Murilo Moreira de Oliveira wrote:
> Hello. Follow below the steps I've used to get NTLM authentication working.
>
> 1.# yum -y install authconfig krb5-workstation samba-common
>
> 2.[root@proxyweb ~]# authconfig --enableshadow --enablemd5
> --passalgo=md5 --krb5kdc=AD_SERVER.YOUR.FULL.DOMAIN
> --krb5realm=YOUR.FULL.DOMAIN --smbservers=AD_SERVER.YOUR.FULL.DOMAIN
> --smbworkgroup=YOUR_AD_GROUP --enablewinbind --enablewinbindauth
> --smbsecurity=ads --smbrealm=YOUR.FULL.DOMAIN
> --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431"
> --winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain
> --disablewinbindoffline --winbindjoin=SOME_DOMAIN_ADMIN --disablewins
> --disablecache --enablelocauthorize --updateall
>
> 3.# wbinfo --set-auth-user=YOUR_PROXY_USER%YOUR_PROXY_USER_PASSWORD
> This is the user that the proxy will use to validate users' credentials.
>
> 4.# chown root:squid /var/cache/samba/winbindd_privileged
>
Noooooooo! Ouch.
This is a giant permissions hack to evade the strict security leash of
cache_effective_group.
The correct way to do this is to add the Squid proxy user to the system
group which wbinfo normally lets access /var/cache/samba/winbindd_privileged
... and ensure cache_effective_group is MISSING from squid.conf.
The result is that Squid acts like a proper low-privileged user account
on the system. Same as any other user account with multiple groups.
Amos
--
Please be using Current Stable Squid 2.7.STABLE9 or 3.1.4

Received on Wed Jun 16 2010 - 12:43:36 MDT
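The following audit script is an added example, not code from the thread or from the Squid project. It checks for the state Amos describes: winbindd_privileged still owned by root with its normal group, the Squid user made a member of that group, and no cache_effective_group directive in squid.conf. It assumes Linux with GNU coreutils, a Squid service user named "squid", and the paths from the thread; all three can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the thread): verify Squid reaches
# /var/cache/samba/winbindd_privileged via group membership, not a chown hack.
# Assumptions: GNU stat/id, Squid runs as user "squid", default RHEL-style paths.
PRIV_DIR="${PRIV_DIR:-/var/cache/samba/winbindd_privileged}"
SQUID_CONF="${SQUID_CONF:-/etc/squid/squid.conf}"
SQUID_USER="${SQUID_USER:-squid}"

# Returns 0 if user $1 is a member (primary or supplementary) of group $2.
user_in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Returns 0 if an active cache_effective_group directive is present in $1.
# Amos's point: that directive must be absent so Squid keeps its
# supplementary groups after dropping privileges.
has_effective_group() {
    grep -Eq '^[[:space:]]*cache_effective_group[[:space:]]' "$1"
}

# Runs all checks against the live system; exit status 0 means all passed.
audit() {
    rc=0
    owner=$(stat -c '%U' "$PRIV_DIR") || return 2
    grp=$(stat -c '%G' "$PRIV_DIR")
    if [ "$owner" != "root" ] || [ "$grp" = "$SQUID_USER" ]; then
        echo "FAIL: $PRIV_DIR is $owner:$grp; looks like the chown hack from step 4"
        rc=1
    fi
    if ! user_in_group "$SQUID_USER" "$grp"; then
        echo "FAIL: $SQUID_USER not in group $grp; fix: usermod -a -G $grp $SQUID_USER"
        rc=1
    fi
    if has_effective_group "$SQUID_CONF"; then
        echo "FAIL: cache_effective_group is set in $SQUID_CONF; remove it"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: Squid relies on group membership, not a chown hack"
    return "$rc"
}

# Run the audit only when invoked as: sh audit.sh audit
[ "${1:-}" = "audit" ] && audit
```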