squid +AD

[mclaud]

Ребят помогите, замучался. Пытаюсь настоить squid на авторизацию из AD(WIN2k). Поставил самбу 3.0.14а+squid 2.5-10
bash-2.05b# cat /usr/local/etc/smb.conf
[global]
workgroup=ХХХ
server string = fire
security=domain
password server = 192.168.0.100 192.168.0.103
socket options = TCP_NODELAY
local master = no
preferred master = no
dns proxy=no
winbind use default domain = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
encrypt passwords=yes
interfaces = rl0 192.168.0.111
bind interfaces only = yes

далее присоединил к домену
bash-2.05b# wbinfo -t
checking the trust secret via RPC calls succeeded
(пользователей тоже показывает)

в СКВИДЕ
auth_param ntlm program /usr/local/libexec/ntlm_auth ХХХ\\application ХХХ\\fileserver auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2
minutes
auth_param basic program /usr/local/libexec/wb_auth
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic children 5

external_acl_type ntgroup %LOGIN /usr/local/libexec/squid/wbinfo_group.pl
acl nachalstvo external ntgroup nachalstvo
acl NTLMauth proxy_auth REQUIRED
http_access allow NTLMauth nachalstvo

а теперь большой лог сквида:(


bash-2.05b# less /var/log/squid/cache.log
2005/06/24 11:54:44| Starting Squid Cache version 2.5.STABLE10 for i386-portbld-
freebsd4.10...
2005/06/24 11:54:44| Process ID 46225
2005/06/24 11:54:44| With 2688 file descriptors available
2005/06/24 11:54:44| Performing DNS Tests...
2005/06/24 11:54:44| Successful DNS name lookup tests...
2005/06/24 11:54:44| DNS Socket created at 0.0.0.0, port 4302, FD 5
2005/06/24 11:54:44| Adding nameserver 192.168.0.101 from /etc/resolv.conf
2005/06/24 11:54:44| helperStatefulOpenServers: Starting 5 'ntlm_auth' processes
Couldn't grok domain-controller auth_param
Couldn't grok domain-controller ntlm
Couldn't grok domain-controller children
Couldn't grok domain-controller 5
Couldn't grok domain-controller auth_param
Couldn't grok domain-controller ntlm
Couldn't grok domain-controller children
Couldn't grok domain-controller 5
Couldn't grok domain-controller auth_param
Couldn't grok domain-controller ntlm
Couldn't grok domain-controller children
Couldn't grok domain-controller 5
Couldn't grok domain-controller auth_param
Couldn't grok domain-controller ntlm
Couldn't grok domain-controller children
Couldn't grok domain-controller 5
2005/06/24 11:54:45| helperOpenServers: Starting 5 'wb_auth' processes
Couldn't grok domain-controller auth_param
Couldn't grok domain-controller ntlm
Couldn't grok domain-controller children
Couldn't grok domain-controller 5
2005/06/24 11:54:45| helperOpenServers: Starting 5 'wbinfo_group.pl' processes
2005/06/24 11:54:45| User-Agent logging is disabled.
(wb_auth)[46231](wb_basic_auth.c:160): Can't contact winbindd. Dying
2005/06/24 11:54:45| Unlinkd pipe opened on FD 25
(wb_auth)[46232](wb_basic_auth.c:160): Can't contact winbindd. Dying
(wb_auth)[46233](wb_basic_auth.c:160): Can't contact winbindd. Dying
(wb_auth)[46234](wb_basic_auth.c:160): Can't contact winbindd. Dying
(wb_auth)[46235](wb_basic_auth.c:160): Can't contact winbindd. Dying
2005/06/24 11:54:45| Swap maxSize 5120000 KB, estimated 393846 objects
2005/06/24 11:54:45| Target number of buckets: 19692
2005/06/24 11:54:45| Using 32768 Store buckets
2005/06/24 11:54:45| Max Mem  size: 16384 KB
2005/06/24 11:54:45| Max Swap size: 5120000 KB
2005/06/24 11:54:45| Rebuilding storage in /var/db/squid/cache (DIRTY)
2005/06/24 11:54:45| Using Least Load store dir selection
2005/06/24 11:54:45| Set Current Directory to /usr/local/squid/cache
2005/06/24 11:54:45| Loaded Icons.
2005/06/24 11:54:45| Accepting HTTP connections at 192.168.0.111, port 9876, FD
26.
2005/06/24 11:54:45| Accepting ICP messages at 0.0.0.0, port 3130, FD 27.
2005/06/24 11:54:45| Accepting SNMP messages on port 3401, FD 28.
2005/06/24 11:54:45| WARNING: basicauthenticator #2 (FD 13) exited
2005/06/24 11:54:45| WARNING: basicauthenticator #3 (FD 14) exited
2005/06/24 11:54:45| Too few basicauthenticator processes are running
FATAL: The basicauthenticator helpers are crashing too rapidly, need help!

