If you do not yet have Active Directory on your network, see how to set it up in the article: Installing Active Directory on Windows Server 2008 R2 Enterprise.
Environment used:
Proxy server:
CentOS 6.3 x86_64
IP: 10.106.0.252
Microsoft Active Directory server:
Windows Server 2008 R2 Enterprise
IP: 10.106.0.250
Domain: tidahora.com.br
Since this is only a test of the integration, we will create a few groups in AD. Nothing prevents you from using groups that already exist in your AD server. The advantage of dedicated groups is that user access control is defined correctly from the start.

Groups that need to be created in AD:

| Group Name | Users |
|---|---|
| internet-ti | IT department users |
| internet-board | Board (management) users |
| internet-trading | Commercial department users |
| internet-financial | Financial department users |

These names are what the Squid ACLs below look up through winbind, so they must match the groups created in AD.
1 Adjusting the server

Prepare the server with the script from the article Script to Set Initial Settings on CentOS. The script updates packages, adds the EPEL and RPMforge repositories, installs a few administration tools and adjusts root's bash profile. It also disables iptables and SELinux and reboots the host when it finishes, so read it (it is reproduced at the end of this page) before running it as root.

Download the file, rename it with a .sh extension and run it:

```
yum install -y wget
wget http://tidahora.com.br/arquivos/scripts/centos.txt
mv centos.txt centos.sh
chmod +x centos.sh
./centos.sh
```
2 Installing the required packages

```
yum install -y squid samba samba-client samba-common samba-winbind pam_krb5
```

The `wbinfo` and `ntlm_auth` commands used below are shipped in the samba-winbind-clients package on CentOS 6; install it as well if they are missing after this step.
3 Setting the startup programs

Now set the services to start at boot:

```
chkconfig squid on
chkconfig smb on
chkconfig nmb on
chkconfig winbind on
```
4 Configuring name resolution

The next step is to point /etc/resolv.conf at the AD server: the proxy must resolve the domain's SRV and host records through the domain controller's DNS for the Kerberos and Samba steps to work.

First back up the original file:

```
cp -Rfa /etc/resolv.conf{,.bkp}
```

Then edit it:

```
vi /etc/resolv.conf
```

```
search tidahora.com.br
nameserver 10.106.0.250
```

Running tests:

```
ping www.terra.com.br
PING www.terra.com.br (200.154.56.80) 56(84) bytes of data.
64 bytes from www.terra.com.br (200.154.56.80): icmp_seq=1 ttl=54 time=15.4 ms
64 bytes from www.terra.com.br (200.154.56.80): icmp_seq=2 ttl=54 time=12.3 ms
```

```
nslookup tidahora.com.br
Server:     10.106.0.250
Address:    10.106.0.250#53

Name:       tidahora.com.br
Address:    10.106.0.250
```

If `nslookup` is not available, install the bind-utils package.

Set the system time. Kerberos rejects authentication when the client's clock differs from the domain controller's by more than the allowed skew (5 minutes by default), so synchronise the clock before joining the domain:

```
ntpdate -u ntp.usp.br
```
5 Configuring Kerberos

The next step is to configure Kerberos, which is what `net ads join` and winbind use to authenticate the server against the domain controller.

Start by backing up the configuration file:

```
cp -Rfa /etc/krb5.conf{,.bkp}
```

Now edit the file:

```
vim /etc/krb5.conf
```

- krb5.conf

```
[libdefaults]
    default_realm = TIDAHORA.COM.BR
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    TIDAHORA.COM.BR = {
        kdc = 10.106.0.250
        admin_server = 10.106.0.250:749
        default_server = 10.106.0.250
    }

[domain_realm]
    .tidahora.com.br = TIDAHORA.COM.BR
    tidahora.com.br = TIDAHORA.COM.BR

[login]
    krb4_convert = true
    krb4_get_tickets = false

[kdc]
    profile = /etc/krb5kdc/kdc.conf

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
```

The realm name must be written in upper case and match the AD domain. The krb4 options are Kerberos 4 compatibility settings carried over from the template and are not used by AD; `default_server` is not a standard [realms] key and is ignored by the library. The settings that matter are `default_realm`, `kdc`, `admin_server` and the [domain_realm] mapping. If krb5-workstation is installed, `kinit administrator` followed by `klist` is a quick way to confirm that the realm and KDC settings work before going on to the Samba join.

Also raise the open-file limits:

```
vim /etc/security/limits.conf
```

Enter the information below at the end of the file (`mioutente` stands for the account the limit should apply to; replace it with the real user name):

```
root        hard    nofile    131072
root        soft    nofile    65536
mioutente   hard    nofile    32768
mioutente   soft    nofile    16384
```
6 Adjusting Samba

As always, start with a backup of the configuration file:

```
cp -Rfa /etc/samba/smb.conf{,.bkp}
```

Then replace the contents of the file with the configuration below:

```
vim /etc/samba/smb.conf
```

- smb.conf

```
[global]
    workgroup = TIDAHORA
    realm = TIDAHORA.COM.BR
    netbios name = CENTOS
    server string = CentOS Proxy Server
    security = ADS
    auth methods = winbind
    password server = 10.106.0.250
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    printcap name = cups
    disable spoolss = Yes
    local master = No
    domain master = No
    idmap uid = 10000-30000
    idmap gid = 10000-30000
    winbind cache time = 15
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
```

`security = ADS` together with `realm` makes the server authenticate as a domain member; `winbind use default domain = Yes` makes winbind return bare user and group names (johnny.ferreira instead of TIDAHORA\johnny.ferreira), which is the form the Squid rules below expect.

Back up /etc/nsswitch.conf:

```
cp /etc/nsswitch.conf{,.bkp}
```

The file /etc/nsswitch.conf controls where user and group lookups are resolved. Adjust the passwd and group lines so that winbind is consulted after the local files:

```
vim /etc/nsswitch.conf
```

```
[...]
passwd:     files winbind
shadow:     files
group:      files winbind
[...]
```

`ntlm_auth` talks to winbindd through its privileged pipe, which is only accessible to members of the `wbpriv` group, so the squid user must be added to that group:

```
gpasswd -a squid wbpriv
Adding user squid to group wbpriv
```

Starting the services:

```
/etc/init.d/nmb start
/etc/init.d/smb start
/etc/init.d/winbind start
```
7 Joining the server to the domain

The realm is taken from smb.conf; the account must be allowed to create computer objects in AD:

```
net ads join -U administrator
Enter administrator's password:   # enter the password of the AD administrator account
Using short domain name -- TIDAHORA
Joined 'CENTOS' to realm 'tidahora.com.br'
No DNS domain configured for centos. Unable to perform DNS Update.
DNS update failed!
```

The DNS warning only means that the host's own name has no domain part (it is `centos`, not `centos.tidahora.com.br`), so Samba could not register the machine in AD DNS; the join itself succeeded. After the join, restart the services:

```
/etc/init.d/smb restart
/etc/init.d/nmb restart
/etc/init.d/winbind restart
```

Let's see if the CentOS server is communicating properly with AD. `wbinfo -t` verifies the machine account's trust secret:

```
wbinfo -t
checking the trust secret for domain TIDAHORA via RPC calls succeeded
```

With `wbinfo -u` the AD users are displayed:

```
# wbinfo -u
administrator
guest
krbtgt
johnny.ferreira
jose.ferreira
marcia.ferreira
wilson.ferreira
```

With `wbinfo -g` the AD groups are displayed (the built-in groups appear in the language of the domain controller; shown here in English):

```
# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
internet-ti
internet-board
internet-trading
internet-financial
```
8 Configuring Squid

The next step is to configure Squid. Keep in mind when reading the http_access rules below that Squid evaluates them top to bottom and applies the first line whose ACLs all match, so order matters: the IT and board groups are allowed before the banned-sites check, the commercial and financial groups are allowed right after it, and the later lunch, blocked-sites, download and per-group site rules only ever apply to authenticated users who belong to none of the four groups.
Back up the configuration file:

```
cp -Rfa /etc/squid/squid.conf{,.bkp}
```

```
vim /etc/squid/squid.conf
```

- squid.conf

```
#############################################################################
## SQUID configuration file - with Active Directory authentication         ##
#############################################################################

# PORT ON WHICH SQUID LISTENS
http_port 3128

# MAXIMUM SIZE OF AN OBJECT TO BE STORED IN THE CACHE
maximum_object_size 4096 KB

# MINIMUM SIZE OF AN OBJECT TO BE STORED IN THE CACHE
minimum_object_size 0 KB

# MAXIMUM SIZE OF AN OBJECT TO BE KEPT IN THE MEMORY CACHE
maximum_object_size_in_memory 64 KB

# AMOUNT OF RAM ALLOCATED TO THE CACHE
cache_mem 60 MB

# IMPROVES PERFORMANCE ON PIPELINED (PARALLEL) CONNECTIONS
pipeline_prefetch on

# FQDN CACHE
fqdncache_size 1024

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# CACHE FILL THRESHOLDS (%)
cache_swap_low 90
cache_swap_high 95

# LOGS
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

# CACHE DIRECTORY
cache_dir ufs /var/spool/squid 100 16 256

# LOG ROTATION
logfile_rotate 10

# FILE WITH THE HOSTNAMES OF WORKSTATIONS OR SERVERS
hosts_file /etc/hosts

# HOSTS THAT DO NOT REQUIRE AUTHENTICATION
acl released src "/etc/squid/rules/released"
http_access allow released

# MAC ADDRESSES WITH DIRECT ACCESS
acl macliberado arp "/etc/squid/rules/mac_liberado"
http_access allow macliberado

# DEFAULT ACLs
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl localhost src 127.0.0.1/32
http_access allow localhost

# BLOCK ACCESS TO UNSAFE PORTS
http_access deny !Safe_ports

# Deny CONNECT to anything other than the secure SSL port
http_access deny CONNECT !SSL_ports

# SITES THAT WILL NOT BE CACHED
acl NOCACHE url_regex "/etc/squid/rules/direct" \?
no_cache deny NOCACHE

# Active Directory authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy server
auth_param basic credentialsttl 2 hours
external_acl_type ad_group ttl=600 %LOGIN /usr/lib64/squid/wbinfo_group.pl

#####################################################################################
# ACL NAME              TYPE      HELPER    AD GROUP NAME                           #
#####################################################################################
acl internet-ti         external  ad_group  internet-ti
acl internet-board      external  ad_group  internet-board
acl internet-trading    external  ad_group  internet-trading
acl internet-financial  external  ad_group  internet-financial

# ACLs - ALLOWED - BAN
acl downloads       urlpath_regex -i "/etc/squid/rules/downloads"
acl sites-released  url_regex -i "/etc/squid/rules/sites_liberados"
acl sites-banned    url_regex -i "/etc/squid/rules/sites_proibidos"
acl sites-blocked   url_regex -i "/etc/squid/rules/sites_bloqueados"

# ACLs - PER AD GROUP
acl sites-ti         url_regex -i "/etc/squid/rules/sites_ti"
acl sites-board      url_regex -i "/etc/squid/rules/sites_diretoria"
acl sites-commercial url_regex -i "/etc/squid/rules/sites_comercial"
acl sites-financial  url_regex -i "/etc/squid/rules/sites_financeiro"

# BLOCKED USERS
acl usuarios_bloqueados proxy_auth "/etc/squid/rules/usuarios_bloqueados"

# ACCESS RELEASED AT LUNCH TIME
acl lunch time MTWHFAS 12:00-13:00

# RULE THAT FORCES AUTHENTICATION
acl authenticated proxy_auth REQUIRED

# SITES THAT MAY BE ACCESSED AT LUNCH TIME
# EXAMPLES: SOCIAL NETWORKS, WEBMAIL, YOUTUBE, ETC.
acl sites-lunch url_regex -i "/etc/squid/rules/sites_almoco"

# ACCESS PERMISSIONS - IT AND BOARD GROUPS: UNRESTRICTED
http_access allow internet-ti
http_access allow internet-board

# DENY THE BANNED SITES, THEN RELEASE EVERYTHING ELSE TO THE COMMERCIAL AND FINANCIAL GROUPS
http_access deny sites-banned
http_access allow internet-trading
http_access allow internet-financial

# THE ORDER OF THE RULES MATTERS: FIRST MATCH WINS
http_access allow authenticated lunch sites-lunch
http_access deny sites-blocked
http_access deny downloads
http_access deny usuarios_bloqueados
http_access allow sites-ti sites-board
http_access allow sites-commercial sites-financial
http_access deny all
http_reply_access allow all
icp_access allow all
miss_access allow all

# NAME SHOWN ON SQUID'S ERROR AND BLOCK PAGES
visible_hostname proxy.tidahora.com.br

# DIRECTORY OF ERROR PAGES
error_directory /usr/share/squid/errors/en

# OTHER CACHE OPTIONS
cache_effective_user squid
#cache_effective_group squid
coredump_dir /var/spool/squid
```

A few points on this file. Several ACLs on one http_access line are ANDed, so `allow sites-ti sites-board` only allows a URL that appears in both lists; if either list should be enough, put each ACL on its own line. The NTLM helper lets domain-joined Windows browsers authenticate without prompting, while the Basic fallback sends the user's password base64-encoded on every request, so it should only be relied on inside a trusted network. Finally, squid.conf references /etc/squid/rules/sites_diretoria, which the rest of this page does not create; create it (it may be empty) together with the other rule files.
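To see how the rule order above plays out, here is an added example (my code, not part of the original page or of Squid) that replays Squid's first-match http_access evaluation over the rule set of this squid.conf against a handful of requests. The list contents are constructed excerpts of the files created later on this page, the logins ana.silva and maria.bloqueada are invented, the `time` ACL is simplified to a start-inclusive, end-exclusive HH:MM range on every day, and the `arp` rule is left out because the client MAC is not modelled.

```python
"""Replay Squid's first-match http_access evaluation for this page's rule set (added example)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# acl name -> (type, values), mirroring the acl lines of squid.conf. List contents are
# constructed excerpts; sites_diretoria is referenced by squid.conf but never created on the page.
ACLS = {
    "released":            ("src", ["10.106.0.1", "10.106.0.2", "10.106.0.3"]),
    "SSL_ports":           ("port", [(443, 443)]),
    "Safe_ports":          ("port", [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
                                     (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]),
    "CONNECT":             ("method", ["CONNECT"]),
    "internet-ti":         ("ad_group", ["internet-ti"]),
    "internet-board":      ("ad_group", ["internet-board"]),
    "internet-trading":    ("ad_group", ["internet-trading"]),
    "internet-financial":  ("ad_group", ["internet-financial"]),
    "downloads":           ("urlpath_regex", [r"\.avi$", r"\.mp3$", r"\.wmv$"]),
    "sites-banned":        ("url_regex", ["4shared", "orkut", "redtube", "youtube"]),
    "sites-blocked":       ("url_regex", ["facebook", "twitter", "globo.com", "wikipedia.org"]),
    "sites-ti":            ("url_regex", ["uol", "linux", "centos", "debian", "google"]),
    "sites-board":         ("url_regex", []),
    "sites-commercial":    ("url_regex", ["terra", "uol", "google", "globo", "g1"]),
    "sites-financial":     ("url_regex", ["bradesco", "bb", "itau", "hsbc", "caixa", "nfe"]),
    "usuarios_bloqueados": ("proxy_auth", ["maria.bloqueada"]),   # invented login for the demo
    "authenticated":       ("proxy_auth", ["REQUIRED"]),
    "lunch":               ("time", [("12:00", "13:00")]),
    "sites-lunch":         ("url_regex", ["facebook", "orkut", "twitter", "hotmail", "gmail"]),
    "all":                 ("src", None),                          # None = matches everything
}

# The http_access lines in squid.conf order ('!' negates; ACLs on one line are ANDed).
HTTP_ACCESS = [
    ("allow", ["released"]), ("allow", ["localhost"]) if False else ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["internet-ti"]), ("allow", ["internet-board"]),
    ("deny", ["sites-banned"]),
    ("allow", ["internet-trading"]), ("allow", ["internet-financial"]),
    ("allow", ["authenticated", "lunch", "sites-lunch"]),
    ("deny", ["sites-blocked"]), ("deny", ["downloads"]), ("deny", ["usuarios_bloqueados"]),
    ("allow", ["sites-ti", "sites-board"]),              # URL must be in BOTH lists
    ("allow", ["sites-commercial", "sites-financial"]),  # likewise
    ("deny", ["all"]),
]

@dataclass
class Request:
    src: str
    url: str                      # absolute URL, or host:port for CONNECT
    method: str = "GET"
    user: Optional[str] = None    # None = the browser has not sent credentials yet
    groups: Tuple[str, ...] = ()  # AD groups as wbinfo_group.pl would resolve them
    hhmm: str = "10:00"           # local time for the 'time' ACL

class AuthRequired(Exception):
    """Raised where Squid would send a 407 and challenge the browser for credentials."""

def split_url(url: str) -> Tuple[str, int, str]:
    """'scheme://host[:port]/path' or 'host:port' -> (host, port, path)."""
    m = re.match(r"^(?:(\w+)://)?([^/:]+)(?::(\d+))?(/.*)?$", url)
    assert m, f"unparseable URL: {url}"
    scheme, host, port, path = m.groups()
    port = int(port) if port else {"https": 443, "ftp": 21}.get(scheme, 80)
    return host, port, path or "/"

def acl_matches(name: str, req: Request) -> bool:
    kind, values = ACLS[name]
    _, port, path = split_url(req.url)
    if kind == "src":
        return values is None or req.src in values
    if kind == "port":
        return any(lo <= port <= hi for lo, hi in values)
    if kind == "method":
        return req.method in values
    if kind == "url_regex":
        return any(re.search(p, req.url, re.I) for p in values)
    if kind == "urlpath_regex":
        return any(re.search(p, path, re.I) for p in values)
    if kind == "time":
        return any(lo <= req.hhmm < hi for lo, hi in values)
    # proxy_auth and the %LOGIN external ACL cannot be evaluated without credentials.
    if req.user is None:
        raise AuthRequired(name)
    if kind == "ad_group":
        return any(g.lower() in {x.lower() for x in req.groups} for g in values)
    if kind == "proxy_auth":
        return values == ["REQUIRED"] or req.user in values
    raise ValueError(kind)

def decide(req: Request) -> Tuple[str, str]:
    """Walk http_access top to bottom; the first line whose ACLs all match decides.
    Squid's fallback is the opposite of the last rule; unreachable here as 'deny all' matches."""
    for action, acls in HTTP_ACCESS:
        rule = f"{action} {' '.join(acls)}"
        try:
            if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
                return action, rule
        except AuthRequired:
            return "auth_required", rule
    return "allow", "(default)"
```

Two results worth noticing: a financial-group user fetching `song.mp3` is allowed by `allow internet-financial` before `deny downloads` is ever reached, and a user in none of the four groups is denied Google at 10:00 because `allow sites-ti sites-board` requires the URL to be in both lists and sites_diretoria is empty.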
Also set the permissions for the squid user and create the directory that holds the lists read by the ACLs:

```
mkdir /etc/squid/rules
chown -R squid:squid /etc/squid/rules/
```

Now create the rule files. Here we create the file listing the IPs that will not be subject to blocking, that is, they get direct Internet access without authentication:

```
vim /etc/squid/rules/released
```

- released

```
# LIST OF IPs WITH DIRECT INTERNET ACCESS #
10.106.0.1
10.106.0.2
10.106.0.3
```

```
vim /etc/squid/rules/mac_liberado
```

- mac_liberado

```
# LIST OF MAC ADDRESSES WITH DIRECT INTERNET ACCESS #
01:ff:01:ff:01:ff    # EXAMPLE
```

Both of these bypass lists trust nothing more than a source IP or MAC address, which any machine on the local segment can set for itself, so keep them as short as possible. The `arp` ACL also only works for clients on the same network segment as the proxy, because MAC addresses are not visible across routers.
Next, the sites that must not be cached, which is widely used for banking sites:

```
vim /etc/squid/rules/direct
```

- direct

```
# LIST OF SITES THAT WILL NOT BE CACHED #
bb.com.br
itau.com.br
caixa.gov.br
```
Sites released at lunch time. Here you can release social networks, webmail, YouTube and so on: staff whose group otherwise blocks these sites get access to them during the lunch hour.

```
vim /etc/squid/rules/sites_almoco
```

- sites_almoco

```
# LIST OF SITES RELEASED AT LUNCH TIME #
facebook
orkut
twitter
hotmail
gmail
yahoo
globo
terra
uol
```

Blocked download extensions. These are matched with urlpath_regex against the URL path, so the dot is escaped and each pattern is anchored with `$` to the end of the path (a query string after the extension, as in file.mp3?x=1, would not match):

```
vim /etc/squid/rules/downloads
```

- downloads

```
# LIST OF BLOCKED EXTENSIONS #
\.avi$
\.bat$
\.cmd$
\.com$
\.divx$
\.mp2$
\.mp3$
\.mpe$
\.mpeg$
\.mpg$
\.mpga$
\.pif$
\.scr$
\.spm$
\.vbf$
\.vob$
\.vqf$
\.wav$
\.wma$
\.wmv$
\.wpm$
```
```
vim /etc/squid/rules/sites_liberados
```

- sites_liberados

```
# LIST OF SITES RELEASED TO ALL USERS #
tidahora.com.br
```

Note that squid.conf defines the `sites-released` ACL on this file but no http_access line uses it; add an `http_access allow sites-released` line where it fits your policy if the list is meant to have an effect.

```
vim /etc/squid/rules/sites_proibidos
```

- sites_proibidos

```
# LIST OF BANNED SITES #
041vip
4shared
abused
acervoamador
accompanying
amateur
lover
anal
nests
anus
arquivonet
arquivosex
upturned
broken into
baixaki
bangbus
batepapo
bizarre
cunt
doll
bronha
bruninha
pussy
ass
buttman
cabaret
panties
camerasex
cock
caricia
carlinha
chantily
checkip.dyndns.org
suck
classisex
climax
clitoris
cocota
curitibasexo
curitibastarnight
cwbvip
cybersex
delights
delicious
delirius
deliriusonline
easyroommate
ebuddy
ejaculates
erotic
eroticism
rape
fuck
hurricane
chickens
gang-bang
gangbang
gata
pussycats
gay
getmyip.co.uk
getmyip.org
hot
tasty
homosexual
hustler
idealcompany
juggworld
lolita
malice
marcinha
megaupload
molhadinhas
morango.ig
nymphet
ninfetinha
orgy
orkut
parperfeito
partypoker
penis
penthouse
pinto
playboy
porno
private
pubshop
bitch
redtube
revistabrazil
sandrinha
secret
seductive
sensual
fri
sexlive
sex
sexxxyvideo
sexy
sexyclube
shemale
swing
talk
teen
trafficconverter.biz
transvestites
tufts
virgen
youtube
zipmail
zoophilia
```
```
vim /etc/squid/rules/sites_bloqueados
```

- sites_bloqueados

```
# BLOCKED SITES: ONLY USERS OF THE BOARD GROUP MAY ACCESS THEM #
4shared
adorocinema
afterhour
altoagito
altosagitos
amazon
american
aoe
aondenamoro
nonpolar
atleticoparanaense
atleticopr
atoouefeito
attractive
atrativagames
aumentonatural
baixaki
batepapo
blog
blogdocebolinha
blogspot
blowjob
bluebell
bondedorole
brasilviagem
caiobafm
caixabranca
caixapreta
caixapretta
cartasdeamor
cartoon
chantily
cineplayers
cocemsuacasa
collider
comercioeletronico
corinthians
coritiba
corpoperfeito
cowboysdoasfalto
thigh
coxanautas
declaracaodeamor
ebuddy
facebook
facearfacebook
films
filmschoolrejects
fimdostempos
flogao
forumpcs
hurricane
furiajovem
fusion
football
chickens
games
globo.com
gonzagaaluguel
gravatar
guiademulher
guruweb
gvt
hartmannimoveis
humortadela
icq
idols
ig
imoveiscuritiba
imoveisportoseguro
imperioalviverde
investeloto
jovemnerd
jovempanfm
jpfm
jtavaresimoveis
judao
last.fm
latinoreview
lojadojardim
marisa
meebo
meebo.com
megaupload
mercadolibre
metal-archives
meucarronovo
morehate
death
mtv
music
myspace
dating
nokia
ofuxico
orkut
padrereginaldomanzotti
palms
parperfeito
pindavale
pontofrio
portal3.casasoft
portalnoivas
powerscrap
radio
rapidshare
samsung
shop
shopfácil
shopinvest
shoppingtotal
siemens
socarrao
sonic
sony
superdownload
talk
television
theology
theological
tim
timmusicstore
strips
tribal
twitter
upload.wikipedia.org
videolar
violence
virtua
live
vocoxa
webmotors
webnoivas
wiki
wikimedia
wikipedia.com.br
wikipedia.org
yahoo
youtube
zipmail
```

Entries in these url_regex lists are matched as regular expressions anywhere in the URL, so very short or generic keywords (`ig`, `tim`, `live`, `shop`, `wiki` here, `hot`, `sex`, `talk`, `private` in sites_proibidos) also block unrelated sites whose URLs happen to contain those letters. Anchor or qualify such entries, for example `\.ig\.com\.br` instead of `ig`, and check the Squid access log after deploying a list.
```
vim /etc/squid/rules/sites_comercial
```

- sites_comercial

```
# LIST OF SITES RELEASED TO USERS OF THE COMMERCIAL GROUP #
terra
uol
google
globo
g1
```

```
vim /etc/squid/rules/sites_ti
```

- sites_ti

```
# LIST OF SITES RELEASED TO USERS OF THE IT GROUP #
uol
technology
linux
windows
centos
debian
repository
php
facebook
orkut
hotmail
gmail
google
tidahora
wiki
```

```
vim /etc/squid/rules/sites_financeiro
```

- sites_financeiro

```
# LIST OF SITES RELEASED TO USERS OF THE FINANCIAL GROUP #
bradesco
bb
bancobrasil
itau
hsbc
caixa
tax
accounting
nfe
invoice
```
Finally, the users who must not have Internet access at all (one AD login per line):

```
vim /etc/squid/rules/usuarios_bloqueados
```

- usuarios_bloqueados

```
# LIST OF USERS BLOCKED FROM ACCESSING THE INTERNET #
# user
```

Create the cache directory structure before the first start:

```
squid -z
```
Let's check an AD user and the groups he belongs to. Getting the group IDs of the user 'johnny.ferreira':

```
# wbinfo --user-groups=johnny.ferreira
10000
10001
```

Now getting information about GID 10000:

```
# wbinfo --gid-info=10000
domain users:*:10000:
```

And about GID 10001:

```
# wbinfo --gid-info=10001
internet-ti:*:10001:johnny.ferreira
```

This was a check on a single user; the same can be done for every AD login. The GIDs fall inside the `idmap gid = 10000-30000` range configured in smb.conf, and the group name returned is the short name that the `ad_group` external ACL compares against.
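The group check that Squid delegates to wbinfo_group.pl rests on the same two wbinfo calls shown above. The added example below (my code, not the page's and not Samba's helper) implements that external ACL helper protocol in Python: Squid writes one `%LOGIN group` line per query on the helper's standard input and expects `OK` or `ERR` back, one reply per line. The wbinfo output is canned from what this page shows, extended with a constructed GID 10002 for internet-board and jose.ferreira's membership in it; stripping a DOMAIN\ or DOMAIN+ prefix from the login is my addition for browsers that send the domain along with the user name.

```python
"""Stand-in for Squid's wbinfo_group.pl external ACL helper: '%LOGIN group' -> 'OK' | 'ERR'."""
import subprocess
from typing import Callable, Dict, List, Set
from urllib.parse import unquote

# Canned wbinfo output, constructed from the checks shown on this page. GID 10002 and
# jose.ferreira's membership in internet-board are assumptions made for the demo.
CANNED: Dict[str, str] = {
    "--user-groups=johnny.ferreira": "10000\n10001\n",
    "--user-groups=jose.ferreira":   "10000\n10002\n",
    "--gid-info=10000": "domain users:*:10000:\n",
    "--gid-info=10001": "internet-ti:*:10001:johnny.ferreira\n",
    "--gid-info=10002": "internet-board:*:10002:jose.ferreira\n",
}

def fake_wbinfo(arg: str) -> str:
    """Offline stand-in for `wbinfo <arg>`; '' for unknown users/GIDs, like a failed lookup."""
    return CANNED.get(arg, "")

def real_wbinfo(arg: str) -> str:
    """Run the real wbinfo binary (for use on the proxy itself)."""
    proc = subprocess.run(["wbinfo", arg], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""

def group_name(gid_info_line: str) -> str:
    """'internet-ti:*:10001:johnny.ferreira' -> 'internet-ti' (group(5)-style record)."""
    return gid_info_line.split(":", 1)[0].strip().lower()

def groups_of(user: str, wbinfo: Callable[[str], str] = fake_wbinfo) -> Set[str]:
    """Resolve a user's AD groups: GIDs from --user-groups, names from --gid-info."""
    gids = [g for g in wbinfo(f"--user-groups={user}").split() if g.isdigit()]
    names: Set[str] = set()
    for gid in gids:
        info = wbinfo(f"--gid-info={gid}").strip()
        if info:
            names.add(group_name(info))
    return names

def normalise_login(login: str) -> str:
    """Undo Squid's %-encoding and drop a DOMAIN\\ or DOMAIN+ prefix (winbind use default domain)."""
    login = unquote(login)
    for sep in ("\\", "+"):
        if sep in login:
            login = login.rsplit(sep, 1)[1]
    return login.lower()

def handle_line(line: str, wbinfo: Callable[[str], str] = fake_wbinfo) -> str:
    """One external_acl_type query: '%LOGIN group' -> 'OK' or 'ERR'. Malformed lines get ERR."""
    parts = line.split()
    if len(parts) != 2:
        return "ERR"
    user, group = normalise_login(parts[0]), unquote(parts[1]).lower()
    return "OK" if group in groups_of(user, wbinfo) else "ERR"

def serve(lines: List[str], wbinfo: Callable[[str], str] = fake_wbinfo) -> List[str]:
    """Process a batch of queries the way the helper loop would, one reply per query."""
    return [handle_line(line, wbinfo) for line in lines]

if __name__ == "__main__":
    # Helper mode: Squid keeps the process alive and writes one query per line.
    import sys
    for query in sys.stdin:
        print(handle_line(query, real_wbinfo), flush=True)
```

The reply must be flushed after every line, because Squid waits for it before sending the next query; a helper that buffers its output hangs every request that needs the ACL. The lookup is done per query here, which is why squid.conf sets `ttl=600` on the external_acl_type so that Squid caches each user/group answer for ten minutes.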
Starting Squid:

```
/etc/init.d/squid start
Starting squid: .                                          [  OK  ]
```

Testing authentication against the AD server with a user's credentials:

```
# wbinfo -a johnny.ferreira
Enter johnny.ferreira's password:    # enter the user's AD password
plaintext password authentication succeeded
Enter johnny.ferreira's password:    # enter the user's AD password
challenge/response password authentication succeeded
```

Now test the helper that Squid itself calls for Basic authentication:

```
ntlm_auth --helper-protocol=squid-2.5-basic --domain=DOMAIN --username=USER --password=PASSWORD
```

Command output:

```
ntlm_auth --helper-protocol=squid-2.5-basic --domain=tidahora --username=johnny.ferreira --password=Password
NT_STATUS_OK: Success (0x0)
```

Passing `--password` on the command line leaves the password in the shell history and visible to other users in the process list; use this form only on a test box, or feed the helper the way Squid does, by writing `username password` on its standard input and reading back `OK` or `ERR`.

With a browser configured to use the proxy, we can now test the settings.
Let's test access with a user who belongs to the financial group.

User: wilson.ferreira

The browser asks for login and password.

Access to Google: works.

Access to Orkut and YouTube, sites that users of the financial group may not reach: blocked (both are in the sites_proibidos list, which is denied before the financial group is allowed).

Access to banking sites: works.

Now let's test with a user from the board group, which has free access to all sites.

Login: jose.ferreira

Access to news sites: works.

Access to download sites: works (the board group is allowed before the banned-sites and download rules are reached).

Squid integrated with Active Directory!

This is convenient for anyone who already has an AD server: there is no need to create another login and password just to access the Internet, and access control stays organised through the groups in AD.
source:

http://tidahora.com.br/arquivos/scripts/centos.txt (the 32- and 64-bit branches differ only in the repository package architecture and the gcc packages, so they are shown here as one function):

```
#!/bin/bash
#===============================================================================#
# LICENCE NOTE                                                                  #
#                                                                               #
# This work is licensed under a Creative Commons Attribution-ShareAlike 3.0     #
# Brazil licence. To see a copy of this licence, visit                          #
# http://creativecommons.org/licenses/by/3.0/br/ or send a letter to            #
# Creative Commons, 171 Second Street, Suite 300, San Francisco,                #
# California 94105, USA.                                                        #
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - #
# Created by: Johnny Ferreira dos Santos | johnny@tidahora.com.br on 19/06/2012 #
# Last change: 03/04/2013                                                       #
#===============================================================================#

## -- MAKE SURE WE ARE RUNNING AS ROOT -- ##
USUARIO=$(whoami)
if [ "${USUARIO}" != root ]; then
    echo "#-------------------------------------------------------------#"
    echo "# THIS SCRIPT MUST BE RUN AS THE ROOT USER                    #"
    echo "#-------------------------------------------------------------#"
    exit
fi

## -- SERVER SETUP, SHARED BY THE 32- AND 64-BIT BRANCHES -- ##
# $1 = rpm architecture (i686 / x86_64), $2 = EPEL directory (i386 / x86_64),
# $3 = extra packages (only the 64-bit branch installs gcc and gcc-c++).
configurar () {
    RPM_ARCH=$1; EPEL_ARCH=$2; EXTRA_PKGS=$3
    echo " ${VERSAO}"

    ## -- CHANGE THE MACHINE NAME -- ##
    echo "-------------------------------------------------------"
    echo " BACKING UP THE DEFAULT FILE. . ."
    cp -Rfa /etc/sysconfig/network{,.bkp}
    echo -n " ENTER THE DESIRED NAME FOR THE SERVER: "
    read nomemaquina
    cat << EOF > /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=$nomemaquina
EOF
    echo "-------------------------------------------------------"
    sleep 2

    ## -- SET THE DNS SERVERS (replaced again in step 4 of this page) -- ##
    echo "-------------------------------------------------------"
    echo " ADJUSTING DNS ON THE SERVER. . . "
    sleep 1
    cat << EOF > /etc/resolv.conf
nameserver 200.221.11.100
nameserver 200.221.11.101
EOF
    echo "-------------------------------------------------------"
    sleep 2

    ## -- DISABLE THE FIREWALL -- ##
    echo "-------------------------------------------------------"
    echo " DISABLING IPTABLES AND IP6TABLES. . ."
    sleep 2
    chkconfig --level 123456 iptables off
    chkconfig --level 123456 ip6tables off
    echo "-------------------------------------------------------"
    sleep 2

    ## -- DISABLE SELINUX -- ##
    echo "-------------------------------------------------------"
    echo " DISABLING SELINUX. . ."
    sleep 2
    echo " BACKING UP /ETC/SELINUX/CONFIG. . ."
    cp -Rfa /etc/selinux/config{,.bkp}
    echo " UPDATING THE FILE. . ."
    cat << EOF > /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing  - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled   - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls      - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
    echo "-------------------------------------------------------"
    sleep 2

    ## -- UPDATE AND ADD REPOSITORIES -- ##
    echo "-------------------------------------------------------"
    echo " UPDATING. . ."
    yum -y update
    echo " INSTALLING THE RPMFORGE REPOSITORY. . ."
    rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.${RPM_ARCH}.rpm
    echo " PLEASE WAIT. . ."
    sleep 2
    echo " INSTALLING THE EPEL REPOSITORY. . ."
    rpm -Uvh http://fedora.uib.no/epel/6/${EPEL_ARCH}/epel-release-6-8.noarch.rpm
    echo " PLEASE WAIT. . ."
    sleep 2
    echo "-------------------------------------------------------"

    ## -- REFRESH YUM -- ##
    echo "-------------------------------------------------------"
    echo " CLEANING THE YUM CACHE. . ."
    yum clean all
    sleep 2
    echo " UPDATING WITH THE EPEL AND RPMFORGE REPOSITORIES. . ."
    yum -y update
    sleep 2
    echo "-------------------------------------------------------"

    ## -- INSTALL SOME PROGRAMS FOR USING THE SERVER -- ##
    echo "-------------------------------------------------------"
    echo " INSTALLING THE PROGRAMS NEEDED TO ADMINISTER AND USE THE SERVER. . ."
    yum -y install htop openssh-server openssh-clients wget make nmap traceroute vim-enhanced ${EXTRA_PKGS}
    echo " INSTALLATION OK. . ."
    echo "-------------------------------------------------------"

    ## -- CONFIGURE ROOT'S BASHRC -- ##
    echo "-------------------------------------------------------"
    echo " BACKING UP THE BASHRC FILE. . ."
    cp -Rfa /root/.bashrc{,.bkp}
    echo " CONFIGURING THE ROOT USER PROFILE. . ."
    cat << 'EOF' > /root/.bashrc
# .bashrc
# User specific aliases and functions
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias ls='ls --color'
alias vi='vim'
export PS1='\[\033[01;31m\][\[\033[01;37m\]\t\[\033[01;31m\]] \[\033[01;32m\]\u\[\033[01;31m\]@\[\033[01;32m\]\h \[\033[01;31m\][\[\033[01;33m\]\w\[\033[01;31m\]] \[\033[01;37m\]# \[\033[00m\]'
# Source global definitions
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi
EOF
    echo " CONFIGURED OK. . ."
    echo "-------------------------------------------------------"
    sleep 2

    ## -- FINISHING THE SCRIPT -- ##
    echo "-------------------------------------------------------"
    echo " REBOOTING THE SERVER. . ."
    sleep 3
    init 6
    echo "-------------------------------------------------------"
    exit
}

## -- MAIN MENU -- ##
menu () {
    while true
    do
        VERSAO=`cat /etc/redhat-release`
        echo "##---------------------------------------------------------------##"
        echo " THE SCRIPT IS CHECKING WHICH CENTOS VERSION YOU ARE RUNNING. . ."
        echo " PLEASE WAIT . . ."
        sleep 1; echo -n "."; sleep 1; echo -n "."; sleep 1; echo "."
        echo " YOU ARE RUNNING         = ${VERSAO}"
        echo " HARDWARE ARCHITECTURE   = $(uname -m)"
        echo " CONFIRM YOUR VERSION FROM THE MENU BELOW:"
        echo "##---------------------------------------------------------------## "
        echo " CENTOS 6 - 32 BIT - TYPE '1': "
        echo " CENTOS 6 - 64 BIT - TYPE '2': "
        echo " QUIT              - TYPE '3': "
        echo "##---------------------------------------------------------------## "
        echo -n "TYPE YOUR OPTION HERE: "
        read a
        case $a in
            3) clear; echo "LEAVING THE SCRIPT. . ."; sleep 2; exit;;
            1) configurar i686 i386 "";;                  # CENTOS 6 - 32 BIT
            2) configurar x86_64 x86_64 "gcc gcc-c++";;   # CENTOS 6 - 64 BIT
        esac
    done
}
menu
```

http://tidahora.com.br/wiki/doku.php?id=servidor_proxy_com_autenticacao_no_ad_com_centos_6.3