FreeBSD squid + sams (ntlm+basic аутентификация) + rejik

Простые/общие вопросы по UNIX системам. Спросите здесь, если вы новичок

Модераторы: vadim64, terminus

Правила форума
Убедительная просьба юзать теги [cоde] при оформлении листингов.
Сообщения не оформленные должным образом имеют все шансы быть незамеченными.
Аватара пользователя
Sindikat88
мл. сержант
Сообщения: 138
Зарегистрирован: 2010-09-02 15:07:54
Контактная информация:

FreeBSD squid + sams (ntlm+basic аутентификация) + rejik

Непрочитанное сообщение Sindikat88 » 2015-07-06 9:50:06

Камрады, приветствую.
Постигла меня беда с прозрачной авторизацией пользователей. Не работает NTLM аутентификация.
Притом на Freebsd 8.1 все замечательно работало.

Немного о себе:

Код: Выделить всё

FreeBSD out 10.1-RELEASE-p14 FreeBSD 10.1-RELEASE-p14 #0 r284256M: Sat Jul  4 15:03:13 MSK 2015     Admin@out:/usr/obj/usr/src/sys/main_kernell.2015-04-07  amd64	
samba собрана со следующими опциями:

Код: Выделить всё

===> The following configuration options are available for samba42-4.2.2_1:
     ACL_SUPPORT=on: File system ACL support
     ADS=on: Active Directory client support
     AD_DC=on: Active Directory Domain Controller support
     AIO_SUPPORT=on: Asyncronous IO support
     CUPS=off: CUPS printing system support
     DEBUG=off: With debug information in the binaries
     DEVELOPER=off: With development support
     DNSUPDATE=on: Dynamic DNS update (require ADS)
     DOCS=on: Build and/or install documentation
     EXP_MODULES=off: Experimental modules
     FAM=on: File Alteration Monitor support
     LDAP=on: LDAP client support
     MANPAGES=on: Build manpages from DOCBOOK templates
     PAM_SMBPASS=on: PAM authentication via passdb backends
     PTHREADPOOL=on: Pthread pool
     QUOTAS=on: Disk quota support
     SYSLOG=on: Syslog logging support
     UTMP=on: UTMP accounting support
====> Options available for the radio DNS: you can only select none or one of them
     NSUPDATE=off: Use samba NSUPDATE utility for AD DC
     BIND99=off: Use bind99 as AD DC DNS server frontend
     BIND910=off: Use bind910 as AD DC DNS server frontend
====> Options available for the radio ZEROCONF: you can only select none or one of them
     AVAHI=off: Zeroconf support via Avahi
     MDNSRESPONDER=off: Zeroconf support via mDNSResponder
Squid собран со следующими опциями:

Код: Выделить всё

===> The following configuration options are available for squid-3.5.5:
     ARP_ACL=off: ARP/MAC/EUI based authentification
     AUTH_LDAP=on: Install LDAP authentication helpers
     AUTH_NIS=on: Install NIS/YP authentication helpers
     AUTH_SASL=on: Install SASL authentication helpers
     AUTH_SMB=on: Install SMB auth. helpers (req. Samba)
     AUTH_SQL=on: Install SQL based auth (uses MySQL)
     CACHE_DIGESTS=on: Use cache digests
     DEBUG=off: Build with extended debugging support
     DELAY_POOLS=on: Delay pools (bandwidth limiting)
     DOCS=on: Build and/or install documentation
     ECAP=off: Loadable content adaptation modules
     ESI=off: ESI support
     EXAMPLES=on: Build and/or install examples
     FOLLOW_XFF=off: Support for the X-Following-For header
     FS_AUFS=on: AUFS (threaded-io) support
     FS_DISKD=on: DISKD storage engine controlled by separate service
     FS_ROCK=off: ROCK storage engine
     HTCP=on: HTCP support
     ICAP=off: the ICAP client
     ICMP=on: ICMP pinging and network measurement
     IDENT=on: Ident lookups (RFC 931)
     IPV6=on: IPv6 protocol support
     KQUEUE=on: Kqueue(2) support
     LARGEFILE=on: Support large (>2GB) cache and log files
     LAX_HTTP=off: Do not enforce strict HTTP compliance
     NETTLE=off: Nettle MD5 algorithm support
     SNMP=on: SNMP support
     SSL=off: SSL gatewaying support
     SSL_CRTD=off: Use ssl_crtd to handle SSL cert requests
     STACKTRACES=off: Enable automatic backtraces on fatal errors
     TP_IPF=off: Transparent proxying with IPFilter
     TP_IPFW=on: Transparent proxying with IPFW
     TP_PF=off: Transparent proxying with PF
     VIA_DB=off: Forward/Via database
     WCCP=on: Web Cache Coordination Protocol
     WCCPV2=on: Web Cache Coordination Protocol v2
====> Install Kerberos authentication helpers: you have to select exactly one of them
     GSSAPI_NONE=off: Build without Kerberos support
     GSSAPI_BASE=on: Build with Kerberos support from base
     GSSAPI_HEIMDAL=off: Build with Kerberos support from security/heimdal
     GSSAPI_MIT=off: Build with Kerberos support from security/krb5
Конфиг samba:

