Итак, всем здравствуйте
стоит задача — подружить Squid с доменом Windows Server 2012 R2 (в домене сделал две группы: internet-admin и internet-users)
ставлю по этому мануалу
https://blog.it-kb.ru/2014/06/26/forward-proxy-squid-3-3-on-ubuntu-server-14-04-lts-part-5-squid-conf-settings-for-kerberos-ntlm-basic-and-access-rules/ — далее по порядку
Что есть?
Ubuntu
Linux S76-PROXY 3.19.0-61-generic #69~14.04.1-Ubuntu SMP Thu Jun 9 09:09:13 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
сам сквид
Squid Cache: Version 3.3.8
(Ubuntu)
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security'
root@
Самба
root@S76-PROXY:/etc/squid3# samba -V
Version 4.3.9-Ubuntu
Что сделал?
На контроллере домена сделал keytab-файл, настроил krb5.conf:
# krb5.conf on the Squid host: MIT Kerberos client configuration for realm YAR.LOCAL.
# The proxy's service keytab is referenced through default_keytab_name below.
[libdefaults]
default_realm = YAR.LOCAL
# NOTE(review): Squid's helpers run as the cache effective user (presumably "proxy", per the build's
# --with-default-user), so this keytab must be readable by that user. A keytab the helper cannot open
# is one common cause of the "gss_accept_sec_context() failed" errors seen in cache.log — check mode/owner.
default_keytab_name = /etc/squid3/squid3.keytab
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# NOTE(review): des-cbc-crc / des-cbc-md5 are single-DES enctypes; current AD domain controllers
# typically have DES disabled, so listing them here adds only downgrade exposure. Consider keeping
# aes256-cts-hmac-sha1-96 (and rc4-hmac only for as long as the keytab / DC still need it).
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
# (Kerberos v4 compatibility settings — per the line above they are Heimdal-only, so this is
# effectively dead configuration under MIT Kerberos.)
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
YAR.LOCAL = {
kdc = s76dc01.yar.local
kdc = s76dc02.yar.local
# NOTE(review): admin_server carries the suffix yarvet.local while both kdc entries use yar.local —
# confirm which hostname is correct (the basic_ldap_auth -h in squid.conf also says yarvet.local).
admin_server = s76dc01.yarvet.local
default_domain = YAR.LOCAL
}
# map the DNS domain (and all sub-names) to the realm
[domain_realm]
.yar.local = YAR.LOCAL
yar.local = YAR.LOCAL
[login]
krb4_convert = false
krb4_get_tickets = false
При выполнении команды kinit -kV -p HTTP/s76-proxy билет получаю без ошибок (все огонь)
конфиг самбы прилагается
# smb.conf on the proxy: AD domain member (security = ADS) of realm YAR.LOCAL.
# winbind from this setup provides the ntlm_auth helper that squid.conf uses for NTLM / Negotiate fallback.
netbios name = s76-proxy
workgroup = YAR
realm = YAR.LOCAL
security = ADS
encrypt passwords = yes
# Just the important ones
dns proxy = no
socket options = TCP_NODELAY
# bind only to the proxy LAN (the Squid listener address 10.42.60.23 in squid.conf is in this range)
interfaces = 10.42.60.0/24
bind interfaces only = yes
domain master = no
# NOTE(review): the next two lines repeat 'socket options' and 'domain master' already set above —
# redundant (the later value takes effect); drop one copy to avoid confusion.
socket options = TCP_NODELAY
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
# no print services on a proxy host
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
# NOTE(review): the default ('*') tdb range and the YAR rid range are identical (10000-20000).
# Samba documents that idmap ranges must not overlap — verify winbind is not logging an idmap error.
idmap config * : range = 10000-20000
idmap config * : backend = tdb
idmap config YAR:backend = rid
idmap config YAR:range = 10000-20000
winbind nss info = rfc2307
winbind enum groups = yes
winbind enum users = yes
# users appear without the YAR\ prefix (matches the realm stripping done in the Squid helpers)
winbind use default domain = yes
template shell = /bin/bash
wbinfo работает отлично, к домену машина присоединилась без ошибок.
