Hi all,
Could anyone give any suggestions for solving the following problem:
I have configured squid with Single Sign-On (kerberos+samba+ntlm).
So, the commands wbinfo -t, wbinfo -p, wbinfo -u, wbinfo -g are working well (domain is KNG, realm kng.local), examples:
$wbinfo -u
KNG\ldapreader
KNG\testproxyad1
KNG\testproxyad2
$wbinfo -a kng\\ldapreader%12345678
plaintext password authentication succeeded
challenge/response password authentication succeeded
squid.conf
....
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Proxy_AD
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 seconds
...
So, when acl & http_access are as follows, it works:
acl users proxy_auth REQUIRED
...
http_access allow users
But I need to give access to the internet by lists of users, so I re-edited the squid config & created a list:
file /etc/squid/users.acl, it contains user names:
ldapreader
testproxyad1
testproxyad2
squid.conf
...
acl users proxy_auth "/etc/squid/users.acl"
...
http_access allow users
After that, in the browser squid says "access denied",
access.log:
bla-bla-bla <IP-user> TCP_DENIED/407 1874 GET <bla-bla-bla> KNG\ldapreader NONE/- text/html
Changing the file with names, users.acl, to this:
KNG\ldapreader
KNG\testproxyad1
KNG\testproxyad2
No result, "access denied".
Adding an option in smb.conf [global]:
winbind separator = \
No result, "access denied".
Checking ntlm_auth (basic), well done:
$/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
kng\ldapreader 12345678
OK
Checking ntlm_auth (ntlmssp), well done:
$/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
YR
TT TlRMTVNTUAACAAAAAAAAADAAAAACAgAA7TEzPz/FpREAAAAAAAAAAAAAAAAwAAAA
What's wrong? Why doesn't squid want to work with a list of users?
Maybe I did not correctly edit the acl tag in squid.conf (acl users proxy_auth "/etc/squid/users.acl")?
Or maybe get ntlm_auth from the samba source, not from squid?
Will be waiting for a response.
Received on Tue Feb 07 2012 - 13:19:06 MST