Тема: SQUID+SAMS +Rejik (NTLM) Не пропускает трафик
Прошу прощения если не в том разделе. Ситуация такова, делал
по мануалу лисяры шлюз, с авторизацией по НТЛМ. Но он ничего не пропускает.
Контроллер домена - Win2008R2 (IP 192.168.0.4 , domen.klm.trade)
uname -a
shlz.KLM.Trade 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:07:27 UTC 2011 [email protected]:/usr/obj/usr/src/sys/GENERIC i386
В локалку: 192.168.0.8
В Мир: 192.168.2.3
wbinfo -g
wbinfo -u
показывают группы и пользователей, билет кербероза есть, комп в домене.
Версии установленного:
apache-1.3.42
php5-5.3.8
rejik-3.2.6
samba35-3.5.11
sams-1.0.5_5,1
squid-2.7.9_1
rc.conf:
# NOTE(review): rc.conf of the proxy/gateway host. rc(8) reads this as a shell
# file, so a later assignment overrides an earlier one: the three hostname lines
# are harmless duplicates, but see the two "default router" lines below.
gateway_enable="YES"
hostname="shlz.KLM.Trade"
inetd_enable="YES"
moused_enable="YES"
sshd_enable="YES"
ifconfig_rl0="inet 192.168.0.8 netmask 255.255.255.0"
# NOTE(review): "defaulrouter" is misspelled, so this line is never read; it would
# also have pointed the default route at the host's own rl0 address. The correctly
# spelled defaultrouter further down (192.168.2.1, the Internet side) is the one
# actually in effect.
defaulrouter="192.168.0.8"
hostname="shlz.KLM.Trade"
ntpdate_enable="YES"
# Clock sync against the DC; krb5.conf allows 300 s of skew, so this matters for
# the Kerberos ticket and for NTLM over winbind.
ntpdate_flags="192.168.0.4"
samba_enable="YES"
# NOTE(review): no winbindd_enable="YES" here. On the FreeBSD samba ports winbindd
# is usually enabled separately from smbd/nmbd -- confirm it is started at boot,
# since the winbind logs posted below show it receiving SIGTERM.
apache_enable="YES"
squid_enable="YES"
mysql_enable="YES"
sams_enable="YES"
ifconfig_rl1="inet 192.168.2.3 netmask 255.255.255.0"
defaultrouter="192.168.2.1"
hostname="shlz.KLM.Trade"
hosts:
# /etc/hosts of the proxy. Its own name must resolve consistently (forward and
# reverse) for the NTLM/Kerberos helpers; entries below are checked against rc.conf.
::1 localhost.KLM.Trade localhost
127.0.0.1 localhost.KLM.Trade localhost
192.168.0.8 shlz.KLM.Trade shlz
# NOTE(review): trailing-dot form of the same name; most likely redundant.
192.168.0.8 shlz.KLM.Trade.
# NOTE(review): 192.168.2.1 is the defaultrouter from rc.conf (the upstream
# gateway), not an address of this host (rl1 is 192.168.2.3). Mapping it to
# shlz.KLM.Trade is inconsistent and can make lookups of the proxy's own name
# return the wrong address.
192.168.2.1 shlz.KLM.Trade
192.168.0.4 domen.KLM.Trade domen
nsswitch.conf:
# nsswitch.conf: local files first, then winbind for passwd/group. With this in
# effect `getent passwd` / `getent group` should list domain accounts in addition
# to what wbinfo -u / wbinfo -g already show.
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
resolv.conf:
# NOTE(review): "domen" is not a resolv.conf keyword (domain / search /
# nameserver / options / sortlist), so the resolver ignores this line and
# unqualified names get no search suffix. The intended line is probably
# `domain KLM.Trade` (or `search KLM.Trade`).
domen domen.KLM.Trade
nameserver 192.168.0.4
# NOTE(review): 85.90.192.9 is an external resolver that knows nothing about the
# AD zone. If the resolver fails over to it (DC slow or unreachable) the KDC/SRV
# lookups fail intermittently; on a domain member list only the DC(s) here.
nameserver 85.90.192.9
sams.conf:
# sams.conf: connection and path settings for SAMS. Entries are KEY=VALUE with no
# spaces around "=" (see the commented SQUIDGUARD* lines for the same format).
[client]
