[es] - Squid i ntlm authentification na AD

gristic
Goran Ristic
Nis

Član broj: 27204
Poruke: 121
*.static.isp.telekom.rs.

Profil

^{23.02.2012. u 12:54 - pre 148 meseci}

Pozdrav svima

Imam sledeću situaciju:
-AD na Win SBS 2003 sa 40 windows radnih stanica i toliko korisnika.
-Fedora 16 kao proxy ( squid 3.2.0.13, samba 3.6.3-78.fc16).

Fedora sam pridružio domenu, i kroz konzolu sve radi kako treba, vidim sve korisnike u domenu, grupe, sa ntlm_auth i helperom uspem da autentifikujem korisnika.
Međutim, u browserima mi stalno traži da unesem username i password, i ako unesem validne podatke on mi stalno vraća formu za unos user/pass i na kraju mi da access denied.

Ovo je podešavanje squida:

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443 995
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 110 # POP3
acl Safe_ports port 587 # SMTP
acl Safe_ports port 995
acl CONNECT method CONNECT

################## ACL for Radio / Video Stream ###########################
acl StreamingRequest1 req_mime_type -i ^video/x-ms-asf$
acl StreamingRequest2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingRequest3 req_mime_type -i ^application/x-mms-framed$
acl StreamingRequest4 req_mime_type -i ^audio/x-pn-realaudio$
acl StreamingReply1 rep_mime_type -i ^video/x-ms-asf$
acl StreamingReply2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingReply3 rep_mime_type -i ^application/x-mms-framed$
acl StreamingReply4 rep_mime_type -i ^audio/x-pn-realaudio$
################## ACL for Radio / Video Stream ###########################

#################### Rules to block Radio / Video Stream #################
http_access deny StreamingRequest1 all
http_access deny StreamingRequest2 all
http_access deny StreamingRequest3 all
http_access deny StreamingRequest4 all

http_reply_access deny StreamingReply1 all
http_reply_access deny StreamingReply2 all
http_reply_access deny StreamingReply3 all
http_reply_access deny StreamingReply4 all
#################### Rules to block Radio / Video Stream #################

acl fails rep_mime_type ^.*mms.*
acl fails rep_mime_type ^.*ms-hdr.*
acl fails rep_mime_type ^.*x-fcs.*
acl fails rep_mime_type ^.*x-ms-asf.*
acl fails2 urlpath_regex dvrplayer mediastream mms://
acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$
acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$
acl x-type req_mime_type -i ^application/octet-stream$
acl x-type req_mime_type -i application/octet-stream
acl x-type req_mime_type -i ^application/x-mplayer2$
acl x-type req_mime_type -i application/x-mplayer2
acl x-type req_mime_type -i ^application/x-oleobject$
acl x-type req_mime_type -i application/x-oleobject
acl x-type req_mime_type -i application/x-pncmd
acl x-type req_mime_type -i ^video/x-ms-asf$

acl x-type2 rep_mime_type -i ^application/octet-stream$
acl x-type2 rep_mime_type -i application/octet-stream
acl x-type2 rep_mime_type -i ^application/x-mplayer2$
acl x-type2 rep_mime_type -i application/x-mplayer2
acl x-type2 rep_mime_type -i ^application/x-oleobject$
acl x-type2 rep_mime_type -i application/x-oleobject
acl x-type2 rep_mime_type -i application/x-pncmd
acl x-type2 rep_mime_type -i ^video/x-ms-asf$
http_reply_access deny deny_rep_mime_flashvideo
http_reply_access deny deny_rep_mime_shockwave

#streaming files
http_access deny fails
http_reply_access deny fails
http_access deny fails2
http_reply_access deny fails2
http_access deny x-type
http_reply_access deny x-type
http_access deny x-type2
http_reply_access deny x-type2

http_access allow localhost manager
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
auth_param ntlm use_ntlm_negotiate on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl authenticated proxy_auth REQUIRED
http_access allow authenticated

acl denyThis dstdomain '/etc/squid/acl.txt'
acl filehosting dstdomain '/etc/squid/filehosting.txt'
acl filesharing dstdomain '/etc/squid/filesharing.txt'
acl social dstdomain '/etc/squid/social.txt'
acl warez dstdomain '/etc/squid/warez.txt'

http_access deny denyThis
http_access deny filehosting
http_access deny filesharing
http_access deny social
http_access deny warez

acl extndeny url_regex -i "/etc/squid/extndeny"
acl download method GET

http_access deny extndeny download
http_access deny extndeny

acl gtalk url_regex -i ^http:////mail.google.com/mail/channel/bind
http_access deny gtalk

tcp_outgoing_address 192.168.107.4

always_direct allow localnet
never_direct allow all

http_access allow localnet
http_access allow localhost

http_access deny all

http_port 3128

cache_dir ufs /var/spool/squid 100 16 256

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group squid
access_log /var/log/squid/access.log

U čemu je problem pa mi ne prolazi autentifikacija

Odgovor na temu