unix:/var/log/squid#wbinfo -p
Ping to winbindd succeeded on fd 4
unix:/var/log/squid#wbinfo -t
checking the trust secret via RPC calls succeeded
unix:/var/log/squid#wbinfo -m
DOMAIN
unix:/var/log/samba#wbinfo -u
DOMAIN\username
and other users
unix:/var/log/samba#wbinfo -g
DOMAIN\domain users
DOMAIN\domain guests
........
DOMAIN\allowinet
and other groups....
unix:/var/log/squid#wbinfo -n username
S-1-5-21-2458564005-3907202364-2285616218-5184 User (1)
unix:/var/log/squid#wbinfo -a domain\\username%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
unix:/usr/local/var/locks#ntlm_auth --domain=DOMAIN --require-membership-of='DOMAIN\allowinet' --username=username
password:
NT_STATUS_OK: Success (0x0)
Meanwhile, in the Samba logs:
[2007/08/07 10:49:49, 6] nsswitch/winbindd.c:new_connection(628)
accepted socket 19
[2007/08/07 10:49:49, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
[17492]: request interface version
[2007/08/07 10:49:49, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
[17492]: request location of privileged pipe
[2007/08/07 10:49:49, 6] nsswitch/winbindd.c:new_connection(628)
accepted socket 20
[2007/08/07 10:49:49, 3] nsswitch/winbindd_misc.c:winbindd_info(479)
[17492]: request misc info
[2007/08/07 10:49:49, 3] nsswitch/winbindd_sid.c:winbindd_lookupname(103)
[17492]: lookupname DOMAIN\allowinet
[2007/08/07 10:49:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
[17492]: pam auth DOMAIN\username
[2007/08/07 10:49:49, 8] lib/util.c:is_myname(2073)
is_myname("DOMAIN") returns 0
Everything seems fine....
Looking further:
unix:/usr/local/var/locks#ps -aux | grep squid
squid 16355 0,0 0,4 9912 8808 p0 S 10:08 0:00,59 squid -NsY
squid 18542 0,0 0,3 37192 5988 ?? Is 11:22 0:00,11 (squidGuard) (squidGuard)
squid 18543 0,0 0,3 37192 5988 ?? Is 11:22 0:00,10 (squidGuard) (squidGuard)
squid 18544 0,0 0,3 37192 5988 ?? Is 11:22 0:00,11 (squidGuard) (squidGuard)
squid 18545 0,0 0,3 37192 5988 ?? Is 11:22 0:00,12 (squidGuard) (squidGuard)
squid 18546 0,0 0,2 5616 3784 ?? Is 11:22 0:00,12 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --require-membership-of='DOMAIN\\allowinet' (ntlm_auth)
squid 18547 0,0 0,2 5616 3784 ?? Is 11:22 0:00,13 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --require-membership-of='DOMAIN\\allowinet' (ntlm_auth)
squid 18548 0,0 0,2 5616 3784 ?? Is 11:22 0:00,13 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --require-membership-of='DOMAIN\\allowinet' (ntlm_auth)
squid 18549 0,0 0,2 5616 3784 ?? Is 11:22 0:00,12 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --require-membership-of='DOMAIN\\allowinet' (ntlm_auth)
squid 18550 0,0 0,2 5616 3784 ?? Is 11:22 0:00,11 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --require-membership-of='DOMAIN\\allowinet' (ntlm_auth)
squid 18551 0,0 0,2 5616 3784 ?? Is 11:22 0:00,12 (ntlm_auth) --helper-protocol=squid-2.5-basic --require-membership-of='DOMAIN\\allowinet' (ntlm_auth)
squid 18552 0,0 0,2 5616 3784 ?? Is 11:22 0:00,11 (ntlm_auth) --helper-protocol=squid-2.5-basic --require-membership-of='DOMAIN\\allowinet' (ntlm_auth)
squid 18553 0,0 0,2 5616 3784 ?? Is 11:22 0:00,11 (ntlm_auth) --helper-protocol=squid-2.5-basic --require-membership-of='DOMAIN\\allowinet' (ntlm_auth)
squid 18554 0,0 0,2 5616 3784 ?? Is 11:22 0:00,09 (ntlm_auth) --helper-protocol=squid-2.5-basic --require-membership-of='DOMAIN\\allowinet' (ntlm_auth)
squid 18555 0,0 0,2 5616 3784 ?? Is 11:22 0:00,10 (ntlm_auth) --helper-protocol=squid-2.5-basic --require-membership-of='DOMAIN\\allowinet' (ntlm_auth)
squid 16355 0,0 0,4 9944 8848 p0 S 10:08 0:00,95 squid -NsY
unix:/usr/local/var/locks#ls -la | grep winbindd_privileged
drwxr-x--- 2 root squid 512 7 авг 10:48 winbindd_privileged
In squid.conf:
=======================================================================================
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='DOMAIN\\allowinet'
auth_param ntlm children 5
auth_param ntlm keep_alive on
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='DOMAIN\\allowinet'
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl squidusers proxy_auth REQUIRED
http_access allow squidusers
=======================================================================================
smb.conf
#===============================================================
#
# /usr/local/etc/smb.conf
#
#======================= Global Settings =======================
[global]
workgroup = DOMAIN
server string = Proxy Server
security = ads
hosts allow = 192.168.0.
log file = /var/log/samba/samba.log
max log size = 500
password server = pdc.domian.ru
realm = domian.ru
passdb backend = tdbsam
socket options = TCP_NODELAY
local master = no
domain master = no
preferred master = no
domain logons = no
os level = 0
display charset = koi8-r
unix charset = koi8-r
dos charset = cp866
encrypt passwords = yes
#winbind separator = \\ <- tried both with this separator and without it...
winbind use default domain = no
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
=============================================================
It seems like it should work... But in the browser it does not work...
The Samba logs show:
[2007/08/07 10:49:59, 6] nsswitch/winbindd.c:new_connection(628)
accepted socket 19
[2007/08/07 10:49:59, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
[16366]: request interface version
[2007/08/07 10:49:59, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
[16366]: request location of privileged pipe
[2007/08/07 10:49:59, 6] nsswitch/winbindd.c:new_connection(628)
accepted socket 20
[2007/08/07 10:49:59, 3] nsswitch/winbindd_sid.c:winbindd_lookupname(103)
[16366]: lookupname 'DOMAIN\allowinet'
[2007/08/07 10:49:59, 5] nsswitch/winbindd_async.c:lookupname_recv2(801)
lookup_name returned an error
[2007/08/07 10:49:59, 5] nsswitch/winbindd_sid.c:lookupname_recv(116)
lookupname returned an error
[2007/08/07 10:50:00, 3] nsswitch/winbindd_sid.c:winbindd_lookupname(103)
[16366]: lookupname 'DOMAIN\allowinet'
[2007/08/07 10:50:00, 5] nsswitch/winbindd_async.c:lookupname_recv2(801)
lookup_name returned an error
[2007/08/07 10:50:00, 5] nsswitch/winbindd_sid.c:lookupname_recv(116)
lookupname returned an error
I.e. Squid, via Samba, cannot determine what this group 'DOMAIN\allowinet' is and who is in it... Yet Samba itself (when authenticating by hand) knows everything...
If I remove --require-membership-of='DOMAIN\\allowinet' from the Squid config, everything works wonderfully...
What to do? Who is to blame? Why and what for? And other such questions....
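
An added example, not part of the original post: a small Python parser for winbindd log records like the two excerpts above, reporting each lookupname request exactly as winbindd received it and whether an error followed. The sample lines are copied from the post; the function name and record fields are assumptions of this example.

```python
import re

# Sample input: lines copied from the two winbindd log excerpts in the post.
# pid 17492 is the manual ntlm_auth run, pid 16366 the helper started by Squid.
SAMPLE_LOG = """\
[2007/08/07 10:49:49, 3] nsswitch/winbindd_sid.c:winbindd_lookupname(103)
[17492]: lookupname DOMAIN\\allowinet
[2007/08/07 10:49:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
[17492]: pam auth DOMAIN\\username
[2007/08/07 10:49:59, 3] nsswitch/winbindd_sid.c:winbindd_lookupname(103)
[16366]: lookupname 'DOMAIN\\allowinet'
[2007/08/07 10:49:59, 5] nsswitch/winbindd_async.c:lookupname_recv2(801)
lookup_name returned an error
[2007/08/07 10:49:59, 5] nsswitch/winbindd_sid.c:lookupname_recv(116)
lookupname returned an error
"""

# A client request line looks like "[pid]: <verb> <arguments>".
REQUEST = re.compile(r"^\[(\d+)\]: (\w+)(?: (.*))?$")


def audit_lookups(log_text):
    """Return one record per lookupname request seen in a winbindd log."""
    records = []
    current = None  # most recent lookupname request still awaiting a result
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REQUEST.match(line)
        if m and m.group(2) == "lookupname":
            name = m.group(3) or ""
            # Quote characters that reach winbindd are part of the name itself.
            quoted = len(name) >= 2 and name[0] == name[-1] and name[0] in "'\""
            current = {"pid": int(m.group(1)), "name": name,
                       "literal_quotes": quoted, "failed": False}
            records.append(current)
        elif m:
            current = None  # a different request: later errors are not ours
        elif current is not None and line == "lookupname returned an error":
            # Error lines carry no pid, so attribute them to the open request.
            current["failed"] = True
    return records


if __name__ == "__main__":
    for rec in audit_lookups(SAMPLE_LOG):
        print(rec)
```

On the post's excerpts, the manual run sends the group name unquoted and no error follows, while the helper started by Squid sends the name with the single quotes included and the lookup fails.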