środa, 18 lipca 2012

Proxy+Safeguard+AD

http://community.spiceworks.com/how_to/1958-installing-squid-and-squidguard-with-transparent-active-directory-authentification

squid.conf



# squid.conf — forward proxy on port 3128 that authenticates users against AD
# through ntlm_auth/winbind and hands every allowed URL to squidGuard.
# http_access rules are evaluated top to bottom and the first matching line
# wins, so the order of the rules below is significant.
http_port 3128

# Whitelist consulted before everything else: domains in this file are allowed
# without authentication and before any deny rule below (the redirector still
# sees them).
# NOTE(review): the path is /etc/squid3/ while files.acl and squidGuard.conf
# further down live under /etc/squid/ — confirm which prefix this install uses.
acl urlskok     dstdomain       "/etc/squid3/urlskok.acl" # list of sites to unblock; entries look like .google.com
http_access allow urlskok


# Upstream content-scanning proxy; exactly one cache_peer should be active.
#HAVP
#cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-Netdb-exchange default
#F-Secure Gatekeeper on localhost:9080; "default" makes it the parent for every request
cache_peer 127.0.0.1 parent 9080 0 no-query no-digest no-Netdb-exchange default

# Dynamic content (cgi-bin, query strings) is neither fetched via peers nor cached.
hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

# Treat Vary handling as broken for responses whose Server header is Apache
# (carried over from the stock squid.conf).
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache


access_log /var/log/squid/access.log squid

# Authentication.  NTLM is meant to give AD users transparent sign-on; basic
# auth (password base64-encoded on every request) is the fallback for clients
# that cannot do NTLM, so the proxy should only be reachable from the trusted LAN.
# NOTE(review): there is no "auth_param ntlm program ..." line, so as pasted only
# the basic scheme is actually defined — the NTLM helper line was probably lost
# when copying.
auth_param ntlm children 25
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --domain=AD
auth_param basic children 25
auth_param basic realm Squid proxy-caching web server
# A verified basic credential is cached for 2 hours before being re-checked
# against AD; a shorter TTL makes password changes and account disables bite sooner.
auth_param basic credentialsttl 2 hours

# Cache Windows Update binaries aggressively: minimum 4320 min (3 days), maximum
# 43200 min (30 days); "reload-into-ims" turns client reloads into
# If-Modified-Since revalidations instead of full refetches.
refresh_pattern windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
# Defaults for everything else.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# --- ACL definitions (Squid 2.x syntax; "all" has to be declared explicitly) ---
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
# Ports that CONNECT (TLS tunnelling) is allowed to.
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 8443 # sipXecs console
# Destination ports allowed for plain requests.  1025-65535 makes this a very
# wide list; the CONNECT/!SSL_ports rule below is what actually limits tunnelling.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
# The company LAN.
acl siec_Firma src 10.0.0.0/255.0.0.0
# Request paths that look like a dotted-quad IP (used below to refuse CONNECT to raw IPs).
acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
# Address ranges of the Gadu-Gadu and Tlen instant-messaging services (denied below).
acl gg dst 217.17.41.80-217.17.41.95 217.17.45.0/24 217.17.46.0/24 91.197.13.0/24 91.197.14.0/24 85.232.233.0-85.232.233.63
acl tlen dst 193.17.41.0-193.17.41.63 212.126.20.0-212.126.20.32
# Regex list of URL paths to refuse; the file itself is not shown here.
acl deny_files urlpath_regex "/etc/squid/files.acl"
# Instant-messenger domains ("komunikatory").
acl komunikatory dstdomain download.skype.com gadu-gadu.pl icq.com mystatus.skype.com ui.skype.com tlen.pl
# Streaming-media MIME types (request and reply side) plus the Windows Media
# Player user agent — meant to stop web radio / video.
acl webRadioReq1 req_mime_type -i ^video/x-ms-asf$
acl webRadioReq2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl webRadioReq3 req_mime_type -i ^application/x-mms-framed$
acl webRadioRep1 rep_mime_type -i ^video/x-ms-asf$
acl webRadioRep2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl webRadioRep3 rep_mime_type -i ^application/x-mms-framed$
acl WMP browser Windows-Media-Player/*
# Matches only requests whose proxy credentials the auth helpers accepted.
acl NTLMUsers proxy_auth REQUIRED

# --- Access rules: first match wins ---
# Refuse CONNECT to raw IP addresses (would bypass the domain-based lists).
http_access deny CONNECT numeric_IPs all
http_access deny deny_files
http_access deny gg
http_access deny tlen
http_access deny komunikatory
# NOTE(review): several ACLs on one http_access line are ANDed.  A single
# request cannot carry three different MIME types at once, so this line never
# matches and the streaming block is ineffective — one "http_access deny" per
# ACL (or one per Req/Rep group) is what was intended.
http_access deny webRadioReq1 webRadioReq2 webRadioReq3 webRadioRep1 webRadioRep2 webRadioRep3 WMP
# NOTE(review): this deny comes before "allow manager localhost" below, so the
# cache-manager interface is unreachable even from localhost; the stock order is
# allow-from-localhost first, then deny.
http_access deny manager

http_access allow manager localhost
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
# Everyone else must authenticate.  NTLMUsers is the last ACL on the line, so a
# request without acceptable credentials is answered with a 407 challenge here.
http_access allow all NTLMUsers
# NOTE(review): given the challenge above, this line appears to matter only for
# requests that were not challenged; confirm whether an unauthenticated fallback
# for the 10/8 LAN is really intended, since authenticated LAN users are already
# covered by the previous line.
http_access allow siec_Firma
http_access deny all

http_reply_access allow all

# ICP is open to any host; restrict it to known peers if this port is reachable
# from outside the LAN.
icp_access allow all

cache_effective_group proxy

error_directory /usr/share/squid/errors/Polish

coredump_dir /var/spool/squid


# Every allowed URL is passed to squidGuard (configuration below); 25 helpers
# to match the 25 authentication helpers.
redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
redirect_children 25





squidGuard.conf


# squidGuard.conf — URL filter invoked through Squid's redirect_program above.
# Global settings
logdir /var/log/squid
# Directory the relative *.destdomainlist files below are resolved against.
dbhome /var/lib/squidguard/db

#------------------------------------------------------------------------------------------
# Category definitions
# Kept separate so that the correctness of the blacklist definitions is easier to check.

# Sources are user groups.  "user" is compared with the proxy user name Squid
# passes in (the %i in the redirect URLs); with "winbind use default domain = yes"
# in smb.conf that is the bare AD account name without a DOMAIN\ prefix.  The
# single testNN accounts are placeholders for the real group members.

source Pelendost {
user test55
}

source Zarzad {
user test44
}

source InternetUsers {
user test33
}

source DyrektorzyRegionow {
user test22
}

source Centrala {
user test11
}

# Destinations: one domain list per category, relative to dbhome.
destination B {
domainlist B.destdomainlist
}

destination block-site {
domainlist block-site-1.destdomainlist
}

destination im {
domainlist im.destdomainlist
}

destination spyware {
domainlist spyware.destdomainlist
}

destination minimum {
domainlist minimum.destdomainlist
}

# No URL rewriting rules.
rewrite default {
}

# Access rules: the first source matching the user wins, "default" covers the
# rest.  "pass !x !y any" allows everything except the negated categories;
# "pass a b none" allows only the listed categories.  Blocked requests are
# redirected to sgblock.php with client, user, group and requested URL as
# query parameters.
# NOTE(review): sgblock.php (not shown) receives the requested URL (%u) and the
# user name verbatim from the client; it must HTML-escape them before echoing
# them into the block page.
acl {
# IM and spyware blocked, everything else allowed.
Pelendost {
pass !im !spyware any
redirect http://localhost/sgblock.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

# "in-addr" is squidGuard's built-in class for URLs given as a raw IP address;
# listed first, such URLs appear to pass before the im/spyware lists are consulted.
Zarzad {
pass in-addr !im !spyware any
redirect http://localhost/sgblock.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

InternetUsers {
pass !block-site !im !spyware any
redirect http://localhost/sgblock.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

# NOTE(review): Centrala is the only group that does not exclude "spyware" —
# presumably deliberate, confirm.
Centrala {
pass !block-site !im any
redirect http://localhost/sgblock.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

DyrektorzyRegionow {
pass !im !spyware any
redirect http://localhost/sgblock.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

# Anyone not matched above (including unknown user names) gets a whitelist:
# only the B and minimum lists are reachable, everything else is redirected.
default {
pass B minimum none
redirect http://localhost/sgblock.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    }
    }




krb5.conf

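# krb5.conf — Kerberos client settings for the AD.NAZWA.DOMENY.PL realm
# (variant pointing at domain controller NOD01).
[libdefaults]
        default_realm = AD.NAZWA.DOMENY.PL
# DNS discovery of KDC and realm stays enabled (the two lines are commented
# out); the kdc entry under [realms] is used in addition.
#        dns_lookup_kdc = false
#        dns_lookup_realm = false
# Heimdal-style option names (default_etypes_des is Heimdal's).  The original
# line read "pdefault_etypes", a key no Kerberos library recognises, so the
# enctype preference was most likely never applied.
# NOTE(review): des-cbc-crc and des-cbc-md5 are single DES (56-bit key) —
# cryptographically broken, disabled by default in current MIT/Heimdal and in
# AD since Windows 7 / Server 2008 R2.  Prefer aes256-cts-hmac-sha1-96 and
# aes128-cts-hmac-sha1-96 once the proxy's AD account and the KDC support them.
        default_etypes = des-cbc-crc des-cbc-md5
        default_etypes_des = des-cbc-crc des-cbc-md5

# Maps DNS domains to the Kerberos realm.  The section is called
# "domain_realm"; the original "domain_realms" is an unknown section name and
# would have been ignored, leaving the mappings unused.
[domain_realm]
        .ad.nazwa.domeny.pl = AD.NAZWA.DOMENY.PL
        ad.nazwa.domeny.pl = AD.NAZWA.DOMENY.PL
        .nazwa.domeny.pl = AD.NAZWA.DOMENY.PL
        nazwa.domeny.pl = AD.NAZWA.DOMENY.PL

[realms]
AD.NAZWA.DOMENY.PL = {
        default_domain = AD.NAZWA.DOMENY.PL
# Domain controller: KDC on port 88; port 464 is the kpasswd service AD uses
# for password changes.
        kdc = NOD01.AD.NAZWA.DOMENY.PL:88
        admin_server = NOD01.AD.NAZWA.DOMENY.PL:464
}

# Library and KDC log files — useful when "kinit"/"net ads join" fail.
[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log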
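# Second copy of the same krb5.conf, differing only in the domain controller
# (AD1 instead of NOD01).  Install one or the other — a single krb5.conf must
# not repeat its sections.
[libdefaults]
        default_realm = AD.NAZWA.DOMENY.PL
# DNS discovery of KDC and realm stays enabled (the two lines are commented
# out); the kdc entry under [realms] is used in addition.
#        dns_lookup_kdc = false
#        dns_lookup_realm = false
# Heimdal-style option names (default_etypes_des is Heimdal's).  The original
# line read "pdefault_etypes", a key no Kerberos library recognises, so the
# enctype preference was most likely never applied.
# NOTE(review): des-cbc-crc and des-cbc-md5 are single DES (56-bit key) —
# cryptographically broken, disabled by default in current MIT/Heimdal and in
# AD since Windows 7 / Server 2008 R2.  Prefer aes256-cts-hmac-sha1-96 and
# aes128-cts-hmac-sha1-96 once the proxy's AD account and the KDC support them.
        default_etypes = des-cbc-crc des-cbc-md5
        default_etypes_des = des-cbc-crc des-cbc-md5

# Maps DNS domains to the Kerberos realm.  The section is called
# "domain_realm"; the original "domain_realms" is an unknown section name and
# would have been ignored, leaving the mappings unused.
[domain_realm]
        .ad.nazwa.domeny.pl = AD.NAZWA.DOMENY.PL
        ad.nazwa.domeny.pl = AD.NAZWA.DOMENY.PL
        .nazwa.domeny.pl = AD.NAZWA.DOMENY.PL
        nazwa.domeny.pl = AD.NAZWA.DOMENY.PL

[realms]
AD.NAZWA.DOMENY.PL = {
        default_domain = AD.NAZWA.DOMENY.PL
# Domain controller: KDC on port 88; port 464 is the kpasswd service AD uses
# for password changes.
        kdc = AD1.NAZWA.DOMENY.PL:88
        admin_server = AD1.NAZWA.DOMENY.PL:464
}

# Library and KDC log files — useful when "kinit"/"net ads join" fail.
[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log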



nsswitch.conf

# nsswitch.conf — name-service lookup order on the proxy host.
# Users and groups: local /etc/passwd and /etc/group first, then AD accounts
# via winbind (Samba, see smb.conf).  This is what makes "getent passwd" list
# domain users in the checks further down.
passwd:         files winbind
group:          files winbind

# Host names from /etc/hosts first, then DNS; the KDC names in krb5.conf are
# resolved through this.
hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

# NOTE(review): nothing else in this setup configures NIS; "nis" here is a
# common distribution default and is harmless while no NIS domain is set.
netgroup:       nis




smb.conf

# smb.conf — joins the proxy to the AD domain so that winbind can resolve AD
# users and ntlm_auth (used by Squid) can verify credentials.  Samba 3-era syntax.
[global]
# Unix UID/GID range winbind allocates to AD users and groups.
# NOTE(review): newer Samba releases replace "idmap uid/gid" with "idmap config" entries.
idmap gid = 10000-20000
socket options = SO_KEEPALIVE TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
domain master = no
encrypt passwords = true
# AD account names are exposed without the DOMAIN\ prefix — the "user" entries
# in squidGuard.conf must be written the same way.
winbind use default domain = yes
realm = NAZWA.DOMENY.PL
netbios name = proxy
server string = Server Proxy
idmap uid = 10000-20000
# Lets "wbinfo -u" / "wbinfo -g" and getent enumerate the whole domain —
# convenient for the checks below, but can be slow on large directories.
winbind enum users = yes
# NOTE(review): Samba treats '#' / ';' as a comment only at the start of a line;
# as written, "#kontroler.domeny.pl" looks like it becomes part of the value.
# "*" alone (locate DCs via DNS) is what was intended — move the comment to its own line.
password server = * #kontroler.domeny.pl
local master = no
workgroup = DOMENA
winbind enum groups = yes
os level = 0
# Domain member authenticating through Kerberos / AD.
security = ads
preferred master = no
# NOTE(review): level 0 logs almost nothing; raise it to 1-2 so failed joins
# and authentication errors are recorded.
log level = 0
# NOTE(review): "wins server" expects a server address; the on/off switch is
# "wins support" — confirm which one was meant.
    wins server = no
    load printers = no

# Password-protocol hardening: LM responses disabled; NTLM(v1) still accepted,
# presumably because the squid-2.5 helpers in squid.conf depend on it.  NTLMv1
# is weak (offline crackable) — move to NTLMv2 once clients and helpers allow.
lanman auth = no
ntlm auth = yes
#client NTLMv2 = yes
#client lanman = no
# Never send passwords in clear text to other servers.
client plaintext auth = no


# makes wbinfo able to see groups
#client schannel = no
#client signing = no
#client use spnego = yes
#client ntlmv2 auth = yes

# No anonymous (null-session) access to IPC$, which blocks anonymous user and
# share enumeration.
restrict anonymous = 2

# The lines referred to below are not in the paste; "domain master / local
# master / preferred master = no" and "os level = 0" above already keep this
# host out of master-browser elections.
# to avoid the workstation from
# trying to become a master browser
# on your windows network add the
# following lines

Bardzo ważne !!!!!!!!!!!!!!
- sprawdź, czy nie ma literówki
- w /etc/hosts zmień 120.0.0.1 localhost na prawidłową nazwę
- podłącz się za pierwszym razem adminem AD
net ads join -S serwer -U user_ad

# kinit
Then to see the ticket:
# klist
You'll see stuff about the ticket cache and expiries and renewals. Once the giddiness subsides, you may as well release/destroy the ticket:
# kdestroy

RESTART CAŁEGO SERWERA i sprawdzamy
wbinfo -u
wbinfo -g 


Check that a ticket was issued: klist
Query LDAP server: ldapsearch 
List all users to test LDAP configuration: getent passwd
Make sure your time is correct: net time 

piątek, 13 lipca 2012

Logoff Citrix windows CMD

Ogólnie można tak:
  QUERY USER /SERVER:localhost
  LOGOFF SessionID /SERVER:localhost

Lub

function Get-TSSession([string]$UserName="\w"){
  # Lists terminal-services sessions on Server1 and Server2, keeping the
  # header row, the "no user exists" message and the rows for $UserName.
  # $UserName is interpolated into a regular expression (the default "\w"
  # matches every row), so regex metacharacters in a name are interpreted.
  $pattern = "username|no user exists|\b$UserName"
  $keep = { $_ -match $pattern }

  Write-Host "Server: Server1"
  query user /server:server1 | Where-Object $keep

  Write-Host "Server: Server2"
  query user /server:server2 | Where-Object $keep
}

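function Clear-TSSession([string]$UserName){
  # Logs off every RDP session of $UserName on Server1 and Server2, then
  # clears the user's record locks via Clear-RecordLock (defined elsewhere).
  #
  # Guard: with an empty name the original pattern "\b$UserName\b" collapsed
  # to "\b\b", matched every row of `query user` and logged off ALL sessions.
  if ($UserName.Trim() -eq '') {
    throw "Clear-TSSession: UserName must not be empty"
  }

  # Match the USERNAME column only (optional '>' marks the caller's own
  # session), with the name escaped so it is compared literally.  The old
  # "\bname\b" also hit names containing it as a word, e.g. "jan" matched
  # "jan.kowalski".  -match is case-insensitive, as query user output is.
  $userPattern = "^\s*>?\s*$([regex]::Escape($UserName))\s+"

  foreach ($server in 'Server1', 'Server2') {
    Write-Host "Server: $server"
    # The second filter sets $matches[0] to the "rdp-tcp#N" session name that
    # logoff takes as its argument.
    query user /server:$server |
      Where-Object { $_ -match $userPattern } |
      Where-Object { $_ -match "rdp-tcp#\d*" } |
      ForEach-Object { logoff $matches[0] /server:$server }
  }

  Write-Host "Clearing Record Locks"
  Clear-RecordLock($UserName)
}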

środa, 11 lipca 2012

Lotus Notes Copy and New replica

- Zaznaczamy bazę
- File - Application - New Copy

(Kopia może być w obrębie jednego serwera, REPLIKACJA NIE)

- wybieramy lokalizację i zmieniamy nazwę (nie Local, tylko serwer)
OK

Następnie
- otwieramy bazę
- File - Replication - New Replica

(INNY SERWER NIGDY TEN SAM DLA REPLIKACJI)
OK

Na serwerze, gdzie nie ma pliku, wpisujemy

pull [nazwa serwera gdzie jest plik] mail\jkowalski.nsf