Добрый день. Настроил в сквиде керберос аунтефикацию, но пользователей не пускает никуда, страницы очень долго грузяться. Версия сквида:
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' --with-squid=/tmp/buildd/squid3-3.1.20
Кусок конфига где идет креберос аунтефикация:
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -s HTTP/vs-msk00-prx05.ylrus.com@YLRUS.COM
auth_param negotiate children 20
auth_param negotiate keep_alive on
перед этим сделал кейтаб для пользователя HTTP/vs-msk00-prx05.ylrus.com@YLRUS.COM, дал на него права пользователю, от которого запускается сквид.
в cache.log сыпиться вот такое чудо:
2014/08/22 10:06:10| squid_kerb_auth: DEBUG: Got 'YR YIIHJQYGKwYBBQUCoIIHGTCCBxWgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBt8Eggb
2014/08/22 10:06:10| squid_kerb_auth: DEBUG: Decode 'YIIHJQYGKwYBBQUCoIIHGTCCBxWgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBt8Eggb$
2014/08/22 10:06:10| squid_kerb_auth: DEBUG: AF oYGgMIGdoAMKAQChCwYJKoZIhvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWpoGf7r5dFaH$
2014/08/22 10:06:34| squid_kerb_auth: DEBUG: Got 'YR YIIHJQYGKwYBBQUCoIIHGTCCBxWgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBt8Eggb$
from squid (length: 2447).
(decoded length: 1833).
вот сам krb5.conf
[appdefaults]
pam = {
debug = false
alt_auth_map = %s
force_alt_auth = true
ticket_lifetime = 24h
renew_lifetime = 24h
forwardable = true
krb4_convert = false
}
[libdefaults]
default_realm = YLRUS.COM
ticket_lifetieme = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_timesync = 1
ccache_type = 4
forwardable = yes
rdns = no
# proxiable = true
default_keytab_name = /etc/proxy.keytab
default_tgs_enctypes = des-cbc-crc rc4-hmac des-cbc-md5
default_tkt_enctypes = des-cbc-crc rc4-hmac des-cbc-md5
permitted_enctypes = des-cbc-crc rc4-hmac des-cbc-md5
clock_skew = 300
[realms]
YLRUS.COM = {
kdc = S-MSK00-GDC01.YLRUS.COM
kdc = S-MSK01-DC01.YLRUS.COM
admin_server = S-MSK00-GDC01.YLRUS.COM
admin_server = S-MSK00-GDC01.YLRUS.COM
default_domain = YLRUS.COM
}
[domain_realm]
.ylrus.com = YLRUS.COM
ylrus.com = YLRUS.COM
[logging]
default = FILE:/var/log/krb5lib.log
kinit -V -k -t /etc/proxy.keytab HTTP/vs-msk00-prx05.ylrus.com
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/vs-msk00-prx05.ylrus.com@YLRUS.COM
Using keytab: /etc/proxy.keytab
Authenticated to Kerberos v5
