Все добрый день/ночь/вечер.
Не раз уже обсуждалась данная проблема.
Настраиваю squid + аутентификация в Windows 2000 домене.
Позникла следующая ошибка при обращении к прокси.
Вот лог.
userproxy# tail -1 /usr/local/squid/var/logs/access.log
1114539495.401 0 10.66.64.166 TCP_DENIED/407 1772 GET http://www.compulenta.ru/favicon.ico - NONE/- text/html [Host: www.compulenta.ru\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7.6) Gecko/20050318 Firefox/1.0.2\r\nAccept: image/png,*/*;q=0.5\r\nAccept-Language: ru-ru,ru;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 300\r\nProxy-Connection: keep-alive\r\nCookie: BITRIX_SM_LAST_ADV=6; BITRIX_SM_BANNERS=1_15_260_03052005,1_96_85_03052005,6_64_83_03052005,1_16_140_03052005,6_65_84_03052005,6_90_43_03052005,6_92_41_03052005,1_150_79_03052005,6_77_39_03052005,6_58_9_03052005,6_70_4_29042005,6_93_10_03052005,6_67_1_02052005,6_78_2_02052005,1_116_1_03052005; BITRIX_SM_LAST_VISIT=26.04.2005+21:25:17; BITRIX_SM_GUEST_ID=2730775\r\nProxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGUAAAAYABgAfQAAAAcABwBIAAAACgAKAE8AAAAMAAwAWQAAAAAAAACVAAAABgIAAgUBKAoAAAAPQkFOS1NQQk5JS09MQUVWQUFDRC0xMjVBLU5JQ0sPProIr2yUfHN9sL92LURjn5Vi3OwhEYszeqDrmK7vv+R17aQvskCSjxsjhr7ST3w=\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid/2.5.STABLE9\r\nMime-Version: 1.0\r\nDate: Tue, 26 Apr 2005 18:18:15 GMT\r\nContent-Type: text/html\r\nContent-Length: 1360\r\nExpires: Tue, 26 Apr 2005 18:18:15 GMT\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADAAAAASAgAAQZIhe13yv2YAAAAAAAAAAAAAAAAwAAAA\r\n\r]
Не подскажите, как побороть.
При настройке руководствовался данными материалами:
https://www.opennet.ru/base/net/squid_win200_auth.txt.html
https://www.opennet.ru/base/net/win_squid.txt.html
Что проверял:
userproxy# /usr/local/samba/bin/wbinfo -t
checking the trust secret via RPC calls succeeded
Работает.
userproxy# /usr/local/samba/bin/wbinfo -p
Ping to winbindd succeeded on fd 4
Работает.
userproxy# /usr/local/samba/bin/wbinfo -u
MYDOMEN\user1
MYDOMEN\user2
MYDOMEN\user3
MYDOMEN\user4
MYDOMEN\user5
Работает.
bash-3.00# /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
MYDOMEN\user_name_admin_access passwor
OK
Работает.
Убираю авторизацию в домене и пускаю по IP - прокси работает.
Подскажите, как это побороть.
Прилогаю конфиги и права на директории:
squid.conf
http_port 8080
icp_port 0
cache_peer 217.195.86.4 parent 8080 0 default no-query
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 8 MB
maximum_object_size 1024 KB
minimum_object_size 5 KB
cache_dir ufs /cache 1000 16 128
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log none
log_mime_hdrs on
pid_filename /usr/local/squid/var/logs/squid.pid
dns_nameservers 10.66.64.10 10.66.80.10
auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="MY_DOMEN\\proxy-users"
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="MY_DOMEN\\proxy-users"
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
request_body_max_size 900 KB
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
positive_dns_ttl 12 hours
half_closed_clients off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl NTLMauth proxy_auth REQUIRED
http_access allow NTLMauth
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access deny all
reply_body_max_size 900000 allow all
cache_mgr webmaster@mydomen.ru
cache_effective_user nobody
cache_effective_group nobody
visible_hostname userproxy.mydomen.ru
httpd_accel_uses_host_header on
logfile_rotate 30
append_domain .mydomen.ru
memory_pools on
memory_pools_limit 50 MB
forwarded_for off
log_icp_queries off
client_db off
acl local-servers dstdomain .mydomen.ru
always_direct allow local-servers
uri_whitespace strip
never_direct allow all
prefer_direct off
strip_query_terms off
coredump_dir /cache
client_persistent_connections off
server_persistent_connections on
smb.conf
userproxy# cat /usr/local/samba/lib/smb.conf
[global]
workgroup = MYDOMEN
netbios name = userproxy
server string = userproxy.mydomen.ru
hosts allow = 10. 127.