Код: Выделить всё

out# grep -v "#" /usr/local/etc/smb4.conf
[global]
   netbios name = out
   workgroup = AC-CONSTRUCTION
   server string = out
   security = ADS
   hosts allow = 192.168.0. 192.168.1. 127.
   log file = /var/log/samba4/log.%m
   max log size = 50
   password server = 192.168.0.2
   realm = MYDOMAIN.LOCAL
   dns proxy = no
   unix charset = koi8-r
   dos charset = cp866
   winbind use default domain = yes
   winbind uid = 10000-15000
   winbind gid = 10000-15000
   winbind enum users = yes
   winbind enum groups = yes
   local master = no
   domain master = no
   interfaces = 192.168.0.10/23
   winbind offline logon = true
Конфиг Kerberos

Код: Выделить всё

[libdefaults]
default_realm = MYDOMAIN.LOCAL
forwardable = yes
ticket_lifetime = 24h
dns_lookup_kdc = no
dns_lookup_realm = no
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
MYDOMAIN.LOCAL = {
kdc = 192.168.0.2
kdc = 192.168.0.3
admin_server = 192.168.0.2
admin_server = 192.168.0.3
default_domain = MYDOMAIN.LOCAL
}
[domain_realms]
.mydomain = MYDOMAIN.LOCAL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
default = SYSLOG:ERR:AUTH	
Конфиг Squid:

Код: Выделить всё

auth_param ntlm program /usr/local/bin/ntlm_auth -d --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
auth_param ntlm children 70
auth_param ntlm keep_alive on
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 70
auth_param basic realm My proxy server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

cachemgr_passwd pass123
http_access allow manager localhost
http_access deny manager
redirector_access deny localhost

