First, hi to everybody.
I'll explain my problem:
I have an AD Windows Server 2008, a Debian 7 with Squid, Samba, Winbind, and
an XP client for testing.
My Debian is in the AD and the connection test was OK.
Code :
root_at_Squid:~# net ads testjoin
Join is OK
Code :
root_at_Squid:~# ntlm_auth --username=admin
password:
NT_STATUS_OK: Success (0x0)
Code :
root_at_Squid:~# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --username=administrateur
password:
NT_STATUS_OK: Success (0x0)
The Squid server retrieved the info from the AD.
Code :
root_at_Squid:~# wbinfo -g
ordinateurs du domaine
contrôleurs de domaine
administrateurs du schéma
administrateurs de l’entreprise
éditeurs de certificats
admins du domaine
utilisateurs du domaine
invités du domaine
propriétaires créateurs de la stratégie de groupe
serveurs ras et ias
groupe de réplication dont le mot de passe rodc est autorisé
groupe de réplication dont le mot de passe rodc est refusé
contrôleurs de domaine en lecture seule
contrôleurs de domaine d’entreprise en lecture seule
dnsadmins
dnsupdateproxy
test
root_at_Squid:~# wbinfo -u
administrateur
invité
krbtgt
test2
#
On the XP, when I add the gateway I don't have access to the net; when I
set the proxy, I have.
When I use the second solution (proxy for GTW):
When I open a session with my AD user and launch Firefox or IE, the
browser asks me for a login and password (when I type the ID and password, it works).
Normally the Windows login prompt doesn't appear and Squid asks the AD
whether the AD user has the right.
It is as if the user were not recognized.
Here is my squid.conf:
Code :
root_at_Squid:~# cat /etc/squid3/squid.conf
###### Authentication
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm TEST
#### ACCESS CONTROL LIST DEFINITIONS ###################
acl ntlm proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl test src 192.168.10.0/24
acl jeux dstdom_regex "/etc/squid3/jeux"
############## AUTHORIZATION LIST #################
http_access deny jeux
http_access allow manager localhost
http_access allow manager
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access allow test ntlm
http_access deny all
############# PROXY LISTEN PORT ################
http_port 8080
############ LOG FILE LOCATION #########
access_log /var/log/squid3/access.log
########### CACHE DIRECTORY ####################
cache_effective_user proxy
#cache_effective_group proxy
cache_effective_group root
cache_dir ufs /var/spool/squid3 200 16 256
cache_mem 16 MB
maximum_object_size 15 MB
########## DNS CACHE ########
positive_dns_ttl 8 hours
negative_ttl 4 minutes
append_domain .TEST.LOCAL
########## SQUIDGUARD REDIRECTION ###
#url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
#url_rewrite_children 5
The krb5.conf
Code :
[libdefaults]
default_realm = TEST.LOCAL
clock_skew = 300
ticket_lifetime = 24000
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
TEST.LOCAL = {
kdc = SRV08AD.TEST.LOCAL
admin_server = SRV08AD.TEST.LOCAL
# default_domain = TEST.LOCAL
}
[domain_realm]
.domainead = TEST.LOCAL
domainead = TEST.LOCAL
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/ksadmind.log
And the smb.conf
root_at_Squid:~# cat /etc/samba/smb.conf
[global]
workgroup = TEST
realm = TEST.LOCAL
security = ads
encrypt passwords = yes
password server = SRV08AD.TEST.LOCAL
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
Rights on /var/run/samba/
Code :
root_at_Squid:~# ls -l /var/run/samba/
total 976
-rw-r--r-- 1 root root 40200 avril 17 10:29 brlock.tdb
-rw-r--r-- 1 root root 696 avril 17 10:29 connections.tdb
-rw-r--r-- 1 root root 425984 avril 17 10:49 gencache_notrans.tdb
-rw-r--r-- 1 root root 425984 avril 17 10:49 gencache.tdb
-rw-r--r-- 1 root root 40200 avril 17 10:29 locking.tdb
-rw------- 1 root root 12288 avril 17 10:29 messages.tdb
-rw------- 1 root root 696 avril 17 10:29 mutex.tdb
-rw-r--r-- 1 root root 5 avril 17 10:29 nmbd.pid
-rw-r--r-- 1 root root 696 avril 17 10:29 notify_onelevel.tdb
-rw-r--r-- 1 root root 696 avril 17 10:29 notify.tdb
-rw-r--r-- 1 root root 12288 avril 17 10:29 printer_list.tdb
-rw-r--r-- 1 root root 8192 avril 17 10:29 serverid.tdb
-rw-r--r-- 1 root root 696 avril 17 10:29 sessionid.tdb
-rw-r--r-- 1 root root 5 avril 17 10:29 smbd.pid
drwxr-xr-x 2 root root 60 avril 17 10:51 smb_krb5
srwxrwxrwx 1 root root 0 avril 17 10:29 unexpected
-rw-r--r-- 1 root root 5 avril 17 10:29 winbindd.pid
drwxr-x--- 2 root winbindd_priv 60 avril 17 10:29 winbindd_privileged
And the winbindd_priv group
Code :
root_at_Squid:~# cat /etc/group
winbindd_priv:x:106:proxy
Thanks for having read this big post, and sorry for my bad English.
Thanks for your time and your future help.
Best regards.
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Active-Directory-tp4665670.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Wed Apr 23 2014 - 07:51:59 MDT
This archive was generated by hypermail 2.2.0 : Wed Apr 23 2014 - 12:00:05 MDT
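The posted squid.conf turns three of Squid's stock guard rules from `deny` into `allow` (`allow manager`, `allow !Safe_ports`, `allow CONNECT !SSL_ports`), which is a separate problem from the login prompt. The script below is an added example, not the poster's or the Squid project's code: it lints a constructed copy of that http_access block beside a corrected one; the temp file names and the `lint_http_access` function are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post): lint the http_access section of a
# squid.conf for guard rules that "allow" where the Squid defaults "deny".
# Assumes only POSIX sh, awk and mktemp.
WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# Constructed sample with the same http_access ordering as the posted squid.conf.
cat > "$WEAK_CONF" <<'EOF'
http_access deny jeux
http_access allow manager localhost
http_access allow manager
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access allow test ntlm
http_access deny all
EOF

# Same rules with the three guards as the stock squid.conf ships them.
cat > "$HARDENED_CONF" <<'EOF'
http_access deny jeux
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow test ntlm
http_access deny all
EOF

# Reports each weak guard on stderr (file:line: reason) and prints the
# number of findings on stdout so callers can test it.
lint_http_access() {
  awk '
    function hit(msg) { print FILENAME ":" NR ": " msg > "/dev/stderr"; n++ }
    /^[ \t]*http_access[ \t]+allow[ \t]+!Safe_ports/ {
      hit("allow !Safe_ports: non-standard ports reachable through the proxy") }
    /^[ \t]*http_access[ \t]+allow[ \t]+CONNECT[ \t]+!SSL_ports/ {
      hit("allow CONNECT !SSL_ports: CONNECT tunnels permitted to any port") }
    /^[ \t]*http_access[ \t]+allow[ \t]+manager[ \t]*$/ {
      hit("allow manager: cache manager reachable from every client") }
    END { print n + 0 }
  ' "$1"
}

lint_http_access "$WEAK_CONF"      # prints 3
lint_http_access "$HARDENED_CONF"  # prints 0
```

As for the prompt itself: the `basic` scheme always makes the browser ask for credentials by design, so the helper succeeding in `ntlm_auth` tests does not change that; silent domain sign-on needs the `ntlm` scheme (`auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp`) and a matching `proxy_auth` acl.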