Bonjour à tous,

Depuis quelque temps, j'essaie de mettre en place une authentification transparente des utilisateurs du serveur proxy (squid+squidguard) que j'ai en place sur mon petit lan.

Afin de bien expliquer ma situation, voici mes fichiers de conf :
mon fichier /etc/samba/smb.conf:
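# Samba acting as a classic (NT4-style) primary domain controller for the
# FREDOUILLE workgroup: "security = user" together with "domain logons = yes".
# There is no Active Directory here, so "net ads join" -- an AD *member*
# operation that expects security = ads -- does not apply on this box; that is
# exactly what "Host is not configured as a member server" is reporting.
# ntlm_auth only needs winbindd running on the PDC itself; no join is required.
# NOTE(review): confirm winbindd is started and that the squid user can open
# the winbindd_privileged pipe, otherwise the NTLM helper cannot answer.
[global]
    workgroup = FREDOUILLE
    # Kerberos realm name; only consulted with security = ads (unused here).
    realm = FREDOUILLE.ORG
    server string = Samba Server Version %v
#    netbios name = portFB2
#    log files split per-machine:
###    log file = /var/log/samba/log.%m
#    maximum size of 50KB per log file, then rotate:
    max log size = 50
    # Listen on the LAN/WLAN interfaces and loopback only.
    interfaces = eth0, wlan0, lo
    bind interfaces only = yes
    # Local account database (tdbsam); this is the passdb winbindd/ntlm_auth
    # authenticate against on the PDC.
    passdb backend = tdbsam
    # Keep the Unix password in step with the SMB password on change.
    pam password change = yes
    passwd program = /usr/sbin/passwd %u
    passwd chat = New*Password* %n\n*Re-enter*new*password* %n\n Password*changed*
    encrypt passwords = yes
    update encrypted = no

    security = user
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    log file = /var/log/samba/log/%m
    # NetBIOS session port only; port 445 is not served.
    smb ports = 139
    name resolve order = wins bcast hosts
    time server = yes
    printing = CUPS
    printcap name = CUPS

    show add printer wizard = no
    # Unix accounts are created/removed on the fly by domain user and group
    # management; '%u' / '%g' are quoted so the substituted name is passed as a
    # single argument to the tool.
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'

    # Machine trust accounts: no login shell, no real home directory.
    add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
    shutdown script = /var/lib/samba/scripts/shutdown.sh
    abort shutdown script = /sbin/shutdown -c
    # Domain logon: script, roaming profile and home drive are all served from
    # this host (%L = server NetBIOS name, %U = session user name).
    logon script = scripts\logon.bat
    logon path = \\%L\profiles\%U
    logon drive = Z:
    logon home = \\%L\%U
#    domain master = yes
    domain logons = yes
    preferred master = yes
    wins support = yes
    utmp = yes
    map acl inherit = yes

    # Hide the classic worm-vector names (.eml/.nws and CLSID-style {...}
    # folders) and never hand out oplocks on shared Office/Access files.
    veto files = /*.eml/*.nws/*.{*}/
    veto oplock files = /*.doc/*.xls/*.mdb/

[printers]
    # Was "SMB Pproxy authentification transparenterint Spool": a stray paste
    # had landed inside the standard "SMB Print Spool" description.
    comment = SMB Print Spool
    path = /var/spool/samba
    printable = yes
    # Unauthenticated clients may print; the share is not listed (browseable = no).
    guest ok = yes
    use client driver = yes
    browseable = no
    default devmode = yes

[homes]
    comment = Home Directories
    path = /donnees/srvr/homes/%u
    # Only the owner may connect (%S = service name = the user's own name).
    valid users = %S
    read only = no
    browseable = no

[netlogon]
    comment = Network Logon Service
    path = /donnees/srvr/homes/netlogon
    # Logon scripts are readable without credentials.  "read only" is not set
    # to no here, so the share keeps Samba's read-only default -- which is what
    # you want for a directory whose contents every client executes at logon.
    guest ok = yes
    locking = no
    browseable = no

[profiles]
    comment = Profile Share
    path = /donnees/srvr/homes/profiles
    read only = no
    profile acls = yes
    browseable = no

[repusers]
    comment = Repertoire Users
    path = /donnees/srvr/partage
    read only = no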
mon fichier /etc/krb5.conf:
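[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FREDOUILLE.ORG
# DNS lookups are disabled, so the default realm MUST have an explicit entry in
# [realms] below; otherwise every Kerberos client fails to locate a KDC.
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
# Distribution template leftovers; unused but harmless.
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }

# Was "BEROK.ORG" (a realm name copied from another tutorial).  The realm that
# owns portFB2 is FREDOUILLE.ORG -- the default realm, and the one [domain_realm]
# maps fredouille.org to -- so without this rename no KDC was defined for it.
# NOTE(review): a Samba 3 classic PDC (security = user) provides no KDC at all;
# this file only matters if an MIT/Heimdal KDC really runs on portFB2, and the
# NTLM path used by ntlm_auth does not involve Kerberos.
 FREDOUILLE.ORG = {
  kdc = portFB2.fredouille.org
  admin_server = portFB2.fredouille.org
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 fredouille.org = FREDOUILLE.ORG
 .fredouille.org = FREDOUILLE.ORG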
et mon fichier /etc/squid/squid.conf:
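# --- Authentication helpers -------------------------------------------------
# Both helpers are Samba's ntlm_auth, which answers through winbindd: winbindd
# must be running on this host (wbinfo -t / wbinfo -a should succeed) and the
# squid user must be allowed to open the winbindd_privileged pipe, otherwise
# every request ends in an authentication failure.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
# Never reuse an NTLM challenge: a reused challenge would let a captured
# response be replayed, so 0 is the safe value.
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

# Basic fallback for clients without NTLM.  The password crosses the LAN in
# clear text (base64) on every request, so keep it to trusted networks.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid AD
auth_param basic credentialsttl 2 hours

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128

acl localnet src 192.168.0.0/24    # RFC1918 possible internal network
# Matches once the client has authenticated (NTLM or Basic, see above).
acl password proxy_auth REQUIRED

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Do not let proxy clients reach services bound to this host's loopback.
http_access deny to_localhost
http_access allow localhost
# Was "allow ntlm": no ACL named "ntlm" exists -- the proxy_auth ACL above is
# called "password" -- so Squid refused the configuration.  The client must
# also come from the LAN (localnet): http_port below listens on every
# interface, and a password prompt alone should not be all that stands between
# outside hosts and this proxy.
http_access allow localnet password
http_access deny all

visible_hostname portFB2.fredouille.org
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid

refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320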

Également, pour faire ceci, je suis ce tuto

Je précise aussi que j'arrive bien à joindre mes clients Windows au domaine et que mes users ouvrent sans difficulté leur session.


le souci maintenant :
[fredouille@portFB2 ~]$ su -c "net ads join -U Administrator"
Mot de passe : 
Host is not configured as a member server.
Invalid configuration.  Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.
J'ai pris le temps de regarder d'autres tutos sur le Net, mais tous arrivent à ce genre de commande et j'ai eu beau les essayer, elles se sont toutes soldées par la même erreur.

J'en arrive donc maintenant à crier à l'aide, en espérant que vous voudrez bien m'aider sur ce sujet qui dure depuis bien longtemps.

D'avance merci à tous