freebsd_squid_ad
# Build and install Samba from ports: "make config" opens the options
# dialog, BATCH=yes accepts the defaults for any remaining prompts.
cd /usr/ports/net/samba416/
make config
make BATCH=yes install clean
# Keep a copy of every file before editing it (same pattern below).
cp /etc/hosts /etc/hosts.old
mcedit /etc/hosts
----
# Only the loopback entry is kept; domain hosts are resolved through DNS
# (see the resolv.conf step below).
127.0.0.1 localhost
----
# Point the resolver at the domain's DNS before joining: krb5.conf below
# uses dns_lookup_kdc, so the KDCs are found through DNS SRV records.
cp /etc/resolv.conf /etc/resolv.conf.old
mcedit /etc/resolv.conf
----
# Default search domain so short host names resolve inside the AD domain.
search newdomain.local
# These resolvers must serve the AD zone (SRV records for the KDCs);
# presumably the domain controllers, which are also the time sources below.
nameserver 192.168.150.2
nameserver 192.168.150.109
----
# Kerberos client settings for this host (used by "net ads join" and winbind).
cp /etc/krb5.conf /etc/krb5.conf.old
mcedit /etc/krb5.conf
----
[libdefaults]
# Locate the KDCs through DNS SRV records (requires the AD-aware
# resolvers configured in /etc/resolv.conf), but do not derive the
# realm from DNS TXT records.
dns_lookup_kdc = true
dns_lookup_realm = false
# Realm assumed when a principal is given without one.
default_realm = NEWDOMAIN.LOCAL
----
# Make domain users and groups visible to the system (getent, Squid helpers).
cp /etc/nsswitch.conf /etc/nsswitch.conf.old
mcedit /etc/nsswitch.conf
----
...
# Local files first, then winbind: a local account is always resolved
# before a domain account of the same name, so domain users cannot
# shadow local ones.
#group: compat
group: files winbind
...
#passwd: compat
passwd: files winbind
...
----
# Time zone plus a one-off clock sync against the DC: Kerberos rejects
# requests whose clock differs from the KDC by more than a few minutes.
cp /usr/share/zoneinfo/Asia/Almaty /etc/localtime
ntpdate 192.168.150.2
cp /usr/local/etc/smb4.conf /usr/local/etc/smb4.conf.old
mcedit /usr/local/etc/smb4.conf
----
[global]
# --- Active Directory domain membership ---
realm = NEWDOMAIN.LOCAL
workgroup = NEWDOMAIN
security = ADS
# Machine credentials live in the secrets database and this keytab;
# winbind refreshes the Kerberos tickets it obtained for users.
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = yes

# --- Identity mapping ---
# Domain users appear without the NEWDOMAIN\ prefix (as used by getent
# and the Squid group ACLs); local accounts still resolve first via nsswitch.
winbind use default domain = yes
# Non-overlapping ranges: tdb for the default (*) domain, deterministic
# rid mapping for NEWDOMAIN.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config NEWDOMAIN:backend = rid
idmap config NEWDOMAIN:range = 10000-999999
# NOTE(review): domain users get an interactive login shell here; if they
# only need Squid and the Sarg share, /usr/sbin/nologin would be tighter.
template shell = /bin/csh
template homedir = /home/%U

# --- Logging ---
# %m expands to the client's NetBIOS name: one log file per client.
log file = /var/log/samba4/%m.log
log level = 1

# --- Disabled services ---
# No printing and no print-spooler RPC exposed.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Never take part in browser elections.
local master = no
domain master = no
preferred master = no
----
# Join the domain; "net" prompts for the Administrator password, so no
# credential ends up in a file.
net ads join -U Administrator
# Set a fresh machine account password right after joining.
net ads changetrustpw
mcedit /etc/rc.conf
----
...
# Enable the Samba daemons at boot; winbindd is the one Squid's helpers use.
samba_server_enable="YES"
samba_enable="YES"
nmbd_enable="YES"
smbd_enable="YES"
winbindd_enable="YES"
# Configuration file the rc script passes to the daemons.
samba_server_config="/usr/local/etc/smb4.conf"
----
/usr/local/etc/rc.d/samba_server start
# Build and install Squid from ports (same options/BATCH pattern as Samba).
cd /usr/ports/www/squid
make config
make BATCH=yes install clean
mcedit /etc/rc.conf
----
...
# Same Samba entries as above, now with Squid enabled as well.
samba_server_enable="YES"
samba_enable="YES"
nmbd_enable="YES"
smbd_enable="YES"
winbindd_enable="YES"
samba_server_config="/usr/local/etc/smb4.conf"
squid_enable="YES"
----
"check groups in the domain NEWDOMAIN":
# Winbind must resolve the two domain groups referenced by the Squid ACLs;
# if getent prints nothing here, fix winbind before continuing.
getent group samba_admins
getent group smb
cp /usr/local/etc/squid/squid.conf /usr/local/etc/squid/squid.conf.old
mcedit /usr/local/etc/squid/squid.conf
----
# --- Authentication: NTLM through Samba's ntlm_auth (winbind) ---
# NOTE(review): NTLM is a legacy scheme; where clients support it, a
# Kerberos "negotiate" helper is the stronger choice.
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30