Squid Cache (Version 2.5.STABLE10): Terminated abnormally.
CPU Usage: 0.084 seconds = 0.021 user + 0.063 sys
Maximum Resident Size: 5976 KB
Page faults with physical i/o: 5
fgets() failed! dying..... errno=22 (Unknown error: 0)
fgets() failed! dying..... errno=22 (Unknown error: 0)
fgets() failed! dying..... errno=22 (Unknown error: 0)
fgets() failed! dying..... errno=22 (Unknown error: 0)
fgets() failed! dying..... errno=22 (Unknown error: 0)
2005/06/24 11:54:48| Starting Squid Cache version 2.5.STABLE10 for i386-portbld-freebsd4.10...
2005/06/24 11:54:48| Process ID 46244
2005/06/24 11:54:48| With 2688 file descriptors available
2005/06/24 11:54:48| Performing DNS Tests...
2005/06/24 11:54:48| Successful DNS name lookup tests...
2005/06/24 11:54:48| DNS Socket created at 0.0.0.0, port 3334, FD 5
2005/06/24 11:54:48| Adding nameserver 192.168.0.101 from /etc/resolv.conf
2005/06/24 11:54:48| helperStatefulOpenServers: Starting 5 'ntlm_auth' processes
Couldn't grok domain-controller auth_param
Couldn't grok domain-controller ntlm
Couldn't grok domain-controller children
Couldn't grok domain-controller 5
Couldn't grok domain-controller auth_param
Couldn't grok domain-controller ntlm
Couldn't grok domain-controller children
Couldn't grok domain-controller 5
Couldn't grok domain-controller auth_param
Couldn't grok domain-controller ntlm
Couldn't grok domain-controller children
Couldn't grok domain-controller 5
Couldn't grok domain-controller auth_param
Couldn't grok domain-controller ntlm
Couldn't grok domain-controller children
Couldn't grok domain-controller 5
2005/06/24 11:54:48| helperOpenServers: Starting 5 'wb_auth' processes
Couldn't grok domain-controller auth_param
Couldn't grok domain-controller ntlm
Couldn't grok domain-controller children
Couldn't grok domain-controller 5
:

может кто поможет?

[mclaud]

поковырял-поковырял и нашел в чем проблема-basic аутентификация не работает. теперь проблема в другом-настроить ipfilter чтоб он разрешал трафик по 80 443 21 от прокси в интернет

[mclaud]

пришлось настроить samba аутентификаторы и разрешить исходящий трафик 80 443 21 на внешнем интерфейсе. Вопрос в том как разрешить толь сквиду посылать пакеты а самому компу-нет.

[usama]

пришлось настроить samba аутентификаторы и разрешить исходящий трафик 80 443 21 на внешнем интерфейсе. Вопрос в том как разрешить толь сквиду посылать пакеты а самому компу-нет.

Если у тебя iptables - то легко. В patch-o-matic есть расширение (да и в ядро его кажись уже включили), которое позволяет фильтровать пакеты на основнии того, какому процессу с каким uid они принадлежат. А squid-то ты наверное запускаешь от имени пользователя squid или какого другого, главное чтобы уникальным было.

[mclaud]

в том-то и тема что стоит фря+ipfilter. Не думаю что он менее гибкий

[Stranger03]

Вопрос в том как разрешить толь сквиду посылать пакеты а самому компу-нет.

В смысле не светить внутренний IP? Поставить маску 255.255.255.0 в конфиге сквида. И читать, как сделать анонимный прокси.

[mclaud]

В смысле не светить внутренний IP? Поставить маску 255.255.255.0 в конфиге сквида. И читать, как сделать анонимный прокси.

нет. Юзеры приходят на внутренний ip:3128 а сквид тех кто авторизировался перебрасывает на внешний - в итоге приходится писать правило

Код: Выделить всё

pass out proto=tcp from "external" to any port=www,ftp,https

а хотелось бы что-то вроде

Код: Выделить всё

pass out proto=tcp from "internal:3128" to any port=www,ftp,https

чтобы с самой прокси нельзя было напрямую ходить в инет

[Stranger03]

нет. Юзеры приходят на внутренний ip:3128 а сквид тех кто авторизировался перебрасывает на внешний - в итоге приходится писать правило

Хм, а зачем? Ведь насколько я помню правил должно быть 4-е.

1. Запрос внутреннего абонента на внутренний 3128
2. Ответ с 3128 внутреннему абоненту

3. Запрос сервера уже с внешнего АЙПИ
4. Ответ внешнему АЙПИ серверу

Если у вас не настроен форвардинг запросов на фаере, то это должно работать. Не совсем понимаю ваш конфиг...

