Hello, I have installed squid3 with authorisation in the windows2003 domain, with libraries kerberos5 and samba + winbind. OS Debian Lenny 5.0.1. Packages squid3, samba, krb and winbind are taken from official repositories (http://ftp.ru.debian.org/debian/). The proxy clients working under WinXP with browser IE6 or IE7 pass authorisation normally, without superfluous requests of a login/password. But those who uses Mozilla Firefox browser, at visiting of the sites especially containing JavaScript scenaries, often receive request of a login, password and domain for authorisation in proxy. If this request to reject (with pressed "cancel"), the client receives standard page of cache access denied. But if after that to press to "refresh", the page is loaded without login/password request, and all works normally before occurrence of the next of authorisation request. This effect observed on the firefox browsers only. Incr. or decr. of auth_param ntlm children parameters don't helped. Configs: ###squid.conf auth_param ntlm program /usr/bin/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 50 auth_param ntlm keep_alive on authenticate_cache_garbage_interval 1 minute authenticate_ttl 2 minutes authenticate_ip_ttl 2 minutes acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 acl Safe_ports port 80 81 8080 8081 # http acl Safe_ports port 21 # ftp acl Safe_ports port 5222 acl Safe_ports port 443 # https acl PURGE method PURGE acl CONNECT method CONNECT acl bad_pat_servers_ip src "/etc/squid3/acl/bad_pat_servers_ip" acl microsoft_activation dstdomain "/etc/squid3/acl/microsoft_activation" acl ip_symantec_ftp src 192.168.2.11 acl ftp_symantec dstdomain ftp.symantec.com liveupdate.symantec.com liveupdate.symantecliveupdate.com acl good_sites dstdomain "/etc/squid3/acl/good_sites" acl bad_pattern url_regex "/etc/squid3/acl/bad_pattern" acl bad_sites dstdomain "/etc/squid3/acl/bad_sites" acl odvk url_regex "/etc/squid3/acl/odvk" acl odnokl_sites dstdomain "/etc/squid3/acl/odnokl_sites" acl odnokl_users proxy_auth "/etc/squid3/acl/odnokl_users" acl ip_users src "/etc/squid3/acl/ip_users" acl AuthUsers proxy_auth "/etc/squid3/acl/users" http_access allow manager localhost http_access deny manager http_access allow PURGE localhost http_access deny PURGE http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow microsoft_activation http_access deny bad_pat_servers_ip http_access allow ip_symantec_ftp ftp_symantec http_access allow good_sites ip_users http_access allow good_sites AuthUsers http_access allow odnokl_sites odnokl_users http_access deny bad_pattern http_access deny bad_sites http_access deny odvk http_access allow ip_users http_access allow AuthUsers http_access allow localhost http_access deny all icp_access deny all htcp_access deny all http_port 192.168.60.60:3128 hierarchy_stoplist cgi-bin ? cache_mem 256 MB cache_dir ufs /var/spool/squid3 1024 16 256 access_log /var/log/squid3/access.log squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern (cgi-bin|\?) 0 0% 0 refresh_pattern . 0 20% 4320 icp_port 3130 forwarded_for off coredump_dir /var/spool/squid3 ###smb.conf [global] workgroup = PATERSON realm = PATERSON.RU password server = SRV-MSK11 SRV-MSK12 server string = %h server wins support = yes wins server = 192.168.2.11 dns proxy = no interfaces = 192.168.60.60 eth0 log file = /var/log/samba/log.%m log level = 3 max log size = 1000 syslog = 0 panic action = /usr/share/samba/panic-action %d security = ads encrypt passwords = true passdb backend = tdbsam obey pam restrictions = yes invalid users = root unix password sync = yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 case sensitive = No idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum groups = yes winbind enum users = yes winbind separator = + winbind use default domain = No [homes] comment = Home Directories browseable = no read only = yes create mask = 0700 directory mask = 0700 valid users = %S [printers] comment = All Printers browseable = no path = /var/spool/samba printable = yes guest ok = no read only = yes create mask = 0700 [print$] comment = Printer Drivers path = /var/lib/samba/printers browseable = yes read only = yes guest ok = no Best regards, Ehenov Roman. _________________________________________________________________________ Авторский фотоальбом Андрея Оборина и Михаила Семенова http://www.oborin.ru/book/Home.html