далее переходим к конфигу сквида
# squid.conf (Squid 3.3.8, Ubuntu): AD-integrated authentication — Negotiate (Kerberos, with NTLM
# fallback through the wrapper), plain NTLM, and Basic/LDAP as last resort; authorization by AD group.
#
# NOTE(review): -s pins the accepted service principal to HTTP/s76-proxy@YAR.LOCAL, but browsers
# configured with the FQDN s76-proxy.yar.local request a ticket for HTTP/s76-proxy.yar.local@YAR.LOCAL.
# kinit was only verified for the short name HTTP/s76-proxy; if the keytab lacks the FQDN SPN
# (check with 'klist -k /etc/squid3/squid3.keytab'), the helper fails with exactly the
# gss_accept_sec_context() error seen in cache.log. The helper must also locate the keytab
# (default_keytab_name in krb5.conf, or KRB5_KTNAME in the helper's environment) and be able to
# read it as the proxy user. -r strips the realm from the returned user name.
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib/squid3/negotiate_kerberos_auth -r -s HTTP/s76-proxy@YAR.LOCAL
auth_param negotiate children 200 startup=50 idle=10
auth_param negotiate keep_alive off
# NTLM-only fallback through winbind's ntlm_auth (the proxy user presumably needs access to
# winbind's privileged pipe for this — verify if NTLM logins fail)
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100 startup=20 idle=5
auth_param ntlm keep_alive off
# Basic auth: the browser sends user name and password to the proxy in cleartext (plain http_port,
# no TLS), so this should stay a last-resort fallback. Bind DN test@yar.local, bind password read
# from the -W file — keep that file readable only by the proxy user.
# NOTE(review): -h here is s76dc01.yarvet.local while the group helper below uses s76dc01.yar.local —
# confirm which is the real DC name.
auth_param basic program /usr/lib/squid3/basic_ldap_auth -v 3 -P -R -b "DC=yar,DC=local" -D test@yar.local -W /etc/squid3/pass_ldap.conf -f sAMAccountName=%s -h s76dc01.yarvet.local
auth_param basic children 20
auth_param basic realm "SQUID Proxy Server Basic authentication!"
auth_param basic credentialsttl 2 hours
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
#
# LDAP authorization
# Group membership lookup with the nested-group matching rule (1.2.840.113556.1.4.1941) on memberOf;
# -K strips the Kerberos realm from the login name before it is substituted as %v, and %LOGIN makes the
# lookup require an authenticated user. The cache.log warning "LDAP search error 'Can't contact LDAP
# server'" comes from this helper: it could not connect to / bind against -h s76dc01.yar.local — check DNS
# resolution and TCP/389 reachability from the proxy host, plus the bind account and its password file.
external_acl_type memberof ttl=3600 ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -v 3 -P -R -K -b "dc=yar,dc=local" -D test@yar.local -W /etc/squid3/pass_ldap.conf -f "(&(objectclass=person)(sAMAccountName=%v)(memberOf:1.2.840.113556.1.4.1941:=cn=%g,OU=squid3_groups,OU=Groups,OU=Yar,DC=yar,DC=local))" -h s76dc01.yar.local
# defined but not referenced by any http_access line below; the authentication challenge is
# triggered indirectly by the external ACL's %LOGIN instead
acl auth proxy_auth REQUIRED
# group names are read from these files and substituted as %g in the helper's filter
# (cn=%g,OU=squid3_groups,...); presumably one group name per line
acl internet-adm external memberof "/etc/squid3/internet-admin.txt"
acl internet-us external memberof "/etc/squid3/internet-users.txt"
acl localnet src 10.42.60.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# refuse requests to non-safe ports and CONNECT tunnels to anything but SSL ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# cache manager is reachable from localhost and from the whole LAN, guarded only by cachemgr_passwd below
http_access allow localhost manager
http_access allow localnet manager
http_access deny manager
# NOTE(review): members of internet-users are explicitly denied here and everything else is denied
# by the final rule, so only internet-admin members ever get access. If internet-users were meant to
# have (restricted) access, this line must be an allow, possibly combined with further ACLs.
http_access allow internet-adm
http_access deny internet-us
http_access deny all
# NETWORK OPTIONS
# -----------------------------------------------------------------------------
#
# listen on the LAN address and loopback only; plain HTTP on the client side
http_port 10.42.60.23:3128
http_port 127.0.0.1:3128
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
#
hierarchy_stoplist cgi-bin ?
forward_max_tries 25
# LOGFILE OPTIONS
# -----------------------------------------------------------------------------
#
#
access_log daemon:/var/log/squid3/access.log
# OPTIONS FOR TROUBLESHOOTING
# -----------------------------------------------------------------------------
#
cache_log /var/log/squid3/cache.log
coredump_dir /var/spool/squid3
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
#
cache_mgr ne@pochta.ru
# do not reveal the Squid version in headers and error pages
httpd_suppress_version_string on
# NOTE(review): visible_hostname differs from the real host name s76-proxy; this does not affect
# Kerberos, but it is the name shown in Via headers and error pages
visible_hostname lyly
# ERROR PAGE OPTIONS
# -----------------------------------------------------------------------------
#
error_directory /usr/share/squid3/errors/ru
error_default_language ru
# DNS OPTIONS
# -----------------------------------------------------------------------------
#
dns_v4_first on
# MISCELLANEOUS
# -----------------------------------------------------------------------------
#
# strip X-Forwarded-For from outgoing requests so internal client addresses are not disclosed upstream
forwarded_for delete
# NOTE(review): this password has been published together with the config — change it. 'all' grants
# every cache manager action, and manager access is open to the entire LAN above.
cachemgr_passwd StrOnG_PaZsZw0rD all
#
#
далее в браузере прописываю полное имя прокси (s76-proxy.yar.local), и начинают валиться вот такие ошибки:
ay provide more information. '
2016/07/11 18:03:39| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
2016/07/11 18:03:39| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
2016/07/11 18:03:39| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
2016/07/11 18:03:39| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
2016/07/11 18:03:39| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
2016/07/11 18:03:40| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
2016/07/11 18:03:40| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
2016/07/11 18:03:40| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
2016/07/11 18:03:47| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
2016/07/11 18:03:48| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
2016/07/11 18:03:55| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
ext_ldap_group_acl: WARNING: LDAP search error 'Can't contact LDAP server'
ext_ldap_group_acl: WARNING: LDAP search error 'Can't contact LDAP server'
при этом окно авторизации не исчезает
ЗЫ линуксом только начал заниматься, поэтому сильно не пинайте
Очень надеюсь на вашу помощь: бьюсь с ним уже вторую неделю — то одно, то другое отваливается.