LINUX.ORG.RU

Сообщения moroz-vl

 

kerberos авторизация, браузер запрашивает пароль

Добрый день. squid 3.1 centos 6 Добавил kerberos авторизацию. В логах наблюдаю следующее:

 tail -f /var/log/squid/cache.log
2015/03/05 09:48:53| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2015/03/05 09:48:56| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2015/03/05 09:48:56| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2015/03/05 09:48:58| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2015/03/05 09:49:03| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2015/03/05 09:49:08| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2015/03/05 09:49:13| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2015/03/05 09:49:18| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2015/03/05 09:49:23| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2015/03/05 09:49:28| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
squid.conf
# Squid normally listens to port 3128
http_port 3128

visible_hostname srv-proxy.domain.local

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on «localhost» is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl AUTH proxy_auth REQUIRED


################################################################################
### AD команды для подключения к группам AD2008R2 ###
################################################################################
external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R -D squid@domain.local -w Пароль -b "dc=domain,dc=local" -f "(&(objectclass=person) (sAMAccountName=%v)(memberof=cn=%a,ou=proxy,ou=Group,ou=HK,dc=domain,dc=local))" -h 10.10.10.10
################################################################################

################################################################################
### Листы доступа и блокировок по группам из AD2008R2 ###
################################################################################

# (лист доступа пользователей из группы tmn-user_admin находящаяся в AD2008R2)
acl tmn-user_admin external ldap_group tmn-user_admin

# (полный доступ по ИП )
#acl tmn-user_admin url_regex  "etc/squid/rules/inet-mac.txt"

# (лист доступа пользователей из группы tmn-user_proxy находящаяся в AD2008R2)
acl tmn-user_proxy external ldap_group tmn-user_proxy

# (лист доступа пользователей из группы tmn-user_socseti находящаяся в AD2008R2)
acl tmn-user_socseti external ldap_group tmn-user_socseti

# (лист доступа пользователей по MAС-адресу)
acl inet-mac arp "/etc/squid/rules/inet-mac.txt"

# (лист блокировки по списку URL)
acl url-block url_regex "/etc/squid/rules/url-block.txt"

# (лист блокировки по списку расширений файлов)
acl block-extension url_regex -i "/etc/squid/rules/block-extension.txt"

# (блокировка стрим потоков)
acl media rep_mime_type -i ^audio/.*$
acl media rep_mime_type -i ^video/.*$
acl media rep_mime_type -i ^video/x-flv$
acl media rep_mime_type -i ^application/x-shockwave-flash$
acl media rep_mime_type -i ^application/octet-stream$

# (разрешаем все для группы tmn-user_admin)
http_access allow AUTH tmn-user_admin

# (разрешаем все для группы inet-mac)
http_access allow AUTH inet-mac

# (запрещаем группе tmn-user_proxy список url-block)
http_access deny tmn-user_proxy url-block

# (запрещаем группе tmn-user_proxy список block-extension)
http_access deny tmn-user_proxy block-extension

# (запрещаем группе tmn-user_proxy список media)
http_reply_access deny tmn-user_proxy media

# (разрешаем группе tmn-user_proxy все, что осталось)
http_access allow AUTH tmn-user_proxy

################################################################################

# And finally deny all other access to this proxy
http_access deny all

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

 ,

moroz-vl
()

ошибка при кончигурированиии negotiate_wrapper-1.0.1

Не могу понять что ей надо

[root@srv-proxy negotiate_wrapper-1.0.1]# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking stdio.h usability... yes
checking stdio.h presence... yes
checking for stdio.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking time.h usability... yes
checking time.h presence... yes
checking for time.h... yes
checking for unistd.h... (cached) yes
checking errno.h usability... yes
checking errno.h presence... yes
checking for errno.h... yes
checking for SQUID at '../../..' ... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating nw_config.h
config.status: executing depfiles commands
configure: updating nw_config.h
make
[root@srv-proxy negotiate_wrapper-1.0.1]# make
make  all-recursive
make[1]: Entering directory `/home/negotiate_wrapper-1.0.1'
make[2]: Entering directory `/home/negotiate_wrapper-1.0.1'
gcc -DHAVE_CONFIG_H -I.   -I../../../ -I../../../include -I../../../src   -g -O2 -MT negotiate_wrapper.o -MD -MP -MF .deps/negotiate_wrapper.Tpo -c -o negotiate_wrapper.o negotiate_wrapper.c
mv -f .deps/negotiate_wrapper.Tpo .deps/negotiate_wrapper.Po
gcc  -g -O2  -L../../../lib -L../../../lib/.libs -o negotiate_wrapper negotiate_wrapper.o base64.o
make[2]: Leaving directory `/home/negotiate_wrapper-1.0.1'
make[1]: Leaving directory `/home/negotiate_wrapper-1.0.1'
[root@srv-proxy negotiate_wrapper-1.0.1]#

squid -v

[root@srv-proxy negotiate_wrapper-1.0.1]# squid -v
Squid Cache: Version 3.1.10
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-internal-dns' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-arp-acl' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth' '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' '--enable-digest-auth-helpers=password,ldap,eDirectory' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' --with-squid=/builddir/build/BUILD/squid-3.1.10

Подскажите куда копать, если нужны дополнительные сведения предоставлю.

 ,

moroz-vl
()

RSS подписка на новые темы