debian SQUD+SAMBA+AD win2003

Добрйдень господа. Я начал подымать Линух Debian 5.0. Уж очень хотелось проксю под уплавлением Линукса. Значит настроил Samba и kerberos samba.conf

[global]

server string = %h server

include = /etc/samba/dhcp.conf

dns proxy = no

log file = /var/log/samba/log.%m

max log size = 1000

syslog = 0

panic action = /usr/share/samba/panic-action %d

security = ads

encrypt passwords = true

passdb backend = tdbsam

obey pam restrictions = yes

unix password sync = yes

passwd program = /usr/bin/passwd %u

passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s* \spassword:* %n\n *password\supdated\ssuccessfully* . pam password change = yes

winbind separator = +

winbind use default domain = yes

winbind uid = 10000-20000

winbind gid = 10000-20000

winbind enum groups = yes

winbind enum users = yes

winbind cache time = 60

workgroup = domain

[homes]

comment = Home Directories

browseable = no

read only = yes

create mask = 0700

directory mask = 0700

valid users = %S

krb5.conf:

[libdefaults] default_realm = DOMAIN

clockskew = 300

v4_instance_resolve = false

v4_name_convert = {

host = {

rcmd = host

ftp = ftp

}

plain = {

something = something-else

}

}

krb4_config = /etc/krb.conf

krb4_realms = /etc/krb.realms

kdc_timesync = 1

ccache_type = 4

forwardable = true

proxiable = true

[realms]

DOMAIN = {

kdc = SERVER.DOMAIN.RU

admin_server = SERVER.DOMAIN.RU

default_domain = DOMAIN.RU

}

[domain_realm]

.DOMAIN.RU = DOMAIN.RU

DOMAIN.RU = DOMAIN.RU

.mit.edu = ATHENA.MIT.EDU

mit.edu = ATHENA.MIT.EDU

.media.mit.edu = MEDIA-LAB.MIT.EDU

media.mit.edu = MEDIA-LAB.MIT.EDU

.csail.mit.edu = CSAIL.MIT.EDU

csail.mit.edu = CSAIL.MIT.EDU

.whoi.edu = ATHENA.MIT.EDU

whoi.edu = ATHENA.MIT.EDU

.stanford.edu = stanford.edu

.slac.stanford.edu = SLAC.STANFORD.EDU

[login]

krb4_convert = true

krb4_get_tickets = true

nsswitch.conf

passwd: files winbind

passwd_compat: nis

group: files winbind

group_compat: nis

shells: files

shadow: compat

hosts: files dns

networks: files

protocols: db files

services: db files

ethers: db files

rpc: db files

netgroup: nis

При

khronos:/home/alex# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: admin@DOMAIN.RU

Valid starting Expires Service principal

02/26/10 09:21:29 02/26/10 19:22:21 krbtgt/DOMAIN.RU@DOMAIN.RU

renew until 02/27/10 09:21:29

Kerberos 4 ticket cache: /tmp/tkt0

klist: You have no tickets cached

при

#>wbinfo -g

#>wbinfo -u

Выдает группы и пользователей домена

при

khronos:/home/alex# id user1

uid=10000(user1) gid=10002(domain users) группы=10002(domain users),10007(client_admins),10008(consultant plus users),10009(newproxy),10010(domain admins),10011(podr — oasu — adm),10012(smsmse admins),10013(podr — oasu),10014(ultravnc_full_control),10015(exchange public folder administrators),10016(tq_unlim),10017(exchange recipient administrators),10006(olimp_ftp),10018(exchange view-only administrators),10019(exchange organization administrators),10020(enterprise admins),10021(пользователи vpn- озна),10022,10023,10024,10025,10026,10003,10027,10028(newolimp),10005(certsvc_dcom_access),10001(BUILTIN\users),10000(BUILTIN\administrators)

squd.conf

auth_param ntlm program /usr/bin/ntlm_auth --helper- protocol=squid-2.5-ntlmssp auth_param ntlm children 10

#auth_param ntlm max_challenge_reuses 0

#auth_param ntlm max_challenge_lifetime 2 minutes

#auth_param ntlm use_ntlm_negotiate off

auth_param basic program /usr/bin/ntlm_auth --helper- protocol=squid-2.5-basic auth_param basic children 5

auth_param basic realm Domain Proxy Server

auth_param basic credentialsttl 2 hours

auth_param basic casesensitive off

authenticate_cache_garbage_interval 10 seconds

authenticate_ttl 0 seconds

acl all src all #Разрешить весь трафик со все сети

acl foo proxy_auth REQUIRED

acl manager proto cache_object

acl localhost src 127.0.0.1/32

acl to_localhost dst 127.0.0.0/8

acl vl140 src 172.16.140.0/255.255.255.0 #Разрешить весь трафик с 140- го Вилана

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

acl localnet src 172.16.0.0/12 # RFC1918 possible internal network

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443 # https

acl SSL_ports port 563 # snews

acl SSL_ports port 873 # rsync

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl Safe_ports port 631 # cups

acl Safe_ports port 873 # rsync

acl Safe_ports port 901 # SWAT

acl purge method PURGE

acl CONNECT method CONNECT

http_access allow foo

http_access allow manager localhost

http_access deny manager

http_access allow purge localhost

http_access deny purge

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost

http_reply_access allow foo

icp_access allow localnet

icp_access deny all

khronos:/var/run/samba# ls -l | grep winbindd

-rw-r--r-- 1 root root 5 Фев 26 08:28 winbindd.pid

drwxr-xrwx 2 root winbindd_priv 4096 Фев 26 08:28 winbindd_privileged

Но при аунтефикации вылетает окно запроса пароля и логина, ввожу свой рабочий логин и пароль. ничего не происходит и снова вылетает окно запроса. при чем в логах:

Login for user [domain]\[unser1]@[NAMECOMP] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/$

[2010/02/26 10:19:20, 0] utils/ ntlm_auth.c:manage_squid_ntlmssp_request(817) NTLMSSP BH: NT_STATUS_ACCESS_DENIED

2010/02/26 10:19:20| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'

Не понятно в чем дело, господа помогите разобраться?