В логах
ERROR: NTLM Authentication validating user. Error returned 'BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL'
[root@CENTOS-SQUID ~]# wbinfo -a PDC+inet
Enter PDC+inet's password:
plaintext password authentication succeeded
Enter PDC+inet's password:
challenge/response password authentication succeeded
[root@CENTOS-SQUID ~]# wbinfo -t
checking the trust secret for domain PDC via RPC calls succeeded
[root@CENTOS-SQUID ~]# wbinfo -u
PDC+gen_ord1
PDC+gen_ord2
PDC+zhenskoe-kab3
PDC+hirurgordinat
PDC+galina_apteka
PDC+gert
PDC+pulmonologiya
PDC+terapevt29
PDC+endo
PDC+goncharova
PDC+evdokimova
PDC+elena_apteka
[root@CENTOS-SQUID ~]# wbinfo -g
PDC+allowed rodc password replication group
PDC+enterprise read-only domain controllers
PDC+denied rodc password replication group
PDC+read-only domain controllers
PDC+group policy creator owners
PDC+ras and ias servers
PDC+domain controllers
PDC+enterprise admins
PDC+domain computers
PDC+cert publishers
PDC+dnsupdateproxy
PDC+domain admins
PDC+domain guests
PDC+schema admins
PDC+domain users
PDC+dnsadmins
PDC+insured
PDC+ia
Группы и пользователей видит. Мне надо тех, кто в группе ia, пустить в интернет.
[global]
    # Domain membership: NetBIOS domain "PDC", Kerberos realm SMB.MGKB1.LOCAL,
    # authenticating against the AD domain controller at 192.168.2.82.
    workgroup = PDC
    realm = SMB.MGKB1.LOCAL
    security = ADS
    # NOTE(review): an IP address here pins winbind to a single DC and skips
    # DNS/site-based DC lookup; with security = ADS the DC's DNS name is the
    # usual choice -- confirm "net ads info" and "wbinfo -t" still succeed if
    # this is changed or removed.
    password server = 192.168.2.82
    # NOTE(review): "auth methods" is deprecated in current Samba releases and
    # is not needed with security = ADS -- drop it if the installed version
    # warns about it.
    auth methods = winbind
    server string =

    # This host is a member server only: it never takes part in browser
    # elections and never acts as a logon server.
    local master = no
    domain master = no
    preferred master = no
    domain logons = no
    os level = 0
    dns proxy = No

    # Logging and socket tuning.
    log file = /var/log/samba/log.%m
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

    # winbind: map domain SIDs to local uids/gids 10000-20000 in a local tdb.
    # (old "idmap uid/gid" syntax kept for reference)
    #idmap uid = 10000-20000
    #idmap gid = 10000-20000
    idmap config * : range = 10000-20000
    idmap config * : backend = tdb
    # "+" separates domain and account name, e.g. PDC+inet; the Squid
    # ext_wbinfo_group_acl helper and its ACLs must use the same separator.
    winbind separator = +
    # Enumeration only affects listing (wbinfo -u / -g); it is costly on large
    # domains and is usually not needed for authentication.
    winbind enum users = Yes
    winbind enum groups = Yes
    #admin users = @PDC+admins
    case sensitive = No
winbind cache time = 10
Вот тут не уверен, что верно сделал.
[root@CENTOS-SQUID ~]# cat /etc/krb5.conf
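[libdefaults]
    # Was "CENTOS-SQUID" -- that is this proxy's own hostname, not a Kerberos
    # realm.  The default realm must match "realm = SMB.MGKB1.LOCAL" in
    # smb.conf; otherwise tools that take the realm from krb5.conf (kinit,
    # plain principal names without @REALM) look for a KDC of a realm that
    # does not exist.
    default_realm = SMB.MGKB1.LOCAL
    # Realm and KDC are configured statically below, so DNS lookups are off.
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_keytab_name = /etc/krb5.keytab
[realms]
    SMB.MGKB1.LOCAL = {
        # The AD domain controller (see "net ads info": KDC server / LDAP server).
        kdc = 192.168.2.82
        admin_server = smb.smb.mgkb1.local
        default_domain = SMB.MGKB1.LOCAL
    }
[domain_realm]
    # Map the DNS domain and all hosts under it to the realm.
    .smb.mgkb1.local = SMB.MGKB1.LOCAL
    smb.mgkb1.local = SMB.MGKB1.LOCAL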
[logging]
default = FILE:/var/log/kerberos.log
kdc = CONSOLE
Посмотрите, пожалуйста. Вывод информации об ADS:
[root@CENTOS-SQUID ~]# net ads info
LDAP server: 192.168.2.82
LDAP server name: smb.smb.mgkb1.local
Realm: SMB.MGKB1.LOCAL
Bind Path: dc=SMB,dc=MGKB1,dc=LOCAL
LDAP port: 389
Server time: Пн, 11 май 2015 14:47:14 MSK
KDC server: 192.168.2.82
Server time offset: 0
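# Listen only on the internal interface.
http_port 192.168.1.121:3128

# --- Authentication ---------------------------------------------------------
# NTLM via winbind's ntlm_auth.  The squid-2.5-ntlmssp protocol exchanges
# base64 NTLMSSP tokens ("YR"/"KK" lines), so it cannot be tested by hand with
# "user password"; use the squid-2.5-basic helper for that kind of check.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 25
auth_param ntlm keep_alive off
# Basic auth fallback (credentials cross the wire base64-encoded, i.e. in the
# clear) is disabled.
#auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
#auth_param basic children 15
#auth_param basic realm Proxy Autentification Required
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off
#auth_param basic children 20
#auth_param basic realm Internet Access MGKB1
#auth_param basic credentialsttl 1 minutes
#auth_param basic casesensitive off

# Group membership lookup through winbind.  %LOGIN hands the authenticated
# login (DOMAIN+user, winbind separator "+") to the helper; a request without
# credentials is challenged before the helper is ever asked.
external_acl_type nt_group %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
# Any successfully authenticated domain account.
acl SMB.MGKB1.LOCAL proxy_auth REQUIRED

# --- Cache -----------------------------------------------------------------
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
access_log /var/log/squid/access.log squid
cache_mem 512 MB
cache_effective_user squid
cache_effective_group squid
cache_dir ufs /var/spool/squid/ 1024 16 256
cache_swap_low 97
cache_swap_high 100

# --- ACL definitions --------------------------------------------------------
# "manager" and "localhost" are built in since Squid 3.2; on older releases the
# two lines below must be uncommented, otherwise the http_access rules that
# reference them do not parse.
#acl manager proto cache_object
#acl localhost src 127.0.0.1/32
# localnet is used only for ICP/HTCP below; it never grants HTTP access.
acl localnet src 192.168.3.0/24
# AD group "ia" -- the group that is supposed to get internet access.
acl inetusers external nt_group ia
acl insured_user external nt_group insured
acl media urlpath_regex -i \.mp3$ \.asf$ \.wma$
#dns_nameservers 192.168.1.77 192.168.2.82 192.168.3.223
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# --- Bandwidth limits -------------------------------------------------------
delay_pools 2
# Pool 1: media downloads.  700000 bytes/s is roughly 680 KB/s, not the
# 30 KB/s the original comment claimed (that would be 30720/30720).
delay_class 1 1
delay_parameters 1 700000/700000
delay_access 1 allow media
delay_access 1 deny all
# Pool 2: intended per-user limit for domain users.  Currently inert: its only
# allow rule is commented out, so nothing is ever assigned to it.
delay_class 2 1
delay_parameters 2 700000/700000
#delay_access 2 allow inetusers insured_user
delay_access 2 deny all

# --- Access control (first match wins) --------------------------------------
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Challenge for credentials before any group lookup, so the helper always
# receives a login name.
http_access deny !SMB.MGKB1.LOCAL
# Only members of AD group "ia" (and "insured") are let through.
http_access allow inetusers
http_access allow insured_user
#http_access allow insured_user small_allow
http_access allow localhost
# Removed: "http_access allow SMB.MGKB1.LOCAL" let every authenticated domain
# account through, which made the group restriction above meaningless.
#http_access allow SMB.MGKB1.LOCAL
htcp_access allow localnet
http_access deny all
http_reply_access allow all
# ICP: the former "icp_access allow all" came before these rules, so it exposed
# the ICP port to every host and made the two lines below unreachable.
icp_access allow localnet
icp_access deny all

# --- Logging ----------------------------------------------------------------
logfile_rotate 1
# Query strings are kept in access.log.  They can carry session tokens,
# passwords and other secrets, so restrict who may read the log.
strip_query_terms off
# NOTE(review): "squid" is a built-in logformat name; some Squid releases
# refuse to redefine it -- check cache.log at startup.
logformat squid %ts %6tr %>A %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt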
visible_hostname CENTOS-SQUID
Также не отрабатывает сам хелпер. (Замечание: в режиме squid-2.5-ntlmssp хелпер ожидает строки вида «YR <base64 NTLMSSP>» / «KK <base64 NTLMSSP>», а не «пользователь пароль», поэтому на ввод ниже он и отвечает «BH SPNEGO request invalid prefix»; для проверки учётной записи по имени и паролю используется `ntlm_auth --helper-protocol=squid-2.5-basic`. Пароль учётной записи PDC+inet в выводе ниже опубликован открытым текстом — его следует считать раскрытым и сменить.)
[root@CENTOS-SQUID ~]# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
PDC+inet 123456
BH SPNEGO request invalid prefix
PDC\inet 123456
BH SPNEGO request invalid prefix
SMB.MGKB1.LOCAL\inet 123456
BH SPNEGO request invalid prefix
SMB.MGKB1.LOCAL+inet 123456
BH SPNEGO request invalid prefix
[root@CENTOS-SQUID ~]# net ads lookup
Information for Domain Controller: 192.168.2.82
Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 04c11e9a-37ee-4aa3-bab8-909dbc0cb2de
Flags:
Is a PDC: yes
Is a GC of the forest: yes
Is an LDAP server: yes
Supports DS: yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable: yes
Has a hardware clock: yes
Is a non-domain NC serviced by LDAP server: no
Is NT6 DC that has some secrets: no
Is NT6 DC that has all secrets: no
Forest: smb.mgkb1.local
Domain: smb.mgkb1.local
Domain Controller: smb.smb.mgkb1.local
Pre-Win2k Domain: PDC
Pre-Win2k Hostname: \\SMB
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff