Linux用winbind與AD認證 簡易版
(*註: 只在CentOS, Fedora 測試過, Redhat 9 以下沒測過)
很多人都希望自己的 Linux 可以與 AD 整合
不過目前看到的設定教學都需要設定很多檔案
一開始我也是看旗標出的「 Linux 與 Windows 共舞」
搞了很久才弄出來了
不過後來不小心弄出一個很簡易方法
順便重新整理之前回覆的 POST
假設 AD 環境如下
AD Domain 為 TW
AD Realm 為 TW.COMP.CORP
AD Controls (即 DC )為 192.168.1.1, 192.168.1.2 兩台
AD Time Server 在 192.168.1.1
1. 校時
與 AD 做認證 機器必須與 AD 的時間需一致
請安裝 ntp
執行 ntpdate 192.168.1.1. (請與 AD校時)
設定 /etc/ntpd.conf
加入 server 192.168.1.1
chkconfig ntpd on
service ntpd start
2. 請確定已經安裝 samba 及 samba-common
若如直接執行 yum install 或 rpm -ivh 等等
#yum install samba samba-common
3. 打 setup
#setup
選 Authentication configuration
進去選 Use Winbind 及 Use Winbind Authentication
再進去輸入你 AD 的 Information 即可
如果不要讓 user 登入 請選 /sbin/nologin 作為使用者的 logon shell
下面是參考
Security Model: (*) ads
Domain: TW
Domain Controllers: 192.168.1.1,192.168.1.2
ADS Realm: TW.TOPCOMP.CORP
Template Shell: (*) /bin/bash
接著再敲 Administartors 的帳號及密碼即可
你所做的設定最後會寫到
a. /etc/samba/smb.conf
b. /etc/krb5.conf
c. /var/kerberos/krb5kdc/kdc.conf
d. /etc/nssswitch.conf
最後請確認 winbind 有啟動之後就可以使用 AD account
chkconfig winbind on
server start winbind
(ps. smb 服務不需要,除非你要做分享檔案,否則也不用安裝 samba-server)
4. 測試
假設你有的帳號為 test 密碼為 test123
你可以用 TW/test 登入 密碼為 test123
ps. 軟體清單
krb5-libs
krb5-workstation
ntp
samba
samba-common
setuptool
Thursday, November 23, 2006
Wednesday, November 22, 2006
Squid and Media Player
acl wmp browser -i ^.*Windows-Media-Player.*
acl wmp browser -i ^.*NSPlayer.*
acl wmp browser -i ^.*player.*
acl umv rep_mime_type ^video/* ^audio/*
http_access deny wmp http_reply_access deny umv
acl WMP browser Windows-Media-Player/*
acl XMMS browser xmms/*
acl GATOR browser gator/*
acl MPLAYER browser MPlayer/*
acl NSPLAYER browser NSPlayer/*
acl QTIME browser QuickTime*/*
acl WINAMP browser Winamp/*
acl wmp browser -i ^.*NSPlayer.*
acl wmp browser -i ^.*player.*
acl umv rep_mime_type ^video/* ^audio/*
http_access deny wmp http_reply_access deny umv
acl WMP browser Windows-Media-Player/*
acl XMMS browser xmms/*
acl GATOR browser gator/*
acl MPLAYER browser MPlayer/*
acl NSPLAYER browser NSPlayer/*
acl QTIME browser QuickTime*/*
acl WINAMP browser Winamp/*
Tuesday, November 21, 2006
Squid and User Agent of MSIE
For secuirty issue, I need to limit the kind of browser.
Only IE can access Internet with squid proxy.
I use Mtracer to write the fallowing Regular Expression.
Mtracer is a Regular Expression Compose adn Test Tool.
^Mozilla/4.0.\(compatible;.MSIE.(5\.05\.015\.56\.0);.Windows.(98NT.5\.0NT.5\.1)(\);.DigExt\);.SV1\);.\.NET.CLR.1\.0\.3705\);.\.NET.CLR.1\.1\.4322\);.Q312461\);.SV1;.\.NET.CLR.1\.1\.4322\))
Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)
Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
User Agent Tools
http://www.104testing.com.tw/proxyTest.jsp
http://under-linux.org/forums/configuracao/87780-problemas-squidguard.html
Only IE can access Internet with squid proxy.
I use Mtracer to write the fallowing Regular Expression.
Mtracer is a Regular Expression Compose adn Test Tool.
