My access.log, in that case, shows a TCP_DENIED/407 as expected.

* The popup means the browser was unable to find credentials to answer the 407 with. Users in group Bloqueados may be prompted for a popup until they enter somebody else's credentials, who is not in that group. Add " all" to the right-hand end of the "deny AD_Bloqueados" line to prevent that.

You have not configured your Squid to offer Kerberos. If the client is pre-empting the initial 407 by sending Kerberos credentials.

FYI: Basic authentication is ironically more secure than NTLM these days. Therefore it is not an option the client can choose, and not part of the equation. Even the "secure" NTLMv2 extensions can now be decrypted given a few hours.

Squid error validating user via ntlm

Error returned 'BH gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown'

And what should I do if several networks with domains need to be routed out to the Internet through a router?

Make sure squid.conf does not have a cache_effective_group defined, and add wbpriv as a supplementary group to the user Squid runs under:

-- init_password: Wiping the computer password structure
-- finalize_exec: Determining user principal name
-- finalize_exec: User Principal Name is: HTTP/squid.

auth
http_access deny blacklists
http_access allow VIPS allowedlists
http_access allow VIPS auth
http_access allow Full Access Log allowedlists
http_access allow Full Access Log auth
http_access allow allowedlists
http_access allow Restricted Access Log auth
####### logging
access_log /var/log/squid/squid
####### squid defaults
http_access deny all
hierarchy_stoplist cgi-bin ?

coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?


DNS Configuration

On the Windows DNS server add a new A record entry for the proxy server's hostname and ensure a corresponding PTR (reverse DNS) entry is also created and works.

LOCAL
dns_lookup_kdc = no
dns_lookup_realm = no
ticket_lifetime = 24h
default_keytab_name = /etc/squid3/PROXY.keytab
; for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
EXAMPLE.LOCAL

--smbservers=ads.example.local --smbworkgroup=EXAMPLE \
--enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=EXAMPLE.LOCAL

security = ads
idmap config * : range = 16777216-33554431
winbind separator =
template shell = /bin/false
winbind use default domain = true
winbind offline logon = false
#--authconfig--end-line--
; workgroup = EXAMPLE
kerberos method = dedicated keytab
dedicated keytab file = /etc/squid/PROXY.keytab
#dedicated keytab file = /etc/krb5.keytab
; realm = IFOX.

for my proxy server to have access in Windows AD users and groups.

Check that the proxy is using the Windows DNS Server for name resolution and update /etc/ accordingly.

LOCAL \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator=" " \
--winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
--winbindjoin=Administrator --disablewins --disablecache --enablelocauthorize --updateall

#--authconfig--start-line--
# Generated by authconfig on 2013/08/09
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = EXAMPLE
password server = dc01. GE
; security = ads
winbind enum groups = Yes
winbind enum users = Yes
idmap config * : range = 10000 - 20000
idmap config * : backend = tdb
idmap config example : backend = tdb
idmap config example : range = 20000 - 20000000
map untrusted to domain = Yes
client ntlmv2 auth = Yes
client lanman auth = No
winbind normalize names = No
; winbind separator = /
; winbind use default domain = yes
winbind nested groups = Yes
winbind nss info = rfc2307
winbind reconnect delay = 30
; winbind offline logon = true
winbind cache time = 1800
winbind refresh tickets = true
allow trusted domains = Yes
server signing = auto
client signing = auto
lm announce = No
ntlm auth = no
lanman auth = No
preferred master = No
wins support = No
encrypt passwords = yes
; password server = 10.0.11.50
printing = bsd
load printers = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

