Настроил авторизацию в squid-е, используя Windows-пользователей
в домене AD. Но после запуска winbindd компьютер медленно реагирует на команды:
например, ps отвечает с задержкой, а top вообще не запускается.
Что это может быть? Почему winbindd так грузит компьютер?
Метод аутентификации между браузером и squid — ntlm_auth.
Вот все настройки на FreeBSD 7.2, касающиеся winbindd и squid:
=============================================================================
[root@fox2] /usr/home/korenevb/> ps -axjw
USER PID PPID STAT TIME COMMAND
root 0 0 DLs 0:00.86 [swapper]
....................................
root 475 1 Is 0:00.00 /sbin/devd
root 532 1 Ss 0:00.55 /usr/sbin/syslogd -s
root 549 1 Is 0:00.26 /usr/sbin/rpcbind
root 627 1 Ss 0:08.35 /usr/sbin/ntpd -c /etc/ntp.conf -p /var/run/ntpd.pid -f /var/db/ntpd.drif
root 715 1 Is 0:00.01 /usr/sbin/sshd
root 722 1 Is 0:00.79 /usr/sbin/cron -s
squid 12837 33665 S 0:00.14 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp (ntlm_auth)
squid 12838 33665 S 0:00.07 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp (ntlm_auth)
squid 12839 33665 I 0:00.06 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp (ntlm_auth)
squid 12840 33665 I 0:00.04 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp (ntlm_auth)
squid 12841 33665 I 0:00.04 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp (ntlm_auth)
squid 12842 33665 I 0:00.03 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp (ntlm_auth)
squid 12843 33665 I 0:00.03 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp (ntlm_auth)
squid 12844 33665 I 0:00.03 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp (ntlm_auth)
squid 12845 33665 I 0:00.03 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp (ntlm_auth)
squid 12846 33665 I 0:00.02 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp (ntlm_auth)
squid 12847 33665 I 0:00.02 (ntlm_auth) --helper-protocol=squid-2.5-basic (ntlm_auth)
squid 12848 33665 I 0:00.02 (ntlm_auth) --helper-protocol=squid-2.5-basic (ntlm_auth)
squid 12849 33665 I 0:00.02 (ntlm_auth) --helper-protocol=squid-2.5-basic (ntlm_auth)
squid 12850 33665 I 0:00.02 (ntlm_auth) --helper-protocol=squid-2.5-basic (ntlm_auth)
squid 12851 33665 I 0:00.02 (ntlm_auth) --helper-protocol=squid-2.5-basic (ntlm_auth)
squid 33663 1 Is 0:00.00 /usr/local/sbin/squid -D
squid 33665 33663 S 0:27.81 (squid) -D (squid)
squid 33681 33665 I 0:00.00 (unlinkd) (unlinkd)
root 34001 715 Is 0:00.65 sshd: korenevb [priv] (sshd)
korenevb 34014 34001 I 0:15.02 sshd: korenevb@ttyp1 (sshd)
root 38004 715 Is 0:00.06 sshd: korenevb [priv] (sshd)
korenevb 38006 38004 S 0:00.51 sshd: korenevb@ttyp0 (sshd)
mailnull 49457 1 Is 0:00.19 /usr/local/sbin/exim -bd -q30m (exim-4.75-0)
root 51424 1 Ss 18:43.17 /usr/local/sbin/winbindd -s /usr/local/etc/smb.conf
root 51425 51424 S 0:17.55 /usr/local/sbin/winbindd -s /usr/local/etc/smb.conf
root 51426 51424 I 0:01.70 /usr/local/sbin/winbindd -s /usr/local/etc/smb.conf
root 763 1 Is 0:00.05 login [pam] (login)
root 786 763 I+ 0:00.03 -csh (csh)
....................................
[root@fox2] /usr/home/korenevb/>
=============================================================================
[root@fox2] /usr/home/korenevb/> cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.8.1 2009/04/15 03:14:26 kensmith Exp $
#
# group and passwd list "winbind" after "files": a uid/gid that is not in the
# local files is resolved by asking winbindd. Any tool that maps ids to names
# (ps USER column, top, ls -l) therefore depends on winbindd answering.
# NOTE(review): if winbindd is busy or slow, those tools stall with it, which
# matches the slow ps / non-starting top reported above; confirm by
# temporarily dropping "winbind" here and re-testing.
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
[root@fox2] /usr/home/korenevb/>
=============================================================================
[root@fox2] /usr/home/korenevb/> cat /etc/krb5.conf
# Kerberos client settings used by "security = ads" in smb.conf; the realm
# and KDC here match "realm" / "password server" there.
[libdefaults]