winbind separator=\\
winbind use default domain = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
max log size = 50
security = domain
password server = srv1 srv3
encrypt passwords = yes
userproxy# ls -l /
total 59
-rw-r--r-- 2 root wheel 801 Nov 5 04:27 .cshrc
-rw-r--r-- 2 root wheel 251 Nov 5 04:27 .profile
drwxrwxr-x 2 root operator 512 Apr 26 14:01 .snap
-r--r--r-- 1 root wheel 6184 Nov 5 04:27 COPYRIGHT
drwxr-xr-x 2 root wheel 1024 Apr 26 14:02 bin
drwxr-xr-x 5 root wheel 512 Apr 26 14:02 boot
drwxr-xr-x 19 nobody nobody 512 Apr 26 22:05 cache - сюда кеширует - отдельрый раздел
drwxr-xr-x 2 root wheel 512 Apr 26 14:02 cdrom
userproxy# ls -l /usr/local/samba/
total 16
drwxr-xr-x 2 root wheel 1024 Apr 26 22:02 bin
drwxr-xr-x 2 root wheel 512 Apr 26 22:02 include
drwxr-xr-x 8 root wheel 512 Apr 26 22:02 lib
drwxr-xr-x 6 root wheel 512 Apr 26 11:37 man
drwxr-xr-x 2 root wheel 512 Apr 26 12:06 private
drwxr-xr-x 2 root wheel 512 Apr 26 22:02 sbin
drwxr-xr-x 7 root wheel 512 Apr 26 11:37 swat
drwxr-xr-x 3 root wheel 512 Apr 26 12:07 var
userproxy# ls -l /usr/local/samba/var/locks/winbindd_privileged/
total 0
srwxrwxrwx 1 root nobody 0 Apr 26 22:04 pipe
Убираем авторизацию в домене и пускаем по IP - все велликолепно работает.
http_port 8080
icp_port 0
cache_peer 217.195.86.4 parent 8080 0 default no-query
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 8 MB
maximum_object_size 1024 KB
minimum_object_size 5 KB
cache_dir ufs /cache 1000 16 128
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log none
log_mime_hdrs on
pid_filename /usr/local/squid/var/logs/squid.pid
dns_nameservers 10.66.64.10 10.66.80.10
request_body_max_size 900 KB
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
positive_dns_ttl 12 hours
half_closed_clients off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl Test src 10.66.64.166
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Test
http_access deny all
http_reply_access allow all
icp_access allow Test
reply_body_max_size 900000 allow all
cache_mgr webmaster@mydomen.ru
cache_effective_user nobody
cache_effective_group nobody
visible_hostname userproxy.mydomen.ru
httpd_accel_uses_host_header on
logfile_rotate 30
append_domain .mydomen.ru
memory_pools on
memory_pools_limit 50 MB
forwarded_for off
log_icp_queries off
client_db off
acl local-servers dstdomain .mydomen.ru
always_direct allow local-servers
uri_whitespace strip
never_direct allow all
prefer_direct off
strip_query_terms off
coredump_dir /cache
client_persistent_connections off
server_persistent_connections on
Подскажите, как вылечить.
С Уважением, Александр.
Вариант для распечатки
OpenNET: Виртуальная конференция (Public)
(ok) on
26-Апр-05, 22:58 (MSK)
