Add the proxy user to the winbindd_priv group.
Some users are spending too much time browsing the WWW, so the big boss wants to have this under control.
We use squid3 only for some security reasons and cache benefits, and now I am trying to set up a new proxy on a different server (Debian 6). The permissions are defined in the AD, and squid3 should obtain authentication through samba/winbind using the NTLM protocol.
But I get Access Denied all the time. It only works using LDAP, but that is not how I need it.
Here are some logs and confs.
squid access.log
1326878095.784 1 192.168.15.27 TCP_DENIED/407 4049 GET http://at.msn.com/? - NONE/- text/html
1326878095.791 1 192.168.15.27 TCP_DENIED/407 4294 GET http://at.msn.com/? - NONE/- text/html
1326878095.803 9 192.168.15.27 TCP_DENIED/403 4028 GET http://at.msn.com/? kavan NONE/- text/html
1326878095.848 0 192.168.15.27 TCP_DENIED/403 3881 GET http://www.squid-cache.org/Artwork/SN.png kavan NONE/- text/html
1326878100.279 0 192.168.15.27 TCP_DENIED/403 3735 GET http://www.google.at/ kavan NONE/- text/html
1326878100.296 0 192.168.15.27 TCP_DENIED/403 3870 GET http://www.squid-cache.org/Artwork/SN.png kavan NONE/- text/html
1326878155.700 0 192.168.15.27 TCP_DENIED/407 4072 GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml - NONE/- text/html
1326878155.705 2 192.168.15.27 TCP_DENIED/407 4317 GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml - NONE/- text/html
1326878155.709 3 192.168.15.27 TCP_DENIED/403 4026 GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml kavan NONE/- text/html
squid cache.log
2012/01/18 10:12:49| Creating Swap Directories
2012/01/18 10:12:49| Starting Squid Cache version 3.1.6 for x86_64-pc-linux-gnu...
2012/01/18 10:12:49| Process ID 17236
2012/01/18 10:12:49| With 65535 file descriptors available
2012/01/18 10:12:49| Initializing IP Cache...
2012/01/18 10:12:49| DNS Socket created at [::], FD 7
2012/01/18 10:12:49| DNS Socket created at 0.0.0.0, FD 8
2012/01/18 10:12:49| Adding nameserver 192.168.15.2 from /etc/resolv.conf
2012/01/18 10:12:49| Adding nameserver 192.168.15.19 from /etc/resolv.conf
2012/01/18 10:12:49| Adding nameserver 192.168.15.1 from /etc/resolv.conf
2012/01/18 10:12:49| Adding domain schoenbrunn.local from /etc/resolv.conf
2012/01/18 10:12:49| helperOpenServers: Starting 5/5 'squid_ldap_auth' processes
2012/01/18 10:12:49| helperOpenServers: Starting 10/10 'ntlm_auth' processes
2012/01/18 10:12:49| helperOpenServers: Starting 10/10 'squid_kerb_auth' processes
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| helperOpenServers: Starting 5/5 'squid_ldap_group' processes
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| Unlinkd pipe opened on FD 73
2012/01/18 10:12:49| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2012/01/18 10:12:49| Store logging disabled
2012/01/18 10:12:49| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2012/01/18 10:12:49| Target number of buckets: 1008
2012/01/18 10:12:49| Using 8192 Store buckets
2012/01/18 10:12:49| Max Mem size: 262144 KB
2012/01/18 10:12:49| Max Swap size: 0 KB
2012/01/18 10:12:49| Using Least Load store dir selection
2012/01/18 10:12:49| Set Current Directory to /var/spool/squid3
2012/01/18 10:12:49| Loaded Icons.
2012/01/18 10:12:49| Accepting HTTP connections at [::]:3128, FD 74.
2012/01/18 10:12:49| HTCP Disabled.
2012/01/18 10:12:49| Squid modules loaded: 0
2012/01/18 10:12:49| Adaptation support is off.
2012/01/18 10:12:49| Ready to serve requests.
2012/01/18 10:12:50| storeLateRelease: released 0 objects
smb.conf
# Domain Authentication Settings
workgroup = <WORKGROUP>
security = ads
password server = <DOMAINNAME>.LOCAL
realm = <DOMAINNAME>.LOCAL
ldap ssl = no
# logging
log level = 5
max log size = 50
# logs split per machine
log file = /var/log/samba/%m.log
# max 50KB per log file, then rotate
; max log size = 50
# User settings
username map = /etc/samba/smbusers
idmap uid = 10000-20000000
idmap gid = 10000-20000000
idmap backend = ad
; template primary group = <ad group>
template shell = /sbin/nologin
# Winbind Settings
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind cache time = 10
winbind use default domain = Yes
#Other Globals
unix charset = LOCALE
server string = <SERVERNAME>
load printers = no
printing = cups
cups options = raw
; printcap name = /etc/printcap
#obtain list of printers automatically on SystemV
; printcap name = lpstat
; printing = cups
squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --require-membership-of=<DOMAINNAME>\INTERNETZ --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=<dcname>,dc=local" -D "cn=administrator,cn=Users,dc=<domainname>,dc=local" -w "******" -f sAMAccountName=%s -h 192.168.15.19:3268
auth_param basic realm "Proxy Authentifizierung. Bitte geben Sie Ihren Benutzername und Ihr Passwort ein!" # means "enter your password", in another language #
external_acl_type InetGroup %LOGIN /usr/lib/squid3/squid_ldap_group -R -b "dc=<domainname>,dc=local" -D "cn=administrator,cn=Users,dc=<domainname>,dc=local" -w "******" -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%a,cn=internetz,dc=<domainname>,dc=local))" -h 192.168.15.19:3268
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl localnet proxy_auth REQUIRED
acl InetAccess external InetGroup Internetz
http_access allow InetAccess
http_access deny all
acl auth proxy_auth REQUIRED
http_access allow auth
And what is very suspicious is that, after adding the proxy server to the domain, I see two new entries for the PC, one with the original computer name leopoldina and another one leopoldina CNF:f8efa4c4-ff0e-4217-939d-f1523b43464d?!?
I have tried a lot, really... but I got stuck on this problem... In fact, I even reinstalled all the dependent programs and reconfigured them from the defaults.
The group exists and includes me. Firefox runs on the old proxy and I use IE to test the new one. But I get Access Denied all the time.
And, to be honest, I am a beginner, so please don't be harsh. I am interested in improving, and I will get the information we need to fix this, but I started working 2 months ago and only had 1.5 years of training and not a single second on Linux ;)
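As an added example (not code from the original post), a small Python script that parses Squid's native access.log format and separates 407 challenges from 403 denials that carry a username: in the log above, the 403 lines name the user kavan, so the helper accepted the credentials and the deny was produced by http_access evaluation, not by the password check. The field layout is Squid's native log format; the sample lines are constructed from the question.

```python
import re
from collections import Counter, defaultdict
# Squid native format: time elapsed client action/status bytes method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Fields of one native access.log line, or None if the line is not in that format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """What the proxy decided; the user field is only filled once proxy_auth has succeeded."""
    status, user = entry["status"], entry["user"]
    if status == "407":
        return "challenge"      # Proxy-Authenticate sent: normal start of an NTLM/Negotiate exchange
    if status == "403" and user != "-":
        return "authz_denied"   # helper accepted the credentials; an http_access rule denied the request
    return "denied_other" if entry["action"] == "TCP_DENIED" else "served"

def diagnose(lines):
    """Per client: outcome counts, the users that authenticated, and where to look next."""
    counts, users = defaultdict(Counter), defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        counts[e["client"]][classify(e)] += 1
        if e["user"] != "-":
            users[e["client"]].add(e["user"])
    report = {}
    for client, c in counts.items():
        if c["authz_denied"]:
            hint = "credentials accepted; the deny comes from http_access, so check the group-membership ACL path"
        elif c["challenge"] and not users[client]:
            hint = "only challenges and never a user: the auth helper is not accepting credentials"
        else:
            hint = "no authenticated denial seen"
        report[client] = {"outcomes": dict(c), "users": sorted(users[client]), "hint": hint}
    return report

# Constructed sample mirroring the question's log: one client, user kavan.
SAMPLE = """\
1326878095.784 1 192.168.15.27 TCP_DENIED/407 4049 GET http://at.msn.com/? - NONE/- text/html
1326878095.803 9 192.168.15.27 TCP_DENIED/403 4028 GET http://at.msn.com/? kavan NONE/- text/html
1326878100.279 0 192.168.15.27 TCP_DENIED/403 3735 GET http://www.google.at/ kavan NONE/- text/html
""".splitlines()
```

Run `diagnose(SAMPLE)` (or feed it the real access.log) and read the hint per client; a 403 with a username points at the group check rather than the authentication helper.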