^Mozilla/4.0.\(compatible;.MSIE.(5\.05\.015\.56\.0);.Windows.(98NT.5\.0NT.5\.1)(\);.DigExt\);.SV1\);.\.NET.CLR.1\.0\.3705\);.\.NET.CLR.1\.1\.4322\);.Q312461\);.SV1;.\.NET.CLR.1\.1\.4322\))
Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)
Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
User Agent Tools
http://www.104testing.com.tw/proxyTest.jsp
http://under-linux.org/forums/configuracao/87780-problemas-squidguard.html
Install Clamav on CentOS
1. Download clamav for CentOS
http://dag.wieers.com/packages/clamav/
Current Clamav for CentOS
http://dag.wieers.com/packages/clamav/clamav-0.88.6-1.el4.rf.i386.rpm
http://dag.wieers.com/packages/clamav/clamav-db-0.88.6-1.el4.rf.i386.rpm
http://dag.wieers.com/packages/clamav/clamd-0.88.6-1.el4.rf.i386.rpm
http://dag.wieers.com/packages/clamav/clamav-devel-0.88.6-1.el4.rf.i386.rpm
option ->
http://dag.wieers.com/packages/clamav/clamav-millter-0.88.6-1.el4.rf.i386.rpm
rpm -ivh clamav-0.88.6-1.el4.rf.i386.rpm clamav-db-0.88.6-1.el4.rf.i386.rpm \
clamav-devel-0.88.6-1.el4.rf.i386.rpm clamd-0.88.6-1.el4.rf.i386.rpm
2. start Clamav Service
/etc/rc.d/init.d/clamd start
3. update patten
freshclam
ps. dependencies rpms
curl-7.12.1-8.rhel4.i386.rpm
libidn-0.5.6-1.i386.rpm
http://dag.wieers.com/packages/clamav/
Current Clamav for CentOS
http://dag.wieers.com/packages/clamav/clamav-0.88.6-1.el4.rf.i386.rpm
http://dag.wieers.com/packages/clamav/clamav-db-0.88.6-1.el4.rf.i386.rpm
http://dag.wieers.com/packages/clamav/clamd-0.88.6-1.el4.rf.i386.rpm
http://dag.wieers.com/packages/clamav/clamav-devel-0.88.6-1.el4.rf.i386.rpm
option ->
http://dag.wieers.com/packages/clamav/clamav-millter-0.88.6-1.el4.rf.i386.rpm
rpm -ivh clamav-0.88.6-1.el4.rf.i386.rpm clamav-db-0.88.6-1.el4.rf.i386.rpm \
clamav-devel-0.88.6-1.el4.rf.i386.rpm clamd-0.88.6-1.el4.rf.i386.rpm
2. start Clamav Service
/etc/rc.d/init.d/clamd start
3. update patten
freshclam
ps. dependencies rpms
curl-7.12.1-8.rhel4.i386.rpm
libidn-0.5.6-1.i386.rpm
Friday, November 17, 2006
squidGuard 檔 webmail
喜歡使用 squidGuard 的朋友
可以參考下面的範例
http://staff.avonside.school.nz/cf/squidGuard2.tar.bz2
裡面 webmail 內容如下
這個範例 可能會誤檔很多 甚至連 mail.gif 之類也會被檔掉
另外 ssl webmail 無法使用 squidGuard 阻擋 請注意
((^|//)[-_.0-9a-zA-Z/]*)mail([-_.\?+=/_0-9])
([-_./0-9])mail
((^|//)[-_.0-9a-zA-Z/]*)pop3([-_.\?+=/_0-9])
([-_./0-9])pop3
((^|//)[-_.0-9a-zA-Z/]*)mailer([-_.\?+=/_0-9])
([-_./09])mailer
((^|//)[-_.0-9a-zA-Z/]*)freemail([-_.\?+=/_0-9])
([-_./0-9])freemail
((^||//)[-_.0-9a-zA-Z/]*)webmail([-_.\?+=/_0-9])
([-_./0-9])webmail
((^|//)[-_.0-9a-zA-Z/]*)email([-_.\?+=/_0-9])
([-_./0-9])email
login\.asp$
message\.cgi$
^217\.72\.193
^213\.165\.64
(pop3web|pop2web|pop2http|pop3http)
--------------------------------------------------
可以參考下面的範例
http://staff.avonside.school.nz/cf/squidGuard2.tar.bz2
裡面 webmail 內容如下
這個範例 可能會誤檔很多 甚至連 mail.gif 之類也會被檔掉
另外 ssl webmail 無法使用 squidGuard 阻擋 請注意
((^|//)[-_.0-9a-zA-Z/]*)mail([-_.\?+=/_0-9])
([-_./0-9])mail
((^|//)[-_.0-9a-zA-Z/]*)pop3([-_.\?+=/_0-9])
([-_./0-9])pop3
((^|//)[-_.0-9a-zA-Z/]*)mailer([-_.\?+=/_0-9])
([-_./09])mailer
((^|//)[-_.0-9a-zA-Z/]*)freemail([-_.\?+=/_0-9])
([-_./0-9])freemail
((^||//)[-_.0-9a-zA-Z/]*)webmail([-_.\?+=/_0-9])
([-_./0-9])webmail
((^|//)[-_.0-9a-zA-Z/]*)email([-_.\?+=/_0-9])
([-_./0-9])email
