gferg 2003-05-09 14:22:28 +00:00
parent 4ae43b33ac
commit 3ca5a4c901
2 changed files with 129 additions and 39 deletions

View File

@ -3,7 +3,7 @@
<article><!-- LyX 1.2 created this file. For more info see http://www.lyx.org/ -->
<title>Samba Authenticated Gateway HOWTO
</title><author>Ricardo Alexandre Mattar
</author><date>v1.0.2, 2003-04-19
</author><date>v1.1.0, 2003-05-03
</date><abstract>This documents intends to show how to build a Firewall/Gateway
with rules set on user basis having the users authenticated by a
Samba Primary Domain Controller
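Review bot: the version bump to v1.1.0 is fine, but the abstract it sits above still reads "This documents intends to show" (L15); since this hunk already touches the header, fix it to "This document intends to show" in the same change.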
@ -26,16 +26,16 @@
</p><p>Imagine that you have to build a gateway to let Windows workstation
access the Internet and that you need to authenticate each user before
letting them access the external networks. The first solution you
think about is Squid. Its indeed a great solution, when http and
ftp access is enough for your users. when it comes to let them access
think about is Squid. It's indeed a great solution, when http and
ftp access is enough for your users. When it comes to let them access
other services like pop, smtp, ssh, a database server or whatever
else, you immediately think about NAT or MASQUERADE. But what happens
to the user authentication?
</p><p>Well, this is my solution. It gives you user authentication and
fine grain control over their access to the external networks.
</p><sect1>Overview
<p>We know that SAMBA can act as a Domain Controller an so it can
authenticate users on Windows boxes. As a PDC SAMBA can push netlogon
<p>We know that SAMBA can act as a Domain Controller and so it can
authenticate users on Windows boxes. As a PDC, SAMBA can push netlogon
scripts to the Windows workstations. We can use this netlogon scripts
to force the Windows workstations mounting a given share from our
Linux PDC. This "forced" share shall have preexec and postexec scripts
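Review bot: the two corrected lines are good, but the unchanged lines that follow still have "We can use this netlogon scripts to force the Windows workstations mounting a given share"; make it "these netlogon scripts" and "to force the Windows workstations to mount a given share" while the paragraph is being edited.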
@ -67,9 +67,10 @@
</p><sect1>Feedback
<p>Contributions and criticism are both welcome.
</p><p>Corrections to my English are also very welcome!
</p><p>If may find me at ricardo.mattar@bol.com.br
</p><p>If you find any bugs in the scripts included, please tell me.
</p><p>You can find me at ricardo.mattar@bol.com.br
</p><sect1>Copyright and trademarks
<p>Copyright (c) 2002 Ricardo Alexandre Mattar
<p>Copyright (c) 2002-2003 Ricardo Alexandre Mattar
</p><p>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation;
@ -80,8 +81,8 @@
<p>Thanks to Carlos Alberto Reis Ribeiro for introducing me to Linux.
</p><p>Thanks to Cesar Bremer Pinheiro for motivating me to write this
document.
</p><p>Thanks to Guillaume Lelarge for helping with the revision (he
caught my english errors, but I insisted on a few).
</p><p>Thanks to Guillaume Lelarge for the (continuous) help with the
revision.
</p><p>Thanks to Erik Esplund for further language corrections.
</p><sect>Requirements
<sect1>Knowledge
@ -92,7 +93,7 @@
<item>Linux netfilter;
<item>A scripting language (bash?);
<item>SAMBA and Windows networking and domain controllers;
</itemize></p><p>Fortunately, there is plenty of documentation of these topics
</itemize></p><p>Fortunately, there is plenty of documentation on these topics
on the Internet.
</p><sect1>Software
<p>Installed on your server, you will need at least:
@ -101,7 +102,7 @@
<item>A scripting language;
</itemize></p><sect>Linux box setup
<p>This Howto assumes you have a kernel from the 2.4 series as it
uses iptables. Other than that there are no know issues why this
uses iptables. Other than that, there are no known issues why this
should not work on a 2.2 kernel box with the scripts adapted to ipchains.
</p><p>Of course, you need to install the iptables userland tools, an
apache http server if you want to run a CGI tool to change passwords
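Review bot: the reworded sentence keeps the claim that the scripts would work on a 2.2 kernel once "adapted to ipchains", which is stronger than the document supports: every rule in this HOWTO is built on the nat table (`POSTROUTING -t nat`, `-j MASQUERADE`, `-j SNAT --to-source`), and ipchains has no nat table or SNAT target, so the per-port SNAT default script later in the file has no direct ipchains equivalent. Suggest "This has not been tested on 2.2/ipchains; the NAT rules would have to be redesigned" rather than "no known issues".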
@ -121,6 +122,8 @@
</p><p><verb>/var/run/smbgate/
</verb></p><p>This is where I place user specific scripts:
</p><p><verb>/etc/smbgate/users/
</verb></p><p>And group specific scripts:
</p><p><verb>/etc/smbgate/groups/
</verb></p><p>Directory for the netlogon share:
</p><p><verb>/home/samba/netlogon/
</verb></p><p>Directory for the tracking share:
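Review bot: the new `/etc/smbgate/groups/` directory needs the same ownership and permission guidance as `/etc/smbgate/users/`, and neither gets any here. Everything under `/etc/smbgate/` is executed by smbd via `root preexec` / `root postexec`, so any file a non-root user can write or create there runs as root on the next logon; state that `/etc/smbgate`, its subdirectories and the scripts must be owned by root and not group- or world-writable (e.g. 0755 directories, 0755 or 0700 scripts), and that `/var/run/smbgate/` should be root-only too, since its contents become `-s` arguments to iptables.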
@ -130,9 +133,9 @@
</p><sect1>Firewall setup
<p>Its very unlikely that your distribution's kernel won't be compiled
with Iptables and the userland tools won't be installed either. Anyway,
if you don't have it. Refer to <url url="http://www.netfilter.org" name="http://www.netfilter.org"> or <url url="http://www.iptables.org" name="http://www.iptables.org"> to get the software and the documentation.
if you don't have it, refer to <url url="http://www.netfilter.org" name="http://www.netfilter.org"> or <url url="http://www.iptables.org" name="http://www.iptables.org"> to get the software and the documentation.
</p><p>You will need a basic firewall setup in order to get the gateway
working. Take a look at the iptables tutorial at <url url="http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html" name="IPTABLES TUTORIAL">. Its an interesting
working. Take a look at the iptables tutorial at <url url="http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html" name="IPTABLES TUTORIAL">. It's an interesting
reading. Anyway, if you have no time to spend, the following code
is somewhat (very) loose but it may fit your needs:
</p><p><verb>&num;!/bin/sh
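Review bot: "Its" → "It's" is fixed in the second corrected line but the first sentence of the section still opens "Its very unlikely that your distribution's kernel won't be compiled with Iptables"; apply the same fix there and drop the double negative ("It's very likely that your distribution's kernel is compiled with iptables and the userland tools are installed").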
@ -155,9 +158,9 @@ echo &quot;1&quot; &gt; /proc/sys/net/ipv4/ip_dynaddr
&dollar;IPTABLES -t nat -F
</verb></p><p>You will notice that this code actually does nothing, but load
the kernel modules related to nat and firewalling and turns the packet
routing on. You can place any rules there to give your gateway a
standard behavior, but the big magic will be done by scripts called
by the SAMBA daemon.
routing on. You can (and should) place any rules there to give your
gateway a standard behavior, but the big magic will be done by scripts
called by the SAMBA daemon.
</p><p>Please, remember that this code doesn't have the least bit of
security! Don't use these examples in production environments. This
example intends only to be educational. You have to add a firewall
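Review bot: "You can (and should) place any rules there" understates what is required for the per-user scripts to be an access control at all. The skeleton above only loads modules and enables forwarding, and the FORWARD chain is left at its default ACCEPT policy, so a workstation that has not logged on still gets its packets forwarded, merely without NAT. The user scripts later in the file only add MASQUERADE/SNAT rules; they restrict nothing unless FORWARD (and the nat POSTROUTING default) deny by default. Say explicitly that the base firewall must set FORWARD to DROP and that the logon scripts then open holes, not the other way round. Also "this code actually does nothing, but load" should be "nothing but load".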
@ -215,8 +218,8 @@ path = /home/samba/samba
browseable = No
root preexec = /usr/local/bin/netlogon.sh &percnt;u
root postexec = /usr/local/bin/netlogoff.sh &percnt;u
</verb></p><p>You will have to make do with it or read the SAMBA documentation
if you really want to control your server and network.
</verb></p><p>You will have to do with it or read the SAMBA documentation if
you really want to control your server and network.
</p><sect2>The netlogon and the tracking shares
<p>The netlogon share is where the Windows workstations download
the logon script from. We need this share in order to place there
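Review bot: this hunk replaces the correct idiom "You will have to make do with it" with "You will have to do with it", which is not English. Revert that word change and keep only the line break; the sentence also reads better as "You will have to make do with this, or read the SAMBA documentation if you really want to control your server and network."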
@ -252,6 +255,8 @@ root postexec = /usr/local/bin/netlogoff.sh &percnt;u
the &percnt;u at the end of the lines. These scripts are the beasts
which will call a script or program to modify our gateway's packet
filtering rules.
</p><p>Note that the netlogon.sh script must check if the refered workstation
has already mounted the tracking share.
</p><p>Take a look at the netlogon.sh and netlogoff.sh scripts:
</p><p><verb>&num;!/bin/sh
&num;
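Review bot: the added sentence says netlogon.sh "must check if the refered workstation has already mounted the tracking share", but the netlogon.sh listed immediately below performs no such check: it reads the address file and dispatches unconditionally, so a second mount from the same workstation appends a duplicate rule (and netlogoff.sh would later remove only one copy). Either add the check to the script (for example, skip the dispatch when `/var/run/smbgate/$1` already holds the same address) or reword the sentence to say the scripts as shown do not handle this and point to the checklogout.sh alternative. Also "refered" → "referred".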
@ -268,10 +273,15 @@ IPTABLES='/usr/sbin/iptables'
EXTIF='eth0'
COMMAND='-A'
ADDRESS=`cat /var/run/smbgate/&dollar;1`
GROUP=`groups &dollar;1 | gawk '// &lcub; print &dollar;3 &rcub;'`
if &lsqb; -f /etc/smbgate/users/&dollar;1 &rsqb; ; then
/etc/smbgate/users/&dollar;1 &dollar;COMMAND &dollar;ADDRESS &dollar;EXTIF
else
/etc/smbgate/users/default.sh &dollar;COMMAND &dollar;ADDRESS &dollar;EXTIF
else
if &lsqb; -f /etc/smbgate/groups/&dollar;GROUP &rsqb; ; then
/etc/smbgate/groups/&dollar;GROUP &dollar;COMMAND &dollar;ADDRESS &dollar;EXTIF
else
/etc/smbgate/users/default.sh &dollar;COMMAND &dollar;ADDRESS &dollar;EXTIF
fi
fi
</verb></p><p>This script (netlogon.sh) is intended to run when the user logs
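Review bot: the new group lookup `GROUP=\`groups $1 | gawk '// { print $3 }'\`` takes a single whitespace-separated field of the groups output, so at most one group is ever consulted and which one depends on the output format of the groups implementation; the prose later admits this, but the code should at least document it, or iterate over the groups (`id -Gn $1`) and stop at the first with a script. Two smaller points: quote the expansions ("$1", "$ADDRESS"), since an empty ADDRESS (missing /var/run/smbgate file) currently yields `-s -o eth0` and an iptables parse error rather than a clear failure; and the nested `else if ... fi fi` is clearer as `elif`. This user/group/default dispatch is now pasted into netlogon.sh, netlogoff.sh and checklogout.sh, so consider a single shared script that the three call.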
@ -280,6 +290,13 @@ fi
file will take the user's name and will be later used when the user
log off. The address extracted will be passed as an argument to a
script with the users' name which will finally update the firewall.
</p><p>Notice that this netlogon.sh script tries a user script, then
if it can't find the user script it tries a group script, and finally
if it can't find the group script it tries the default.sh script.
You can modify this logic and behavior as you wish and need, just
remember to modify the others accordingly.
</p><p>Chances are if the user belong to more than one that these scripts
will fail. I did not have time to write a better code.
</p><p><verb>&num;!/bin/sh
&num;
&num; netlogoff.sh
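Review bot: "Chances are if the user belong to more than one that these scripts will fail" is missing a word and mis-describes the behaviour: the gawk in netlogon.sh prints one field, so with several groups the scripts do not fail, they silently consult only one group's script and ignore the others. Suggest "If the user belongs to more than one group, these scripts only consult one of them (the one in the third field of the groups output); adjust the lookup if you need more."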
@ -291,7 +308,16 @@ IPTABLES='/usr/sbin/iptables'
EXTIF='ppp0'
COMMAND='-D'
ADDRESS=`cat /var/run/smbgate/&dollar;1`
/etc/smbgate/users/&dollar;1 &dollar;COMMAND &dollar;ADDRESS &dollar;EXTIF
GROUP=`groups &dollar;1 | gawk '// &lcub; print &dollar;3 &rcub;'`
if &lsqb; -f /etc/smbgate/users/&dollar;1 &rsqb; ; then
/etc/smbgate/users/&dollar;1 &dollar;COMMAND &dollar;ADDRESS &dollar;EXTIF
else
if &lsqb; -f /etc/smbgate/groups/&dollar;GROUP &rsqb; ; then
/etc/smbgate/groups/&dollar;GROUP &dollar;COMMAND &dollar;ADDRESS &dollar;EXTIF
else
/etc/smbgate/users/default.sh &dollar;COMMAND &dollar;ADDRESS &dollar;EXTIF
fi
fi
rm -f /var/run/smbgate/&dollar;1
</verb></p><p>This script (netlogoff.sh) is intended to run when the user logs
off and will get the address from the /var/run/smbgate/user file
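Review bot: netlogoff.sh still has `EXTIF='ppp0'` while netlogon.sh above has `EXTIF='eth0'`. The user scripts build their rule from `-o $EXTIF`, so the `-D` issued at logoff will not match the rule that `-A` inserted at logon and the workstation's MASQUERADE/SNAT rule survives the logoff, which defeats the purpose of the gateway. Since this hunk already rewrites the body to mirror netlogon.sh, move EXTIF (and IPTABLES) into one shared settings file sourced by all three scripts, or at least make the two values agree. Also consider deleting the address file only if the `-D` succeeded, so a failed removal is not forgotten.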
@ -302,14 +328,13 @@ rm -f /var/run/smbgate/&dollar;1
share more than once per login. This may cause problems with the
netlogon.sh and netlogoff.sh, triggering the scripts more the once.
This can make a real mess. So, you may prefer to use a logout checking
script at cron instead of a netlogoff.sh script trigered by SAMBA.
script at cron instead of a netlogoff.sh script triggered by SAMBA.
Here is an example:
</p><p><verb>&num;!/bin/sh
&num; checklogout.sh
&num;
&num; usage:
&num; intended to run at cron
&num;
&num; intended to run at cron (maybe each 10 minutes)
TRACKDIR=&quot;/var/run/smbgate&quot;
DIRLENGTH=&dollar;&lcub;&num;TRACKDIR&rcub;
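Review bot: "(maybe each 10 minutes)" should read "(for example, every 10 minutes)", and the comment is the right place to state the consequence: with a cron-driven check, a workstation keeps its access for up to one cron interval after the share is unmounted, so the interval is a security parameter, not only a convenience.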
@ -325,10 +350,15 @@ if &lsqb; -d &dollar;TRACKDIR &rsqb;; then
NMS=`smbstatus -u &dollar;USERNAME | grep &dollar;TRACKSHARE | grep &dollar;IPADDRESS | grep -v grep | wc -l`
if &lsqb; &dollar;NMS == 0 &rsqb; ; then
rm -f &dollar;n
if &lsqb; -f /etc/smbgate/users/&dollar;1 &rsqb; ; then
/etc/smbgate/users/&dollar;1 &dollar;COMMAND &dollar;IPADDRESS &dollar;EXTIF
GROUP=`groups &dollar;USERNAME | gawk '// &lcub; print &dollar;3 &rcub;'`
if &lsqb; -f /etc/smbgate/users/&dollar;USERNAME &rsqb; ; then
/etc/smbgate/users/&dollar;USERNAME &dollar;COMMAND &dollar;IPADDRESS &dollar;EXTIF
else
/etc/smbgate/users/default.sh &dollar;COMMAND &dollar;IPADDRESS &dollar;EXTIF
if &lsqb; -f /etc/smbgate/groups/&dollar;GROUP &rsqb; ; then
/etc/smbgate/groups/&dollar;GROUP &dollar;COMMAND &dollar;IPADDRESS &dollar;EXTIF
else
/etc/smbgate/users/default.sh &dollar;COMMAND &dollar;IPADDRESS &dollar;EXTIF
fi
fi
fi
else
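Review bot: replacing `$1` with `$USERNAME` is the important fix here (under cron `$1` was always empty, so the user script was never found and every logout fell through to default.sh). Two remaining problems in the same block: `if [ $NMS == 0 ]` uses the bash-only `==` in a `#!/bin/sh` script, use `-eq`; and `grep $IPADDRESS` is unanchored with unescaped dots, so 10.0.0.1 also matches 10.0.0.10 through 10.0.0.19 and a user logged on from such an address keeps the stale entry alive. Use a fixed-string, word-bounded match (e.g. `grep -w -F "$IPADDRESS"`). The `grep -v grep` is a no-op on smbstatus output and can go.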
@ -381,9 +411,9 @@ exit 0
the domain name of your Linux server. This is essential to the gateway
work.
</p><p>You must know that in order to join some versions of Windows
to a SAMBA domain controller you must create machine accounts in
to a SAMBA domain controller, you must create machine accounts in
your Linux PDC. Check the SAMBA documentation on how to setup your
PDC to the specific version version of Windows which you have.
PDC to the specific version of Windows which you have.
</p><sect2>Windows 95/98
<p>These versions seems to need no special configuration to join
the Linux PDC domain.
@ -438,9 +468,60 @@ net use z: &bsol;&bsol;linux&bsol;samba /yes /persistent:no
to build integrated tools to solve this problem. So, I am using a
CGI program to get it done.
</p><p>Try the package at <url url="http://changepassword.sourceforge.net" name="http://changepassword.sourceforge.net">, it seems to be a good choice.
</p><sect1>Granting or denying access to users
<p>As you could see in a previous section of this howto, the SAMBA
daemon will call a netlogon.sh script every time the tracking share
is mounted. This netlogon.sh script will call a script with the user's
name giving this script the ip address of the refered workstation
as a parameter. This user script will apply the desired rules.
</p><p>For example if you want to give the user full access to internet:
</p><p><verb>&num;!/bin/sh
&num;
COMMAND=&dollar;1
ADDRESS=&dollar;2
EXTIF=&dollar;3
IPTABLES='/usr/sbin/iptables'
&dollar;IPTABLES &dollar;COMMAND POSTROUTING -t nat -s &dollar;ADDRESS -o &dollar;EXTIF -j MASQUERADE
</verb></p><p>If you don't want to change anything to a particular user, just
give him an empty script:
</p><p><verb>&num;/bin/sh
&num;
exit 0
</verb></p><p>Or just don't create any script for the less privileged users,
letting them have the default.sh script, which would be empty as
the previous or just give limited access as follows:
</p><p><verb>&num;!/bin/sh
&num;
COMMAND=&dollar;1
ADDRESS=&dollar;2
EXTIF=&dollar;3
EXTIFADDRESS=&dollar;4
IPTABLES='/usr/sbin/iptables'
&dollar;IPTABLES &dollar;COMMAND POSTROUTING -t nat -s &dollar;ADDRESS -o &dollar;EXTIF --dport 25 -j SNAT --to-source &dollar;EXTIFADDRESS
&dollar;IPTABLES &dollar;COMMAND POSTROUTING -t nat -s &dollar;ADDRESS -o &dollar;EXTIF --dport 110 -j SNAT --to-source &dollar;EXTIFADDRESS
</verb></p><p>Remember that this script requires you to modify all the previous
scripts to include the extra parameter ou just modify the script
script. And remember that you will go nowhere whis this howto if
you don't understand iptables.
</p><sect>Group management
<sect1>Creating groups
<p>Just create your user groups in the Linux PDC and add the users
to the groups. This is it.
</p><p>Remember that the example scripts in this howto will probably
fail if you have users belonging to more than one group. If you need
this, remember to adjust the scripts.
</p><sect1>Group policy
<p>You will need to define group specific scripts and place them
in the directory "/etc/smbgate/groups/". Remember that the script must
be named as the group, at least if you want to follow the examples
in this howto.
</p><p>The default scheme of this howto is to check for a user script,
then for a group script and finally for the default script. If you
want to modify this behavior remember to adapt the netlogon.sh, netlogoff.sh
(or the checklogout.sh) scripts. The whole logic is in these scripts.
</p><sect>Bibliography
<p><url url="http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html" name="IPTABLES TUTORIAL"> by Oskar Andreasson
</p><p><url url="http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html" name="Samba HOWTO Collection"> by the SAMBA Team
</p><p><url url="http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection.html" name="Samba HOWTO Collection"> by the SAMBA Team
</p><sect>GNU Free Documentation License
<p>GNU Free Documentation License Version 1.2, November 2002
</p><p>Copyright (C) 2000,2001,2002 Free Software Foundation, Inc. 59
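Review bot: the two new iptables rules in the "limited access" default script will not load: `--dport 25` and `--dport 110` require a protocol match, so each line needs `-p tcp` before `--dport` or iptables rejects the rule with "Unknown arg `--dport'", and a rejected rule here means the user silently gets nothing rather than limited access. The empty-script example also has `&num;/bin/sh` without the `!`, so it is not a valid shebang. In the closing paragraph fix "ou just modify the script script" → "or just modify the script", and "whis" → "with"; the sentence before it ("which would be empty as the previous or just give limited access as follows") needs rewording, e.g. "which can be empty like the previous one, or grant limited access as follows". Finally, default.sh lives under `/etc/smbgate/users/` where scripts are looked up by user name; a user named `default.sh` would shadow it, so give it its own location or note the restriction.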

View File

@ -9,11 +9,11 @@
<article>
<titlepag>
<title>Web Browsing Behind ISA Server HOWTO</title>
<author>by Raheel Abdul Hameed (<tt/raheel at NOspAMraheelhameed dot com/)</author>
<date>v1.0, 2003-05-01</date>
<author>by Raheel Abdul Hameed (<tt/raheel at raheelhameed dot com/)</author>
<date>v1.0, April 2003 - Initial Release, reviewed by LDP</date>
<abstract>
If you are using a Linux box connected to a Windows-based ISA server, this article will
help you in set things up so you can browse the web from your Linux
help you set things up so you can browse the web from your Linux
machine. I decided to write this article because I experienced similar issues, and
after some digging found some ways to web-enable my cute Linux machine. So here is this
article with the hope that you'll like it and find it useful. Any feedback will be
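Review bot: the date line loses its machine-readable form: "v1.0, 2003-05-01" becomes "v1.0, April 2003 - Initial Release, reviewed by LDP", which drops the day and mixes a revision note into the date field. Keep the ISO date (YYYY-MM-DD) in `<date>` and put "Initial release, reviewed by LDP" in a revision history or the abstract. Removing the "NOspAM" mangling from the author address is a deliberate choice, but note it publishes the plain address.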
@ -32,12 +32,12 @@ This section first discusses some legal matters, requisites, uses of this docume
<sect1>
<heading>Copyright</heading>
<p>
This document is Copyright 2003 by Raheel Abdul Hameed
This document is Copyright (c) 2003 by Raheel Abdul Hameed
<p>
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
<p>
For the full text of the license, please visit
<url url="http://www.gnu.org/copyleft/fdl.html" name="GNU Free Documentation License">
<url url="http://www.gnu.org/copyleft/fdl.html" name="GNU Free Documentation License">.
<sect1>
<heading>Disclaimer</heading>
@ -78,7 +78,7 @@ Some familiarity with ISA server configuration is also favorable, but not necess
<itemize>
<item> You have a Windows machine running ISA Server as a proxy
that connects to internet.
<item> You have a linux machine where you want to run your browser
<item> You have a Linux machine where you want to run your browser
to browse the web behind ISA Server proxy.
<item> You are sick of using Windows to browse the net.
<item> You are a complete nerd and read every HOWTO available.
@ -149,7 +149,7 @@ Some familiarity with ISA server configuration is also favorable, but not necess
<p>
As mentioned above, due to Integrated Authentication support configured on ISA
server, third party browsers do not work behind it. In this situation you can make use of
another authentication scheme called 'Basic Authentication,' commonly supported by
another authentication scheme called 'Basic Authentication', commonly supported by
most browsers and most importantly by ISA Server too. If you work in a security
conscious environment this method is not recommended since during basic
authentication, the username and password sent are loosely encrypted.
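Review bot: the punctuation fix is fine, but the unchanged sentence after it says that with Basic Authentication "the username and password sent are loosely encrypted". They are not encrypted at all: Basic Authentication base64-encodes `user:password`, which anyone on the path can decode. Since the paragraph is the security warning for this method, reword to "sent base64-encoded, i.e. effectively in clear text, on every request".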
@ -191,7 +191,7 @@ configuration console, then move on to the second method in the following sectio
Load up a test url in your browser, it will ask you for authentication information,
In place of user, type DOMAIN&bsol;USER, where your DOMAIN being the Windows domain,
and USER and legitimate USER your proxy recognises. In place of password, type the
and USER being a legitimate domain user. In place of password, type the
user's password. Click on OK to continue. For example:
<code>
@ -313,7 +313,7 @@ PASSWORD:your_nt_password
<item> Click on OK to apply your changes.
</itemize>
Load up a test url in your browser and you will see the web page load successfully. If you use a different browser
Load up a test url in your browser and you will see the web page loads successfully. If you use a different browser
then you will need to explore and see how you set it up to work with proxy.
</sect1>
</sect>
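Review bot: this change turns a correct sentence into an incorrect one: "you will see the web page load successfully" is right, "you will see the web page loads successfully" is not. Revert it; if the intent was a new sentence, use "and the web page will load successfully". Also "url" → "URL" in the same line.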
@ -334,6 +334,15 @@ PASSWORD:your_nt_password
<p> Python Home Page
<htmlurl name="www.python.org" url="http://www.python.org">
</sect1>
<sect1>
<heading>Appendix - B - Acknowledgments </heading>
<p>
<itemize>
<item> Special thanks to Tabatha Persad (tabatha AT merlinmonroe DOT com) for reviewing and fixing the grammatical, structural, spelling and markup mistakes in this document.
<item> Thanks to Greg Ferguson (gferg AT sgi DOT com), Joy Goodreau (joyg AT us DOT ibm DOT com) for their guidance on submitting this document.
<item> Thanks to Faisal Khatri (fslkhatri AT hotmail DOT com) for verifying the information in this document.
</itemize>
</sect1>
</sect>
</article>