squid3 NTLM authentication against AD through samba does not work

Some users here spend far too much time exploring the WWW, so the big boss wants a way to control this.

We use squid3 only for some security reasons and for the benefits it brings. Now I am trying to set up a new proxy on a different server (Debian 6), with the permissions defined in AD; squid3 should get its authentication through samba/winbind using the NTLM protocol.

But I always get access denied. It only works when using LDAP, but that is not the way I need it.

Here are some logs and config files

squid access.log

1326878095.784      1 192.168.15.27 TCP_DENIED/407 4049 GET http://at.msn.com/? - NONE/- text/html
1326878095.791      1 192.168.15.27 TCP_DENIED/407 4294 GET http://at.msn.com/? - NONE/- text/html
1326878095.803      9 192.168.15.27 TCP_DENIED/403 4028 GET http://at.msn.com/? kavan NONE/- text/html
1326878095.848      0 192.168.15.27 TCP_DENIED/403 3881 GET http://www.squid-cache.org/Artwork/SN.png kavan NONE/- text/html
1326878100.279      0 192.168.15.27 TCP_DENIED/403 3735 GET http://www.google.at/ kavan NONE/- text/html
1326878100.296      0 192.168.15.27 TCP_DENIED/403 3870 GET http://www.squid-cache.org/Artwork/SN.png kavan NONE/- text/html
1326878155.700      0 192.168.15.27 TCP_DENIED/407 4072 GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml - NONE/- text/html
1326878155.705      2 192.168.15.27 TCP_DENIED/407 4317 GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml - NONE/- text/html
1326878155.709      3 192.168.15.27 TCP_DENIED/403 4026 GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml kavan NONE/- text/html

squid cache.log

2012/01/18 10:12:49| Creating Swap Directories
2012/01/18 10:12:49| Starting Squid Cache version 3.1.6 for x86_64-pc-linux-gnu...
2012/01/18 10:12:49| Process ID 17236
2012/01/18 10:12:49| With 65535 file descriptors available
2012/01/18 10:12:49| Initializing IP Cache...
2012/01/18 10:12:49| DNS Socket created at [::], FD 7
2012/01/18 10:12:49| DNS Socket created at 0.0.0.0, FD 8
2012/01/18 10:12:49| Adding nameserver 192.168.15.2 from /etc/resolv.conf
2012/01/18 10:12:49| Adding nameserver 192.168.15.19 from /etc/resolv.conf
2012/01/18 10:12:49| Adding nameserver 192.168.15.1 from /etc/resolv.conf
2012/01/18 10:12:49| Adding domain schoenbrunn.local from /etc/resolv.conf
2012/01/18 10:12:49| helperOpenServers: Starting 5/5 'squid_ldap_auth' processes
2012/01/18 10:12:49| helperOpenServers: Starting 10/10 'ntlm_auth' processes
2012/01/18 10:12:49| helperOpenServers: Starting 10/10 'squid_kerb_auth' processes
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| helperOpenServers: Starting 5/5 'squid_ldap_group' processes
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| squid_kerb_auth: INFO: Starting version 1.0.5
2012/01/18 10:12:49| Unlinkd pipe opened on FD 73
2012/01/18 10:12:49| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2012/01/18 10:12:49| Store logging disabled
2012/01/18 10:12:49| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2012/01/18 10:12:49| Target number of buckets: 1008
2012/01/18 10:12:49| Using 8192 Store buckets
2012/01/18 10:12:49| Max Mem  size: 262144 KB
2012/01/18 10:12:49| Max Swap size: 0 KB
2012/01/18 10:12:49| Using Least Load store dir selection
2012/01/18 10:12:49| Set Current Directory to /var/spool/squid3
2012/01/18 10:12:49| Loaded Icons.
2012/01/18 10:12:49| Accepting  HTTP connections at [::]:3128, FD 74.
2012/01/18 10:12:49| HTCP Disabled.
2012/01/18 10:12:49| Squid modules loaded: 0
2012/01/18 10:12:49| Adaptation support is off.
2012/01/18 10:12:49| Ready to serve requests.
2012/01/18 10:12:50| storeLateRelease: released 0 objects

smb.conf

# Domain Authentication Settings
        workgroup = <WORKGROUP>
        security = ads
        password server = <DOMAINNAME>.LOCAL
        realm = <DOMAINNAME>.LOCAL
        ldap ssl = no
# logging
        log level = 5
        max log size = 50
        # logs split per machine
        log file = /var/log/samba/%m.log
        # max 50KB per log file, then rotate
;       max log size = 50

# User settings
        username map =  /etc/samba/smbusers
        idmap uid = 10000-20000000
        idmap gid = 10000-20000000
        idmap backend = ad
;       template primary group = <ad group>
        template shell = /sbin/nologin

# Winbind Settings
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups  = Yes
        winbind nested groups = Yes
        winbind cache time = 10
        winbind use default domain = Yes

#Other Globals
        unix charset = LOCALE
        server string = <SERVERNAME>
        load printers = no
        printing =  cups
        cups options = raw

;       printcap name = /etc/printcap
        #obtain list of printers automatically on SystemV
;       printcap name = lpstat
;       printing = cups

squid.conf

auth_param ntlm program /usr/bin/ntlm_auth --require-membership-of=<DOMAINNAME>\\INTERNETZ --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=<dcname>,dc=local" -D "cn=administrator,cn=Users,dc=<domainname>,dc=local" -w "******" -f sAMAccountName=%s -h 192.168.15.19:3268
# the realm text is German for "Proxy authentication. Please enter your user name and your password!"
auth_param basic realm "Proxy Authentifizierung. Bitte geben Sie Ihren Benutzername und Ihr Passwort ein!"
external_acl_type InetGroup %LOGIN /usr/lib/squid3/squid_ldap_group -R -b "dc=<domainname>,dc=local" -D "cn=administrator,cn=Users,dc=<domainname>,dc=local" -w "******" -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%a,cn=internetz,dc=<domainname>,dc=local))" -h 192.168.15.19:3268

auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl localnet proxy_auth REQUIRED
acl InetAccess external InetGroup Internetz
http_access allow InetAccess
# http_access rules are evaluated top to bottom and stop at the first match,
# so the "allow auth" line further down is never reached
http_access deny all
acl auth proxy_auth REQUIRED

http_access allow auth

What is very suspicious: after joining the proxy server to the domain I see 2 new entries under Computers, one with the original computer name leopoldine and another one called leopoldine CNF:f8efa4c4-ff0e-4217-939d-f1523b43464d ?!?

I really tried a lot... but I am stuck on this problem... I actually even reinstalled all the related programs and reconfigured them from the defaults.

The group exists and I am in it. Firefox runs on the old proxy and I use IE to test the new one. But I always get access denied.

Honestly I am still a beginner, so please don't be too harsh. I am keen to improve and will get hold of whatever information is needed to fix this, but I only started this job 2 months ago and only had 1.5 years of training, not a single minute of it on Linux ;)
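As an added example that is not part of the original post, here is a small POSIX shell script that sorts access.log lines of the format shown above by result code and by the user name squid recorded. The log lines embedded in it are constructed to match the question's log. The point it makes: a 407 with user `-` is only the proxy's authentication challenge, while a 403 that already carries a user name means some auth scheme accepted the credentials and the http_access rules (here `InetAccess` via squid_ldap_group, then `deny all`) rejected the request, so the NTLM helper and the group ACL have to be checked separately.

```shell
#!/bin/sh
# Added example (not from the original post): classify squid access.log
# lines by HTTP status and authenticated user, to tell a never-completing
# NTLM handshake (407, user "-") apart from a successful login that the
# http_access rules then rejected (403 with a real user name).
# The sample lines are constructed to match the question's log format:
#   time elapsed client action/code size method URL user hierarchy type

SAMPLE_LOG='1326878095.784      1 192.168.15.27 TCP_DENIED/407 4049 GET http://at.msn.com/? - NONE/- text/html
1326878095.791      1 192.168.15.27 TCP_DENIED/407 4294 GET http://at.msn.com/? - NONE/- text/html
1326878095.803      9 192.168.15.27 TCP_DENIED/403 4028 GET http://at.msn.com/? kavan NONE/- text/html
1326878100.279      0 192.168.15.27 TCP_DENIED/403 3735 GET http://www.google.at/ kavan NONE/- text/html
1326878155.700      0 192.168.15.27 TCP_DENIED/407 4072 GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml - NONE/- text/html'

# count_status LOGTEXT CODE -> number of lines whose action/code field ends in /CODE
count_status() {
    printf '%s\n' "$1" | awk -v code="$2" '
        { split($4, r, "/"); if (r[2] == code) n++ }
        END { print n + 0 }'
}

# denied_users LOGTEXT -> sorted, space-separated user names that got a 403
# (credentials were accepted, an http_access rule then said no)
denied_users() {
    printf '%s\n' "$1" | awk '
        { split($4, r, "/"); if (r[2] == "403" && $8 != "-") u[$8]++ }
        END { for (k in u) print k }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# diagnose LOGTEXT -> one-line verdict on where the denial comes from
diagnose() {
    c407=$(count_status "$1" 407)
    c403=$(count_status "$1" 403)
    users=$(denied_users "$1")
    if [ "$c403" -gt 0 ] && [ -n "$users" ]; then
        echo "auth OK for: $users; $c403 requests denied by http_access/external ACL ($c407 challenges)"
    elif [ "$c407" -gt 0 ]; then
        echo "no request ever carried a user name: authentication never completes ($c407 challenges)"
    else
        echo "no denials in sample"
    fi
}

diagnose "$SAMPLE_LOG"
```

Run it against the real log with `diagnose "$(tail -n 200 /var/log/squid3/access.log)"`; if the verdict reports a user name, the next thing to test is the `squid_ldap_group` lookup for that user (run the helper by hand and type `user group`), not the NTLM helper.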

答案1

将代理用户添加到 winbindd_priv 组。
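To make the answer concrete, here is an added example (not part of the answer above) in POSIX shell. `ntlm_auth` with `--helper-protocol=squid-2.5-ntlmssp` has to talk to winbind over its privileged pipe, and that pipe's directory is only group-accessible, which is why the squid helper user must be in `winbindd_priv`. The script checks membership and the directory permissions, and can apply the fix as root. Assumptions, to be adjusted for other setups: on Debian squid3 runs as user `proxy`, the privileged directory is `/var/run/samba/winbindd_privileged` with mode 0750 and group `winbindd_priv`, and the socket inside it is named `pipe`.

```shell
#!/bin/sh
# Added example, not part of the answer above: verify (and, as root, apply)
# winbindd_priv membership for the user that runs squid's ntlm_auth helpers.
# Assumptions (Debian 6 / Samba 3.x defaults; override via environment):
#   - squid3 helpers run as user "proxy"
#   - winbind's privileged socket directory is /var/run/samba/winbindd_privileged
#   - that directory is mode 0750, group winbindd_priv, and contains "pipe"
SQUID_USER=${SQUID_USER:-proxy}
PRIV_DIR=${PRIV_DIR:-/var/run/samba/winbindd_privileged}
PRIV_GROUP=${PRIV_GROUP:-winbindd_priv}

# user_in_group USER GROUP -> 0 if GROUP is among USER's groups
user_in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# priv_dir_ok DIR GROUP -> 0 if DIR exists, is owned by GROUP and is
# group-searchable (the helper must be able to open the socket inside it)
priv_dir_ok() {
    [ -d "$1" ] || return 1
    grp=$(stat -c %G "$1" 2>/dev/null) || return 1     # GNU stat (Linux)
    [ "$grp" = "$2" ] || return 1
    [ -n "$(find "$1" -maxdepth 0 -perm -g=x)" ]        # group has x bit
}

# add_to_priv_group -> add the squid user to the privileged group (root only);
# running helpers keep their old groups, so squid3 must be restarted afterwards
add_to_priv_group() {
    usermod -a -G "$PRIV_GROUP" "$SQUID_USER"
}

# check_proxy_access -> end-to-end check, prints OK/FAIL and returns 0/1
check_proxy_access() {
    if ! user_in_group "$SQUID_USER" "$PRIV_GROUP"; then
        echo "FAIL: $SQUID_USER is not in $PRIV_GROUP (run add_to_priv_group as root, then restart squid3)"
        return 1
    fi
    if ! priv_dir_ok "$PRIV_DIR" "$PRIV_GROUP"; then
        echo "FAIL: $PRIV_DIR missing, wrong group or not group-searchable; is winbind running?"
        return 1
    fi
    # assumption: the socket in the privileged directory is called "pipe"
    if ! su -s /bin/sh "$SQUID_USER" -c "test -w '$PRIV_DIR/pipe'"; then
        echo "FAIL: $SQUID_USER cannot open $PRIV_DIR/pipe"
        return 1
    fi
    echo "OK: $SQUID_USER can reach winbind's privileged pipe"
}

# usage: sh check_winbind_priv.sh --check   (as root, so su and id work)
if [ "${1:-}" = "--check" ]; then
    check_proxy_access
fi
```

After `usermod` the change only reaches the helper processes once squid3 has been restarted, because the helpers are forked by squid with the group list squid had at start-up.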
