Добрйдень господа. Я начал подымать Линух Debian 5.0. Уж очень хотелось проксю под уплавлением Линукса. Значит настроил Samba и kerberos
samba.conf
[global]
server string = %h server
include = /etc/samba/dhcp.conf
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ads
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*
\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
winbind separator = +
winbind use default domain = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind cache time = 60
workgroup = domain
[homes]
comment = Home Directories
browseable = no
read only = yes
create mask = 0700
directory mask = 0700
valid users = %S
krb5.conf:
[libdefaults]
default_realm = DOMAIN
clockskew = 300
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
DOMAIN = {
kdc = SERVER.DOMAIN.RU
admin_server = SERVER.DOMAIN.RU
default_domain = DOMAIN.RU
}
[domain_realm]
.DOMAIN.RU = DOMAIN.RU
DOMAIN.RU = DOMAIN.RU
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
[login]
krb4_convert = true
krb4_get_tickets = true
nsswitch.conf
passwd: files winbind
passwd_compat: nis
group: files winbind
group_compat: nis
shells: files
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
При
khronos:/home/alex# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@DOMAIN.RU
Valid starting Expires Service principal
02/26/10 09:21:29 02/26/10 19:22:21 krbtgt/DOMAIN.RU@DOMAIN.RU
renew until 02/27/10 09:21:29
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
при
#>wbinfo -g
#>wbinfo -u
Выдает группы и пользователей домена
при
khronos:/home/alex# id user1
uid=10000(user1) gid=10002(domain users) группы=10002(domain
users),10007(client_admins),10008(consultant plus users),10009(newproxy),10010(domain admins),10011(podr — oasu —
adm),10012(smsmse admins),10013(podr — oasu),10014(ultravnc_full_control),10015(exchange public folder
administrators),10016(tq_unlim),10017(exchange recipient administrators),10006(olimp_ftp),10018(exchange view-only
administrators),10019(exchange organization administrators),10020(enterprise admins),10021(пользователи vpn-
озна),10022,10023,10024,10025,10026,10003,10027,10028(newolimp),10005(certsvc_dcom_access),10001(BUILTIN\users),10000(BUILTIN\administrators)
squd.conf
auth_param ntlm program /usr/bin/ntlm_auth --helper-
protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-
protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 seconds
acl all src all #Разрешить весь трафик со все сети
acl foo proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl vl140 src 172.16.140.0/255.255.255.0 #Разрешить весь трафик с 140-
го Вилана
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow foo
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_reply_access allow foo
icp_access allow localnet
icp_access deny all
khronos:/var/run/samba# ls -l | grep winbindd
-rw-r--r-- 1 root root 5 Фев 26 08:28 winbindd.pid
drwxr-xrwx 2 root winbindd_priv 4096 Фев 26 08:28 winbindd_privileged
Но при аунтефикации вылетает окно запроса пароля и логина, ввожу свой
рабочий логин и пароль. ничего не происходит и снова вылетает окно запроса. при чем в логах:
Login for user [domain]\[unser1]@[NAMECOMP] failed due to [winbind
client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/$
[2010/02/26 10:19:20, 0] utils/
ntlm_auth.c:manage_squid_ntlmssp_request(817)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2010/02/26 10:19:20| authenticateNTLMHandleReply: Error validating
user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
Не понятно в чем дело, господа помогите разобраться?