I've run into trouble with transparent user authentication. NTLM authentication does not work.
And on FreeBSD 8.1 everything worked perfectly.
A bit about my setup:
Code:
FreeBSD out 10.1-RELEASE-p14 FreeBSD 10.1-RELEASE-p14 #0 r284256M: Sat Jul 4 15:03:13 MSK 2015 Admin@out:/usr/obj/usr/src/sys/main_kernell.2015-04-07 amd64
Code:
===> The following configuration options are available for samba42-4.2.2_1:
ACL_SUPPORT=on: File system ACL support
ADS=on: Active Directory client support
AD_DC=on: Active Directory Domain Controller support
AIO_SUPPORT=on: Asyncronous IO support
CUPS=off: CUPS printing system support
DEBUG=off: With debug information in the binaries
DEVELOPER=off: With development support
DNSUPDATE=on: Dynamic DNS update (require ADS)
DOCS=on: Build and/or install documentation
EXP_MODULES=off: Experimental modules
FAM=on: File Alteration Monitor support
LDAP=on: LDAP client support
MANPAGES=on: Build manpages from DOCBOOK templates
PAM_SMBPASS=on: PAM authentication via passdb backends
PTHREADPOOL=on: Pthread pool
QUOTAS=on: Disk quota support
SYSLOG=on: Syslog logging support
UTMP=on: UTMP accounting support
====> Options available for the radio DNS: you can only select none or one of them
NSUPDATE=off: Use samba NSUPDATE utility for AD DC
BIND99=off: Use bind99 as AD DC DNS server frontend
BIND910=off: Use bind910 as AD DC DNS server frontend
====> Options available for the radio ZEROCONF: you can only select none or one of them
AVAHI=off: Zeroconf support via Avahi
MDNSRESPONDER=off: Zeroconf support via mDNSResponder
Code:
===> The following configuration options are available for squid-3.5.5:
ARP_ACL=off: ARP/MAC/EUI based authentification
AUTH_LDAP=on: Install LDAP authentication helpers
AUTH_NIS=on: Install NIS/YP authentication helpers
AUTH_SASL=on: Install SASL authentication helpers
AUTH_SMB=on: Install SMB auth. helpers (req. Samba)
AUTH_SQL=on: Install SQL based auth (uses MySQL)
CACHE_DIGESTS=on: Use cache digests
DEBUG=off: Build with extended debugging support
DELAY_POOLS=on: Delay pools (bandwidth limiting)
DOCS=on: Build and/or install documentation
ECAP=off: Loadable content adaptation modules
ESI=off: ESI support
EXAMPLES=on: Build and/or install examples
FOLLOW_XFF=off: Support for the X-Following-For header
FS_AUFS=on: AUFS (threaded-io) support
FS_DISKD=on: DISKD storage engine controlled by separate service
FS_ROCK=off: ROCK storage engine
HTCP=on: HTCP support
ICAP=off: the ICAP client
ICMP=on: ICMP pinging and network measurement
IDENT=on: Ident lookups (RFC 931)
IPV6=on: IPv6 protocol support
KQUEUE=on: Kqueue(2) support
LARGEFILE=on: Support large (>2GB) cache and log files
LAX_HTTP=off: Do not enforce strict HTTP compliance
NETTLE=off: Nettle MD5 algorithm support
SNMP=on: SNMP support
SSL=off: SSL gatewaying support
SSL_CRTD=off: Use ssl_crtd to handle SSL cert requests
STACKTRACES=off: Enable automatic backtraces on fatal errors
TP_IPF=off: Transparent proxying with IPFilter
TP_IPFW=on: Transparent proxying with IPFW
TP_PF=off: Transparent proxying with PF
VIA_DB=off: Forward/Via database
WCCP=on: Web Cache Coordination Protocol
WCCPV2=on: Web Cache Coordination Protocol v2
====> Install Kerberos authentication helpers: you have to select exactly one of them
GSSAPI_NONE=off: Build without Kerberos support
GSSAPI_BASE=on: Build with Kerberos support from base
GSSAPI_HEIMDAL=off: Build with Kerberos support from security/heimdal
GSSAPI_MIT=off: Build with Kerberos support from security/krb5
Code:
out# grep -v "#" /usr/local/etc/smb4.conf
[global]
netbios name = out
workgroup = AC-CONSTRUCTION
server string = out
security = ADS
hosts allow = 192.168.0. 192.168.1. 127.
log file = /var/log/samba4/log.%m
max log size = 50
password server = 192.168.0.2
realm = MYDOMAIN.LOCAL
dns proxy = no
unix charset = koi8-r
dos charset = cp866
winbind use default domain = yes
# "winbind uid"/"winbind gid" are not valid parameters in Samba 4 (testparm -s
# reports them as unknown and ignores them); Samba 4.x allocates IDs from the
# idmap range below. The original lines were:
#   winbind uid = 10000-15000
#   winbind gid = 10000-15000
idmap config * : backend = tdb
idmap config * : range = 10000-15000
winbind enum users = yes
winbind enum groups = yes
local master = no
domain master = no
interfaces = 192.168.0.10/23
winbind offline logon = true
Code:
[libdefaults]
default_realm = MYDOMAIN.LOCAL
forwardable = yes
ticket_lifetime = 24h
dns_lookup_kdc = no
dns_lookup_realm = no
# des-cbc-crc / des-cbc-md5 (and, on current domain controllers, rc4-hmac) are
# disabled on the AD side by default; listing them here only matters if the DC
# still offers them. aes256 is what a 2008+ domain negotiates.
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
MYDOMAIN.LOCAL = {
kdc = 192.168.0.2
kdc = 192.168.0.3
admin_server = 192.168.0.2
admin_server = 192.168.0.3
default_domain = MYDOMAIN.LOCAL
}
# The section is named [domain_realm] (singular); [domain_realms] is silently
# ignored by the Kerberos library, so no host-to-realm mapping was in effect.
[domain_realm]
.mydomain = MYDOMAIN.LOCAL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
default = SYSLOG:ERR:AUTH
Code:
# ntlm_auth's -d takes a numeric debug level (-d 1); "--diagnostics" makes
# ntlm_auth run its own self-test instead of acting as a helper, so these two
# options are not what a production helper line should carry.
# --domain must be the NetBIOS domain name winbind is joined to, i.e. the
# "workgroup" value in smb4.conf (AC-CONSTRUCTION above, MYDOMAIN here).
auth_param ntlm program /usr/local/bin/ntlm_auth -d --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
auth_param ntlm children 70
auth_param ntlm keep_alive on
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 70
auth_param basic realm My proxy server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
cachemgr_passwd pass123
http_access allow manager localhost
http_access deny manager
redirector_access deny localhost
http_port 3128
acl auth proxy_auth REQUIRED
acl _sams_4e68b0ffc1965 proxy_auth "/usr/local/etc/squid/4e68b0ffc1965.sams"
acl _sams_4e68b0ffc1965_time time MTWHFAS 00:00-23:59
acl _sams_4ecf796e14814 proxy_auth "/usr/local/etc/squid/4ecf796e14814.sams"
acl _sams_4ecf796e14814_time time MTWHFAS 00:00-23:59
acl _sams_4f1538f5885e7 proxy_auth "/usr/local/etc/squid/4f1538f5885e7.sams"
acl _sams_4f1538f5885e7_time time MTWHFAS 00:00-23:59
acl _sams_4ffd2767350e0 proxy_auth "/usr/local/etc/squid/4ffd2767350e0.sams"
acl _sams_4ffd2767350e0_time time MTWHFAS 00:00-23:59
acl _sams_53e0c53e03eeb proxy_auth "/usr/local/etc/squid/53e0c53e03eeb.sams"
acl _sams_53e0c53e03eeb_time time MTWHFAS 00:00-23:59
acl _sams_4e68b02875c9c proxy_auth "/usr/local/etc/squid/4e68b02875c9c.sams"
acl _sams_4e68b02875c9c_time time MTWHFAS 00:00-23:59
acl _sams_4d89dfb50c51e proxy_auth "/usr/local/etc/squid/4d89dfb50c51e.sams"
acl _sams_4d89dfb50c51e_time time MTWHFAS 00:00-23:59
acl _sams_4d889adfca190 proxy_auth "/usr/local/etc/squid/4d889adfca190.sams"
acl _sams_4d889adfca190_time time MTWHFAS 00:00-23:59
acl _sams_4d883ebc51e5f proxy_auth "/usr/local/etc/squid/4d883ebc51e5f.sams"
acl _sams_4d883ebc51e5f_time time MTWHFAS 00:00-23:59
acl _sams_4d592b7f6e869 proxy_auth "/usr/local/etc/squid/4d592b7f6e869.sams"
acl _sams_4d592b7f6e869_time time MTWHFAS 00:00-23:59
acl _sams_4d7dc9e5697b3 proxy_auth "/usr/local/etc/squid/4d7dc9e5697b3.sams"
acl _sams_4d7dc9e5697b3_time time MTWHFAS 00:00-23:59
acl _sams_4d7dc9f3524a9 proxy_auth "/usr/local/etc/squid/4d7dc9f3524a9.sams"
acl _sams_4d7dc9f3524a9_time time MTWHFAS 00:00-23:59
acl _sams_4d7dca0999f4e proxy_auth "/usr/local/etc/squid/4d7dca0999f4e.sams"
acl _sams_4d7dca0999f4e_time time MTWHFAS 00:00-23:59
acl _sams_4d7dca1885834 proxy_auth "/usr/local/etc/squid/4d7dca1885834.sams"
acl _sams_4d7dca1885834_time time MTWHFAS 00:00-23:59
acl _sams_4d7dca71be2bb proxy_auth "/usr/local/etc/squid/4d7dca71be2bb.sams"
acl _sams_4d7dca71be2bb_time time MTWHFAS 00:00-23:59
acl _sams_4efafc004dc02 urlpath_regex -i "/usr/local/etc/squid/4efafc004dc02.sams"
acl _sams_4efafc2f13b88 urlpath_regex -i "/usr/local/etc/squid/4efafc2f13b88.sams"
redirect_program /usr/local/rejik3/redirector /usr/local/rejik3/redirector.conf
url_rewrite_children 5
access_log /usr/squid/squid/logs/access.log squid
cache_log /usr/squid/squid/logs/cache.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
netdb_filename /usr/squid/squid/logs/netdb.state
acl post method POST
# Safe_ports is defined but never referenced by an http_access rule, so it
# has no effect here.
acl Safe_ports port 491
acl Safe_ports port 443
# "auth" matches any authenticated user. Because this allow comes first, every
# authenticated user is admitted here and the per-user _sams_* rules below
# (including the URL deny for _sams_53e0c53e03eeb) are never reached.
http_access allow auth
http_access allow _sams_4e68b0ffc1965 _sams_4e68b0ffc1965_time
http_access allow _sams_4ecf796e14814 _sams_4ecf796e14814_time
http_access allow _sams_4f1538f5885e7 _sams_4f1538f5885e7_time
http_access allow _sams_4ffd2767350e0 _sams_4ffd2767350e0_time
http_access allow _sams_53e0c53e03eeb !_sams_4efafc004dc02 !_sams_4efafc2f13b88 _sams_53e0c53e03eeb_time
http_access allow _sams_4e68b02875c9c _sams_4e68b02875c9c_time
http_access allow _sams_4d89dfb50c51e _sams_4d89dfb50c51e_time
http_access allow _sams_4d889adfca190 _sams_4d889adfca190_time
http_access allow _sams_4d883ebc51e5f _sams_4d883ebc51e5f_time
http_access allow _sams_4d592b7f6e869 _sams_4d592b7f6e869_time
http_access allow _sams_4d7dc9e5697b3 _sams_4d7dc9e5697b3_time
http_access allow _sams_4d7dc9f3524a9 _sams_4d7dc9f3524a9_time
http_access allow _sams_4d7dca0999f4e _sams_4d7dca0999f4e_time
http_access allow _sams_4d7dca1885834 _sams_4d7dca1885834_time
http_access allow _sams_4d7dca71be2bb _sams_4d7dca71be2bb_time
http_access deny all
Code:
2015/07/06 08:21:25 kid1| Logfile: opening log /usr/squid/squid/logs/access.log
2015/07/06 08:21:25 kid1| WARNING: log name now starts with a module name. Use 'stdio:/usr/squid/squid/logs/access.log'
2015/07/06 08:21:25 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2015/07/06 08:21:25 kid1| Store logging disabled
2015/07/06 08:21:25 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2015/07/06 08:21:25 kid1| Target number of buckets: 1008
2015/07/06 08:21:25 kid1| Using 8192 Store buckets
2015/07/06 08:21:25 kid1| Max Mem size: 262144 KB
2015/07/06 08:21:25 kid1| Max Swap size: 0 KB
2015/07/06 08:21:25 kid1| Using Least Load store dir selection
2015/07/06 08:21:25 kid1| Current Directory is /var/squid
2015/07/06 08:21:25 kid1| Finished loading MIME types and icons.
2015/07/06 08:21:25 kid1| HTCP Disabled.
2015/07/06 08:21:25 kid1| Pinger socket opened on FD 12
2015/07/06 08:21:25 kid1| NETDB state reloaded; 17 entries, 0 msec
2015/07/06 08:21:25 kid1| Squid plugin modules loaded: 0
2015/07/06 08:21:25 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 10 flags=9
2015/07/06 08:21:25| pinger: Initialising ICMP pinger ...
2015/07/06 08:21:25| pinger: ICMP socket opened.
2015/07/06 08:21:25| pinger: ICMPv6 socket opened
2015/07/06 08:21:25 kid1| Starting new ntlmauthenticator helpers...
2015/07/06 08:21:25 kid1| helperOpenServers: Starting 1/70 'ntlm_auth' processes
2015/07/06 08:21:25 kid1| Starting new ntlmauthenticator helpers...
2015/07/06 08:21:25 kid1| helperOpenServers: Starting 1/70 'ntlm_auth' processes
2015/07/06 08:21:25 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:25 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:25 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:26 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:26 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:26 kid1| storeLateRelease: released 0 objects
2015/07/06 08:21:26 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:26 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:27 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:27 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:33 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
Code:
1436162004.492 0 192.168.0.9 TCP_DENIED/407 4063 CONNECT api.skype:443 - HIER_NONE/- text/htm
Code:
# file: /var/db/samba4/winbindd_privileged
# owner: root
# group: squid
user::rwx
group::r-x
other::---
Code:
list of users
Posted 25 minutes 36 seconds later:
Code:
wbinfo -a MYDOMAIN\\user%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
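The `wbinfo -a` result above shows winbindd itself can authenticate the user, so what is left to isolate is the path Squid actually uses: the `ntlm_auth` binary, running as the helper user, talking to winbindd through the privileged pipe directory. The script below is an added example (not code from the post, Samba or Squid) that drives `ntlm_auth` with the same `squid-2.5-ntlmssp` / `squid-2.5-basic` protocol lines Squid sends and decodes the reply codes, and it parses the `result=BH, notes={message: ...}` lines from cache.log with the same table. It assumes the FreeBSD paths from the post (`/usr/local/bin/ntlm_auth`, `/var/db/samba4/winbindd_privileged`) and should be run as the user Squid starts its helpers as (group `squid` in the getfacl output).

```python
"""Probe the ntlm_auth -> winbindd chain used by Squid's NTLM/basic helpers,
without going through Squid or a browser.

Added example, not code from the forum post or from Samba/Squid. Paths are
the ones shown in the post; change them for another layout.
"""
import os
import subprocess
import sys

NTLM_AUTH = "/usr/local/bin/ntlm_auth"               # path used in the post
WINBIND_PRIV = "/var/db/samba4/winbindd_privileged"  # directory from the post

# Reply codes of the squid-2.5-ntlmssp and squid-2.5-basic helper protocols.
NTLM_CODES = {
    "TT": "challenge issued (ntlm_auth reached winbindd); next step is the Type-3 token",
    "AF": "authenticated",
    "NA": "credentials rejected by the domain controller",
    "BH": "helper broken: ntlm_auth could not complete the request via winbindd",
}
BASIC_CODES = {"OK": "authenticated", "ERR": "credentials rejected",
               "BH": "helper broken"}


def parse_reply(line, table):
    """Split one helper reply line into (code, detail, meaning).
    Squid copies 'detail' verbatim into the notes={message: ...} part of the
    cache.log error, so the same table explains both."""
    code, _, detail = line.strip().partition(" ")
    return code, detail, table.get(code, "unknown reply code %r" % code)


def classify_cache_log(line):
    """Extract (code, message, meaning) from a Squid 3.5 cache.log line like
    'ERROR: NTLM Authentication validating user. Result: {result=BH,
    notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}'.
    Returns None for lines without a helper result."""
    if "result=" not in line:
        return None
    code = line.split("result=", 1)[1].split(",", 1)[0].strip("}")
    msg = ""
    if "message: " in line:
        msg = line.split("message: ", 1)[1].split(";", 1)[0].strip()
    return code, msg, NTLM_CODES.get(code, "unknown")


def check_pipe_dir(path=WINBIND_PRIV):
    """The helper user needs r-x on the privileged pipe directory (the post's
    getfacl shows group squid r-x). Returns (ok, explanation)."""
    if not os.path.isdir(path):
        return False, "%s missing: is winbindd running?" % path
    if not os.access(path, os.R_OK | os.X_OK):
        return False, "%s not accessible as uid %d" % (path, os.getuid())
    return True, "%s accessible" % path


def run_helper(args, stdin_line, exe=NTLM_AUTH, timeout=10):
    """Feed one protocol line to ntlm_auth on stdin and return its first reply."""
    proc = subprocess.run([exe] + args, input=stdin_line + "\n",
                          capture_output=True, text=True, timeout=timeout)
    if proc.stdout:
        return proc.stdout.splitlines()[0]
    return "BH no output (stderr: %s)" % proc.stderr.strip()


def probe_ntlm(domain, exe=NTLM_AUTH):
    """Start an NTLMSSP handshake the way Squid does ('YR'). A healthy chain
    answers 'TT <base64 Type-2 challenge>'; 'BH ...' at this stage means
    ntlm_auth cannot use winbindd at all, independent of any client."""
    reply = run_helper(["--helper-protocol=squid-2.5-ntlmssp",
                        "--domain=" + domain], "YR", exe)
    return parse_reply(reply, NTLM_CODES)


def probe_basic(domain, user, password, exe=NTLM_AUTH):
    """Drive the basic helper as Squid does: 'user password' on one line."""
    reply = run_helper(["--helper-protocol=squid-2.5-basic",
                        "--domain=" + domain], "%s %s" % (user, password), exe)
    return parse_reply(reply, BASIC_CODES)


if __name__ == "__main__":
    # usage: probe.py DOMAIN [user password]   (run as the squid helper user)
    domain = sys.argv[1] if len(sys.argv) > 1 else "MYDOMAIN"
    print("pipe dir:", check_pipe_dir())
    print("NTLM start:", probe_ntlm(domain))
    if len(sys.argv) == 4:
        print("basic:", probe_basic(domain, sys.argv[2], sys.argv[3]))
```

Run it with `su -m squid -c 'python3 probe.py MYDOMAIN'`: if the pipe directory check fails or the `YR` probe returns `BH`, the fault is between `ntlm_auth` and winbindd (permissions, a winbindd not started, a wrong `--domain`), not in Squid's configuration; if `YR` returns `TT` but Squid still logs `BH`, compare the helper line Squid starts with the arguments used here.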