of rootvg;
3) Verify the boot order;
4) Setting up the verified boot order;

1) Verify what disks are on rootvg:

# lspv | grep rootvg
hdisk0 00012998b87370f6 rootvg active
hdisk1 00012998180a047e rootvg active

2) Rewrite the bootdisks of rootvg:

# bosboot -ad hdisk0
bosboot: Boot image is 20726 512 byte blocks.
# bosboot -ad hdisk1
bosboot: Boot image is 20726 512 byte blocks.

3) Verify the boot order:

# bootlist -m normal -o
hdisk0 blv=hd5

4) Setting up the verified boot order:

Look where the dump partition are located:

# lslv -l lg_dumplv lg_dumplv:N/A PV COPIES IN BAND DISTRIBUTION hdisk1 016:000:000 0% 016:000:000:000:000

In this case, is better the hdisk1 be the first disk on boot order (btw, the two disks will boot at the same time, but only one will be the first identificated):