# --- Domain group lookups (need the authenticated login name) ---
external_acl_type GROUP1 %LOGIN /usr/local/libexec/squid/ext_wbinfo_group_acl
external_acl_type GROUP2 %LOGIN /usr/local/libexec/squid/ext_wbinfo_group_acl
acl AD1 external GROUP1 samba_admins@NEWDOMAIN.LOCAL
acl AD2 external GROUP2 smb@NEWDOMAIN.LOCAL

# Client networks allowed to use the proxy.
acl localnet src 192.168.150.0/24 192.168.151.0/24

# Alternative policy, disabled: any authenticated domain user.
#acl AuthorizedUsers proxy_auth REQUIRED
#http_access allow all AuthorizedUsers

# --- Access policy: evaluated top to bottom, first match wins ---
# NOTE(review): because "allow localnet" follows the group rules, an
# authenticated domain user who is in neither group is still allowed
# from localnet, so AD1/AD2 do not actually gate access. If group
# membership is meant to be required, drop the plain localnet allow or
# tie it to the groups, e.g. "http_access allow localnet AD1".
http_access allow AD1
http_access allow AD2
http_access allow localnet
http_access deny all

# --- Listener, privileges and storage ---
http_port 3128
cache_effective_user squid
cache_dir ufs /var/squid/cache 100 16 256
coredump_dir /var/squid/cache
visible_hostname free_squid
----
# Validate the configuration before starting, then create the cache dirs.
squid -f /usr/local/etc/squid/squid.conf -k parse
squid -z
# Squid runs as user "squid" (cache_effective_user); giving that group
# access to winbind's privileged pipe directory lets ntlm_auth and the
# group helper talk to winbindd.
chown -R root:squid /var/db/samba4/winbindd_privileged
/usr/local/etc/rc.d/squid start
squid -k reconfigure
# Watch requests arrive; this log carries user names and visited URLs.
tail -f /var/log/squid/access.log
# Build and install Sarg (Squid report generator).
cd /usr/ports/www/sarg/
make config
make BATCH=yes install clean
cp /usr/local/etc/sarg/sarg.conf /usr/local/etc/sarg/sarg.conf.old
mcedit /usr/local/etc/sarg/sarg.conf
----
...
# Reports are written to a local directory that is later exported
# read-only over Samba instead of the default web-server path.
#output_dir /var/www/html/squid-reports
output_dir /data/sarg
...
----
# Create the report directory.
mkdir -p /data/sarg
cd /data/sarg/
"If needed":
# Restrict the reports to root and the domain group "smb" (no world
# access): they contain per-user browsing history.
chown -R root:smb /data/sarg/
chmod 770 /data/sarg/
mcedit /usr/local/etc/smb4.conf
----
...
# Read-only share for the Sarg reports; who may read it is governed by
# the root:smb / 0770 permissions set on the directory above.
[sarg]
path = /data/sarg
read only = yes
----
/usr/local/etc/rc.d/samba_server restart
# Generate reports: everything, an explicit date range, or yesterday only.
sarg
sarg -d 01/02/2024-02/02/2024
sarg -d day-1
"change it to your data" (Squid log rotation: squid -k rotate):
# root's crontab: time sync, machine password rotation, Squid log rotation.
crontab -e
----
# Clock sync against the (presumed) domain controllers: Kerberos only
# tolerates a few minutes of skew.
# NOTE(review): stepping the clock every 5 minutes with ntpdate works,
# but ntpd would keep it disciplined without jumps.
*/5 * * * * /usr/sbin/ntpdate 192.168.150.2 192.168.150.109
# Rotate the machine account password once a day.
59 23 * * * /usr/local/bin/net ads changetrustpw
# Rotate Squid's logs on the first of each month.
0 0 1 * * /usr/local/sbin/squid -k rotate
----