Помогите разобраться или подскажите, куда посмотреть! Наблюдаю такую закономерность (имхо): Squid не разрешает доступ по ACL, точнее не обновляет или не берёт информацию от winbind до тех пор, пока руками не перезапустить именно демон Squid. Связка Squid + AD (через winbind).
# freebsd-version
10.1-RELEASE-p6
# squid -v
Squid Cache: Version 3.4.12
configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--disable-cache-digests' '--enable-delay-pools' '--disable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--disable-icap-client' '--disable-icmp' '--enable-ident-lookups' '--disable-ipv6' '--enable-kqueue' '--without-large-files' '--disable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--disable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam SMB' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group wbinfo_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=ufs aufs diskd' '--enable-disk-io=AIO Blocking IpcIo Mmapped DiskThreads DiskDaemon' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--with-openssl=/usr' '--disable-optimizations' '--enable-debug-cbdata' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd10.1' 'build_alias=amd64-portbld-freebsd10.1' 'CC=cc' 'CFLAGS=-pipe -I/usr/include -g -fstack-protector -fno-strict-aliasing' 'LDFLAGS= -pthread -Wl,-rpath,/usr/lib:/usr/local/lib -L/usr/lib -fstack-protector' 'LIBS=' 
'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-pipe -I/usr/include -g -fstack-protector -fno-strict-aliasing -Wno-unused-private-field' 'CPP=cpp' --enable-ltdl-convenience
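cache_effective_user squid
cache_effective_group squid
connect_timeout 20 second
dns_v4_first on
# NTLM (NTLMSSP) through winbind's ntlm_auth. NTLM is a legacy challenge/response
# scheme; this build also has the negotiate (kerberos) helper compiled in, which is
# the stronger choice for domain-joined clients -- consider listing it ahead of ntlm.
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive off
# These two govern Squid's *credential* cache only; they do not shorten the
# external ACL result cache configured further down.
authenticate_ttl 1 minutes
authenticate_cache_garbage_interval 1 minute
# Basic auth carries the password in the clear (base64) in every request; keep it
# as a last-resort fallback for clients that cannot do NTLM/Negotiate.
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 4
auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off
#######################################################
# AD group membership lookups via winbind (ext_wbinfo_group_acl -> winbindd
# privileged pipe). Squid caches each helper answer per %LOGIN; with no ttl
# given, the default applies (3600 s in Squid 3.x), and that -- not
# authenticate_ttl -- is the likely reason a group change only becomes visible
# after a restart. The explicit ttl/negative_ttl below bound that window;
# winbindd's own "winbind cache time" (300 s in smb4.conf) adds on top of it.
# The helper needs access to the winbindd_privileged/ directory; the socket
# inside it is world-writable (srwxrwxrwx in the listing), so the directory
# mode is what actually gates access -- verify it with "ls -ld", not "ls -l".
external_acl_type nt_group ttl=60 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_wbinfo_group_acl
#######################################################
#######################################################
#Access for users
# Each acl passes one AD group name as the helper argument.
acl Inet_users external nt_group InternetUsers
acl Inet_full_users external nt_group InternetFullUsers
#######################################################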
........
########################################################################
# Grant access to members of the two AD groups. Both lines are allows, so
# their relative order does not change the outcome. The rest of the rule
# set (including whatever final deny applies to everyone else) appears to be
# elided from this excerpt, so the default-deny posture cannot be confirmed here.
http_access allow Inet_full_users
http_access allow Inet_users
########################################################################
.....
# ntlm_auth -V
Version 4.1.17
# ls -l /var/db/samba4/winbindd_privileged/
total 1
srwxrwxrwx 1 root squid 0 Mar 19 14:01 pipe
# ls -l /usr/local/libexec/squid/ext_wbinfo_group_acl
-r-xr-xr-x 1 root squid 5005 Mar 18 10:43 /usr/local/libexec/squid/ext_wbinfo_group_acl
# ls -al /usr/local/etc/|grep squid
drwxr-xr-x 4 squid squid 17 Mar 19 12:23 squid
# cat /usr/local/etc/smb4.conf
[global]
# Domain-member settings for the proxy host; only the [global] section is shown.
workgroup = MYDOMAIN
server string = Proxy
# ADS = Kerberos-based AD domain member; relies on the realm below and a valid
# machine account on the DC.
security = ADS
# Restricts which client networks may reach the SMB services. It does not gate
# the local winbindd pipe used by Squid's helpers -- that is controlled by the
# file permissions on winbindd_privileged/.
hosts allow = 192.168.0. 127.
log file = /var/log/samba4/log.%m
max log size = 50
# Default since Samba 3; kept explicit here.
encrypt passwords = yes
realm = MYDOMAIN.RU
interfaces = em0
socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 TCP_NODELAY
# Plain member: not a browse master and not a domain controller.
local master = no
domain logons = no
domain master = no
dns proxy = no
unix charset = koi8-r
dos charset = cp866
# NOTE(review): "auth methods" is deprecated in Samba 4.x and may be ignored by
# this version (4.1.17 per ntlm_auth -V) -- confirm with testparm.
auth methods = winbind
# No cached credentials for offline use: a DC outage means no logins.
winbind offline logon = no
# Use MS-RPC rather than LDAP for DC lookups.
winbind rpc only = yes
winbind reconnect delay = 30
winbind uid = 10000-20000
winbind gid = 10000-20000
# Usernames are returned without the DOMAIN\ prefix; presumably this has to
# match what the Squid helpers receive in %LOGIN -- verify if ACLs misbehave.
winbind use default domain = yes
# Full user/group enumeration is expensive on large domains and is not needed
# for per-user membership checks such as wbinfo_group; consider "no".
winbind enum users = yes
winbind enum groups = yes
# winbindd caches DC answers for 300 s: a group change in AD can take up to
# that long to be seen by ext_wbinfo_group_acl, in addition to Squid's own
# external ACL result cache.
winbind cache time = 300
# Only affects SID<->uid/gid mapping, not group-membership answers.
idmap cache time = 900