这里有些用户花费了太多时间探索 WWW。所以大老板想办法控制这种情况。
我们使用 squid3 只是出于某些安全原因和追逐利益。现在我正在尝试在不同的服务器(Debian 6)上设置一个新的代理,权限在 AC 中定义,squid3 应该使用 ntlm 协议通过 samba/winbind 获取身份验证。
但我会一直获得访问权限。它只能通过使用 LDAP 来工作,但这不是我需要的方式。
这里有一些日志和配置文件
squid 访问日志
1326878095.784 1 192.168.15.27 TCP_DENIED/407 4049 GET http://at.msn.com/? -NONE/- text/html
1326878095.791 1 192.168.15.27 TCP_DENIED/407 4294 GET http://at.msn.com/? - NONE/- text/html
1326878095.803 9 192.168.15.27 TCP_DENIED/403 4028 GET http://at.msn.com/? kavan NONE/- text/html
1326878095.848 0 192.168.15.27 TCP_DENIED/403 3881 GET http://www.squid-cache.org/Artwork/SN.png kavan NONE/- text/html
1326878100.279 0 192.168.15.27 TCP_DENIED/403 3735 GET http://www.google.at/ kavan NONE/- text/html
1326878100.296 0 192.168.15.27 TCP_DENIED/403 3870 GET http://www.squid-cache.org/Artwork/SN.png kavan NONE/- text/html
1326878155.700 0 192.168.15.27 TCP_DENIED/407 4072 GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml - NONE/- text/html
1326878155.705 2 192.168.15.27 TCP_DENIED/407 4317 GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml - NONE/- text/html
1326878155.709 3 192.168.15.27 TCP_DENIED/403 4026 GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml kavan NONE/- text/html
鱿鱼追逐
2012/01/18 10:12:49| Creating Swap Directories
2012/01/18 10:12:49| Starting Squid Cache version 3.1.6 for x86_64-pc-linux-gnu...
2012/01/18 10:12:49| Process ID 17236
2012/01/18 10:12:49| With 65535 file descriptors available
2012/01/18 10:12:49| Initializing IP Cache...
2012/01/18 10:12:49| DNS Socket created at [::], FD 7
2012/01/18 10:12:49| DNS Socket created at 0.0.0.0, FD 8
2012/01/18 10:12:49| Adding nameserver 192.168.15.2 from /etc/resolv.conf
2012/01/18 10:12:49| Adding nameserver 192.168.15.19 from /etc/resolv.conf
2012/01/18 10:12:49| Adding nameserver 192.168.15.1 from /etc/resolv.conf
2012/01/18 10:12:49| Adding domain schoenbrunn.local from /etc/resolv.conf
2012/01/18 10:12:49| helperOpenServers: Starting 5/5 'squid_ldap_auth' processes
2012/01/18 10:12:49| helperOpenServers: Starting 10/10 'ntlm_auth' processes
2012/01/18 10:12:49| helperOpenServers: Starting 10/10 'squid_kerb_auth' processes
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| helperOpenServers: Starting 5/5 'squid_ldap_group' processes
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| Unlinkd pipe opened on FD 73
2012/01/18 10:12:49| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2012/01/18 10:12:49| Store logging disabled
2012/01/18 10:12:49| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2012/01/18 10:12:49| Target number of buckets: 1008
2012/01/18 10:12:49| Using 8192 Store buckets
2012/01/18 10:12:49| Max Mem size: 262144 KB
2012/01/18 10:12:49| Max Swap size: 0 KB
2012/01/18 10:12:49| Using Least Load store dir selection
2012/01/18 10:12:49| Set Current Directory to /var/spool/squid3
2012/01/18 10:12:49| Loaded Icons.
2012/01/18 10:12:49| Accepting HTTP connections at [::]:3128, FD 74.
2012/01/18 10:12:49| HTCP Disabled.
2012/01/18 10:12:49| Squid modules loaded: 0
2012/01/18 10:12:49| Adaptation support is off.
2012/01/18 10:12:49| Ready to serve requests.
2012/01/18 10:12:50| storeLateRelease: released 0 objects
smb配置文件
# Domain Authntication Settings
workgroup = <WORKGROUP>
security = ads
password server = <DOMAINNAME>.LOCAL
realm = <DOMAINNAME>.LOCAL
ldap ssl = no
# logging
log level = 5
max log size = 50
# logs split per machine
log file = /var/log/samba/%m.log
# max 50KB per log file, then rotate
; max log size = 50
# User settings
username map = /etc/samba/smbusers
idmap uid = 10000-20000000
idmap gid = 10000-20000000
idmap backend = ad
; template primary group = <ad group>
template shell = /sbin/nologin
# Winbind Settings
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind netsted groups = Yes
winbind nested groups = Yes
winbind cache time = 10
winbind use default domain = Yes
#Other Globals
unix charset = LOCALE
server string = <SERVERNAME>
load printers = no
printing = cups
cups options = raw
; printcap name = /etc/printcap
#obtain list of printers automatically on SystemV
; printcap name = lpstat
; printing = cups
squid配置文件
auth_param ntlm program /usr/bin/ntlm_auth --require-membership-of=<DOMAINNAME>\\INTERNETZ --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=<dcname>,dc=local" -D "cn=administrator,cn=Users,dc=<domainname>,dc=local" -w "******" -f sAMAccountName=%s -h 192.168.15.19:3268
auth_param basic realm "Proxy Authentifizierung. Bitte geben Sie Ihren Benutzername und Ihr Passwort ein!" #means insert you PW in an other language - #
external_acl_type InetGroup %LOGIN /usr/lib/squid3/squid_ldap_group -R -b "dc=<domainname>,dc=local" -D "cn=administrator,cn=Users,dc=<domainname>,dc=local" -w "******" -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%a,cn=internetz,dc=<domainname>,dc=local))" -h 192.168.15.19:3268
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl localnet proxy_auth REQUIRED
acl InetAccess external InetGroup Internetz
http_access allow InetAccess
http_access deny all
acl auth proxy_auth REQUIRED
http_access allow auth
非常可疑的是,通过将代理服务器添加到域,我看到 PC 中出现了 2 个新条目,一个是原始计算机名称 leopoldine,另一个是 leopoldine CNF:f8efa4c4-ff0e-4217-939d-f1523b43464d ?!?
我确实尝试了很多次......但我坚持这个问题......实际上我甚至重新安装了所有相关程序并从默认值重新配置了它们。
群组存在,我在其中。Firefox 在旧代理上运行,我使用 IE 测试新代理。但我总是收到拒绝访问的提示
老实说我还是个初学者,所以请不要太拘谨。我有兴趣改进,我会获取修复此问题所需的信息,但我 2 个月前才开始工作,只接受了 1 年半的培训,在 Linux 方面一分一秒都没有 ;)
答案1
将代理用户添加到 winbindd_priv 组。