login\.asp$
message\.cgi$
^217\.72\.193
^213\.165\.64
(pop3web|pop2web|pop2http|pop3http)
--------------------------------------------------
[野人獻曝] squid block webmail exmaple - squid.conf
squid.conf
acl PASSWORD proxy_auth REQUIRED
acl GrpWebAccess external NT_global_group "/etc/squid/usergroup"
## block webmail
# 0. define non webmail sites which cotain some characteristics of webmail urls
acl goodsites dstdomain "/etc/squid/goodsites"
# 1. block domain contain mail
# http://*mail*.*/ or http://*.mail.*.*
acl webmail_domain url_regex -i ^.*mail\.*\./*
# 2. blcok webmail urlpath contain mail program
# ex. http://xxx.xxx.xxx/*mail*/
#acl webmail_urlpath urlpath_regex -i (/mail/|/.*mail/|/mail)$
# ex. http://xxx.xxx.xxx/*mail*(index|login|login/)
acl webmail_urlpath urlpath_regex -i mail.*(index|login|login/)$
# ex. http://xxx.xxx.xxx/..mail..(index|login).(asp|cgi|do|html?|jhtml|jsp|nsf|perl|php|pl|shtml|woa|?)
acl webmail_urlpath urlpath_regex -i mail.*(index|login)\.(asp|cgi|do|html\?|jhtml|jsp|nsf|perl|php|pl|shtml|woa|\?)
# for Horde imp -> http://../imp, http://../horde/imp, http://../horde/imp/login.php
# /imp maybe match other sites, we dont use
acl webmail_urlpath urlpath_regex -i [a-zA-Z0-9]/horde/imp
# for SquirrelMail -> http://../imp, http://../imp/src, http://../imp/src/login.php
acl webmail_urlpath urlpath_regex -i [a-zA-Z0-9]/imp/src[a-zA-Z0-9]
# combind Horde & SquirrelMail -> http://../imp/login.php
acl webmail_urlpath urlpath_regex -i ^.*/imp.*login\.php$
acl webmail_urlpath urlpath_regex -i ^.*/imp.*login\.php\?
# for MAC webmail
acl webmail_urlpath urlpath_regex -i webmail\.woa
3. block other ssl webmail domain
#acl sslwebmail url_regex -i "/etc/squid/sslwebmail"
http_access allow goodsites PASSWORD GrpWebAccess
http_access allow connect goodsites PASSWORD GrpWebAccess
http_access deny webmail_domain
http_access deny connect webmail_domain
http_access deny webmail_urlpath
deny_info ERR_WEBMAIL_ACCESS_DENIED webmail_domain
deny_info ERR_WEBMAIL_ACCESS_DENIED webmail_urlpath
這是我在公司為了檔 webmail 所寫的
大概可以檔掉不少網站 雖然會誤掉一些網站
但可以省下很多買 SurfControl 等之類的東西
這是我在公司為了檔 webmail 所寫的
大概可以檔掉不少網站 雖然會誤掉一些網站
但可以省下很多買 SurfControl 等之類的東西
大概說明一下
我是把 domain 和 url path 分開 block
另外 使用 ssl 的 webmail 需要另外 block
因為ssl 的網站對 proxy 來說 他只看到目的地 domain 不無法看到 url
而且 block ssl 的 webmail 要用 deny connect 喔
所以這也是為什麼會把 domain 和 url 分開 block
不想檔的網站就放在 goodsite 裡面
另外 regex 我不太會寫 寫的不好 請指教
也順便幫我改一下 謝謝
acl PASSWORD proxy_auth REQUIRED
acl GrpWebAccess external NT_global_group "/etc/squid/usergroup"
## block webmail
# 0. define non webmail sites which cotain some characteristics of webmail urls
acl goodsites dstdomain "/etc/squid/goodsites"
# 1. block domain contain mail
# http://*mail*.*/ or http://*.mail.*.*
acl webmail_domain url_regex -i ^.*mail\.*\./*
# 2. blcok webmail urlpath contain mail program
# ex. http://xxx.xxx.xxx/*mail*/
#acl webmail_urlpath urlpath_regex -i (/mail/|/.*mail/|/mail)$
# ex. http://xxx.xxx.xxx/*mail*(index|login|login/)
acl webmail_urlpath urlpath_regex -i mail.*(index|login|login/)$
# ex. http://xxx.xxx.xxx/..mail..(index|login).(asp|cgi|do|html?|jhtml|jsp|nsf|perl|php|pl|shtml|woa|?)
acl webmail_urlpath urlpath_regex -i mail.*(index|login)\.(asp|cgi|do|html\?|jhtml|jsp|nsf|perl|php|pl|shtml|woa|\?)
