Kerberos authentication is not working in Squid
sgbs - server name
mydomain.local - the domain
proxy.mydomain.local - the Squid server
pr0xy - the account the proxy uses to talk to AD
user - a user with internet access
user2 - a user without internet access
Code:
2014/03/31 19:23:09| squid_kerb_auth: WARNING: received type 1 NTLM token
2014/03/31 19:23:09| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2014/03/31 19:24:06| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2014/03/31 19:24:06| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length: 40).
2014/03/31 19:24:06| squid_kerb_auth: WARNING: received type 1 NTLM token
2014/03/31 19:24:06| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2014/03/31 19:24:40| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2014/03/31 19:24:40| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length: 40).
2014/03/31 19:24:40| squid_kerb_auth: WARNING: received type 1 NTLM token
2014/03/31 19:24:40| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
The proxy server's time is synchronised with the domain.
/etc/squid/squid.conf
Code:
visible_hostname localhost
http_port 3128
access_log /var/log/squid/access.log squid
auth_param negotiate program /usr/lib64/squid/negotiate_kerb_auth -d -s HTTP/proxy.mydomain.local@MYDOMAIN.LOCAL
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type ldap_search %LOGIN \
/usr/lib64/squid/squid_ldap_group \
-R -b "dc=mydomain,dc=local" \
-f "(&(sAMAccountName=%v)(memberof=cn=%a,OU=proxy,DC=mydomain,DC=local))" \
-D pr0xy@mydomain.local -W /etc/squid/squid.pass \
-K -h sgbs.mydomain.local
acl i_allowed external ldap_search internet
acl AUTHENTICATED proxy_auth REQUIRED
acl localnet dst 192.168.10.0/24
http_access allow AUTHENTICATED localnet
http_access allow i_allowed
http_access deny all
Code:
/usr/lib64/squid/squid_ldap_group \
> -R -b "dc=mydomain,dc=local" \
> -f "(&(sAMAccountName=%v)(memberof=cn=%a,OU=proxy,DC=mydomain,DC=local))" \
> -D pr0xy@mydomain.local -W /etc/squid/squid.pass \
> -K -h sgbs.mydomain.local
user internet
OK
user2 internet
ERR
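For anyone triaging this kind of failure, an added example (not from the post and not part of Squid) that pulls the base64 token out of the squid_kerb_auth DEBUG line, decodes it and tells an NTLMSSP message apart from a SPNEGO/Kerberos one; negotiate_kerb_auth only understands Kerberos, so an NTLMSSP token here means the browser never obtained a ticket for the proxy's SPN and fell back to NTLM. The sample log lines are constructed from the ones quoted above; the `YR`/`KK` prefixes are Squid's negotiate helper protocol markers for the first and follow-up tokens.

```python
import base64
import re
import struct

# Constructed sample: two cache.log lines of the kind squid_kerb_auth writes,
# carrying the token quoted in the post above.
SAMPLE_LOG = """\
2014/03/31 19:24:06| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2014/03/31 19:24:06| squid_kerb_auth: WARNING: received type 1 NTLM token
"""

# 'YR' = first token of a Negotiate exchange, 'KK' = a follow-up token (Squid helper protocol).
TOKEN_RE = re.compile(r"Got '(?:YR|KK) ([A-Za-z0-9+/=]+)' from squid")
NTLMSSP_SIG = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_VERSION = 0x02000000  # flag: the 8-byte Version field is present
GSS_APP0 = 0x60  # first byte of a GSS-API/SPNEGO InitialContextToken ([APPLICATION 0])

def classify_token(raw: bytes) -> dict:
    """Name the mechanism of a decoded token; for NTLMSSP also return type, flags and client OS."""
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 16:
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        info = {"mech": "NTLMSSP", "ntlm_type": msg_type, "flags": flags}
        # In a type 1 message the Version field follows the domain/workstation fields (offset 32).
        if msg_type == 1 and flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info["client_os"] = f"{major}.{minor} build {build}"
        return info
    if raw and raw[0] == GSS_APP0:
        return {"mech": "SPNEGO/Kerberos"}
    return {"mech": "unknown"}

def scan_log(text: str) -> list:
    """Decode every helper token found in cache.log text and classify it."""
    found = []
    for line in text.splitlines():
        m = TOKEN_RE.search(line)
        if m:
            found.append(classify_token(base64.b64decode(m.group(1))))
    return found

if __name__ == "__main__":
    for tok in scan_log(SAMPLE_LOG):
        print(tok)
```

Run against the real cache.log after reproducing the failure; a token that decodes to NTLMSSP with the client's OS version confirms the fallback is happening on the client side, before the helper ever sees Kerberos.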