[Stranger03]

И внешний адрес светится именно проксевый в запросе. В ipfw это выглядело бы как 4-е правила:

Код: Выделить всё

/sbin/ipfw add 1104 pass tcp from хх.хх.хх.хх to any 25,53,80,110,443
/sbin/ipfw add 1105 pass tcp from any 25,53,80,110,443 to хх.хх.хх.хх established

/sbin/ipfw add 1210 pass tcp from 192.168.0.0/24 to 192.168.0.13 3128
/sbin/ipfw add 1211 pass tcp from 192.168.0.13 3128 to 192.168.0.0/24 established

[mclaud]

ipfilter
bash-2.05b# cat /etc/ipf.conf
#block hack packets
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
#pass everything on loopback
pass in on lo0 all
pass out on lo0 all
#
#INTERNAL
#
#pass all outgoing from internal
pass out on rl0 all head 100
block out from 127.0.0.1/8 to any group 100
#pass incoming from intranet on internal 192.168.0.102
pass in on rl0 all head 200
block in from 127.0.0.1/8 to any group 200
#block in from 192.168.0.111/32 to any group 200
#
#EXTERNAL
#
#block all outgoing from external
block out on rl1 all head 300
block out from 127.0.0.1/8 to any group 300
block out from any to 127.0.0.1/8 group 300
block out from any to xxx group 300
pass out quick proto icmp from any to any keep state group 300
#pass mail,internet,cvs from 192.168.0.25
pass out quick proto tcp from 192.168.0.25/32 to any port = smtp flags S keep state keep frags group 300
pass out quick proto tcp from 192.168.0.25/32 to any port = ftp flags S keep state keep frags group 300
pass out quick proto tcp from 192.168.0.25/32 to any port = www flags S keep state keep frags group 300
pass out quick proto tcp from 192.168.0.25/32 to any port = 5999 flags S keep state keep frags group 300
#pass time,internet,dns from 192.168.0.100
pass out quick proto tcp from 192.168.0.100/32 to any port = ftp flags S keep state keep frags group 300
pass out quick proto tcp/udp from 192.168.0.100/32 to any port = ntp keep frags group 300
pass out quick proto tcp from 192.168.0.100/32 to any port = www flags S keep state keep frags group 300
pass out quick proto udp from 192.168.0.100/32 to any port = 53 keep state keep frags group 300
pass out quick proto tcp from 192.168.0.100/32 to any port = 53 flags S keep state keep frags group 300
#pass dns from 192.168.0.101
pass out quick proto udp from 192.168.0.101/32 to any port = 53 keep frags group 300
pass out quick proto tcp from 192.168.0.101/32 to any port = 53 flags S keep state keep frags group 300
#pass ftp, tracet
pass out quick proto tcp from 192.168.0.0/24 to any port > 1023 flags S keep state keep frags group 300
pass out quick proto udp from 192.168.0.0/24 to any port 3323 >< 33525 keep state keep frags group 300
#block hack packets
#block return-rst in log proto tcp from any to any flags S/SA group 300
pass out quick proto tcp from xxx to any port = 80 keep state keep frags group 300
#block in on rl1
block in on rl1 all head 400
block in from 127.0.0.1/8 to any group 400
block in from xxx to any group 400
pass in quick proto icmp from any to any keep state group 400
pass in quick proto tcp from any to any port = www keep state group 400
pass in quick proto tcp from any to any port = smtp keep state group 400
pass in quick proto tcp from any to any port = 443 keep state group 400
#block hack packets
#block return-rst in log proto tcp from any to any flags S/SA group 400
#block return-icmp in proto udp all group 400

ipnat
bash-2.05b# cat /etc/ipnat.conf
map rl1 192.168.0.100/32 -> xxx tcp
map rl1 192.168.0.25/32 -> xxx tcp
rdr rl0 192.168.0.0/24 port 80 -> 192.168.0.111 port 9876 tcp
rdr rl0 192.168.0.0/24 port 21 -> 192.168.0.111 port 9876 tcp
rdr rl0 192.168.0.0/24 port 443 -> 192.168.0.111 port 9876 tcp
map rl1 192.168.0.0/24 -> 212.34.41.67/32
rdr rl1 xxx port 25 -> 192.168.0.101 port 25 tcp
rdr rl1 xxx port 80 -> 192.168.0.101 port 80 tcp
rdr rl1 xxx port 443 -> 192.168.0.101 port 443 tcp

[Stranger03]

ipfilter
bash-2.05b# cat /etc/ipf.conf
#block hack packets
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short

Я никогда не использовал ipfilter, врядли что-то вменяемое смогу сказать. Может кто из посетителей что скажет.