
Win 2008 sp2 + kerberos squid

Posted: 2014-03-31 14:25:31
RusBiT
CentOS 6.5 + Windows 2008 SP2
sgbs - server name
mydomain.local - domain
proxy.mydomain.local - squid server
pr0xy - user for the proxy-to-AD bind
user - user with internet access
user2 - user without internet access
Kerberos authentication in SQUID does not work

Code:

2014/03/31 19:23:09| squid_kerb_auth: WARNING: received type 1 NTLM token
2014/03/31 19:23:09| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2014/03/31 19:24:06| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2014/03/31 19:24:06| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length: 40).
2014/03/31 19:24:06| squid_kerb_auth: WARNING: received type 1 NTLM token
2014/03/31 19:24:06| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2014/03/31 19:24:40| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2014/03/31 19:24:40| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length: 40).
2014/03/31 19:24:40| squid_kerb_auth: WARNING: received type 1 NTLM token
2014/03/31 19:24:40| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
The browser is configured to use proxy.mydomain.local
The proxy server's time is synchronized with the domain

/etc/squid/squid.conf

Code:

visible_hostname localhost
http_port 3128
access_log /var/log/squid/access.log squid

# Negotiate (Kerberos) helper, debug enabled, bound to the HTTP/ service principal
auth_param negotiate program /usr/lib64/squid/negotiate_kerb_auth -d -s HTTP/proxy.mydomain.local@MYDOMAIN.LOCAL
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Group lookup in AD: %LOGIN is the authenticated user, %a the group name from the acl line;
# -K strips the Kerberos realm from the login, -W reads the bind password from a file
external_acl_type ldap_search %LOGIN \
/usr/lib64/squid/squid_ldap_group \
-R -b "dc=mydomain,dc=local" \
-f "(&(sAMAccountName=%v)(memberof=cn=%a,OU=proxy,DC=mydomain,DC=local))" \
-D pr0xy@mydomain.local -W /etc/squid/squid.pass \
-K -h sgbs.mydomain.local
acl i_allowed external ldap_search internet

acl AUTHENTICATED proxy_auth REQUIRED

acl localnet dst 192.168.10.0/24
http_access allow AUTHENTICATED localnet
http_access allow i_allowed
http_access deny all

The check that the user belongs to the group succeeds

Code:

/usr/lib64/squid/squid_ldap_group \
> -R -b "dc=mydomain,dc=local" \
> -f "(&(sAMAccountName=%v)(memberof=cn=%a,OU=proxy,DC=mydomain,DC=local))" \
> -D pr0xy@mydomain.local -W /etc/squid/squid.pass \
> -K -h sgbs.mydomain.local
user internet
OK
user2 internet
ERR
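The cache.log excerpt in this post shows what negotiate_kerb_auth does when the browser answers the Negotiate challenge with a raw NTLMSSP NEGOTIATE (type 1) message instead of a Kerberos/SPNEGO token: the helper cannot validate it and returns BH. The following decoder is an added example for reading such tokens off cache.log; it is not code from the poster, from Squid or from the helper. It takes the "YR <base64>" request exactly as logged above, checks for the NTLMSSP signature, reads the message type, flags and the optional Version field, and otherwise tries to recognise the token as a GSS-API InitialContextToken by its mechanism OID. The helper request prefixes YR and KK are Squid's Negotiate helper protocol; the SPNEGO sample line in the log-scanning part is constructed here, as is the Kerberos OID used in the comparison table.

```python
import base64
import re
import struct

# Token copied from the cache.log lines in the post ("Got 'YR ...' from squid").
LOGGED_TOKEN = "YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Mechanism OIDs a GSS-API wrapper may carry (dotted form after DER decoding).
KNOWN_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy)",
}


def decode_oid(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER (tag/length removed)."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last base-128 digit of this arc
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def classify_token(blob):
    """Tell an NTLMSSP message apart from a GSS-API (SPNEGO/Kerberos) token."""
    if blob.startswith(NTLMSSP_SIGNATURE) and len(blob) >= 12:
        msg_type = struct.unpack_from("<I", blob, 8)[0]
        info = {"mechanism": "NTLMSSP", "ntlm_type": msg_type,
                "ntlm_name": NTLM_TYPES.get(msg_type, "UNKNOWN")}
        if msg_type == 1 and len(blob) >= 16:
            info["flags"] = struct.unpack_from("<I", blob, 12)[0]
        if msg_type == 1 and len(blob) >= 40:
            # Optional Version field at offset 32: major, minor, build (LE)
            major, minor, build = struct.unpack_from("<BBH", blob, 32)
            info["client_os_version"] = (major, minor, build)
        return info
    if blob and blob[0] == 0x60:
        # InitialContextToken: 0x60 <len> 0x06 <oid-len> <oid bytes> ...
        idx = 1
        length = blob[idx]
        idx += 1
        if length & 0x80:         # long-form DER length: skip its bytes
            idx += length & 0x7F
        if idx + 1 < len(blob) and blob[idx] == 0x06:
            oid_len = blob[idx + 1]
            oid = decode_oid(blob[idx + 2: idx + 2 + oid_len])
            return {"mechanism": KNOWN_OIDS.get(oid, "GSS-API (unknown OID)"),
                    "oid": oid}
    return {"mechanism": "unrecognised"}


def classify_helper_line(line):
    """Parse a 'YR <base64>' or 'KK <base64>' helper request line."""
    m = re.match(r"^(YR|KK)\s+(\S+)$", line.strip())
    if not m:
        raise ValueError("not a negotiate helper request: %r" % line)
    return classify_token(base64.b64decode(m.group(2)))


# Pattern for the DEBUG line negotiate_kerb_auth -d writes for each request.
TOKEN_RE = re.compile(r"Got '((?:YR|KK) [A-Za-z0-9+/=]+)' from squid")


def scan_cache_log(lines):
    """Classify every helper token found in a sequence of cache.log lines."""
    findings = []
    for line in lines:
        m = TOKEN_RE.search(line)
        if m:
            findings.append(classify_helper_line(m.group(1)))
    return findings


# Constructed minimal SPNEGO wrapper (OID only) to show the other branch.
CONSTRUCTED_SPNEGO = base64.b64encode(
    bytes.fromhex("6008" "0606" "2b0601050502")).decode()

# Two lines copied from the post plus one constructed line.
SAMPLE_LOG = [
    "2014/03/31 19:24:06| squid_kerb_auth: DEBUG: Got '%s' from squid (length: 59)." % LOGGED_TOKEN,
    "2014/03/31 19:24:40| squid_kerb_auth: DEBUG: Got '%s' from squid (length: 59)." % LOGGED_TOKEN,
    "2014/03/31 19:25:00| squid_kerb_auth: DEBUG: Got 'YR %s' from squid (length: 19)." % CONSTRUCTED_SPNEGO,
]

if __name__ == "__main__":
    for finding in scan_cache_log(SAMPLE_LOG):
        print(finding)
```

Run against the logged token, the decoder reports an NTLMSSP NEGOTIATE message with flags 0xa2088207 and a Version field of 5.1 build 2600, which is what the helper's "received type 1 NTLM token" warning summarises; a Kerberos-capable client would instead have produced a token starting with the 0x60 GSS-API tag and the SPNEGO or Kerberos OID.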

Re: Win 2008 sp2 + kerberos squid

Posted: 2014-03-31 14:56:53
RusBiT

Code:

[root@proxy init.d]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/proxy.mydomain.local@MYDOMAIN.LOCAL

Valid starting     Expires            Service principal
03/27/14 23:10:07  03/28/14 09:10:08  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
        renew until 03/28/14 23:10:07