Имеется проблема с прозрачной аутентификацией в Firefox по NTLM
Есть Gentoo, на ней x2go, браузер Firefox 45.2.0, прокси Cisco IronPort, samba 4.2.9, kerberos (конфиги samba и kerberos ниже); машина заведена в домен AD.
Доменные пользователи на сервер заходят, билеты получают. При попытке получить доступ к какому-либо ресурсу в Firefox вылезает окно аутентификации на прокси. Параметр network.auth.force-generic-ntlm в about:config установлен в false.
Если ввести доменные учетные данные, то все работает как надо, а вот прозрачно аутентифицировать никак не хочет. В логах Firefox пишет следующее, а именно вывод ntlm_auth:
Логи Firefox:
-1152440512[7f0bb9e63340]: nsHttpNTLMAuth::ChallengeReceived [ss=0 cs=0]
-1152440512[7f0bb9e63340]: Force use of generic ntlm auth module: 0
-1152440512[7f0bb9e63340]: Default credentials allowed for proxy: 1
-1152440512[7f0bb9e63340]: Writing to ntlm_auth: YR
-1152440512[7f0bb9e63340]: Read from ntlm_auth: PW
-1152440512[7f0bb9e63340]: Native sys-ntlm auth module not found.
-1152440512[7f0bb9e63340]: Trying to fall back on internal ntlm auth.
-1152440512[7f0bb9e63340]: identity invalid = 1
-1152440512[7f0bb9e63340]: nsHttpChannelAuthProvider::PromptForIdentity [this=7f0b98a2d6a0 channel=7f0b9775aca8]
-1152440512[7f0bb9e63340]: Suspending the transaction, asynchronously prompting for credentials
-1152440512[7f0bb9e63340]: Destroying nsHttpChannel [this=7f0b9cfd9000]
-1152440512[7f0bb9e63340]: Destroying HttpBaseChannel @9cfd9000
-1152440512[7f0bb9e63340]: Destroying nsHttpConnectionInfo @8d877d30
-1152440512[7f0bb9e63340]: Destroying HttpChannelParent [this=7f0b8e959290]
Конфиг smb.conf:
# Global Samba settings for a host that is a member of an Active Directory
# domain (security = ads) and resolves domain users and groups through winbind.
# NOTE(review): several values below relax authentication hardening; each one
# is marked where it appears.
# NOTE(review): the Firefox log on this page shows ntlm_auth answering "PW",
# i.e. the helper asks for a password; presumably winbind holds no cached
# credentials for the logged-in user - confirm how the session logs in.
[global]