http_port 3128

acl auth proxy_auth REQUIRED
acl _sams_4e68b0ffc1965 proxy_auth "/usr/local/etc/squid/4e68b0ffc1965.sams"
acl _sams_4e68b0ffc1965_time time MTWHFAS 00:00-23:59
acl _sams_4ecf796e14814 proxy_auth "/usr/local/etc/squid/4ecf796e14814.sams"
acl _sams_4ecf796e14814_time time MTWHFAS 00:00-23:59
acl _sams_4f1538f5885e7 proxy_auth "/usr/local/etc/squid/4f1538f5885e7.sams"
acl _sams_4f1538f5885e7_time time MTWHFAS 00:00-23:59
acl _sams_4ffd2767350e0 proxy_auth "/usr/local/etc/squid/4ffd2767350e0.sams"
acl _sams_4ffd2767350e0_time time MTWHFAS 00:00-23:59
acl _sams_53e0c53e03eeb proxy_auth "/usr/local/etc/squid/53e0c53e03eeb.sams"
acl _sams_53e0c53e03eeb_time time MTWHFAS 00:00-23:59
acl _sams_4e68b02875c9c proxy_auth "/usr/local/etc/squid/4e68b02875c9c.sams"
acl _sams_4e68b02875c9c_time time MTWHFAS 00:00-23:59
acl _sams_4d89dfb50c51e proxy_auth "/usr/local/etc/squid/4d89dfb50c51e.sams"
acl _sams_4d89dfb50c51e_time time MTWHFAS 00:00-23:59
acl _sams_4d889adfca190 proxy_auth "/usr/local/etc/squid/4d889adfca190.sams"
acl _sams_4d889adfca190_time time MTWHFAS 00:00-23:59
acl _sams_4d883ebc51e5f proxy_auth "/usr/local/etc/squid/4d883ebc51e5f.sams"
acl _sams_4d883ebc51e5f_time time MTWHFAS 00:00-23:59
acl _sams_4d592b7f6e869 proxy_auth "/usr/local/etc/squid/4d592b7f6e869.sams"
acl _sams_4d592b7f6e869_time time MTWHFAS 00:00-23:59
acl _sams_4d7dc9e5697b3 proxy_auth "/usr/local/etc/squid/4d7dc9e5697b3.sams"
acl _sams_4d7dc9e5697b3_time time MTWHFAS 00:00-23:59
acl _sams_4d7dc9f3524a9 proxy_auth "/usr/local/etc/squid/4d7dc9f3524a9.sams"
acl _sams_4d7dc9f3524a9_time time MTWHFAS 00:00-23:59
acl _sams_4d7dca0999f4e proxy_auth "/usr/local/etc/squid/4d7dca0999f4e.sams"
acl _sams_4d7dca0999f4e_time time MTWHFAS 00:00-23:59
acl _sams_4d7dca1885834 proxy_auth "/usr/local/etc/squid/4d7dca1885834.sams"
acl _sams_4d7dca1885834_time time MTWHFAS 00:00-23:59
acl _sams_4d7dca71be2bb proxy_auth "/usr/local/etc/squid/4d7dca71be2bb.sams"
acl _sams_4d7dca71be2bb_time time MTWHFAS 00:00-23:59
acl _sams_4efafc004dc02 urlpath_regex -i "/usr/local/etc/squid/4efafc004dc02.sams"
acl _sams_4efafc2f13b88 urlpath_regex -i "/usr/local/etc/squid/4efafc2f13b88.sams"

redirect_program /usr/local/rejik3/redirector /usr/local/rejik3/redirector.conf
url_rewrite_children 5

access_log /usr/squid/squid/logs/access.log squid

cache_log /usr/squid/squid/logs/cache.log

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

netdb_filename /usr/squid/squid/logs/netdb.state

acl post method POST
acl Safe_ports port 491
acl Safe_ports port 443

http_access allow auth
http_access allow _sams_4e68b0ffc1965  _sams_4e68b0ffc1965_time
http_access allow _sams_4ecf796e14814  _sams_4ecf796e14814_time
http_access allow _sams_4f1538f5885e7  _sams_4f1538f5885e7_time
http_access allow _sams_4ffd2767350e0  _sams_4ffd2767350e0_time
http_access allow _sams_53e0c53e03eeb  !_sams_4efafc004dc02 !_sams_4efafc2f13b88 _sams_53e0c53e03eeb_time
http_access allow _sams_4e68b02875c9c  _sams_4e68b02875c9c_time
http_access allow _sams_4d89dfb50c51e  _sams_4d89dfb50c51e_time
http_access allow _sams_4d889adfca190  _sams_4d889adfca190_time
http_access allow _sams_4d883ebc51e5f  _sams_4d883ebc51e5f_time
http_access allow _sams_4d592b7f6e869  _sams_4d592b7f6e869_time
http_access allow _sams_4d7dc9e5697b3  _sams_4d7dc9e5697b3_time
http_access allow _sams_4d7dc9f3524a9  _sams_4d7dc9f3524a9_time
http_access allow _sams_4d7dca0999f4e  _sams_4d7dca0999f4e_time
http_access allow _sams_4d7dca1885834  _sams_4d7dca1885834_time
http_access allow _sams_4d7dca71be2bb  _sams_4d7dca71be2bb_time
http_access deny all	
в cache.log такая бяка