default_realm = MSK.DOMAIN.LOC
# Max allowed clock difference (seconds) between this host and the KDC;
# ntpd is running (see ps above), which keeps AD logins from failing on skew.
clockskew = 300
# v4_* entries look like leftovers from the stock example file.
# NOTE(review): presumably unused with AD (Kerberos 5 only) -- confirm and prune.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
[realms]
MSK.DOMAIN.LOC = {
kdc = dc1.msk.domain.loc
admin_server = dc1.msk.domain.loc
}
# OTHER.REALM appears to be sample text carried over from the example file,
# not a realm this host talks to; safe to remove once confirmed.
OTHER.REALM = {
v4_instance_convert = {
kerberos = kerberos
computer = computer.some.other.domain
}
}
# Map hostnames under msk.domain.loc to the AD realm.
[domain_realm]
.msk.domain.loc = MSK.DOMAIN.LOC
msk.domain.loc = MSK.DOMAIN.LOC
;[logging]
; kdc = FILE:/var/log/kdc.log
; admin_server = FILE:/var/log/kadmin.log
; default = FILE:/var/log/krb5lib.log
[root@fox2] /usr/home/korenevb/>
=============================================================================
[root@fox2] /usr/home/korenevb/> cat /usr/local/etc/smb.conf
[global]
;bind interfaces only = yes
;interfaces = 127.0.0.1/8 10.1.102.200/24
winbind separator = +
winbind use default domain = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
; NOTE(review): "enum users/groups = yes" makes every getpwent()/getgrent()
; walk the whole domain through winbindd; on a sizeable AD this is a well-known
; source of winbindd CPU time (cf. the 18:43 of CPU on winbindd in ps above).
; ntlm_auth and single-uid lookups from nsswitch should not need enumeration,
; so try "no" for both and re-measure.
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/winnt/%D/%U
template shell = /bin/sh
workgroup = MSK
server string = FOX2 samba serveR
security = ads
; guest account = pcguest
log file = /var/log/samba34/log.%m
; NOTE(review): auth:10 / winbind:9 are debug-level logging; each request
; writes large amounts of log data, and "max log size = 50" (KiB) forces
; constant rotation on top of that. Reduce to level 1-2 once auth is confirmed
; working, then re-check the load.
log level = 3 passdb:5 auth:10 winbind:9
max log size = 50
; Only one DC is listed; if dc1 is unreachable there is no fallback --
; consider listing more DCs (or "*" for DNS discovery) once the load issue
; is sorted out.
password server = dc1.msk.domain.loc
realm = msk.domain.loc
; passdb backend = tdbsam
; include = /usr/local/etc/smb.conf.%m
socket options = TCP_NODELAY
#============================ Share Definitions ==============================
; No smbd/nmbd appears in the ps listing above, so this share is presumably
; not served; if the box only needs winbindd for squid, the section can be
; dropped -- confirm before removing.
[homes]
comment = Home Directories
browseable = no
writable = yes
[root@fox2] /usr/home/korenevb/>
=============================================================================
[root@fox2] /usr/home/korenevb/> cat /usr/local/etc/squid/squid.conf
# WELCOME TO SQUID 2.7.STABLE6
# ----------------------------
#
....................................
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# ntlm_auth hands each challenge/response to winbindd; the 10 ntlm and
# 5 basic children below are the ntlm_auth processes visible in ps above.
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
# NOTE(review): the basic scheme is the fallback for non-NTLM clients and
# carries the domain password base64-encoded (not encrypted) from browser
# to proxy -- acceptable only on a trusted LAN segment.
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
# Basic credentials are re-verified against winbindd only every 2 hours;
# lowering this increases auth load on winbindd.
auth_param basic credentialsttl 2 hours
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 1443 2443 9091
acl Safe_ports port 80-83 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 1443 # https, snews, migom
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080-8083 # http
acl Safe_ports port 8100-8183 # http
acl Safe_ports port 3128 # squid
acl Safe_ports port 1400 # bss
acl Safe_ports port 2443 # bss
acl Safe_ports port 8020 # bss
acl Safe_ports port 5051 # mts
acl Safe_ports port 910 # CronosPort
acl CONNECT method CONNECT
acl local-servers dstdomain .domain.loc
# Only these two client hosts are allowed to use the proxy at all.
acl sirius src 10.2.1.69 10.2.1.63
# Forces a proxy-auth challenge; a request without valid domain credentials
# never matches this acl.
acl NTLMauth proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Allow the two sirius hosts only with a successful domain login; an
# unauthenticated request from them is denied by the next line rather than
# falling through to "deny all".
http_access allow sirius NTLMauth
http_access deny sirius
# And finally deny all other access to this proxy
http_access deny all
access_log /usr/local/squid/logs/access.log squid
cache_log /usr/local/squid/logs/cache.log
cache_store_log none
logfile_rotate 1
# Internal .domain.loc hosts are fetched directly; everything else must go
# via a parent. NOTE(review): no cache_peer is visible in this excerpt --
# presumably defined in the elided part, otherwise external requests fail.
never_direct deny local-servers
never_direct allow all
=============================================================================