workgroup = DC
netbios name = srv
server string = SRV X2Go
security = ads
load printers = no
log file = /var/log/samba/log.%m
max log size = 50
# Debug-level verbosity; lower it again once troubleshooting is finished.
log level = 3
encrypt passwords = yes
unix password sync = yes
# NOTE(review): allows smbd to authenticate users with the LANMAN password
# hash, which is weak; keep it off unless a legacy client strictly needs it.
lanman auth = yes
passwd program = /usr/bin/passwd %u
interfaces = 10.25.174.58
local master = no
os level = 33
domain master = no
preferred master = no
wins support = no
# wins server = 10.25.160.136
dns proxy = no
# Logins with an unknown user name are mapped to the guest account instead of
# being rejected; check that no share grants guest access unintentionally.
map to guest = bad user
# socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
username map = /etc/samba/smbusers
default case = lower
case sensitive = no
# case sensitive = yes
dos charset = cp866
unix charset = utf-8
allow trusted domains = yes
algorithmic rid base = 100000
# UID/GID range and mapping backend for domain DC.
idmap config DC : range = 10000-500000
idmap config DC : backend = rid
winbind separator = /
winbind refresh tickets = yes
winbind use default domain = yes
# NOTE(review): "winbind uid" / "winbind gid" are legacy names for the default
# idmap range and repeat the DC range above; idmap ranges are not supposed to
# overlap - confirm against the smb.conf manual for this Samba version.
winbind uid = 10000-500000
winbind gid = 10000-500000
# Enumerating every domain user and group can be slow on a large domain.
winbind enum groups = yes
winbind enum users = yes
realm = DC
# NOTE(review): with this off, Samba client code answers with NTLMv1/LM
# responses instead of NTLMv2; a server or proxy that requires NTLMv2 will
# refuse them. The commented-out line below is the safer value.
client ntlmv2 auth = no
# client ntlmv2 auth = yes
# client ldap sasl wrapping = plain
# Lets smbd accept NTLMv1 responses from clients.
ntlm auth = yes
# Overrides smbd's default list of authentication methods.
auth methods = winbind
inherit acls = Yes
map acl inherit = Yes
nt acl support = yes
inherit permissions = yes
inherit owner = yes
# Members of this group perform all file operations as root; set in [global],
# it is the default for every share.
# NOTE(review): the name uses a doubled separator and a domain (DOMLOC) that
# appears nowhere else in this file - verify that it resolves as intended.
admin users = @DOMLOC//admins
passdb backend = tdbsam
template shell = /bin/bash
# Per-user home directory share. %S expands to the share name, which for
# [homes] is the connecting user's name, so only that user may connect.
[homes]
comment = Home Directories
valid users = %S
# The share is writable.
read only = No
Конфиг kdc.conf:
# Settings for a locally running MIT KDC.
# NOTE(review): on a host that only joins an AD domain and uses the domain
# controllers as KDCs this file is presumably unused - confirm.
# NOTE(review): the key below normally sits under a [kdcdefaults] header,
# which is not present in this listing.
kdc_ports = 750,88
# Per-realm KDC settings.
[realms]
DC = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5.keytab
# acl_file = /var/lib/krb5kdc/kadm5.acl
# NOTE(review): the stash file name embeds a realm name that differs from the
# realm key (DC) used for this block; check that the path matches the realm.
key_stash_file = /var/lib/krb5kdc/.k5.ASTRAKHAN-DOBYCHA.GAZPROM.RU
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
# Newly created principals require pre-authentication.
default_principal_flags = +preauth
# NOTE(review): single-DES master key. DES is considered broken; an AES
# enctype is the usual choice where the KDC version supports it.
master_key_type = des-cbc-crc
# NOTE(review): the list contains only RC4, DES and 3DES enctypes and no AES
# entry; prefer AES enctypes unless legacy clients depend on the weak ones.
supported_enctypes = rc4-hmac:normal des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:afs3
}
Конфиг krb5.conf:
# Kerberos library defaults.
# NOTE(review): these keys normally sit under a [libdefaults] header, which is
# not present in this listing.
default_realm = DC
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
# A bare number is read as seconds: 24000 s is about 6 h 40 min.
ticket_lifetime = 24000
# Realm and KDC discovery through DNS is enabled.
dns_lookup_realm = true
dns_lookup_kdc = true
# Tolerated clock difference in seconds (10 minutes).
clockskew = 600
default_keytab_name = FILE:/etc/krb5.keytab
# NOTE(review): re-enables weak encryption types such as single DES for the
# whole library; turn it off unless a legacy service strictly requires it.
allow_weak_crypto = true
# KDC and admin server for realm DC, addressed by IP; two KDC entries are listed.
[realms]
DC = {
admin_server = 10.25.160.136
default_domain = DC
kdc = 10.25.160.136
kdc = 10.25.160.135
}
# Maps the DNS domain "dc" and its subdomains (".dc") to the Kerberos realm DC.
[domain_realm]
.dc = DC
dc = DC
# Log destinations for the Kerberos library (default), the KDC and the admin
# server; all three write to files under /var/log/kerberos.
[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log
# Application defaults; the "pam" subsection is presumably read by the
# Kerberos PAM module - confirm which module is in the PAM stack.
[appdefaults]
pam = {
# Verbose PAM logging; switch off once troubleshooting is finished.
debug = true
# Bare numbers are seconds: 36000 s is 10 hours.
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
# Kerberos 4 ticket conversion stays disabled.
krb4_convert = false
}
# Location of the KDC configuration file.
[kdc]
profile = /etc/kdc.conf
# Kerberos 4 compatibility switches for login; both are disabled.
[login]
krb4_convert = false
krb4_get_tickets = false
Бьюсь пару недель, не могу решить.
Если какой-либо инфы не хватает, выложу.
Заранее спасибо