Zprovoznění Windows Update přes Squid
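# Client network that may use the proxy for Windows Update.
acl localnet src 10.10.0.0/24

#========== Access list for Windows Update ==========
# Only the entry with a leading dot (".update.microsoft.com") also matches
# subdomains; every other dstdomain entry matches that exact host name only.
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com

# CONNECT (HTTPS tunnelling) is permitted only to the two update hosts below.
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

# Both rules grant access without proxy authentication (the update client
# typically cannot answer a proxy-auth challenge), restricted to localnet.
# They must appear before any "http_access deny !auth" rule, otherwise the
# update traffic is blocked.
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet

# Cache tuning for large update packages (one directive per line).
# range_offset_limit -1: a Range request makes Squid fetch the whole object
# so it can be cached. Set globally, as here, this applies to every site;
# Squid 3.2+ accepts an ACL ("range_offset_limit -1 windowsupdate") to scope
# it to the update hosts only.
range_offset_limit -1
# On Squid 3.x this is applied when cache_dir is parsed, so it has to come
# before the cache_dir line - verify for the version in use.
maximum_object_size 200 MB
# Keep fetching an object after the client aborts, so the cache gets filled.
quick_abort_min -1

# Add one of these lines for each of the websites you want to cache.
# reload-into-ims turns client reload / no-cache requests into
# If-Modified-Since, so clients cannot force a full refetch of a package.
# Character classes fixed: "ms[i|u|f]" also matched a literal "|".
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[iuf]|asf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[iuf]|asf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims
# Example entry - replace my.windowsupdate.website.com with a real host name.
refresh_pattern -i my.windowsupdate.website.com/.*\.(cab|exe|ms[iuf]|asf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims

# DONT MODIFY THESE LINES
refresh_pattern ^ftp:           1440 20% 10080
refresh_pattern ^gopher:        1440 0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .               0 20% 4320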
Squid v AD
Nejdřív nastavíme NTP (čas musí být synchronizovaný s řadičem domény, jinak připojení k AD selže).
Do samba.conf nastavíme:
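#GLOBAL PARAMETERS
[global]
   workgroup = DINTERNAL
   realm = DOMAIN.INTERNAL
   preferred master = no
   server string = squid proxy server
   # Domain member authenticating against AD (Kerberos).
   security = ADS
   encrypt passwords = yes
   # Level 3 is verbose (one file per client machine, %m); lower it once the
   # domain join works - the logs may contain account names.
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   printing = cups
   # Enumerating all users/groups can be slow on large domains; only needed
   # if something actually lists them (getent passwd / getent group).
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind trusted domains only = Yes
   winbind cache time = 3600
   winbind separator = +
   # Every domain user mapped by winbind gets an interactive shell on this
   # host. If they only need to authenticate to the proxy, /sbin/nologin is
   # the least-privilege choice (keep it consistent with
   # --winbindtemplateshell in the authconfig call).
   template shell = /bin/bash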
Do souboru hosts přidáme řádek s adresou serveru, a to s plným i zkráceným jménem.
Spustíme připojení k doméně a konfiguraci přihlašování do AD:
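# Variables expected to be set before running:
#   ADSWorkgroup  NetBIOS domain name (DINTERNAL in smb.conf above)
#   ADSDomain     Kerberos realm (DOMAIN.INTERNAL above)
#   ADSServer     domain controller host name
#   AdminUser     account used for the join; authconfig prompts for its
#                 password. It only needs the right to join computers to the
#                 domain, so use a delegated join account rather than a
#                 Domain Admin.
# --kickstart suppresses the interactive UI, --update writes the config.
# --enablelocauthorize: local files are consulted for authorization, the
# domain only for authentication.
authconfig \
  --update \
  --kickstart \
  --enablewinbind \
  --enablewinbindauth \
  --smbsecurity=ads \
  --smbworkgroup=$ADSWorkgroup \
  --smbrealm=$ADSDomain \
  --smbservers=$ADSServer \
  --winbindjoin=$AdminUser \
  --winbindtemplatehomedir=/home/%U \
  --winbindtemplateshell=/bin/bash \
  --enablewinbindusedefaultdomain \
  --enablelocauthorize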
Konfigurace Squidu:
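### NTLM
# Listed first, so clients that support it use NTLM single sign-on.
# --diagnostics is a debugging option of ntlm_auth; confirm it is wanted in
# production. The helper relies on a running winbind.
auth_param ntlm \
    program /usr/bin/ntlm_auth \
    --diagnostics \
    --helper-protocol=squid-2.5-ntlmssp \
    --domain=DINTERNAL
auth_param ntlm children 10
auth_param ntlm keep_alive off

### LDAP
# Fallback for clients without NTLM. With Basic auth the user name and
# password reach the proxy in clear text on every request.
# The helper binds to the DC as the account given with -D; its password is
# read from the -W file, which must be readable only by the user Squid runs
# as. The bind account needs read access to the directory and nothing more.
# -R: do not follow LDAP referrals. -f: search filter, %s = login name.
# The connection to the DC is plain LDAP here (-h). If the DC supports it,
# add -Z (StartTLS) so the bind and user passwords do not cross the network
# in clear text.
auth_param basic \
    program /usr/lib/squid/squid_ldap_auth \
    -R -b "dc=DOMAIN,dc=INTERNAL" \
    -D user@domain.internal \
    -W /etc/squid/ldappass.txt \
    -f sAMAccountName=%s \
    -h dc.domain.internal
auth_param basic children 10
auth_param basic realm Internet Proxy
# Re-validate Basic credentials against the directory every minute.
auth_param basic credentialsttl 1 minute

### access list
acl auth proxy_auth REQUIRED

### enforce client authentication
# Deny every request that is not authenticated, then allow authenticated
# users. "allow auth" grants any destination; any rule meant to bypass
# authentication (e.g. the Windows Update ACLs) has to come before these
# two lines, and combining "auth" with a source ACL such as localnet keeps
# the proxy from being usable from outside the client network.
http_access deny !auth
http_access allow auth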
Spuštění služeb:
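# Enable at boot and start now. winbind is required: ntlm_auth and the
# user/group lookups depend on it. smb (smbd) is enabled as well - if this
# host only acts as a proxy and serves no file shares, check whether it is
# really needed; every extra listening daemon widens the attack surface.
/sbin/chkconfig winbind on
/sbin/service winbind start
/sbin/chkconfig smb on
/sbin/service smb start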