Код: Выделить всё

2015/07/06 08:21:25 kid1| Logfile: opening log /usr/squid/squid/logs/access.log
2015/07/06 08:21:25 kid1| WARNING: log name now starts with a module name. Use 'stdio:/usr/squid/squid/logs/access.log'
2015/07/06 08:21:25 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2015/07/06 08:21:25 kid1| Store logging disabled
2015/07/06 08:21:25 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2015/07/06 08:21:25 kid1| Target number of buckets: 1008
2015/07/06 08:21:25 kid1| Using 8192 Store buckets
2015/07/06 08:21:25 kid1| Max Mem  size: 262144 KB
2015/07/06 08:21:25 kid1| Max Swap size: 0 KB
2015/07/06 08:21:25 kid1| Using Least Load store dir selection
2015/07/06 08:21:25 kid1| Current Directory is /var/squid
2015/07/06 08:21:25 kid1| Finished loading MIME types and icons.
2015/07/06 08:21:25 kid1| HTCP Disabled.
2015/07/06 08:21:25 kid1| Pinger socket opened on FD 12
2015/07/06 08:21:25 kid1| NETDB state reloaded; 17 entries, 0 msec
2015/07/06 08:21:25 kid1| Squid plugin modules loaded: 0
2015/07/06 08:21:25 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 10 flags=9
2015/07/06 08:21:25| pinger: Initialising ICMP pinger ...
2015/07/06 08:21:25| pinger: ICMP socket opened.
2015/07/06 08:21:25| pinger: ICMPv6 socket opened
2015/07/06 08:21:25 kid1| Starting new ntlmauthenticator helpers...
2015/07/06 08:21:25 kid1| helperOpenServers: Starting 1/70 'ntlm_auth' processes
2015/07/06 08:21:25 kid1| Starting new ntlmauthenticator helpers...
2015/07/06 08:21:25 kid1| helperOpenServers: Starting 1/70 'ntlm_auth' processes
2015/07/06 08:21:25 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:25 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:25 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:26 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:26 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:26 kid1| storeLateRelease: released 0 objects
2015/07/06 08:21:26 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:26 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:27 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:27 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
2015/07/06 08:21:33 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
в access.log так:

Код: Выделить всё

1436162004.492   0 192.168.0.9   TCP_DENIED/407 4063 CONNECT api.skype:443 - HIER_NONE/- text/htm	
Права на папку winbind_privileged такие

Код: Выделить всё

# file: /var/db/samba4/winbindd_privileged
# owner: root
# group: squid
user::rwx
group::r-x
other::---
wbinfo -u

Код: Выделить всё

список пользователей
Как мне победить данную проблему?

Отправлено спустя 25 минут 36 секунд:

Код: Выделить всё

wbinfo -a MYDOMAIN\\user%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

Хостинговая компания Host-Food.ru
Хостинг HostFood.ru
 

Услуги хостинговой компании Host-Food.ru

Хостинг HostFood.ru

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

Аватара пользователя
Alex Keda
стреляли...
Сообщения: 35426
Зарегистрирован: 2004-10-18 14:25:19
Откуда: Made in USSR
Контактная информация:

FreeBSD squid + sams (ntlm+basic аутентификация) + rejik

Непрочитанное сообщение Alex Keda » 2015-07-09 18:22:28

Юзеров самба-то видит?
Убей их всех! Бог потом рассортирует...

Аватара пользователя
Sindikat88
мл. сержант
Сообщения: 138
Зарегистрирован: 2010-09-02 15:07:54
Контактная информация:

FreeBSD squid + sams (ntlm+basic аутентификация) + rejik

Непрочитанное сообщение Sindikat88 » 2015-07-10 18:22:31

Да, самба юзеров видит.
Проблема заключается только в https сайтах из под Internet Explorer