Дело такое. Не получается настроить ntlm аутентификацию доменных пользователей на прокси. Всегда в любом браузере выскакивает окно с запросом логина/пароля. При basic все работает нормально.
Перепробовал много чего, ничего не помогает.
Мои конфиги:
/etc/samba/smb.conf
[global]
workgroup = MYDOM
realm = MYDOM.COM
server string = PROXY
log file = /var/log/samba/log.%m
max log size = 50
log level = 0 winbind:9
security = ads
encrypt passwords = true
domain master = No
local master = No
preferred master = no
os level = 0
domain logons = no
max log size = 1000
load printers = No
log level = 0 winbind:4
show add printer wizard = No
idmap config * : range = 10000-20000
idmap config * : backend = tdb
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = yes
winbind refresh tickets = yes
inherit acls = Yes
inherit owner = Yes
case sensitive = No
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krbkdc.log
admin_server = FILE:/var/log/ksadmind.log
[libdefaults]
default_realm = MYDOM.COM
dns_lookup_kdc = true
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
MYDOM.COM = {
kdc = adc
kdc = bdc
admin_server = adc
default_domain = MYDOM.COM
}
[domain_realm]
.mydom.com = MYDOM.COM
mydom.com = MYDOM.COM
[login]
krb4_convert = false
krb4_get_tickets = false
/etc/squid3/squid3.conf
forwarded_for off
http_port 3128
cache_effective_user proxy
cache_effective_group proxy
#cache
cache_mem 512 MB
maximum_object_size 5 MB
cache_dir aufs /var/spool/squid3 20000 32 256
#logs
access_log /var/log/squid3/access.log squid
cache_store_log /var/log/squid3/cache.log
acl manager proto cache_object
#no cache
hierarchy_stoplist cgi-bin ?
acl NoCache urlpath_regex cgi-bin \?
cache deny NoCache
#refresh
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#auth
auth_param ntlm program /usr/bin/ntlm_auth --debug-level=9 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 40
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 4
auth_param basic credentialsttl 2 hour
authenticate_cache_garbage_interval 1 hour
external_acl_type nt_group ttl=120 %LOGIN /usr/lib/squid3/wbinfo_group.pl
#acl по пользователям
acl InetFullAccess external nt_group MYDOM\InetFullAccess
acl MYDOM proxy_auth REQUIRED
acl CONNECT method CONNECT
# acl по портам
acl SSL_ports port 443 563
acl safe_ports port 80 # http
acl safe_ports port 21 # ftp
acl safe_ports port 443 # ssl
acl safe_ports port 110 # pop3
acl ICQ_ports port 5190 443 # ICQ
###ДОСТУП###
http_access allow manager localhost
http_access deny manager
http_access allow MYDOM allow_all
# Разрешаем доступ InetFullAccess пользователям без ограничений
http_access allow InetFullAccess all
#########
http_access deny deny_domains
http_access deny CONNECT !SSL_ports
http_access deny !safe_ports
http_access deny all
wbinfo -t
wbinfo -p
Говорят, что все хорошо.
wbinfo -u
wbinfo -g
Выдают нужные списки
проверка пользователя из командной строки /usr/bin/ntlm_auth тоже проходит успешо
Тема: Squid + ntlm (Прочитано 603 раз)
