Задача: настроить прокси-сервер с авторизацией в АД и управлением доступом в инет через группы в АД
OS:
10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789
Samba version 4.1.7
root@proxysrv:/var/log/squid # squid -v
Squid Cache: Version 3.3.11
configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache/squid' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam LDAP SMB NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group wbinfo_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=diskd rock ufs aufs' '--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--disable-ipv6' '--enable-icmp' '--enable-htcp' '--disable-forw-via-db' '--disable-cache-digests' '--enable-wccp' '--enable-wccpv2' '--enable-eui' '--enable-ipfw-transparent' '--disable-pf-transparent' '--disable-ipf-transparent' '--disable-follow-x-forwarded-for' '--disable-ecap' '--disable-icap-client' '--disable-esi' '--enable-kqueue' '--with-large-files' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd10.0' 'build_alias=amd64-portbld-freebsd10.0' 'CC=cc' 'CFLAGS=-O2 -pipe -I/usr/local/include -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/local/lib -pthread' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -DLDAP_DEPRECATED -fno-strict-aliasing -Wno-unused-private-field' 'CPP=cpp' --enable-ltdl-convenience
#======================= Global Settings ============================
# Samba member-server configuration for the proxy host: joined to the AD
# realm below and running winbind so that ntlm_auth (used by squid.conf)
# can validate domain logons.
[global]
workgroup = MYCOMPANY
server string = Corporate Proxy Server
security = ADS
# Restricts SMB service (smbd) to the LAN; it does not gate winbind lookups.
hosts allow = 192.168.6.
log file = /var/log/samba4/log.%m
max log size = 1024
# NOTE(review): this DC differs from the kdc named in krb5.conf (dc2);
# confirm both names resolve and are reachable from this host.
password server = dc-b2.mycompany.ua
# NOTE(review): realm is written lowercase here but MYCOMPANY.UA in krb5.conf;
# Samba is expected to upper-case it — confirm with `net ads testjoin`.
realm = mycompany.ua
passdb backend = tdbsam
socket options = TCP_NODELAY
# This host must never win browser elections or act as a domain controller.
local master = no
os level = 0
domain master = no
preferred master = no
domain logons = no
unix charset = KOI8-R
dos charset = cp866
# 'no' means winbind reports users with the domain prefix (DOMAIN\user);
# a bare username presented to the basic-auth helper will presumably not match.
winbind use default domain = no
# NOTE(review): `winbind uid`/`winbind gid` are legacy idmap parameters; run
# `testparm` to confirm Samba 4.1.7 still accepts them — the current form is
# `idmap config * : range = 10000-20000`.
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
# --------------------------- Printing Options -----------------------------
load printers = no
# Kerberos client configuration for the AD realm the Samba host is joined to.
[libdefaults]
default_realm = MYCOMPANY.UA
[realms]
MYCOMPANY.UA = {
# NOTE(review): the KDC here (dc2) is not the DC given as `password server`
# in smb.conf (dc-b2); confirm both hostnames resolve and are reachable.
kdc = dc2.mycompany.ua
admin_server = dc-b2.mycompany.ua
kpasswd_server = dc-b2.mycompany.ua
}
[domain_realm]
# Map the DNS domain and all its subdomains to the realm.
.mycompany.ua = MYCOMPANY.UA
mycompany.ua = MYCOMPANY.UA
[login]
# NOTE(review): krb4_* are legacy Kerberos 4 settings; presumably ignored by
# the Kerberos library on FreeBSD 10 — verify they are still needed.
krb4_convert=true
krb4_get_tickets = false
[logging]
# NOTE(review): /var/log/kerberos must exist and be writable by the processes
# that log here, otherwise these entries produce nothing — verify.
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
root@proxysrv:/var/log/squid # cat /usr/local/etc/squid/squid.conf
# Squid 3.3 listener bound to the LAN interface only; every request must pass
# domain authentication (ntlm_auth via winbind) before http_access allows it.
http_port 192.168.6.31:3128
acl QUERY urlpath_regex cgi-bin \?
# NOTE(review): `no_cache` is the Squid 2.x spelling; Squid 3 uses
# `cache deny QUERY` — check cache.log for a deprecation warning.
no_cache deny QUERY
cache_mem 1024 MB
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
hosts_file /etc/hosts
append_domain .mycompany.ua
logfile_rotate 10
# NTLM helper. Squid runs as the `squid` user (--with-default-user=squid in
# the build options); ntlm_auth can only verify passwords if that user is
# allowed to reach winbind's privileged socket — when the browser keeps
# re-prompting, check cache.log for helper errors first.
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100
auth_param ntlm keep_alive on
# Basic fallback: domain credentials reach the proxy base64-encoded, i.e. in
# clear text for anyone on the path. With `winbind use default domain = no`
# in smb.conf the user presumably has to enter DOMAIN\user here — confirm.
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 40
auth_param basic realm Squid proxy server
auth_param basic credentialsttl 5 minutes
auth_param basic casesensitive off
authenticate_ttl 5 minutes
authenticate_ip_ttl 1 minutes
# Any successfully authenticated domain user is allowed; the trailing `all` is
# redundant. Restriction by AD group (the stated goal) is not configured yet —
# the build includes the wbinfo_group external ACL helper for that.
acl ntlm proxy_auth REQUIRED
http_access allow ntlm all
http_access deny all
error_directory /usr/local/etc/squid/errors/ru
wbinfo -g и wbinfo -u
Но при попытке идти в инет постоянно выскакивает окно авторизации