First, hi to everybody. I will explain my problem: I have an AD Windows Server 2008, a Debian 7 with Squid, Samba, winbind, and an XP client for testing.

My Debian was in the AD and the connection test was OK.

Code :
    root@Squid:~# net ads testjoin
    Join is OK

Code :
    root@Squid:~# ntlm_auth --username=admin
    password:
    NT_STATUS_OK: Success (0x0)

Code :
    root@Squid:~# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --username=administrateur
    password:
    NT_STATUS_OK: Success (0x0)

The Squid server recovered the info from the AD.

Code :
    root@Squid:~# wbinfo -g
    ordinateurs du domaine
    contrôleurs de domaine
    administrateurs du schéma
    administrateurs de l’entreprise
    éditeurs de certificats
    admins du domaine
    utilisateurs du domaine
    invités du domaine
    propriétaires créateurs de la stratégie de groupe
    serveurs ras et ias
    groupe de réplication dont le mot de passe rodc est autorisé
    groupe de réplication dont le mot de passe rodc est refusé
    contrôleurs de domaine en lecture seule
    contrôleurs de domaine d’entreprise en lecture seule
    dnsadmins
    dnsupdateproxy
    test
    root@Squid:~# wbinfo -u
    administrateur
    invité
    krbtgt
    test2

On the XP, when I do the AD to the gateway, I don't have access to the net; when I put the proxy, I have.

When I do the second solution (proxy for GTW): when I open a session with my AD user and I launch Firefox or IE, the browser asks me for login and password (when I type the ID and password, that works).

Normally the Windows login doesn't appear and Squid asks AD to check if the AD user has the right. It is as if the user were not recognized.
Here is my squid.conf

Code :
    root@Squid:~# cat /etc/squid3/squid.conf
    ######Authentication
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm TEST

    ####ACCESS CONTROL LIST DEFINITIONS###################
    acl ntlm proxy_auth REQUIRED
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    acl test src 192.168.10.0/24
    acl jeux dstdom_regex "/etc/squid3/jeux"

    ##############LIST OF AUTHORIZATIONS#################
    http_access deny jeux
    http_access allow manager localhost
    http_access allow manager
    http_access allow !Safe_ports
    http_access allow CONNECT !SSL_ports
    http_access allow localhost
    http_access allow test ntlm
    http_access deny all

    ############# PROXY LISTENING PORT ################
    http_port 8080

    ############ LOG FILE LOCATION #########
    access_log /var/log/squid3/access.log

    ########### CACHE DIRECTORY ####################
    cache_effective_user proxy
    #cache_effective_group proxy
    cache_effective_group root
    cache_dir ufs /var/spool/squid3 200 16 256
    cache_mem 16 MB
    maximum_object_size 15 MB

    ########## DNS buffer ########
    positive_dns_ttl 8 hours
    negative_ttl 4 minutes
    append_domain .TEST.LOCAL

    ########## USE OF SQUIDGUARD REDIRECTION ###
    #url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
    #url_rewrite_children 5

The krb5.conf

Code :
    [libdefaults]
    default_realm = TEST.LOCAL
    clock_skew = 300
    ticket_lifetime = 24000
    dns_lookup_realm = false
    dns_lookup_kdc = true

    [realms]
    TEST.LOCAL = {
    kdc = SRV08AD.TEST.LOCAL
    admin_server = SRV08AD.TEST.LOCAL
    # default_domain = TEST.LOCAL
    }

    [domain_realm]
    .domainead = TEST.LOCAL
    domainead = TEST.LOCAL

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/ksadmind.log

And the smb.conf

    root@Squid:~# cat /etc/samba/smb.conf
    [global]
    workgroup = TEST
    realm = TEST.LOCAL
    security = ads
    encrypt passwords = yes
    password server = SRV08AD.TEST.LOCAL
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum groups = yes
    winbind enum users = yes
    winbind use default domain = yes

Rights on /var/run/samba/

Code :
    root@Squid:~# ls -l /var/run/samba/
    total 976
    -rw-r--r-- 1 root root 40200 avril 17 10:29 brlock.tdb
    -rw-r--r-- 1 root root 696 avril 17 10:29 connections.tdb
    -rw-r--r-- 1 root root 425984 avril 17 10:49 gencache_notrans.tdb
    -rw-r--r-- 1 root root 425984 avril 17 10:49 gencache.tdb
    -rw-r--r-- 1 root root 40200 avril 17 10:29 locking.tdb
    -rw------- 1 root root 12288 avril 17 10:29 messages.tdb
    -rw------- 1 root root 696 avril 17 10:29 mutex.tdb
    -rw-r--r-- 1 root root 5 avril 17 10:29 nmbd.pid
    -rw-r--r-- 1 root root 696 avril 17 10:29 notify_onelevel.tdb
    -rw-r--r-- 1 root root 696 avril 17 10:29 notify.tdb
    -rw-r--r-- 1 root root 12288 avril 17 10:29 printer_list.tdb
    -rw-r--r-- 1 root root 8192 avril 17 10:29 serverid.tdb
    -rw-r--r-- 1 root root 696 avril 17 10:29 sessionid.tdb
    -rw-r--r-- 1 root root 5 avril 17 10:29 smbd.pid
    drwxr-xr-x 2 root root 60 avril 17 10:51 smb_krb5
    srwxrwxrwx 1 root root 0 avril 17 10:29 unexpected
    -rw-r--r-- 1 root root 5 avril 17 10:29 winbindd.pid
    drwxr-x--- 2 root winbindd_priv 60 avril 17 10:29 winbindd_privileged

And the winbindd_priv group

Code :
    root@Squid:~# cat /etc/group
    winbindd_priv:x:106:proxy

Thanks for having read this big post and sorry for my bad English.
Thanks for your time and your future help.
Best regards.
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Active-Directory-tp4665670.html
Sent from the Squid - Users mailing list archive at Nabble.com.
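
Added example, not part of the original post and not Squid's own tooling: a small Python check over the auth and http_access lines of the squid.conf posted above. It reports when only the `basic` scheme is configured (a browser cannot answer Basic with the Windows logon session, so it prompts) and flags `allow` rules where the stock squid.conf uses `deny`; the `audit` function and the finding names are made up for this illustration.

```python
# Added example: audits the auth and http_access lines of a squid.conf.
SSO_SCHEMES = {"ntlm", "negotiate"}  # schemes a domain-joined browser answers without a prompt
NEGATED_PORT_ACLS = {"!Safe_ports", "!SSL_ports"}  # stock config pairs these with "deny"

# Constructed sample: the auth and http_access lines copied from the post above.
POSTED_CONF = """\
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm TEST
acl ntlm proxy_auth REQUIRED
acl test src 192.168.10.0/24
http_access deny jeux
http_access allow manager localhost
http_access allow manager
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access allow test ntlm
http_access deny all
"""


def audit(conf_text):
    """Return (line_number, finding) pairs; line 0 marks a file-wide finding."""
    schemes, findings = set(), []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()  # drop comments, split into words
        if len(tok) >= 3 and tok[0] == "auth_param" and tok[2] == "program":
            schemes.add(tok[1].lower())
        elif len(tok) >= 3 and tok[:2] == ["http_access", "allow"]:
            acls = tok[2:]
            if NEGATED_PORT_ACLS & set(acls):
                # Allows every request to a port outside the list, before any auth rule.
                findings.append((lineno, "allow-on-negated-port-acl"))
            if acls == ["manager"]:
                # Cache manager reachable from any client, not only localhost.
                findings.append((lineno, "cache-manager-open"))
    if schemes and not schemes & SSO_SCHEMES:
        # Only Basic is offered, so the browser shows a login box.
        findings.append((0, "basic-only-browser-will-prompt"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(POSTED_CONF):
        print(f"line {lineno}: {finding}")
```

With ntlm_auth, the helper protocol for the `ntlm` scheme is `squid-2.5-ntlmssp`, declared with its own `auth_param ntlm program` line ahead of the basic one.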