# for Horde imp -> http://../imp, http://../horde/imp, http://../horde/imp/login.php
# /imp maybe match other sites, we dont use
acl webmail_urlpath urlpath_regex -i [a-zA-Z0-9]/horde/imp
# for SquirrelMail -> http://../imp, http://../imp/src, http://../imp/src/login.php
acl webmail_urlpath urlpath_regex -i [a-zA-Z0-9]/imp/src[a-zA-Z0-9]
# combind Horde & SquirrelMail -> http://../imp/login.php
acl webmail_urlpath urlpath_regex -i ^.*/imp.*login\.php$
acl webmail_urlpath urlpath_regex -i ^.*/imp.*login\.php\?
# for MAC webmail
acl webmail_urlpath urlpath_regex -i webmail\.woa
3. block other ssl webmail domain
#acl sslwebmail url_regex -i "/etc/squid/sslwebmail"
http_access allow goodsites PASSWORD GrpWebAccess
http_access allow connect goodsites PASSWORD GrpWebAccess
http_access deny webmail_domain
http_access deny connect webmail_domain
http_access deny webmail_urlpath
deny_info ERR_WEBMAIL_ACCESS_DENIED webmail_domain
deny_info ERR_WEBMAIL_ACCESS_DENIED webmail_urlpath
這是我在公司為了檔 webmail 所寫的
大概可以檔掉不少網站 雖然會誤掉一些網站
但可以省下很多買 SurfControl 等之類的東西
這是我在公司為了檔 webmail 所寫的
大概可以檔掉不少網站 雖然會誤掉一些網站
但可以省下很多買 SurfControl 等之類的東西
大概說明一下
我是把 domain 和 url path 分開 block
另外 使用 ssl 的 webmail 需要另外 block
因為ssl 的網站對 proxy 來說 他只看到目的地 domain 不無法看到 url
而且 block ssl 的 webmail 要用 deny connect 喔
所以這也是為什麼會把 domain 和 url 分開 block
不想檔的網站就放在 goodsite 裡面
另外 regex 我不太會寫 寫的不好 請指教
也順便幫我改一下 謝謝
Sunday, July 30, 2006
Tuesday, July 18, 2006
procmail msql
http://pank.org/blog/archives/000882.html
http://mt.freebsd.org.hk/archives/000029.html
http://mt.freebsd.org.hk/archives/000029.html
Monday, July 17, 2006
php mail2db
#!/usr/local/bin/php -q
$fd = fopen("php://stdin","r");
while (!feof($fd)) {
$data = fgets($fd, 4096);
if ( eregi("^From:",$data) ) {
$email = eregi_replace( "From: ", "", $data);
$email = str_replace ("\n", "", "$email");
}
if ( eregi("^Subject:",$data) ) {
$subject = eregi_replace( "Subject: ", "", $data);
$subject = str_replace ("\n", "", "$subject");
}
if ( eregi("^Reply-To:",$data) ) {
$replyto = eregi_replace( "Reply-To: ", "", $data);
$replyto = str_replace ("\n", "", "$replyto");
}
if ( eregi("^To:",$data) ) {
$autoresponder = eregi_replace( "To: ", "", $data);
$autoresponder = eregi_replace( "<", "", $autoresponder); $autoresponder = eregi_replace( ">", "", $autoresponder);
$autoresponders = strstr($autoresponder, "@");
$id = str_replace ("$autoresponders", "", "$autoresponder");
}
$testdata = "$testdata$data";
}
fclose ($fd);
Sunday, July 09, 2006
二孔插座的火線與地線
一般家庭的電源插座為二孔,且有可能插座上的標示是錯的,
一般水線的洞比較大,火線的洞比較小,
但因為施工單位有時不會注意施工品質而亂放
不知道是火線還是地線,去買驗電筆來測
使用方式:手碰驗點筆"最末端的金屬",
前端插入插座內驗電筆會發光表示那個是火線(有電),
另一個則是地線了~~
一般水線的洞比較大,火線的洞比較小,
但因為施工單位有時不會注意施工品質而亂放
不知道是火線還是地線,去買驗電筆來測
使用方式:手碰驗點筆"最末端的金屬",
前端插入插座內驗電筆會發光表示那個是火線(有電),
另一個則是地線了~~
Subscribe to:
Posts (Atom)