The default permissions for /var/cache/samba/winbindd_privileged in RHEL/CentOS 5.4 were 750 root:squid (which worked by default) but are now 750 root:wbpriv in 5.5, which doesn't allow the user Squid runs under to access the socket.
LOCAL
-- create_fake_krb5_conf: Created a fake krb5file: /tmp/.mskt-16875krb5
-- get_krb5_context: Creating Kerberos Context
-- try_machine_keytab: Using the local credential cache: /tmp/.mskt-16875krb5_ccache
-- try_machine_keytab: krb5_get_init_creds_keytab failed (Key table entry not found)
-- try_machine_keytab: Unable to authenticate using the local keytab
-- try_ldap_connect: Connecting to LDAP server: dc01.example.local
-- try_ldap_connect: Connecting to LDAP server: dc01.example.local
SASL/GSSAPI authentication started
Error: ldap_set_option failed (Local error)
Error: ldap_connect failed
-- krb5_cleanup: Destroying Kerberos Context
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure

####### /etc/squid/Configuration File #######
####### cache manager
cache_mgr [email protected]
visible_hostname squid.example.local
http_port 8080
####### kerberos authentication
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s HTTP//usr/lib64/squid/.example.local
auth_param negotiate children 10
auth_param negotiate keep_alive on
####### provide access via ldap for clients not authenticated via kerberos
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R \
  -b "dc=example,dc=local" \
  -D [email protected] \
  -w "password" \
  -f sAMAccountName=%s \
  -h dc01.example.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute
#######################################################
####### ldap authorizations ########
#######################################################
# restricted proxy access logged
external_acl_type internet_users %LOGIN /usr/lib64/squid/squid_ldap_group -R -K \
  -b "dc=example,dc=local" \
  -D [email protected] \
  -w "password" \
  -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Internet Users,ou=mygroups,dc=example,dc=local))" \
  -h dc01.example.local
# full proxy VIP Users
external_acl_type vip_access %LOGIN /usr/lib64/squid/squid_ldap_group -R -K \
  -b "dc=example,dc=local" \
  -D [email protected] \
  -w "password" \
  -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=VIPUSERS,ou=mygroups,dc=example,dc=local))" \
  -h dc01.example.local
# full proxy access logged
external_acl_type internet_users_full_log %LOGIN /usr/lib64/squid/squid_ldap_group -R -K \
  -b "dc=example,dc=local" \
  -D [email protected] \
  -w "password" \
  -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Internet Users Full Log,ou=mygroups,dc=example,dc=local))" \
  -h dc01.example.local
#######################################################
####### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
# format "acl, aclname, acltype, acltypename, activedirectorygroup"
acl Restricted Access Log external internet_users Internet\ Users
acl VIPS external vip_access VIPUSERS
acl Full Access Log external internet_users_full_log Internet\ Users\ Full\ Log
#Myaccesslists
acl allowedlists url_regex -i "/squid/allowedlists.txt"
acl blacklists url_regex -i "/squid/blacklists.txt"
####### squid defaults
acl manager proto cache_object
acl gehost src 127.0.0.1/32 ::1
acl to_gehost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager gehost
http_access deny manager
http_access deny !SSL_ports
http_access allow gehost
####### enforce auth: order of rules is important for authorization levels
no_cache deny allowedlists
http_access deny !

wbinfo -u and wbinfo -g show all users and groups in AD.

Essentially, AD is the same LDAP + Kerberos with extras.
- Win2003, on a VM. I did practically everything as in the article, and made the corrections for win2003 according to the article on the Squid wiki.
- I created the keytabs without Samba, following examples from other articles, and managed it without errors or warnings (but on the server, in the ticket list (via kerbtray), mine is not there).
- kinit succeeds.
- ff 3.6.4.
- Searching for a description of the error squid_kerb_auth: parse Neg Token Init failed with rc=101 gave me no useful information.
- I am testing from the win2003 machine itself.

On a request from the browser, the logs show:
2010/06/27 | squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==' from squid (length: 59).
2010/06/27 | squid_kerb_auth: parse Neg Token Init failed with rc=101
2010/06/27 | squid_kerb_auth: received type 1 NTLM token

I assume the problem is in the encryption/decryption of the credentials, but..... yes, in 2003 the difference is in the LDAP search string. So on FreeBSD, for now, Samba has to be installed to generate the ticket. But here is the question again: when I do klist -v, I see only 1 service.