Добрый день. Настроил связку Squid + AD. Вроде бы всё работает: пользователей пускает в интернет, блокирует социальные сети, но потребовалось мне теперь добавить доступ по группам из AD. Допустим, группе white из AD разрешить ходить в социалки. Настраиваю как по мануалу — и нифига не работает. Упорно требует логин и пароль... Голову ломаю уже неделю, вот решил сюда написать, может, кто поможет.
squid.conf
# squid.conf — Squid 3.x forward proxy authenticating against AD through Samba winbind.
# Authentication helpers: both are Samba's ntlm_auth, which hands credentials to winbindd.
# NOTE(review): ntlm_auth must be able to reach winbindd's privileged pipe (on Debian-style
# installs that typically means the Squid runtime user is a member of the winbindd_priv group).
# A helper that cannot reach it fails every attempt, which the browser shows as a repeated
# password prompt — confirm by running the helper by hand as the Squid user.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
# Basic fallback for clients that cannot do NTLM; the password travels in clear text over the
# client-to-proxy connection.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
# How long a verified Basic username/password pair is cached before being re-checked.
auth_param basic credentialsttl 2 hours
# Group lookup in AD: the helper gets the authenticated login (%LOGIN) plus the group name
# from the acl line, answers OK/ERR, and Squid caches the answer for 15 seconds.
# Because %LOGIN is required, any http_access line that references this ACL forces an
# authentication challenge for a client that has not authenticated yet.
external_acl_type white ttl=15 %LOGIN /usr/lib/squid3/wbinfo_group.pl
# ACL definitions
acl manager proto cache_object
acl localhost src 127.0.0.1/32
# Defined but not referenced by any http_access line below (the stock config pairs it with
# "http_access deny to_localhost").
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.10.8.0/21
acl localnet src 192.168.0.0/20
acl SSL_ports port 443
# Only 8080, 80, 21 and 443 pass the Safe_ports check; narrower than the Squid default list.
acl Safe_ports port 8080
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl CONNECT method CONNECT
# Marks a request as needing proxy authentication.
# NOTE(review): this ACL is never used in an http_access line, so nothing in this file requires
# authentication by itself; only the "white" external ACL triggers a credential challenge.
acl NTLM proxy_auth REQUIRED
acl block dstdomain "/etc/squid3/block.acl"
