kadaber
Newbie

Good day, everyone :)

I have a question about SquidNT 2.7-STABLE8: I would like to set up NTLM authentication in an existing domain.

squid.conf

Quote:
```
# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------
auth_param ntlm program c:/squidnt/libexec/mswin_ntlm_auth.exe -d
auth_param ntlm children 10
auth_param ntlm keep_alive off
auth_param basic program c:/squidnt/libexec/mswin_auth.exe -d -O DOMAIN
auth_param basic children 5
auth_param basic realm Corporate SQUID Proxy-Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# ACCESS CONTROLS
# -----------------------------------------------------------------------------
external_acl_type win_group children=5 negative_ttl=0 %LOGIN c:/squidnt/libexec/mswin_check_ad_group.exe -d -G
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
#acl localnet src "c:/squidnt/etc/acl/localnet.txt"
#acl no_auth_ip src "c:/squidnt/etc/acl/no_auth_ip.txt"
#acl blocksites url_regex -i "c:/squidnt/etc/acl/blocksites.txt"
acl allow_users external win_group ProxyUsers
acl password proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow allow_users
http_access deny all
```

A ProxyUsers group has been created on the domain controller, and the user is in it, but NTLM authentication does not work. In cache.log we see:

Quote:
```
mswin_ntlm_auth[2632]: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from Squid
mswin_ntlm_auth[2632]: attempting SSPI challenge retrieval
mswin_ntlm_auth[2632]: Got it
mswin_ntlm_auth[2632]: sending 'TT TlRMTVNTUAACAAAADAAMADgAAAAFgomiPe2arY9WN+sAAAAAAAAAAJ4AngBEAAAABgBxFwAAAA9CAEEAUgBFAE4ATwACAAwAQgBBAFIARQBOAE8AAQAYAFMAUgBWADIASwA4AEcAQQBSAEEATgBUAAQAFABiAGEAcgBlAG4AbwAuAGMAbwBtAAMALgBzAHIAdgAyAGsAOABnAGEAcgBhAG4AdAAuAGIAYQByAGUAbgBvAC4AYwBvAG0ABQAUAGIAYQByAGUAbgBvAC4AYwBvAG0ABwAIAOrp9iBd8coBAAAAAA==' to squid
mswin_ntlm_auth[2632]: Got 'KK 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' from Squid
mswin_ntlm_auth[2632]: checking domain: 'DOMAIN', user: 'user'
mswin_ntlm_auth[2632]: Login attempt had result 0
mswin_ntlm_auth[2632]: sending 'NA Параметр задан неверно.' to squid
```

This is how basic authentication works:

Quote:
```
/mswin_check_ad_group.exe[1124]: Got 'DOMAIN%5Cuser ProxyUsers' from Squid (length: 31).
/mswin_check_ad_group.exe[1124]: Valid_Global_Groups: checking group membership of 'DOMAIN\user'.
/mswin_check_ad_group.exe[1124]: My_NameTranslate: DOMAIN\user translated to CN=
/mswin_check_ad_group.exe[1124]: My_NameTranslate: DOMAIN\ProxyUsers translated to CN=ProxyUsers,CN=Builtin,DC=DOMAIN,DC=com
/mswin_check_ad_group.exe[1124]: My_NameTranslate: S-1-5-21-192570873-1330961744-2146681956-512 translated to CN=
/mswin_check_ad_group.exe[1124]: Get_primaryGroup: Primary group DN: CN=.
/mswin_check_ad_group.exe[1124]: Windows group: CN=, Squid group: CN=ProxyUsers,CN=Builtin,DC=DOMAIN,DC=com
/mswin_check_ad_group.exe[1124]: Windows group: CN=, Squid group: CN=ProxyUsers,CN=Builtin,DC=DOMAIN,DC=com
/mswin_check_ad_group.exe[1124]: Windows group: CN=, Squid group: CN=ProxyUsers,CN=Builtin,DC=DOMAIN,DC=com
/mswin_check_ad_group.exe[1124]: Windows group: CN=ProxyUsers,CN=Builtin,DC=DOMAIN,DC=com, Squid group: CN=ProxyUsers,CN=Builtin,DC=DOMAIN,DC=com
/mswin_check_ad_group.exe[1124]: sending 'OK' to squid
```

Apparently it is complaining about

Quote:
```
mswin_ntlm_auth[2632]: sending 'NA Параметр задан неверно.' to squid
```

but then how should it be specified there? By default DOMAIN\user is passed ..
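
When reading a helper trace like the one in this post, the NTLMSSP blobs on the YR and TT lines can be decoded offline to see the negotiated flags and the domain the challenge advertises. The following is an added example, not part of the original post or of Squid; `parse_ntlm`, `trace` and `sample_log` are hypothetical names, and the TT message is constructed for a placeholder domain EXAMPLE.

```python
import base64, re, struct

# Helper debug lines as in the cache.log excerpt: Got 'YR <b64>' / sending 'TT <b64>'
LINE = re.compile(r"(?:Got|sending) '(YR|TT|KK) ([A-Za-z0-9+/=]+)' (?:from|to) squid", re.I)
AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer", 4: "dns_domain"}

def parse_ntlm(blob):
    """Decode an NTLMSSP message: type, flags and, for a challenge, its target data."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < 16 or raw[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", raw, 8)[0]
    if mtype == 1:                               # negotiate: flags follow the type
        return {"type": 1, "flags": struct.unpack_from("<I", raw, 12)[0]}
    if mtype != 2 or len(raw) < 32:              # authenticate or truncated: type only
        return {"type": mtype}
    tlen, _, toff, flags = struct.unpack_from("<HHII", raw, 12)
    enc = "utf-16-le" if flags & 0x1 else "cp437"   # NEGOTIATE_UNICODE, else OEM
    msg = {"type": 2, "flags": flags, "target": raw[toff:toff + tlen].decode(enc)}
    if flags & 0x00800000 and len(raw) >= 48:    # NEGOTIATE_TARGET_INFO: AV pairs
        ilen, _, pos = struct.unpack_from("<HHI", raw, 40)
        end = min(pos + ilen, len(raw))
        while pos + 4 <= end:
            av_id, av_len = struct.unpack_from("<HH", raw, pos)
            if av_id == 0:                       # MsvAvEOL terminates the list
                break
            if av_id in AV_NAMES:                # AV pair values are always UTF-16LE
                msg[AV_NAMES[av_id]] = raw[pos + 4:pos + 4 + av_len].decode("utf-16-le")
            pos += 4 + av_len
    return msg

def trace(log_text):
    """Return [(verb, decoded message)] for each helper line carrying an NTLM blob."""
    return [(m.group(1).upper(), parse_ntlm(m.group(2))) for m in LINE.finditer(log_text)]

def sample_log():
    """Constructed sample: YR blob copied from the post, TT built for placeholder EXAMPLE."""
    name = "EXAMPLE".encode("utf-16-le")
    av = struct.pack("<HH", 2, len(name)) + name + struct.pack("<HH", 0, 0)
    ch = (b"NTLMSSP\0" + struct.pack("<IHHII", 2, len(name), len(name), 48, 0x00800001)
          + bytes(16) + struct.pack("<HHI", len(av), len(av), 48 + len(name)) + name + av)
    return ("mswin_ntlm_auth[1]: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from Squid\n"
            "mswin_ntlm_auth[1]: sending 'TT " + base64.b64encode(ch).decode() + "' to squid\n")
```

Lines whose payload is not plain base64, such as the `NA` reply or a redacted `KK` line, are skipped by the pattern rather than raising.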