squid3 authentication through samba using NTLM against AD does not work

1

Some users are spending too much time browsing the WWW, so the big boss wants to get this under control.

We use a squid3 for some security reasons and for the caching benefits, and now I am trying to set up a new proxy on a different server (Debian 6). The permissions are defined in the AD and squid3 should get the authentication through samba/winbind using the NTLM protocol.

But I get Access Denied all the time. It only works using LDAP, but that is not what I need.

Here are some logs and confs

squid access.log

1326878095.784      1 192.168.15.27 TCP_DENIED/407 4049 GET http://at.msn.com/? - NONE/- text/html
1326878095.791      1 192.168.15.27 TCP_DENIED/407 4294 GET http://at.msn.com/? - NONE/- text/html
1326878095.803      9 192.168.15.27 TCP_DENIED/403 4028 GET http://at.msn.com/? kavan NONE/- text/html
1326878095.848      0 192.168.15.27 TCP_DENIED/403 3881 GET http://www.squid-cache.org/Artwork/SN.png kavan NONE/- text/html
1326878100.279      0 192.168.15.27 TCP_DENIED/403 3735 GET http://www.google.at/ kavan NONE/- text/html
1326878100.296      0 192.168.15.27 TCP_DENIED/403 3870 GET http://www.squid-cache.org/Artwork/SN.png kavan NONE/- text/html
1326878155.700      0 192.168.15.27 TCP_DENIED/407 4072 GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml - NONE/- text/html
1326878155.705      2 192.168.15.27 TCP_DENIED/407 4317 GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml - NONE/- text/html
1326878155.709      3 192.168.15.27 TCP_DENIED/403 4026 GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml kavan NONE/- text/html

squid cache.log

2012/01/18 10:12:49| Creating Swap Directories
2012/01/18 10:12:49| Starting Squid Cache version 3.1.6 for x86_64-pc-linux-gnu...
2012/01/18 10:12:49| Process ID 17236
2012/01/18 10:12:49| With 65535 file descriptors available
2012/01/18 10:12:49| Initializing IP Cache...
2012/01/18 10:12:49| DNS Socket created at [::], FD 7
2012/01/18 10:12:49| DNS Socket created at 0.0.0.0, FD 8
2012/01/18 10:12:49| Adding nameserver 192.168.15.2 from /etc/resolv.conf
2012/01/18 10:12:49| Adding nameserver 192.168.15.19 from /etc/resolv.conf
2012/01/18 10:12:49| Adding nameserver 192.168.15.1 from /etc/resolv.conf
2012/01/18 10:12:49| Adding domain schoenbrunn.local from /etc/resolv.conf
2012/01/18 10:12:49| helperOpenServers: Starting 5/5 'squid_ldap_auth' processes
2012/01/18 10:12:49| helperOpenServers: Starting 10/10 'ntlm_auth' processes
2012/01/18 10:12:49| helperOpenServers: Starting 10/10 'squid_kerb_auth' processes
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| helperOpenServers: Starting 5/5 'squid_ldap_group' processes
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| Unlinkd pipe opened on FD 73
2012/01/18 10:12:49| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2012/01/18 10:12:49| Store logging disabled
2012/01/18 10:12:49| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2012/01/18 10:12:49| Target number of buckets: 1008
2012/01/18 10:12:49| Using 8192 Store buckets
2012/01/18 10:12:49| Max Mem  size: 262144 KB
2012/01/18 10:12:49| Max Swap size: 0 KB
2012/01/18 10:12:49| Using Least Load store dir selection
2012/01/18 10:12:49| Set Current Directory to /var/spool/squid3
2012/01/18 10:12:49| Loaded Icons.
2012/01/18 10:12:49| Accepting  HTTP connections at [::]:3128, FD 74.
2012/01/18 10:12:49| HTCP Disabled.
2012/01/18 10:12:49| Squid modules loaded: 0
2012/01/18 10:12:49| Adaptation support is off.
2012/01/18 10:12:49| Ready to serve requests.
2012/01/18 10:12:50| storeLateRelease: released 0 objects

smb.conf

# Domain authentication settings
        workgroup = <WORKGROUP>
        security = ads
        password server = <DOMAINNAME>.LOCAL
        realm = <DOMAINNAME>.LOCAL
        ldap ssl = no
# logging
        log level = 5
        # logs split per machine
        log file = /var/log/samba/%m.log
        # max 50KB per log file, then rotate
        max log size = 50

# User settings
        username map =  /etc/samba/smbusers
        idmap uid = 10000-20000000
        idmap gid = 10000-20000000
        idmap backend = ad
;       template primary group = <ad group>
        template shell = /sbin/nologin

# Winbind settings
        # note: this separator is also what winbind expects when it parses
        # DOMAIN<sep>group names handed to it (e.g. by ntlm_auth)
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups  = Yes
        winbind nested groups = Yes
        winbind cache time = 10
        winbind use default domain = Yes

#Other Globals
        unix charset = LOCALE
        server string = <SERVERNAME>
        load printers = no
        printing =  cups
        cups options = raw

;       printcap name = /etc/printcap
        #obtain list of printers automatically on SystemV
;       printcap name = lpstat
;       printing = cups

squid.conf

# Schemes are offered to the client in the order they appear here; Squid's
# documentation recommends Negotiate first, then NTLM, then Basic.
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

# NTLM via winbind. --require-membership-of must be a name winbind can parse
# with the configured "winbind separator" (here "+"), or the group SID from
# "wbinfo --name-to-sid INTERNETZ", which is the safest form.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=<DOMAINNAME>\INTERNETZ
auth_param ntlm children 10

# Basic fallback against the global catalog (port 3268). The bind password is
# stored in clear text in this file: use a dedicated read-only account, not administrator.
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=<dcname>,dc=local" -D "cn=administrator,cn=Users,dc=<domainname>,dc=local" -w "******" -f sAMAccountName=%s -h 192.168.15.19:3268
# realm text is German: "Proxy authentication. Please enter your username and password!"
auth_param basic realm "Proxy Authentifizierung. Bitte geben Sie Ihren Benutzername und Ihr Passwort ein!"

# Group lookup: %v is the user name from %LOGIN, %a the group named on the acl line.
# No whitespace between filter terms (the original had a stray space, which is not valid filter syntax).
external_acl_type InetGroup %LOGIN /usr/lib/squid3/squid_ldap_group -R -b "dc=<domainname>,dc=local" -D "cn=administrator,cn=Users,dc=<domainname>,dc=local" -w "******" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,cn=internetz,dc=<domainname>,dc=local))" -h 192.168.15.19:3268

acl auth proxy_auth REQUIRED
acl InetAccess external InetGroup Internetz

http_access allow InetAccess
http_access deny all
# The original "http_access allow auth" stood after "deny all" and was never evaluated;
# rules are processed top to bottom and the first match wins.

And what is very suspicious: after adding the proxy server to the domain, I see two new entries among the computers, one with the original computer name leopoldina and another one named leopoldina CNF:f8efa4c4-ff0e-4217-939d-f1523b43464d ?!?

I have tried a lot, really... but I am stuck on this problem... In fact I even reinstalled all the dependent programs and reconfigured them from the defaults.

The group exists and includes me. Firefox runs against the old proxy and I use IE to test the new one. But I get Access Denied all the time.

And to be honest, I am a beginner, so please don't be harsh. I do want to improve, and I will get whatever information we need to fix this, but I started this job 2 months ago and only had 1.5 years of training, not a single second of it on Linux ;)

by Harrys Kavan 18.01.2012 / 11:31
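Reading the posted access.log mechanically (an added example by the editor, not part of the question or the original page). In Squid's native log format the user field is only filled in once an auth helper has accepted the credentials, so a 407 with "-" is the proxy issuing a challenge (the NTLM/Negotiate handshake costs two of them), while a 403 that carries a user name means authentication succeeded and the deny came from http_access, i.e. from the external group ACL rather than from the auth helper. The sample lines below are the ones from the post with their spacing normalised; the field positions assume the native format shown there.

```shell
#!/bin/sh
# Classify Squid native access.log lines by where each request was stopped.
# Native format: time elapsed client code/status bytes method URL user hier/peer type

# awk function shared by the helpers below: verdict for the current record
SQUID_VERDICT_AWK='
function verdict(    st, code, user) {
    split($4, st, "/"); code = st[2]; user = $8
    if (code == "407" && user == "-") return "CHALLENGE"     # proxy asked for credentials
    if (code == "407")                return "AUTH_FAILED"   # helper rejected the credentials
    if (code == "403" && user != "-") return "AUTHZ_DENIED"  # authenticated, http_access denied
    if (code == "403")                return "DENIED_ANON"   # denied without authentication
    if (user != "-")                  return "ALLOWED"
    return "OTHER"
}
'

# squid_auth_verdict LINE: prints "VERDICT user URL" for one log line
squid_auth_verdict() {
    printf '%s\n' "$1" | awk "$SQUID_VERDICT_AWK"'{ print verdict(), $8, $7 }'
}

# squid_auth_summary: reads a log on stdin, prints one line of counters
squid_auth_summary() {
    awk "$SQUID_VERDICT_AWK"'{ c[verdict()]++ }
    END {
        printf "CHALLENGE=%d AUTH_FAILED=%d AUTHZ_DENIED=%d DENIED_ANON=%d ALLOWED=%d OTHER=%d\n",
            c["CHALLENGE"], c["AUTH_FAILED"], c["AUTHZ_DENIED"], c["DENIED_ANON"], c["ALLOWED"], c["OTHER"]
    }'
}

# squid_auth_diagnosis: reads a log on stdin, names the layer to look at next
squid_auth_diagnosis() {
    case "$(squid_auth_summary)" in
        "CHALLENGE="[1-9]*" AUTH_FAILED=0 "*"AUTHZ_DENIED=0 "*"ALLOWED=0"*)
            echo "only challenges: no client completes the handshake, test the auth helpers / winbind" ;;
        *"AUTH_FAILED=0 "*"AUTHZ_DENIED="[1-9]*)
            echo "credentials accepted, http_access denies: look at the group ACL and its external helper" ;;
        *"AUTH_FAILED="[1-9]*)
            echo "credentials rejected by the auth helper: test ntlm_auth / winbind as the squid user" ;;
        *)  echo "mixed: read the per-line verdicts" ;;
    esac
}

# Constructed sample: the nine lines from the post, single-space separated
SAMPLE_LOG='1326878095.784 1 192.168.15.27 TCP_DENIED/407 4049 GET http://at.msn.com/? - NONE/- text/html
1326878095.791 1 192.168.15.27 TCP_DENIED/407 4294 GET http://at.msn.com/? - NONE/- text/html
1326878095.803 9 192.168.15.27 TCP_DENIED/403 4028 GET http://at.msn.com/? kavan NONE/- text/html
1326878095.848 0 192.168.15.27 TCP_DENIED/403 3881 GET http://www.squid-cache.org/Artwork/SN.png kavan NONE/- text/html
1326878100.279 0 192.168.15.27 TCP_DENIED/403 3735 GET http://www.google.at/ kavan NONE/- text/html
1326878100.296 0 192.168.15.27 TCP_DENIED/403 3870 GET http://www.squid-cache.org/Artwork/SN.png kavan NONE/- text/html
1326878155.700 0 192.168.15.27 TCP_DENIED/407 4072 GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml - NONE/- text/html
1326878155.705 2 192.168.15.27 TCP_DENIED/407 4317 GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml - NONE/- text/html
1326878155.709 3 192.168.15.27 TCP_DENIED/403 4026 GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml kavan NONE/- text/html'

# Demo on the sample; on a live box: tail -n 200 /var/log/squid3/access.log | squid_auth_diagnosis
printf '%s\n' "$SAMPLE_LOG" | squid_auth_summary
printf '%s\n' "$SAMPLE_LOG" | squid_auth_diagnosis
```

On the posted lines this yields CHALLENGE=4 and AUTHZ_DENIED=5 with no AUTH_FAILED, so the first thing to test is the InetGroup external helper with the user name exactly as Squid hands it over (with `winbind use default domain = Yes` that is the bare `kavan`, which the LDAP filter then matches against sAMAccountName); the `--require-membership-of` check inside ntlm_auth is a separate, earlier gate and would show up as 407s, not 403s.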

1 answer

1

Add the proxy user to the winbindd_priv group.

by 19.06.2012 / 11:11
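The one-line answer written out as a script with a check before and after (an added example by the editor, not the answerer's code). Why the group matters: ntlm_auth in `--helper-protocol=squid-2.5-ntlmssp` mode talks to winbindd over the privileged pipe, and on the Samba 3.x packages that directory is owned by root:winbindd_priv with mode 0750, so a helper started by a squid user outside that group is refused by winbindd and every NTLM attempt ends in a 407. Assumptions: Debian's squid3 package runs the proxy as `proxy`, the privileged socket directory is /var/run/samba/winbindd_privileged, and the group is called winbindd_priv; all three are overridable and should be checked with `ps`, `ls -ld` and `getent group` on the box.

```shell
#!/bin/sh
# Put the squid helper user into winbindd_priv and verify the NTLM path as that user.
SQUID_USER=${SQUID_USER:-proxy}                                  # assumption: Debian squid3 default
PRIV_DIR=${PRIV_DIR:-/var/run/samba/winbindd_privileged}         # assumption: Samba 3.x default
PRIV_GROUP=${PRIV_GROUP:-winbindd_priv}

# user_in_group GROUPLINE USER: 0 if USER is listed in the member field of a
# getent(1)-style line "name:x:gid:member1,member2"
user_in_group() {
    members=$(printf '%s' "$1" | cut -d: -f4)
    printf '%s\n' "$members" | tr ',' '\n' | grep -qx -- "$2"
}

# priv_dir_ok: 0 if the squid user can enter the privileged socket directory
priv_dir_ok() {
    su -s /bin/sh "$SQUID_USER" -c "test -x '$PRIV_DIR'"
}

# apply_fix: the answer's change, then a helper restart (supplementary groups
# are only picked up when the helper processes are started)
apply_fix() {
    if user_in_group "$(getent group "$PRIV_GROUP")" "$SQUID_USER"; then
        echo "$SQUID_USER is already in $PRIV_GROUP"
    else
        usermod -a -G "$PRIV_GROUP" "$SQUID_USER"
    fi
    /etc/init.d/squid3 restart
}

# verify USER GROUP: trust account, pipe reachability, then the same check
# ntlm_auth performs for squid (prompts for USER's password; exit 0 on success)
verify() {
    wbinfo -t
    if priv_dir_ok; then
        echo "$PRIV_DIR reachable as $SQUID_USER"
    else
        echo "$PRIV_DIR NOT reachable as $SQUID_USER: NTLM helper will fail" >&2
        return 1
    fi
    su -s /bin/sh "$SQUID_USER" -c "ntlm_auth --username='$1' --require-membership-of='$2'"
}

case "${1:-}" in
    --apply)  apply_fix ;;
    --verify) verify "$2" "$3" ;;   # e.g. --verify kavan 'S-1-5-21-...-1234' (group SID from wbinfo --name-to-sid)
esac
```

Run `--verify` both before and after `--apply`: the first run should fail at the privileged directory, the second should pass all three steps. Passing the group to `--require-membership-of` as its SID sidesteps any question of how winbind parses `DOMAIN\group` against a non-default `winbind separator`. Once the helper works as the proxy user, the remaining 403s belong to the external group ACL and not to NTLM. On the duplicate computer object: an AD object whose name ends in `CNF:<GUID>` is the loser of a replication conflict (the same name created twice before the DCs had synchronised, typically by joining the domain twice); `wbinfo -t` tells you whether the machine account the proxy actually holds is the live one.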