Re: Article squid+AD
Posted: 2008-12-11 16:04:28
It worked for me when I removed the machine from the domain and joined it again under a different name...
Code:
::1 localhost.stdgroup.local localhost
127.0.0.1 localhost.stdgroup.local localhost
Code:
hostname="fan-free.stdgroup.local"
ifconfig_em0="DHCP"
keymap="ru.koi8-r"
linux_enable="YES"
moused_enable="YES"
sshd_enable="YES"
Code:
group: files winbind
group_compat: files winbind
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
Code:
domain STDGROUP.LOCAL
nameserver 192.168.10.20
Code:
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = STDGROUP
# server string is the equivalent of the NT Description field
server string = Samba Free Server
# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
security = ads
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 192.168.1. 192.168.2. 127.
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = yes
# you may wish to override the location of the printcap file
; printcap name = /etc/printcap
# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
; printcap name = lpstat
# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, cups, sysv, plp, lprng, aix, hpux, qnx
; printing = cups
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.%U.log
# Put a capping on the size of the log files (in Kb).
max log size = 50000
# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
# password server = STDGROUP.LOCAL
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
realm = STDGROUP.LOCAL
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
; passdb backend = tdbsam
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
# this line. The included file is read at that point.
; include = /usr/local/etc/smb.conf.%m
# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
# You may want to add the following on a Linux system:
; socket options = SO_RCVBUF=8192 SO_SNDBUF=8192
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; preferred master = yes
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
dns proxy = no
netbios name = FAN-FREE
# Charset settings
display charset = koi8-r
unix charset = koi8-r
dos charset = cp866
# Use extended attributes to store file modes
; store dos attributes = yes
; map hidden = no
; map system = no
; map archive = no
# Use inherited ACLs for directories
; nt acl support = yes
; inherit acls = yes
; map acl inherit = yes
# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
; add user script = /usr/sbin/useradd %u
; add group script = /usr/sbin/groupadd %g
; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
; delete user script = /usr/sbin/userdel %u
; delete user from group script = /usr/sbin/deluser %u %g
; delete group script = /usr/sbin/groupdel %g
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /usr/local/samba/lib/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /usr/local/samba/profiles
; browseable = no
; guest ok = yes
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = @staff
# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /homes/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/pc/%m
; public = no
; writable = yes
# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
Code:
vmsrvfreebsd# cat /usr/local/etc/squid/squid.conf
auth_param ntlm program /usr/local/bin/ntlm_auth \
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/local/bin/ntlm_auth \
--helper-protocol=squid-2.5-basic
auth_param basic children 4
auth_param basic realm Proxy-caching web server
auth_param basic credentialsttl 2 hours
acl all src 10.0.20.0/255.255.255.0
external_acl_type nt_group %LOGIN /usr/local/libexec/squid/wbinfo_group.pl
acl allowinternetaccess external nt_group allowinternetaccess
acl GSC01 proxy_auth REQUIRED
acl SSL_ports port 443 563
acl SSL_for_client_banks port 910 8443 4500
acl safe_ports port 80 # http
acl safe_ports port 21 # ftp
acl safe_ports port 443 # ssl
acl ICQ_ports port 5190 # ICQ
acl CONNECT method CONNECT
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl deny_msn dstdomain "/usr/local/etc/squid/db/deny_msn.txt"
acl localsites dstdomain "/usr/local/etc/squid/db/allow_sites.txt"
acl SNMP snmp_community squidmrtg
snmp_port 3401
acl myhost src 10.0.20.38/255.255.255.255
snmp_access allow SNMP myhost
snmp_access deny all
deny_info ERR_DENY_DOMAINS deny_msn
http_access allow manager localhost
http_access deny manager
http_access allow allowinternetaccess all
http_access deny deny_msn
http_access allow localsites all
deny_info ERR_INET_NO_ALLOW all
http_access deny all
acl manager proto cache_object
acl webserver src 10.0.20.38/255.255.255.255
http_access allow manager webserver
http_access deny manager
#acl all src all
acl manager proto cache_object
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 1024 MB
cache_dir ufs /var/log/squid/cache 50000 64 512
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none
pid_filename /var/run/squid/squid.pid
ftp_user Squid@
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mgr pavel.bondar@be.dsv.com
error_directory /usr/local/etc/squid/errors/English
hosts_file /etc/hosts
append_domain .gsc01.local
coredump_dir /usr/local/squid/cache
Code:
1231934803.420 0 10.0.25.50 TCP_DENIED/407 1798 GET http://www.msn.com/? - NONE/- text/html
1231934803.423 1 10.0.25.50 TCP_DENIED/407 2018 GET http://www.msn.com/? - NONE/- text/html
1231934803.890 466 10.0.25.50 TCP_DENIED/403 1382 GET http://www.msn.com/? pbonda DIRECT/65.54.152.126 text/html
Code:
1231924032.035 16 10.10.0.21 TCP_DENIED/407 1914 POST http://www.nowa.cc/ajax.php - NONE/- text/html
1231924032.052 17 10.10.0.21 TCP_DENIED/407 1762 POST http://www.nowa.cc/ajax.php - NONE/- text/html
1231924067.800 15 10.10.0.21 TCP_DENIED/407 1762 POST http://www.nowa.cc/ajax.php - NONE/- text/html
1231924067.833 15 10.10.0.21 TCP_DENIED/407 1914 POST http://www.nowa.cc/ajax.php - NONE/- text/html
1231924067.850 16 10.10.0.21 TCP_DENIED/407 1762 POST http://www.nowa.cc/ajax.php - NONE/- text/html
1231924171.053 15 10.10.0.21 TCP_DENIED/407 1762 POST http://www.nowa.cc/ajax.php - NONE/- text/html
1231924171.098 15 10.10.0.21 TCP_DENIED/407 1914 POST http://www.nowa.cc/ajax.php - NONE/- text/html
1231924171.113 15 10.10.0.21 TCP_DENIED/407 1762 POST http://www.nowa.cc/ajax.php - NONE/- text/html
1231924171.281 14 10.10.0.21 TCP_DENIED/407 1762 POST http://www.nowa.cc/ajax.php - NONE/- text/html
1231924171.314 20 10.10.0.21 TCP_DENIED/407 1914 POST http://www.nowa.cc/ajax.php - NONE/- text/html
1231924171.331 16 10.10.0.21 TCP_DENIED/407 1762 POST http://www.nowa.cc/ajax.php - NONE/- text/html
Code:
2009/01/14 22:35:02| Starting Squid Cache version 2.6.STABLE22 for i386-portbld-freebsd7.0...
2009/01/14 22:35:02| Process ID 915
2009/01/14 22:35:02| With 11072 file descriptors available
2009/01/14 22:35:02| Using kqueue for the IO loop
2009/01/14 22:35:02| Performing DNS Tests...
2009/01/14 22:35:02| Successful DNS name lookup tests...
2009/01/14 22:35:02| DNS Socket created at 0.0.0.0, port 57693, FD 7
2009/01/14 22:35:02| Adding domain vokki.local from /etc/resolv.conf
2009/01/14 22:35:02| Adding nameserver 10.10.0.1 from /etc/resolv.conf
2009/01/14 22:35:02| helperStatefulOpenServers: Starting 30 'ntlm_auth' processes
[2009/01/14 22:35:02, 0] utils/ntlm_auth.c:get_winbind_domain(146)
could not obtain winbind domain name!
[2009/01/14 22:35:02, 0] utils/ntlm_auth.c:get_winbind_domain(146)
could not obtain winbind domain name!
2009/01/14 22:35:02| helperOpenServers: Starting 5 'wbinfo_group.pl' processes
2009/01/14 22:35:02| Unlinkd pipe opened on FD 47
2009/01/14 22:35:02| Swap maxSize 51200000 + 1048576 KB, estimated 0 objects
2009/01/14 22:35:02| Target number of buckets: 200956
2009/01/14 22:35:02| Using 262144 Store buckets
2009/01/14 22:35:02| Max Mem size: 1048576 KB
Could you go into more detail on this point, please?
lissyara wrote:
> set up a custom error page for every DENY - then you'll see which ACL is cutting them off
Code:
[2009/01/16 20:43:46, 10] utils/ntlm_auth.c:manage_squid_request(2081)
Got 'YR TlRMTVNTUAABAAAAB7IIogUABQAvAAAABwAHACgAAAAFASgKAAAAD0xUT08zMDRHU0MwMQ==' from squid (length: 75).
[2009/01/16 20:43:46, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(763)
got NTLMSSP packet:
[2009/01/16 20:43:46, 10] lib/util.c:dump_data(2264)
[000] 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 B2 08 A2 NTLMSSP. ........
[010] 05 00 05 00 2F 00 00 00 07 00 07 00 28 00 00 00 ..../... ....(...
[020] 05 01 28 0A 00 00 00 0F 4C 54 4F 4F 33 30 34 47 ..(..... LTOO304G
[030] 53 43 30 31 SC01
[2009/01/16 20:43:46, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa208b207
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_NEGOTIATE_OEM
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED
NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_56
[2009/01/16 20:43:46, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(773)
NTLMSSP challenge
[2009/01/16 20:43:46, 10] utils/ntlm_auth.c:manage_squid_request(2081)
Got 'KK TlRMTVNTUAADAAAAGAAYAGwAAAAYABgAhAAAAAoACgBIAAAADAAMAFIAAAAOAA4AXgAAAAAAAACcAAAABYKIogUBKAoAAAAPRwBTAEMAMAAxAHAAYgBvAG4AZABhAEwAVABPAE8AMwAwADQAQQYiCpuDE1oAAAAAAAAAAAAAAAAAAAAAjXyvCqNWW/gob9S4pSTjGGZ/KNlXRMej' from squid (length: 211).
[2009/01/16 20:43:46, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(763)
got NTLMSSP packet:
[2009/01/16 20:43:46, 10] lib/util.c:dump_data(2264)
[000] 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 NTLMSSP. ........
[010] 6C 00 00 00 18 00 18 00 84 00 00 00 0A 00 0A 00 l....... ........
[020] 48 00 00 00 0C 00 0C 00 52 00 00 00 0E 00 0E 00 H....... R.......
[030] 5E 00 00 00 00 00 00 00 9C 00 00 00 05 82 88 A2 ^....... ........
[040] 05 01 28 0A 00 00 00 0F 47 00 53 00 43 00 30 00 ..(..... G.S.C.0.
[050] 31 00 70 00 62 00 6F 00 6E 00 64 00 61 00 4C 00 1.p.b.o. n.d.a.L.
[060] 54 00 4F 00 4F 00 33 00 30 00 34 00 41 06 22 0A T.O.O.3. 0.4.A.".
[070] 9B 83 13 5A 00 00 00 00 00 00 00 00 00 00 00 00 ...Z.... ........
[080] 00 00 00 00 8D 7C AF 0A A3 56 5B F8 28 6F D4 B8 .....|.. .V[.(o..
[090] A5 24 E3 18 66 7F 28 D9 57 44 C7 A3 .$..f.(. WD..
[2009/01/16 20:43:46, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
Got user=[pbonda] domain=[GSC01] workstation=[LTOO304] len1=24 len2=24
[2009/01/16 20:43:46, 10] libsmb/ntlmssp.c:ntlmssp_server_auth(805)
ntlmssp_server_auth: Created NTLM2 session key.
[2009/01/16 20:43:46, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
NTLMSSP Sign/Seal - Initialising with flags:
[2009/01/16 20:43:46, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088205
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_56
[2009/01/16 20:43:46, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(784)
NTLMSSP OK!
Code:
id pbonda
uid=10000(pbonda) gid=10000(domain users) groups=10000(domain users),10007(ict),10009(mapping-homefolder-lbs),10014(allowinternetaccess)
Code:
mgersh ginetdeny
Got mgersh ginetdeny from squid
User: -mgersh-
Group: -ginetdeny-
SID: -S-1-5-21-2323438160-1161265324-1681903113-1209-
GID: -10030-
Sending OK to squid
OK
Code:
mgersh ginetdeny
Got mgersh ginetdeny from squid
User: -mgersh-
Group: -ginetdeny-
SID: -S-1-5-21-2323438160-1161265324-1681903113-1209-
GID: -10030-
Sending OK to squid
OK
Code:
mgersh ginetdeny
Got mgersh ginetdeny from squid
User: -mgersh-
Group: -ginetdeny-
SID: -S-1-5-21-2323438160-1161265324-1681903113-1209-
GID: -10030-
Sending OK to squid
OK
Code:
# cat /etc/rc.conf | grep winbindd
winbindd_enable="YES"
winbindd_flags="-n"
# cat /usr/local/etc/smb.conf | grep cache
winbind cache time = 5
Code:
# rm /var/db/samba/winbindd_cache.tdb
Code:
mgersh ginetdeny
Got mgersh ginetdeny from squid
User: -mgersh-
Group: -ginetdeny-
SID: -S-1-5-21-2323438160-1161265324-1681903113-1209-
GID: -10030-
Sending OK to squid
OK
Honestly, I expected more.
BlackCat wrote:
> A couple of questions.
> How much does caching help? I.e., at what load is it worth starting to think about caching?
> What does it help with more: speed-up or traffic savings?
Forcibly - reload squid and winbind, or set a TTL in the winbind and squid settings for automatic refresh.
Mr.3S wrote:
> I don't know about wbinfo_group.pl, but for squid to realize that the user is no longer in the group it has to be reconfigured, try it )
Code:
[X] SQUID_ARP_ACL Enable ACLs based on ethernet address
Code:
acl mac_user arp 00:00:00:00:00:01
Code:
http_access allow mac_user
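Added example, not posted by anyone in this thread and not part of squid or Samba: a small Python diagnostic for the two things the thread keeps circling. The first part reads access.log lines in squid's native log format (like the ones posted above) and separates the TCP_DENIED/407 entries, which are just the NTLM handshake with no user name yet, from the TCP_DENIED/403 entries, which are real http_access denials of an already authenticated user; the latter are the ones lissyara's per-DENY error pages would label. The second part emulates the line protocol between squid and an external_acl helper such as wbinfo_group.pl ("user group" in, "OK" or "ERR" out) with a TTL cache standing in for "winbind cache time", to show why a user removed from the AD group keeps getting OK until the entry expires or the cache is flushed. The log lines and the group table are constructed for the example; the names pbonda, mgersh and ginetdeny are reused from the thread only as sample values.

```python
import time
from collections import Counter, defaultdict

# Constructed sample in squid's "squid" log format:
# timestamp elapsed client code/status bytes method URL user hierarchy type
SAMPLE_ACCESS_LOG = """\
1231934803.420 0 10.0.25.50 TCP_DENIED/407 1798 GET http://www.msn.com/? - NONE/- text/html
1231934803.423 1 10.0.25.50 TCP_DENIED/407 2018 GET http://www.msn.com/? - NONE/- text/html
1231934803.890 466 10.0.25.50 TCP_DENIED/403 1382 GET http://www.msn.com/? pbonda DIRECT/65.54.152.126 text/html
1231934900.100 12 10.0.25.50 TCP_MISS/200 5120 GET http://example.com/ pbonda DIRECT/93.184.216.34 text/html
"""


def parse_squid_line(line):
    """Split one squid-format access.log line into the fields we care about."""
    fields = line.split()
    if len(fields) < 10:
        return None  # not a complete squid-format record
    code, _, status = fields[3].partition("/")
    return {
        "client": fields[2],
        "code": code,
        "status": int(status),
        "url": fields[6],
        "user": None if fields[7] == "-" else fields[7],
    }


def classify_access_log(text):
    """Per client, count 407 auth challenges, 403 ACL denials and served requests.

    A 407 with user "-" is the proxy asking for credentials (normal during the
    NTLM type1/type2/type3 exchange).  A 403 carrying a user name means the
    user authenticated fine and an http_access rule rejected the request.
    Returns (per-client counters, set of users that hit a 403)."""
    summary = defaultdict(Counter)
    denied_users = set()
    for line in text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        if rec["status"] == 407:
            summary[rec["client"]]["auth_challenge"] += 1
        elif rec["status"] == 403:
            summary[rec["client"]]["acl_denied"] += 1
            if rec["user"]:
                denied_users.add(rec["user"])
        else:
            summary[rec["client"]]["served"] += 1
    return {client: dict(counts) for client, counts in summary.items()}, denied_users


# Constructed AD group membership, standing in for what wbinfo_group.pl
# would ask winbind about.  Values are sets of group names.
GROUPS = {
    "pbonda": {"domain users", "ict", "allowinternetaccess"},
    "mgersh": {"domain users", "ginetdeny"},
}


class GroupHelper:
    """Emulates an external_acl helper: answers "user group" lines with OK/ERR.

    Answers are cached for `ttl` seconds, the way "winbind cache time" (and
    squid's own external_acl_type ttl=) keep them.  That cache is why a user
    removed from the group still gets OK for a while: the decision is served
    from memory, not re-checked against the directory."""

    def __init__(self, groups, ttl, clock=time.monotonic):
        self.groups = groups
        self.ttl = ttl
        self.clock = clock          # injectable so the expiry can be tested
        self._cache = {}            # (user, group) -> (answer, expires_at)

    def query(self, line):
        """Handle one request line exactly as the helper protocol delivers it."""
        try:
            user, group = line.strip().split(" ", 1)
        except ValueError:
            return "ERR"            # malformed request: deny rather than guess
        key = (user, group)
        now = self.clock()
        cached = self._cache.get(key)
        if cached and cached[1] > now:
            return cached[0]        # possibly stale, exactly the thread's problem
        answer = "OK" if group in self.groups.get(user, set()) else "ERR"
        self._cache[key] = (answer, now + self.ttl)
        return answer

    def flush(self):
        """Equivalent of removing winbindd_cache.tdb or reconfiguring squid."""
        self._cache.clear()


if __name__ == "__main__":
    print(classify_access_log(SAMPLE_ACCESS_LOG))
    helper = GroupHelper(GROUPS, ttl=5)
    print(helper.query("mgersh ginetdeny"))
```

Running it on the constructed log gives two auth challenges, one ACL denial and one served request for 10.0.25.50, with pbonda as the only user actually denied by an ACL. With the helper, removing a user from the group table and querying again still returns OK until the TTL has passed or flush() is called, which matches the observation in the thread that deleting winbindd_cache.tdb alone does not immediately change the answer squid sees while squid's own cached result is still live.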