Software used:

Windows Server 2008 SP2 32-bit
CentOS 6.5 (Final)  i386
samba 3.5.10-114
samba-winbind 3.5.10-114
krb5-server 1.9-22
krb5-workstation 1.9-22
ntp 4.2.4p8-2

Ok, let’s start.
After the initial installation of CentOS 6.5 minimal we have a bare Linux box with no additional packages, so we have to install some:

yum install samba samba-winbind krb5-server krb5-workstation ntp

We need Samba with the winbind plugin in order to “talk” with AD the way Windows machines do. The winbind plugin allows querying the AD structure, for example “is this user a member of that group?”. The Kerberos server and workstation packages are needed to establish a secure, trusted connection with AD. The last package, “ntp”, is used for time synchronization between our squid server and the DC (domain controller).
After a successful installation let’s begin with the configuration.

The main configuration file of samba is smb.conf, which is located by default in the /etc/samba directory. I wrote it from scratch.

realm = TEST.LOCALDOMAIN
security = ADS
idmap uid = 10000-20000
idmap gid = 10000-20000
workgroup = TEST
password server = test-srv.test.localdomain
winbind separator = \

The first parameter, “realm”, defines the Kerberos realm which will be used. “security = ADS” tells Samba to authenticate users against the DC (domain controller) and makes our machine a member of the AD domain. The “idmap” parameters give the range which will be used for allocating UNIX IDs to AD users and groups. “workgroup” is the NetBIOS name of our AD domain. “password server” is a global catalog server in AD. “winbind separator” is the character which divides the domain name from the username, as in DOMAIN\User.

Next file is /etc/ntp.conf. By default we get 3 server options there:
– 0.centos.pool.ntp.org
– 1.centos.pool.ntp.org
– 2.centos.pool.ntp.org
We have to replace those 3 entries with a single one, test-srv.test.localdomain. After that:

ntpdate test-srv.test.localdomain
/etc/init.d/ntpd start

Next step is to configure the Kerberos service. Edit the file /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TEST.LOCALDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
TEST.LOCALDOMAIN = {
kdc = test-srv.test.localdomain:88
admin_server = test-srv.test.localdomain:749 }
[domain_realm]
.test.localdomain = TEST.LOCALDOMAIN
test.localdomain = TEST.LOCALDOMAIN


The “logging” section defines the type of logging: syslog or file. The “libdefaults” section describes the default Kerberos realm and whether we set the AD servers statically or rely on DNS. The “realms” section defines our Kerberos realm. “domain_realm” maps AD DNS domains to Kerberos realms.

The file /var/kerberos/krb5kdc/kdc.conf:

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
TEST.LOCALDOMAIN = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}

The “kdcdefaults” section sets the ports on which Kerberos listens; here we keep the default port 88. The “realms” section describes the Kerberos realms for access control.

Now we have to initialize Kerberos and join our Linux box to Active Directory:

kinit administrator@TEST.LOCALDOMAIN
kdb5_util create -s
net ads join -U "administrator@TEST.LOCALDOMAIN" -S test-srv.test.localdomain
/etc/init.d/smb start
/etc/init.d/winbind start
/etc/init.d/krb5kdc start

The “kdb5_util create -s” command creates the Kerberos database along with the “stash” file (admin_keytab in kdc.conf). The “stash” file allows the Kerberos daemons to access the database. “net ads join” joins the Linux box to AD.

wbinfo -u
wbinfo -g

should give us information about the users and groups in Active Directory.
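Before relying on wbinfo it is worth confirming that the Samba and Kerberos files agree with each other, because a realm typed in lower case, a password server that is not the listed KDC or a missing domain_realm mapping only shows up at join time. The following is an added example, my code and not part of the original post: it parses smb.conf and the krb5.conf/kdc.conf profile format, reports such mismatches, and also lists the single-DES, 3DES and RC4 enctypes in kdc.conf, which are deprecated for Kerberos. The embedded config texts are constructed copies of the article's values (a [global] header is added to the smb.conf copy); point the functions at your own files to check them.

```python
"""Cross-check smb.conf, krb5.conf and kdc.conf for the AD join above.
Added example, not code from the original post; the config texts are
constructed copies of the article's values (a [global] header is added)."""
import re

SMB_CONF = """[global]
realm = TEST.LOCALDOMAIN
security = ADS
idmap uid = 10000-20000
idmap gid = 10000-20000
workgroup = TEST
password server = test-srv.test.localdomain
winbind separator = \\
"""
KRB5_CONF = """[libdefaults]
default_realm = TEST.LOCALDOMAIN
dns_lookup_kdc = false
[realms]
TEST.LOCALDOMAIN = {
kdc = test-srv.test.localdomain:88
admin_server = test-srv.test.localdomain:749 }
[domain_realm]
.test.localdomain = TEST.LOCALDOMAIN
test.localdomain = TEST.LOCALDOMAIN
"""
KDC_CONF = """[realms]
TEST.LOCALDOMAIN= {
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
"""
# Single DES is broken (RFC 6649); 3DES and RC4 are deprecated (RFC 8429).
DEPRECATED_ENCTYPE = re.compile(r'^(des|arcfour)', re.I)


def parse_smb(text):
    """smb.conf: parameter names are case/whitespace-insensitive; lines
    before any [section] header belong to [global]."""
    conf, section = {'global': {}}, 'global'
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in '#;':
            continue
        if line.startswith('['):
            section = line.strip('[]').lower()
            conf.setdefault(section, {})
        else:
            key, _, value = line.partition('=')
            conf[section][re.sub(r'\s+', '', key).lower()] = value.strip()
    return conf


def parse_krb5(text):
    """krb5.conf/kdc.conf: [section], repeatable key = value, NAME = { ... }
    sub-blocks (the closing brace may share a line). Values are lists."""
    conf, section, block = {}, None, None
    for line in (l.split('#', 1)[0].strip() for l in text.splitlines()):
        if not line or (section is None and not line.startswith('[')):
            continue
        if line.startswith('['):
            section, block = line.strip('[]'), None
            conf.setdefault(section, {})
        elif line == '}':
            block = None
        else:
            key, _, value = line.partition('=')
            key, value, closes = key.strip(), value.strip(), value.endswith('}')
            value = value.rstrip('}').strip()
            if value == '{':
                block, conf[section][key] = key, {}
                continue
            (conf[section][block] if block else conf[section]).setdefault(key, []).append(value)
            block = None if closes else block
    return conf


def check_ad_config(smb_text, krb5_text, kdc_text=''):
    """Return a list of findings; an empty list means the files agree."""
    out, smb, krb = [], parse_smb(smb_text)['global'], parse_krb5(krb5_text)
    realm, lib = smb.get('realm', ''), krb.get('libdefaults', {})
    if realm != realm.upper():
        out.append('smb.conf: realm %r is not upper-case (realms are case-sensitive)' % realm)
    if lib.get('default_realm', [''])[0] != realm:
        out.append('krb5.conf: default_realm does not match smb.conf realm %r' % realm)
    realm_block = krb.get('realms', {}).get(realm)
    kdcs = [v.split(':')[0] for v in (realm_block if isinstance(realm_block, dict) else {}).get('kdc', [])]
    if lib.get('dns_lookup_kdc', ['true'])[0].lower() == 'false' and not kdcs:
        out.append('krb5.conf: dns_lookup_kdc is false but no kdc is listed for %r' % realm)
    if kdcs and smb.get('passwordserver') not in kdcs:
        out.append('smb.conf: password server is not one of the krb5.conf kdc hosts %r' % kdcs)
    for name in (realm.lower(), '.' + realm.lower()):
        if krb.get('domain_realm', {}).get(name, [''])[0] != realm:
            out.append('krb5.conf: [domain_realm] does not map %r to %r' % (name, realm))
    for label, conf in (('krb5.conf', krb), ('kdc.conf', parse_krb5(kdc_text))):
        for section in conf.values():
            for key, vals in section.items():
                for k, v in (vals.items() if isinstance(vals, dict) else [(key, vals)]):
                    for enc in (tok.split(':')[0] for tok in ' '.join(v).split()):
                        if k.endswith('enctypes') and DEPRECATED_ENCTYPE.match(enc):
                            out.append('%s: deprecated enctype %s in %s' % (label, enc, k))
    return out
```

Run with the article's values, check_ad_config(SMB_CONF, KRB5_CONF) returns no findings, and adding KDC_CONF reports the five deprecated enctypes (des3-hmac-sha1, arcfour-hmac and the three single-DES types) from supported_enctypes; trimming that list to the AES types is the fix. Changing the realm in the smb.conf copy to lower case produces the realm, default_realm and domain_realm findings, which is exactly the class of mistake that otherwise surfaces only when “net ads join” or kinit fails.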

Lesson 2. Configure squid to use samba and winbind when authorizing access to web pages.

So it’s time to configure Squid to use our connection to AD.

First install Squid:

yum install squid

Next, edit /etc/squid/squid.conf file:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

external_acl_type nt_group ttl=0 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

visible_hostname squid.test.localhost

acl testproxy proxy_auth -i TEST\administrator
acl site_example_com dstdomain .example.com
http_access allow testproxy site_example_com

http_access deny all

http_port 3128

hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
All the auth_param directives are needed for Squid to work with AD. external_acl_type defines nt_group, an Active Directory group lookup, for when we want to use AD groups in our ACLs.

Defining an AD group ACL:

acl accounting external nt_group TEST\accounting

Defining an AD user ACL:

acl administrator proxy_auth -i TEST\administrator

Then you can use these ACL entries when defining access, like:

http_access allow testproxy site_example_com
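To see what the external_acl_type line above actually does, here is an added example, my own code and not the original post's nor Squid's wbinfo_group.pl, implementing the helper side of the protocol in Python. Squid keeps the helper running and writes one line per lookup: the %LOGIN value followed by the arguments of the acl line being evaluated (here the group names); the helper answers OK or ERR on a line of its own. Membership comes from a constructed table, an assumption standing in for the winbind lookups the real helper performs.

```python
"""Stand-in for the external_acl_type helper referenced above.
Added example, not the original post's or Squid's code; the membership
table is constructed so the helper runs offline."""
import sys

# Constructed membership table: lower-cased DOMAIN\user -> DOMAIN\groups.
MEMBERSHIP = {
    r'test\administrator': {r'test\domain-admins', r'test\accounting'},
    r'test\bob': {r'test\domain-users', r'test\sales'},
}


def user_groups(user):
    """Group lookup; a real helper would ask winbind (wbinfo) here (assumption)."""
    return MEMBERSHIP.get(user.lower(), set())


def handle_request(line):
    """One request line '<user> <group> [<group> ...]' -> 'OK' or 'ERR'.
    Windows names are case-insensitive, so both sides are lower-cased.
    Anything malformed gets ERR: a helper must fail closed, never open."""
    parts = line.strip().split()
    if len(parts) < 2:
        return 'ERR'
    user, wanted = parts[0], [g.lower() for g in parts[1:]]
    member_of = user_groups(user)
    return 'OK' if any(g in member_of for g in wanted) else 'ERR'


def serve(lines, out=sys.stdout):
    """Answer each request as it arrives; flush so Squid is not left waiting."""
    for line in lines:
        out.write(handle_request(line) + '\n')
        out.flush()


if __name__ == '__main__':
    serve(sys.stdin)
```

With “acl accounting external nt_group TEST\accounting”, a request from TEST\administrator makes Squid send the line “TEST\administrator TEST\accounting”, and this helper answers OK because that user is in the constructed table; TEST\bob gets ERR. The ttl=0 in the article's external_acl_type line tells Squid not to cache these answers, so a group change in AD takes effect on the next request at the cost of one helper round-trip per check; a larger ttl trades that freshness for fewer winbind lookups.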

Last step is to set proper permissions:

chmod 750 /var/lib/samba/winbindd_privileged/
chown root:squid /var/lib/samba/winbindd_privileged

If you have any query please email me at: kaleemqureshi79@gmail.com
