mirror of https://github.com/tLDP/LDP
updated
This commit is contained in:
parent
4ae43b33ac
commit
3ca5a4c901
|
@ -3,7 +3,7 @@
|
|||
<article><!-- LyX 1.2 created this file. For more info see http://www.lyx.org/ -->
|
||||
<title>Samba Authenticated Gateway HOWTO
|
||||
</title><author>Ricardo Alexandre Mattar
|
||||
</author><date>v1.0.2, 2003-04-19
|
||||
</author><date>v1.1.0, 2003-05-03
|
||||
</date><abstract>This documents intends to show how to build a Firewall/Gateway
|
||||
with rules set on user basis having the users authenticated by a
|
||||
Samba Primary Domain Controller
|
||||
|
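Review bot: the abstract still reads "This documents intends to show" in the unchanged lines of this hunk; since the version line is being bumped to v1.1.0 anyway, change it to "This document intends to show" and "with rules set on a per-user basis" in the same edit.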
@ -26,16 +26,16 @@
|
|||
</p><p>Imagine that you have to build a gateway to let Windows workstation
|
||||
access the Internet and that you need to authenticate each user before
|
||||
letting them access the external networks. The first solution you
|
||||
think about is Squid. Its indeed a great solution, when http and
|
||||
ftp access is enough for your users. when it comes to let them access
|
||||
think about is Squid. It's indeed a great solution, when http and
|
||||
ftp access is enough for your users. When it comes to let them access
|
||||
other services like pop, smtp, ssh, a database server or whatever
|
||||
else, you immediately think about NAT or MASQUERADE. But what happens
|
||||
to the user authentication?
|
||||
</p><p>Well, this is my solution. It gives you user authentication and
|
||||
fine grain control over their access to the external networks.
|
||||
</p><sect1>Overview
|
||||
<p>We know that SAMBA can act as a Domain Controller an so it can
|
||||
authenticate users on Windows boxes. As a PDC SAMBA can push netlogon
|
||||
<p>We know that SAMBA can act as a Domain Controller and so it can
|
||||
authenticate users on Windows boxes. As a PDC, SAMBA can push netlogon
|
||||
scripts to the Windows workstations. We can use this netlogon scripts
|
||||
to force the Windows workstations mounting a given share from our
|
||||
Linux PDC. This "forced" share shall have preexec and postexec scripts
|
||||
|
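Review bot: several errors survive in the context lines next to the fixed ones: "let Windows workstation access" should be "workstations", "this netlogon scripts" should be "these netlogon scripts", "force the Windows workstations mounting a given share" reads better as "to mount a given share", and "fine grain control" should be "fine-grained control".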
@ -67,9 +67,10 @@
|
|||
</p><sect1>Feedback
|
||||
<p>Contributions and criticism are both welcome.
|
||||
</p><p>Corrections to my English are also very welcome!
|
||||
</p><p>If may find me at ricardo.mattar@bol.com.br
|
||||
</p><p>If you find any bugs in the scripts included, please tell me.
|
||||
</p><p>You can find me at ricardo.mattar@bol.com.br
|
||||
</p><sect1>Copyright and trademarks
|
||||
<p>Copyright (c) 2002 Ricardo Alexandre Mattar
|
||||
<p>Copyright (c) 2002-2003 Ricardo Alexandre Mattar
|
||||
</p><p>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation;
|
||||
|
@ -80,8 +81,8 @@
|
|||
<p>Thanks to Carlos Alberto Reis Ribeiro for introducing me to Linux.
|
||||
</p><p>Thanks to Cesar Bremer Pinheiro for motivating me to write this
|
||||
document.
|
||||
</p><p>Thanks to Guillaume Lelarge for helping with the revision (he
|
||||
caught my english errors, but I insisted on a few).
|
||||
</p><p>Thanks to Guillaume Lelarge for the (continuous) help with the
|
||||
revision.
|
||||
</p><p>Thanks to Erik Esplund for further language corrections.
|
||||
</p><sect>Requirements
|
||||
<sect1>Knowledge
|
||||
|
@ -92,7 +93,7 @@
|
|||
<item>Linux netfilter;
|
||||
<item>A scripting language (bash?);
|
||||
<item>SAMBA and Windows networking and domain controllers;
|
||||
</itemize></p><p>Fortunately, there is plenty of documentation of these topics
|
||||
</itemize></p><p>Fortunately, there is plenty of documentation on these topics
|
||||
on the Internet.
|
||||
</p><sect1>Software
|
||||
<p>Installed on your server, you will need at least:
|
||||
|
@ -101,7 +102,7 @@
|
|||
<item>A scripting language;
|
||||
</itemize></p><sect>Linux box setup
|
||||
<p>This Howto assumes you have a kernel from the 2.4 series as it
|
||||
uses iptables. Other than that there are no know issues why this
|
||||
uses iptables. Other than that, there are no known issues why this
|
||||
should not work on a 2.2 kernel box with the scripts adapted to ipchains.
|
||||
</p><p>Of course, you need to install the iptables userland tools, an
|
||||
apache http server if you want to run a CGI tool to change passwords
|
||||
|
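Review bot: "there are no known issues why this should not work" is still awkward after the typo fix; "there is no known reason why this should not work" says what is meant. In the following line "an apache http server" should be capitalised as "an Apache HTTP server".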
@ -121,6 +122,8 @@
|
|||
</p><p><verb>/var/run/smbgate/
|
||||
</verb></p><p>This is where I place user specific scripts:
|
||||
</p><p><verb>/etc/smbgate/users/
|
||||
</verb></p><p>And group specific scripts:
|
||||
</p><p><verb>/etc/smbgate/groups/
|
||||
</verb></p><p>Directory for the netlogon share:
|
||||
</p><p><verb>/home/samba/netlogon/
|
||||
</verb></p><p>Directory for the tracking share:
|
||||
|
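Review bot: the two added directory lines ("/home/samba/netlogon/" and the tracking share directory) need one sentence on ownership and permissions. The text later says the Windows workstations download and run the logon script from the netlogon share, so that directory should be owned by root and the share exported read-only; /var/run/smbgate/ is written by the root preexec scripts and its contents end up in iptables rules, so it must not be writable by ordinary users either.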
@ -130,9 +133,9 @@
|
|||
</p><sect1>Firewall setup
|
||||
<p>Its very unlikely that your distribution's kernel won't be compiled
|
||||
with Iptables and the userland tools won't be installed either. Anyway,
|
||||
if you don't have it. Refer to <url url="http://www.netfilter.org" name="http://www.netfilter.org"> or <url url="http://www.iptables.org" name="http://www.iptables.org"> to get the software and the documentation.
|
||||
if you don't have it, refer to <url url="http://www.netfilter.org" name="http://www.netfilter.org"> or <url url="http://www.iptables.org" name="http://www.iptables.org"> to get the software and the documentation.
|
||||
</p><p>You will need a basic firewall setup in order to get the gateway
|
||||
working. Take a look at the iptables tutorial at <url url="http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html" name="IPTABLES TUTORIAL">. Its an interesting
|
||||
working. Take a look at the iptables tutorial at <url url="http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html" name="IPTABLES TUTORIAL">. It's an interesting
|
||||
reading. Anyway, if you have no time to spend, the following code
|
||||
is somewhat (very) loose but it may fit your needs:
|
||||
</p><p><verb>#!/bin/sh
|
||||
|
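Review bot: the first line of this hunk, "Its very unlikely that your distribution's kernel won't be compiled with Iptables and the userland tools won't be installed either", is not touched by the fix and has two problems: "Its" should be "It's", and the double negative says the opposite of what is meant. Suggest "It's very likely that your distribution's kernel already has iptables support and that the userland tools are installed." Also "It's an interesting reading" should be "It's interesting reading".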
@ -155,9 +158,9 @@ echo "1" > /proc/sys/net/ipv4/ip_dynaddr
|
|||
$IPTABLES -t nat -F
|
||||
</verb></p><p>You will notice that this code actually does nothing, but load
|
||||
the kernel modules related to nat and firewalling and turns the packet
|
||||
routing on. You can place any rules there to give your gateway a
|
||||
standard behavior, but the big magic will be done by scripts called
|
||||
by the SAMBA daemon.
|
||||
routing on. You can (and should) place any rules there to give your
|
||||
gateway a standard behavior, but the big magic will be done by scripts
|
||||
called by the SAMBA daemon.
|
||||
</p><p>Please, remember that this code doesn't have the least bit of
|
||||
security! Don't use these examples in production environments. This
|
||||
example intends only to be educational. You have to add a firewall
|
||||
|
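Review bot: changing "can" to "can (and should)" is the right direction, but the paragraph still leaves the reader with a gateway whose only access control is the absence of a MASQUERADE rule. Since the lines above say the base script only loads the nat and firewalling modules, flushes the nat table and turns routing on, one sentence should state that the baseline rules must set the FORWARD chain policy to DROP (or otherwise refuse to forward traffic for addresses without an active logon), so that a workstation with no netlogon rule is actually blocked rather than merely un-NATed.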
@ -215,8 +218,8 @@ path = /home/samba/samba
|
|||
browseable = No
|
||||
root preexec = /usr/local/bin/netlogon.sh %u
|
||||
root postexec = /usr/local/bin/netlogoff.sh %u
|
||||
</verb></p><p>You will have to make do with it or read the SAMBA documentation
|
||||
if you really want to control your server and network.
|
||||
</verb></p><p>You will have to do with it or read the SAMBA documentation if
|
||||
you really want to control your server and network.
|
||||
</p><sect2>The netlogon and the tracking shares
|
||||
<p>The netlogon share is where the Windows workstations download
|
||||
the logon script from. We need this share in order to place there
|
||||
|
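Review bot: the wording change from "You will have to make do with it" to "You will have to do with it" is a regression; "make do with" is the idiom, so the original line was correct and should be restored. Independently, it is worth one sentence under the share definition that root preexec and root postexec run netlogon.sh and netlogoff.sh as root with %u substituted by Samba, so those scripts must only ever be writable by root and should quote "$1" wherever they use it.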
@ -252,6 +255,8 @@ root postexec = /usr/local/bin/netlogoff.sh %u
|
|||
the %u at the end of the lines. These scripts are the beasts
|
||||
which will call a script or program to modify our gateway's packet
|
||||
filtering rules.
|
||||
</p><p>Note that the netlogon.sh script must check if the refered workstation
|
||||
has already mounted the tracking share.
|
||||
</p><p>Take a look at the netlogon.sh and netlogoff.sh scripts:
|
||||
</p><p><verb>#!/bin/sh
|
||||
#
|
||||
|
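Review bot: "refered" in the added sentence should be "referred", and the sentence promises a check ("the netlogon.sh script must check if the referred workstation has already mounted the tracking share") that the netlogon.sh lines shown further down in this diff do not perform: they read the address from /var/run/smbgate/$1 and apply the rules unconditionally. Either add the check to the script or reword the sentence as a to-do so readers do not assume it is already done.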
@ -268,10 +273,15 @@ IPTABLES='/usr/sbin/iptables'
|
|||
EXTIF='eth0'
|
||||
COMMAND='-A'
|
||||
ADDRESS=`cat /var/run/smbgate/$1`
|
||||
GROUP=`groups $1 | gawk '// { print $3 }'`
|
||||
if [ -f /etc/smbgate/users/$1 ] ; then
|
||||
/etc/smbgate/users/$1 $COMMAND $ADDRESS $EXTIF
|
||||
else
|
||||
/etc/smbgate/users/default.sh $COMMAND $ADDRESS $EXTIF
|
||||
else
|
||||
if [ -f /etc/smbgate/groups/$GROUP ] ; then
|
||||
/etc/smbgate/groups/$GROUP $COMMAND $ADDRESS $EXTIF
|
||||
else
|
||||
/etc/smbgate/users/default.sh $COMMAND $ADDRESS $EXTIF
|
||||
fi
|
||||
fi
|
||||
|
||||
</verb></p><p>This script (netlogon.sh) is intended to run when the user logs
|
||||
|
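Review bot: the new group fallback inherits the unchecked inputs of the user branch. ADDRESS comes from `cat /var/run/smbgate/$1`; if that file is missing or empty, the script goes on to call the user or group script with an empty address, which becomes `-s  -o eth0` in the iptables command and fails at best. Add `[ -n "$ADDRESS" ] || exit 1` after the cat, and quote "$1", "$ADDRESS" and "$GROUP" in the tests and calls. The nested `else` / `if` / `fi` / `fi` would also read more clearly as `elif`.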
@ -280,6 +290,13 @@ fi
|
|||
file will take the user's name and will be later used when the user
|
||||
log off. The address extracted will be passed as an argument to a
|
||||
script with the users' name which will finally update the firewall.
|
||||
</p><p>Notice that this netlogon.sh script tries a user script, then
|
||||
if it can't find the user script it tries a group script, and finally
|
||||
if it can't find the group script it tries the default.sh script.
|
||||
You can modify this logic and behavior as you wish and need, just
|
||||
remember to modify the others accordingly.
|
||||
</p><p>Chances are if the user belong to more than one that these scripts
|
||||
will fail. I did not have time to write a better code.
|
||||
</p><p><verb>#!/bin/sh
|
||||
#
|
||||
# netlogoff.sh
|
||||
|
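Review bot: "Chances are if the user belong to more than one that these scripts will fail" is missing a word and a verb ending: "if the user belongs to more than one group". It also does not describe what the listing above actually does: `groups $1 | gawk '// { print $3 }'` takes only the third field of the `groups` output, which is the user's primary group, so for a user in several groups the script does not fail, it silently applies the primary group's policy and ignores the others. Saying that plainly matters, because an administrator who put a restrictive policy on a secondary group would otherwise assume it is enforced.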
@ -291,7 +308,16 @@ IPTABLES='/usr/sbin/iptables'
|
|||
EXTIF='ppp0'
|
||||
COMMAND='-D'
|
||||
ADDRESS=`cat /var/run/smbgate/$1`
|
||||
/etc/smbgate/users/$1 $COMMAND $ADDRESS $EXTIF
|
||||
GROUP=`groups $1 | gawk '// { print $3 }'`
|
||||
if [ -f /etc/smbgate/users/$1 ] ; then
|
||||
/etc/smbgate/users/$1 $COMMAND $ADDRESS $EXTIF
|
||||
else
|
||||
if [ -f /etc/smbgate/groups/$GROUP ] ; then
|
||||
/etc/smbgate/groups/$GROUP $COMMAND $ADDRESS $EXTIF
|
||||
else
|
||||
/etc/smbgate/users/default.sh $COMMAND $ADDRESS $EXTIF
|
||||
fi
|
||||
fi
|
||||
rm -f /var/run/smbgate/$1
|
||||
</verb></p><p>This script (netlogoff.sh) is intended to run when the user logs
|
||||
off and will get the address from the /var/run/smbgate/user file
|
||||
|
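Review bot: EXTIF='ppp0' in netlogoff.sh does not match EXTIF='eth0' in netlogon.sh above. Because the rule is deleted with `-D` using the same arguments it was added with, a mismatched `-o` interface means the MASQUERADE rule added at logon is never removed at logoff, and the workstation keeps its access until the next flush or reboot. Both scripts should take the interface from one shared setting. Also, `rm -f /var/run/smbgate/$1` runs unconditionally; if the delete fails, removing the address file loses the only record needed to retry it, so consider removing the file only when the user or group script returned 0.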
@ -302,14 +328,13 @@ rm -f /var/run/smbgate/$1
|
|||
share more than once per login. This may cause problems with the
|
||||
netlogon.sh and netlogoff.sh, triggering the scripts more the once.
|
||||
This can make a real mess. So, you may prefer to use a logout checking
|
||||
script at cron instead of a netlogoff.sh script trigered by SAMBA.
|
||||
script at cron instead of a netlogoff.sh script triggered by SAMBA.
|
||||
Here is an example:
|
||||
</p><p><verb>#!/bin/sh
|
||||
# checklogout.sh
|
||||
#
|
||||
# usage:
|
||||
# intended to run at cron
|
||||
#
|
||||
# intended to run at cron (maybe each 10 minutes)
|
||||
|
||||
TRACKDIR="/var/run/smbgate"
|
||||
DIRLENGTH=${#TRACKDIR}
|
||||
|
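Review bot: "triggering the scripts more the once" in the context lines should be "more than once". The added comment "(maybe each 10 minutes)" also deserves a sentence in the text: with a cron-driven check, a workstation keeps its gateway access for up to the full interval after the user logs off, so the interval is a security parameter rather than a convenience and should be chosen accordingly.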
@ -325,10 +350,15 @@ if [ -d $TRACKDIR ]; then
|
|||
NMS=`smbstatus -u $USERNAME | grep $TRACKSHARE | grep $IPADDRESS | grep -v grep | wc -l`
|
||||
if [ $NMS == 0 ] ; then
|
||||
rm -f $n
|
||||
if [ -f /etc/smbgate/users/$1 ] ; then
|
||||
/etc/smbgate/users/$1 $COMMAND $IPADDRESS $EXTIF
|
||||
GROUP=`groups $USERNAME | gawk '// { print $3 }'`
|
||||
if [ -f /etc/smbgate/users/$USERNAME ] ; then
|
||||
/etc/smbgate/users/$USERNAME $COMMAND $IPADDRESS $EXTIF
|
||||
else
|
||||
/etc/smbgate/users/default.sh $COMMAND $IPADDRESS $EXTIF
|
||||
if [ -f /etc/smbgate/groups/$GROUP ] ; then
|
||||
/etc/smbgate/groups/$GROUP $COMMAND $IPADDRESS $EXTIF
|
||||
else
|
||||
/etc/smbgate/users/default.sh $COMMAND $IPADDRESS $EXTIF
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
else
|
||||
|
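Review bot: replacing $1 with $USERNAME is the right fix, since this script runs from cron with no positional parameters, but two problems remain in the test just above it. `grep $IPADDRESS` is an unanchored substring match, so 192.168.0.1 also matches a session from 192.168.0.10 and the stale rule for the first host survives as long as the second is connected; use `grep -w "$IPADDRESS"` or match the address as a whole field. And `[ $NMS == 0 ]` relies on a bash extension of `[`; under /bin/sh use `[ "$NMS" -eq 0 ]`. The `grep -v grep` is a habit from `ps` pipelines and does nothing useful on smbstatus output.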
@ -381,9 +411,9 @@ exit 0
|
|||
the domain name of your Linux server. This is essential to the gateway
|
||||
work.
|
||||
</p><p>You must know that in order to join some versions of Windows
|
||||
to a SAMBA domain controller you must create machine accounts in
|
||||
to a SAMBA domain controller, you must create machine accounts in
|
||||
your Linux PDC. Check the SAMBA documentation on how to setup your
|
||||
PDC to the specific version version of Windows which you have.
|
||||
PDC to the specific version of Windows which you have.
|
||||
</p><sect2>Windows 95/98
|
||||
<p>These versions seems to need no special configuration to join
|
||||
the Linux PDC domain.
|
||||
|
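Review bot: "This is essential to the gateway work" in the context lines should be "essential for the gateway to work", and "These versions seems to need" in the Windows 95/98 section should be "seem to need".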
@ -438,9 +468,60 @@ net use z: \\linux\samba /yes /persistent:no
|
|||
to build integrated tools to solve this problem. So, I am using a
|
||||
CGI program to get it done.
|
||||
</p><p>Try the package at <url url="http://changepassword.sourceforge.net" name="http://changepassword.sourceforge.net">, it seems to be a good choice.
|
||||
</p><sect1>Granting or denying access to users
|
||||
<p>As you could see in a previous section of this howto, the SAMBA
|
||||
daemon will call a netlogon.sh script every time the tracking share
|
||||
is mounted. This netlogon.sh script will call a script with the user's
|
||||
name giving this script the ip address of the refered workstation
|
||||
as a parameter. This user script will apply the desired rules.
|
||||
</p><p>For example if you want to give the user full access to internet:
|
||||
</p><p><verb>#!/bin/sh
|
||||
#
|
||||
COMMAND=$1
|
||||
ADDRESS=$2
|
||||
EXTIF=$3
|
||||
IPTABLES='/usr/sbin/iptables'
|
||||
$IPTABLES $COMMAND POSTROUTING -t nat -s $ADDRESS -o $EXTIF -j MASQUERADE
|
||||
</verb></p><p>If you don't want to change anything to a particular user, just
|
||||
give him an empty script:
|
||||
</p><p><verb>#/bin/sh
|
||||
#
|
||||
exit 0
|
||||
</verb></p><p>Or just don't create any script for the less privileged users,
|
||||
letting them have the default.sh script, which would be empty as
|
||||
the previous or just give limited access as follows:
|
||||
</p><p><verb>#!/bin/sh
|
||||
#
|
||||
COMMAND=$1
|
||||
ADDRESS=$2
|
||||
EXTIF=$3
|
||||
EXTIFADDRESS=$4
|
||||
IPTABLES='/usr/sbin/iptables'
|
||||
$IPTABLES $COMMAND POSTROUTING -t nat -s $ADDRESS -o $EXTIF --dport 25 -j SNAT --to-source $EXTIFADDRESS
|
||||
$IPTABLES $COMMAND POSTROUTING -t nat -s $ADDRESS -o $EXTIF --dport 110 -j SNAT --to-source $EXTIFADDRESS
|
||||
</verb></p><p>Remember that this script requires you to modify all the previous
|
||||
scripts to include the extra parameter ou just modify the script
|
||||
script. And remember that you will go nowhere whis this howto if
|
||||
you don't understand iptables.
|
||||
</p><sect>Group management
|
||||
<sect1>Creating groups
|
||||
<p>Just create your user groups in the Linux PDC and add the users
|
||||
to the groups. This is it.
|
||||
</p><p>Remember that the example scripts in this howto will probably
|
||||
fail if you have users belonging to more than one group. If you need
|
||||
this, remember to adjust the scripts.
|
||||
</p><sect1>Group policy
|
||||
<p>You will need to define group specific scripts and place them
|
||||
in the directory "/etc/smbgate/groups/". Remember that the script must
|
||||
be named as the group, at least if you want to follow the examples
|
||||
in this howto.
|
||||
</p><p>The default scheme of this howto is to check for a user script,
|
||||
then for a group script and finally for the default script. If you
|
||||
want to modify this behavior remember to adapt the netlogon.sh, netlogoff.sh
|
||||
(or the checklogout.sh) scripts. The whole logic is in these scripts.
|
||||
</p><sect>Bibliography
|
||||
<p><url url="http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html" name="IPTABLES TUTORIAL"> by Oskar Andreasson
|
||||
</p><p><url url="http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html" name="Samba HOWTO Collection"> by the SAMBA Team
|
||||
</p><p><url url="http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection.html" name="Samba HOWTO Collection"> by the SAMBA Team
|
||||
</p><sect>GNU Free Documentation License
|
||||
<p>GNU Free Documentation License Version 1.2, November 2002
|
||||
</p><p>Copyright (C) 2000,2001,2002 Free Software Foundation, Inc. 59
|
||||
|
|
|
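Review bot: the limited-access example added in this hunk will not load: `--dport 25` and `--dport 110` are options of the tcp match, so each rule needs `-p tcp` before `--dport`; as written iptables rejects the rule and the user ends up with no SNAT at all. The empty user script starts with `#/bin/sh`, which is missing the `!` of the shebang. In the prose, "refered" should be "referred", "ou just modify the script script" should be "or just modify the script", and "whis this howto" should be "with this howto". Finally, since every grant here is `-s $ADDRESS`, one sentence should say that the control is only as good as the binding between a workstation's address and the logged-in user recorded in /var/run/smbgate/, so addresses on that network should be fixed (static or reserved leases) rather than freely chosen by the client.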
@ -9,11 +9,11 @@
|
|||
<article>
|
||||
<titlepag>
|
||||
<title>Web Browsing Behind ISA Server HOWTO</title>
|
||||
<author>by Raheel Abdul Hameed (<tt/raheel at NOspAMraheelhameed dot com/)</author>
|
||||
<date>v1.0, 2003-05-01</date>
|
||||
<author>by Raheel Abdul Hameed (<tt/raheel at raheelhameed dot com/)</author>
|
||||
<date>v1.0, April 2003 - Initial Release, reviewed by LDP</date>
|
||||
<abstract>
|
||||
If you are using a Linux box connected to a Windows-based ISA server, this article will
|
||||
help you in set things up so you can browse the web from your Linux
|
||||
help you set things up so you can browse the web from your Linux
|
||||
machine. I decided to write this article because I experienced similar issues, and
|
||||
after some digging found some ways to web-enable my cute Linux machine. So here is this
|
||||
article with the hope that you'll like it and find it useful. Any feedback will be
|
||||
|
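Review bot: this hunk drops the anti-spam munging from the author's address ("raheel at NOspAMraheelhameed dot com" becomes "raheel at raheelhameed dot com"); that should be the author's deliberate choice, because the published HOWTO is widely mirrored and harvested. The date line also moves away from the ISO form used by the other document in this commit ("v1.1.0, 2003-05-03"); keeping the YYYY-MM-DD form keeps the two consistent, and "Initial Release, reviewed by LDP" belongs in a revision history rather than in the date field.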
@ -32,12 +32,12 @@ This section first discusses some legal matters, requisites, uses of this docume
|
|||
<sect1>
|
||||
<heading>Copyright</heading>
|
||||
<p>
|
||||
This document is Copyright 2003 by Raheel Abdul Hameed
|
||||
This document is Copyright (c) 2003 by Raheel Abdul Hameed
|
||||
<p>
|
||||
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
|
||||
<p>
|
||||
For the full text of the license, please visit
|
||||
<url url="http://www.gnu.org/copyleft/fdl.html" name="GNU Free Documentation License">
|
||||
<url url="http://www.gnu.org/copyleft/fdl.html" name="GNU Free Documentation License">.
|
||||
|
||||
<sect1>
|
||||
<heading>Disclaimer</heading>
|
||||
|
@ -78,7 +78,7 @@ Some familiarity with ISA server configuration is also favorable, but not necess
|
|||
<itemize>
|
||||
<item> You have a Windows machine running ISA Server as a proxy
|
||||
that connects to internet.
|
||||
<item> You have a linux machine where you want to run your browser
|
||||
<item> You have a Linux machine where you want to run your browser
|
||||
to browse the web behind ISA Server proxy.
|
||||
<item> You are sick of using Windows to browse the net.
|
||||
<item> You are a complete nerd and read every HOWTO available.
|
||||
|
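Review bot: besides "linux" to "Linux", the two neighbouring items still read "connects to internet" and "behind ISA Server proxy"; "connects to the Internet" and "behind the ISA Server proxy" are the natural forms.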
@ -149,7 +149,7 @@ Some familiarity with ISA server configuration is also favorable, but not necess
|
|||
<p>
|
||||
As mentioned above, due to Integrated Authentication support configured on ISA
|
||||
server, third party browsers do not work behind it. In this situation you can make use of
|
||||
another authentication scheme called 'Basic Authentication,' commonly supported by
|
||||
another authentication scheme called 'Basic Authentication', commonly supported by
|
||||
most browsers and most importantly by ISA Server too. If you work in a security
|
||||
conscious environment this method is not recommended since during basic
|
||||
authentication, the username and password sent are loosely encrypted.
|
||||
|
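Review bot: the comma move is fine, but "the username and password sent are loosely encrypted" is inaccurate and understates the risk the paragraph is trying to convey. Basic authentication does not encrypt the credentials at all; it base64-encodes them, which anyone who can observe the request reverses trivially. Suggest: "during basic authentication the username and password are sent base64-encoded, which is not encryption; anyone who can see the traffic to the proxy can read them, so use this only where the path to the proxy is trusted".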
@ -191,7 +191,7 @@ configuration console, then move on to the second method in the following sectio
|
|||
|
||||
Load up a test url in your browser, it will ask you for authentication information,
|
||||
In place of user, type DOMAIN\USER, where your DOMAIN being the Windows domain,
|
||||
and USER and legitimate USER your proxy recognises. In place of password, type the
|
||||
and USER being a legitimate domain user. In place of password, type the
|
||||
user's password. Click on OK to continue. For example:
|
||||
|
||||
<code>
|
||||
|
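Review bot: the rewritten USER clause is clearer, but the sentence around it still has a comma splice and a dangling "being": "Load up a test url in your browser, it will ask you for authentication information, In place of user, type DOMAIN\USER, where your DOMAIN being the Windows domain". Suggest: "Load a test URL in your browser; it will ask for authentication information. In place of the user name, type DOMAIN\USER, where DOMAIN is the Windows domain and USER is a legitimate domain user."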
@ -313,7 +313,7 @@ PASSWORD:your_nt_password
|
|||
<item> Click on OK to apply your changes.
|
||||
</itemize>
|
||||
|
||||
Load up a test url in your browser and you will see the web page load successfully. If you use a different browser
|
||||
Load up a test url in your browser and you will see the web page loads successfully. If you use a different browser
|
||||
then you will need to explore and see how you set it up to work with proxy.
|
||||
</sect1>
|
||||
</sect>
|
||||
|
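Review bot: "you will see the web page load successfully" was correct and "you will see the web page loads successfully" is not; revert this change or rephrase as "you will see that the web page loads successfully". "to work with proxy" in the following line should be "to work with the proxy".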
@ -334,6 +334,15 @@ PASSWORD:your_nt_password
|
|||
<p> Python Home Page
|
||||
<htmlurl name="www.python.org" url="http://www.python.org">
|
||||
</sect1>
|
||||
<sect1>
|
||||
<heading>Appendix - B - Acknowledgments </heading>
|
||||
<p>
|
||||
<itemize>
|
||||
<item> Special thanks to Tabatha Persad (tabatha AT merlinmonroe DOT com) for reviewing and fixing the grammatical, structural, spelling and markup mistakes in this document.
|
||||
<item> Thanks to Greg Ferguson (gferg AT sgi DOT com), Joy Goodreau (joyg AT us DOT ibm DOT com) for their guidance on submitting this document.
|
||||
<item> Thanks to Faisal Khatri (fslkhatri AT hotmail DOT com) for verifying the information in this document.
|
||||
</itemize>
|
||||
</sect1>
|
||||
</sect>
|
||||
|
||||
</article>
|
||||
|