# Group-membership check; the text after the type name is passed to the helper as the group.
# NOTE(review): whether the helper expects "MYDOMAIN\white" or plain "white" depends on the
# helper and on winbind settings — confirm by feeding it "login group" pairs on stdin by hand.
acl white external white MYDOMAIN\white
# Squid access log (note: a different directory than cache_log/cache_store_log below).
access_log /var/log/squid/access.log
# http_access rules — evaluated top to bottom, first matching line decides.
# Blocked domains are allowed only for members of "white". Evaluating "white" needs a login,
# so every client, including unauthenticated localnet clients, gets a 407 challenge on the first
# request to a blocked domain. When the helper then answers ERR (user not a member, or the
# group/SID lookup failing on the winbind side), Squid re-issues the challenge rather than
# returning a plain 403, because the last ACL on this deny line is authentication-related — to
# the user that looks like an endless password prompt. Appending "all" as the final ACL of this
# line is the usual way to get a definite 403 for non-members; check cache.log for helper errors
# first. Non-blocked traffic from localnet is never authenticated (see "allow localnet" below),
# so access.log identifies those clients by source IP only.
http_access deny block !white
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
# Address and port Squid listens on (bound to one interface, not 0.0.0.0).
http_port 10.10.10.125:8080
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0 0
refresh_pattern . 0 20 4320
# Prefer IPv4 DNS answers first
dns_v4_first on
# Disk cache: 32 GB ufs store with 16x256 directories.
cache_dir ufs /var/cache/squid 32768 16 256
cache_log /var/log/squid3/cache.log
cache_mem 2048 MB
# NOTE(review): 64 KB is far below the 16 MB in-memory ceiling on the next line — confirm
# this ordering of limits is intended.
maximum_object_size 64 KB
maximum_object_size_in_memory 16 MB
minimum_object_size 0 KB
# Contact address shown on error pages.
cache_mgr admin@mydomain.net
cache_replacement_policy lru
memory_replacement_policy heap LFUDA
cache_store_log /var/log/squid3/store.log
# Start evicting at 95% swap usage, stop at 90%.
cache_swap_high 95
cache_swap_low 90
# Upper bound on how long one client connection may stay open.
client_lifetime 1 hours
connect_timeout 2 minutes
# Localised (cp1251) error pages.
error_directory /usr/share/squid3/errors/Russian-1251
ftp_passive on
По команде wbinfo -u отображаются пользователи.
По команде wbinfo -g отображаются группы.
По команде wbinfo -t говорит «RPC calls succeeded».
smb.conf
# smb.conf — Samba as an AD domain member (security = ADS). The winbindd started from this
# configuration is what Squid's ntlm_auth and wbinfo_group.pl helpers talk to.
[global]
workgroup = MYDOMAIN
# Local SAM for accounts defined on this host; domain accounts come from AD via winbind.
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
# Logins with an unknown user name are mapped to the guest account instead of rejected; wrong
# passwords for existing users are still refused. Affects only the file/print shares below,
# not proxy authentication.
map to guest = Bad User
include = /etc/samba/dhcp.conf
# Roaming-profile paths handed to Windows clients (%L = this server, %U = user name).
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
# Kerberos realm / AD domain this host is joined to (matches default_realm in krb5.conf).
realm = MYDOMAIN.NET
security = ADS
template homedir = /home/%D/%U
winbind refresh tickets = yes
# Seconds winbind caches user/group lookups. Squid's external ACL uses the same 15 s ttl, so
# a group-membership change can take up to ~30 s to be reflected in proxy decisions.
winbind cache time = 15
# NOTE(review): no "idmap config" or "winbind use default domain" lines are visible here. The
# SID-to-GID translation the stock group helper relies on, and whether the login reaches it as
# "MYDOMAIN\user" or plain "user", both depend on such settings — confirm they are provided by
# the included file or are intentionally left at defaults.
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
# Writable share over all of /home with no "valid users" restriction; access is bounded only by
# the filesystem permissions (plus the guest mapping above).
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
# Hides these names from directory listings on this share.
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
# Only the ntadmin group and root may upload drivers.
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
krb5.conf
# krb5.conf — Kerberos client settings used for the Samba domain join and winbind tickets.
[libdefaults]
default_realm = MYDOMAIN.NET
[realms]
# A single KDC given by IP address: no fallback if that domain controller is down, and the file
# has to change when the DC moves — confirm this is intended rather than DNS-based discovery.
MYDOMAIN.NET = {
kdc = 10.10.10.50
}
[logging]
# "kdc" applies only if this host runs a KDC; "default" is what the client libraries use.
kdc = FILE:/var/log/krb5/krb5kdc.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
# Maps host names under mydomain.net to the realm. The leading dot matches hosts within the
# domain only; the bare name "mydomain.net" itself is not covered by this line — add a second
# entry without the dot if that name must resolve too.
.mydomain.net = MYDOMAIN.NET
nsswitch.conf
# nsswitch.conf — name-service lookup order for this host.
# NOTE(review): passwd/group use only "compat" (local files), so domain users and groups are
# not visible through the NSS API (getpwnam/getgrnam, "getent"). wbinfo queries winbindd
# directly and does not need NSS, which is why wbinfo -u/-g work regardless; anything that
# resolves names through NSS would need "winbind" appended here — confirm whether the group
# helper in use relies on that.
passwd: compat
group: compat
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
# "nis" is consulted for netgroup and automount; with no NIS server bound these lookups just
# fall through (possibly after a delay) — harmless, but worth confirming it is deliberate.
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files