SQUID_DB=squidlog
SAMS_DB=squidctrl
MYSQLHOSTNAME=localhost
MYSQLUSER=sams
# NOTE(review): this MySQL password and the LDAP password below were posted
# verbatim with the config, so they must be treated as disclosed and changed.
MYSQLPASSWORD=flopik
MYSQLVERSION=5.1
SQUIDCACHEFILE=access.log
SQUIDROOTDIR=/usr/local/etc/squid
SQUIDLOGDIR=/usr/local/etc/squid/logs
SQUIDCACHEDIR=/usr/local/squid/cache
SAMSPATH=/usr/local
SQUIDPATH=/usr/local/sbin
#SQUIDGUARDLOGPATH=/var/log
#SQUIDGUARDDBPATH=/var/db/squidGuard
RECODECOMMAND=iconv -f KOI8-R -t 866 %finp > %fout
LDAPSERVER=192.168.0.4
# NOTE(review): not in DN syntax (an AD base DN would look like DC=KLM,DC=TRADE);
# confirm which form SAMS expects here.
LDAPBASEDN=KLM.TRADE
LDAPUSER=kop
LDAPUSERPASSWD=qwe
LDAPUSERGROUP=Users
REJIKPATH=/usr/local/rejik
SHUTDOWNCOMMAND=shutdown -h now
CACHENUM=0
# NOTE(review): this is smb.conf syntax (spaces around "="), not a sams.conf key;
# it looks pasted into the wrong file and is presumably ignored here.
SMB PORTS = 445
smb.conf:
# smb.conf: member-server configuration used only for winbind; no shares defined.
# Run `testparm` to see which of these parameters samba 3.5 actually accepts.
[global]
workgroup = KLMTRADE
server string = Sams Server
# NOTE(review): with security = domain winbind talks NT4-style RPC to the
# password server and the `realm` line below is not used; against a 2008R2 DC
# with a Kerberos ticket already present, security = ads is the usual choice.
# Check how the join was done (`net rpc testjoin` vs `net ads testjoin`) before
# changing this, since the two joins are not interchangeable.
security = domain
local master = no
preferred master = no
hosts allow = 192.168.2. 192.168.0. 127.
domain master = no
load printers = no
log file = /var/log/samba/log.%m
max log size = 50
password server = domen.KLM.trade
realm = KLM.TRADE
dns proxy = no
display charset = utf8
unix charset = utf8
dos charset = cp866
winbind separator = +
winbind use default domain = yes
# NOTE(review): "winbind uid/gid" is the old spelling; in the 3.x series the
# documented parameters are `idmap uid` / `idmap gid` (or `idmap config`).
# testparm output will show whether these two lines are honoured or ignored --
# if ignored, domain users get no uid and every lookup through nsswitch fails.
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
В squid.conf трогалось только:
# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# NOTE(review): this is the only access rule shown, and nothing shown defines an
# `acl <name> proxy_auth REQUIRED` with an `http_access allow <name>` placed
# BEFORE this line. Without that pair squid never sends the 407 challenge and
# simply denies every request -- which matches "passes nothing". The elided part
# of the file may contain it; if so, check that the allow line precedes `deny all`
# and that the acl is defined after the auth_param lines (squid, as I recall,
# needs the scheme configured before an acl references it).
http_access deny all
... пропущено ...
#Recommended minimum configuration per scheme:
# NOTE(review): ntlm_auth reaches winbindd through its privileged pipe. The user
# squid runs as must be a member of the group owning winbindd's privileged
# socket directory, otherwise every NTLM attempt fails; cache.log shows the
# helper's errors. Quick check, as the squid user: `ntlm_auth --username=<user>`.
auth_param ntlm program /usr/local/bin/ntlm_auth \
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
# Basic fallback for clients that do not speak NTLM; credentials travel base64
# encoded (effectively clear text), acceptable only on the internal LAN.
auth_param basic program /usr/local/bin/ntlm_auth \
--helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid Proxy-Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
kerb.conf:
# krb5.conf: realm KLM.TRADE served by the DC at 192.168.0.4. The v4_* entries
# are leftover Kerberos-4 compatibility settings and are not relevant here.
[libdefaults]
default_realm = KLM.TRADE
# 300 s tolerated skew; rc.conf syncs the clock to the DC via ntpdate at boot only.
clockskew = 300
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
[realms]
KLM.TRADE = {
kdc = 192.168.0.4
admin_server = 192.168.0.4
kpasswd_server = 192.168.0.4
}
[domain_realm]
# NOTE(review): mixed-case DNS suffix; the conventional (and, depending on the
# library, required) form is lowercase `.klm.trade = KLM.TRADE`. Verify with
# `kinit` + `klist` that hosts in the domain map to the realm as expected.
.KLM.trade = KLM.TRADE
Логи Самбы:
В log.wb-BUILTIN , log.wb-KLMTRADE и log.wb-SHLZ одна и та же ошибка:
[2011/10/25 14:50:02.214641, 0] winbindd/winbindd.c:195(winbindd_sig_term_handler)
Got sig[15] terminate (is_parent=0)
log.мойкомп:
[2011/10/25 14:05:51.072253, 0] lib/util_sock.c:1441(get_peer_addr_internal)
getpeername failed. Error was Socket is not connected
read_fd_with_timeout: client 0.0.0.0 read error = Socket is not connected.
log.winbindd:
[2011/10/25 14:50:42.566016, 0] winbindd/winbindd_cache.c:3076(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with version number 1
log.winbindd-idmap:
[2011/10/25 14:50:02.210388, 0] winbindd/winbindd.c:195(winbindd_sig_term_handler)
Got sig[15] terminate (is_parent=0)
Больше нигде и ничего не правилось и не трогалось. Может есть очевидные ошибки по неопытности, Ваше мнение, в чем может быть загвоздка?