Hello hello
I received this by email; I haven't tested it, but will do so when I get back from vacation.
In case it interests anyone in the meantime...
====================================================================
From: admin@safesquid.com
Date: 22.06.2005 12:04
Subject: SafeSquid - Authentication - Windows Domain Controller
We had been receiving so many queries on PAM.
Especially about authenticating the users of SafeSquid Proxy from a Windows Domain Controller.
These queries were so natural and relevant since all the versions of SafeSquid have PAM compatibility.
Besides, user authentication is so important in large networks as a key defence against Trojans and worms.
User authentication is also very important to analyse the overall Internet access pattern of the various users.
Unfortunately, the SafeSquid documentation at http://www.safesquid.com/home also did not contain any tutorial on achieving this useful technique.
So this mail seeks to expose the hidden nugget, to those who are still struggling to get this done.
The basic premise of the solution is based on SafeSquid's intrinsic capability for PAM-based authentication.
Of the four items of PAM, SafeSquid uses only two - authentication & account.
The administrators are required to just install the required PAM module.
In this example, since we want to authenticate from a Windows Domain Controller, you must install the pam_smb_auth.so library.
Of course this library must be installed in /lib/security.
In case your Linux distro requires you to install the PAM modules in some other folder then you must install it in the same folder.
Just ensure that the standard pam_permit.so library is also present.
So, here's a step-by-step guide to authenticating the users of SafeSquid Proxy from a Windows Domain Controller, by using pam_smb_auth.so.
In the following example the enterprise network domain is "OUR_DOMAIN".
The Primary Domain Controller is "OUR_PDC".
The Secondary Domain Controller is "OUR_BDC"
In the following step replace "OUR_DOMAIN", "OUR_PDC" & "OUR_BDC"
with the actual NetBIOS names of your Windows Domain, Primary Domain Controller & Secondary (Back-up) Domain Controller.
Step #1
Define the identity of your Windows Domain Controller.
create /etc/pam_smb.conf
Type in the following three entries as follows -
OUR_DOMAIN
OUR_PDC
OUR_BDC
Save this file.
In case your enterprise does not have a Backup or Secondary Domain Controller then just replace the "OUR_BDC" entry with "OUR_PDC".
So the OUR_PDC entry is just repeated.
The /etc/pam_smb.conf would now look like this -
OUR_DOMAIN
OUR_PDC
OUR_PDC
Step #2
Now just verify that the Linux server (on which you have installed SafeSquid) can resolve and reach the Domain Controllers, by pinging them.
ping OUR_PDC
or
ping OUR_BDC
Now just edit the hosts file (/etc/hosts) on the Linux server so that it can quickly resolve the IP addresses of "OUR_PDC" & "OUR_BDC".
I am presuming here that the FQDN of "OUR_PDC" is our_pdc.our_domain.com & its IP address is 10.10.10.11
and the FQDN of "OUR_BDC" is our_bdc.our_domain.com & its IP address is 10.10.10.12
In the /etc/hosts file now just add the following lines -
10.10.10.11 OUR_PDC our_pdc.our_domain.com
10.10.10.12 OUR_BDC our_bdc.our_domain.com
Step #3
Now comes the tricky part, but the most important part.
Configuring how SafeSquid uses PAM!
Of the four items of PAM challenge response process, SafeSquid uses only two - authentication & account.
So if you haven't renamed the SafeSquid program name create /etc/pam.d/safesquid
(If one already exists, move it to somewhere else)
Type in the following entries -
#%PAM-1.0
auth required pam_smb_auth.so debug nolocal
account required pam_permit.so
The "debug" option above is optional; it just displays the PAM related activity on your console or syslog, when you are trying this out for the first time.
You can cut it out in case you are satisfied that PAM works for you.
Now you can enable PAM authentication in the Access Restrictions Section in all or any of the entries, as per your requirement.
We successfully managed to replicate the above solution on a couple of RedHat, Mandrake & SuSE distros.
We hope this solution works for you, and please do share your experience about it on the SafeSquid Forum.
Just in case you need more help, feel free to request it at the SafeSquid Forum.
This application note could also open the flood-gates, with people trying out other modules and mechanisms of PAM like pam_mysql, pam_ldap, etc.
So just turn on PAM and enjoy authentication from the Windows Domain Controller.
====================================================================
Phew!
Finally done with the copy/paste; line by line is really exhausting...
I hope I'm not duplicating someone, but since it's recent...
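A sanity check for the three files that Steps 1 to 3 of the forwarded mail have you create, added here as an example and not part of the mail or the original post; it assumes the mail's paths (/etc/pam_smb.conf, /etc/hosts, /etc/pam.d/safesquid and modules in /lib/security) under a fake root, so it can be run against a scratch copy before anything touches the live system.

```shell
# Added example, not from the SafeSquid mail or the forum post: sanity-check the
# three files the mail's Steps 1-3 have you create. ROOT is a fake filesystem
# root so it can be run against a scratch copy instead of the live /etc.
# Assumed layout (from the mail): etc/pam_smb.conf, etc/hosts,
# etc/pam.d/safesquid and the PAM modules under lib/security.
# check_pam_smb_setup ROOT -> returns 0 when every step is in place
check_pam_smb_setup() {
    root=$1
    conf="$root/etc/pam_smb.conf"; svc="$root/etc/pam.d/safesquid"
    hosts="$root/etc/hosts";       lib="$root/lib/security"

    # Step 1: exactly three non-empty lines: DOMAIN, PDC, BDC (BDC may repeat PDC)
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    n=$(grep -c '[^[:space:]]' "$conf" || true)
    [ "$n" -eq 3 ] || { echo "$conf needs 3 entries, has $n"; return 1; }
    pdc=$(sed -n '2p' "$conf"); bdc=$(sed -n '3p' "$conf")

    # Step 2: both controller names have a static entry in /etc/hosts
    for h in "$pdc" "$bdc"; do
        grep -qw "$h" "$hosts" 2>/dev/null || { echo "$h not in $hosts"; return 1; }
    done

    # Step 3: auth goes to pam_smb_auth.so, account is pam_permit.so
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_smb_auth\.so' "$svc" 2>/dev/null \
        || { echo "no pam_smb_auth auth line in $svc"; return 1; }
    grep -Eq '^account[[:space:]]+required[[:space:]]+pam_permit\.so' "$svc" 2>/dev/null \
        || { echo "no pam_permit account line in $svc"; return 1; }

    # both modules must actually exist where PAM will load them from
    for m in pam_smb_auth.so pam_permit.so; do
        [ -f "$lib/$m" ] || { echo "$lib/$m not installed"; return 1; }
    done
    return 0
}

# build_sample ROOT: constructed sample tree using the mail's example values
build_sample() {
    mkdir -p "$1/etc/pam.d" "$1/lib/security"
    printf 'OUR_DOMAIN\nOUR_PDC\nOUR_BDC\n' > "$1/etc/pam_smb.conf"
    printf '10.10.10.11 OUR_PDC our_pdc.our_domain.com\n' > "$1/etc/hosts"
    printf '10.10.10.12 OUR_BDC our_bdc.our_domain.com\n' >> "$1/etc/hosts"
    printf '#%%PAM-1.0\nauth required pam_smb_auth.so debug nolocal\n' > "$1/etc/pam.d/safesquid"
    printf 'account required pam_permit.so\n' >> "$1/etc/pam.d/safesquid"
    : > "$1/lib/security/pam_smb_auth.so"; : > "$1/lib/security/pam_permit.so"
}

R=$(mktemp -d); build_sample "$R"
check_pam_smb_setup "$R" && echo "setup looks complete"; rm -rf "$R"
```

On the real box, call check_pam_smb_setup with / as ROOT once the files are in place; it only checks that the files are present and shaped as the mail describes, not that the domain controller actually accepts a login.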