
Squid crashes when trying to authenticate against AD



FreeBSD 5.3
Installed samba3 from ports with winbind, ads and ldap support.

smb.conf:
[global]
   workgroup = TG
   server string = SQUID Server
   security = ads
   hosts allow = 192.168.111. 127.0.0.1
   log file = /var/log/samba/log.%m
   max log size = 500
   password server = server.tg.local
   realm = tg.local
   passdb backend = tdbsam
   socket options = TCP_NODELAY
   local master = no
   os level = 0
   domain master = no
   preferred master = no
   domain logons = no
   display charset = koi8-r
   unix charset = koi8-r
   dos charset = cp866
   encrypt passwords = yes
   winbind use default domain = no
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind separator = +

Installed squid

squid.conf:
http_port 3128
icp_port 0
hierarchy_stoplist cgi-bin ? chat
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 32 MB
maximum_object_size 8092 KB
maximum_object_size_in_memory 512 KB
cache_dir ufs /usr/local/squid/cache 1024 16 64
cache_access_log /usr/local/squid/logs/access.log
cache_log /usr/local/squid/logs/cache.log
cache_store_log none
cache_mgr it@tg.local

emulate_httpd_log on
ftp_user anonymous@qwerty
logfile_rotate 3
quick_abort_pct 60
#negative_ttl 1
#half_closed_clients on
#http_reply_access allow all

redirect_children 20
redirect_program /usr/local/bin/squidGuard
#redirector_bypass off

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
#log_icp_queries off

# TAG: auth_param
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# TAG: acl
acl     USERS1          proxy_auth      REQUIRED
acl     localhost       src             127.0.0.1/255.255.255.255
acl     Safe_ports      port            80 443 210 119 70 21 1025-65535
acl     CONNECT         method          CONNECT
acl     all             src             0.0.0.0/0.0.0.0

http_access     deny    !Safe_ports
http_access     deny    CONNECT
http_access     allow   USERS1
http_access     allow   localhost
http_access     deny    all

icap_service         service_1 reqmod_precache 0 icap://localhost:1344/srv_clamav
icap_service         service_2 respmod_precache 1 icap://localhost:1344/srv_clamav
icap_class           class_antivirus service_2 service_1
icap_access          class_antivirus allow all

coredump_dir /usr/local/squid/cache
pid_filename /usr/local/squid/logs/squid.pid

All of wbinfo -p, -t, -u, -g and Kerberos authentication work.

Start winbind -d 9
Start squid

On the Windows machine I set the proxy and try to open some site. Squid crashes. Logs:

access.log:
192.168.111.1 - - [20/Feb/2006:16:23:19 +0300] "GET http://www.ru/ HTTP/1.0" 407 1694 TCP_DENIED:NONE

cache.log:
2006/02/20 16:23:15| Starting Squid Cache version 2.5.STABLE12 for i386-portbld-freebsd5.3...
...
2006/02/20 16:23:19| storeDirWriteCleanLogs: Starting...
2006/02/20 16:23:19| WARNING: Closing open FD   34
2006/02/20 16:23:19|   Finished.  Wrote 0 entries.
2006/02/20 16:23:19|   Took 0.0 seconds (   0.0 entries/sec).
FATAL: authenticateNTLMHandleReply: *** Unsupported helper response ***, 'ERR'

Squid Cache (Version 2.5.STABLE12): Terminated abnormally.
CPU Usage: 0.111 seconds = 0.037 user + 0.074 sys
Maximum Resident Size: 7996 KB
Page faults with physical i/o: 0

Why does squid crash? How do I get it to authenticate against AD properly?
anonymous
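
Added example (not part of the original thread, and not Squid or Samba code): a small Python check that compares each auth_param scheme in a squid.conf with the ntlm_auth --helper-protocol it is given. POSTED_CONF is a constructed excerpt of the auth_param lines posted above, check_auth_params is a hypothetical helper name, and the protocol-to-scheme mapping follows the ntlm_auth manual page.

```python
import re

# ntlm_auth helper protocols and the Squid auth scheme each one serves.
PROTOCOL_SCHEME = {"squid-2.5-ntlmssp": "ntlm", "squid-2.5-basic": "basic"}

# Constructed excerpt: auth_param lines as posted in the squid.conf above.
POSTED_CONF = """\
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
"""


def check_auth_params(conf_text):
    """Return (line_number, message) findings; line 0 means whole-file."""
    findings = []
    programs = {}          # scheme -> line of its first 'program' directive
    schemes_used = set()   # every scheme that has any auth_param line
    for n, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "auth_param":
            continue       # comments and unrelated directives
        scheme, option = parts[1], parts[2]
        schemes_used.add(scheme)
        if option != "program":
            continue
        if scheme in programs:
            findings.append((n, f"'{scheme}' program already set on line {programs[scheme]}"))
        programs.setdefault(scheme, n)
        m = re.search(r"--helper-protocol=(\S+)", raw)
        expected = PROTOCOL_SCHEME.get(m.group(1)) if m else None
        if expected and expected != scheme:
            findings.append((n, f"{m.group(1)} serves scheme '{expected}', not '{scheme}'"))
    for scheme in sorted(schemes_used - set(programs)):
        findings.append((0, f"scheme '{scheme}' has options but no program"))
    return findings


if __name__ == "__main__":
    for line_no, msg in check_auth_params(POSTED_CONF):
        print(f"line {line_no}: {msg}")
```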

Hmm, all I can say is that the program that does the NTLM authentication should be the one shipped with Samba, not the one from Squid.

And install the very latest Samba, 3.0.20b.

theserg ★★★

> security = ads

So you've set up Kerberos and joined Samba to the domain as well?

Deleted