squid.conf nao esta liberando via grupos do ad

1. squid.conf nao esta liberando via grupos do ad

Marlon Fernandes
marlonfm

(usa Debian)

Enviado em 10/09/2015 - 06:46h

# Galera, não consigo liberar via grupos do AD; wbinfo -t retorna ok.
# Se alguém puder dar uma luz, agradeço!

# squid.conf as posted by the original poster (paths point at a Debian
# squid3 install). Lines tagged NOTE(review) are reviewer remarks; every
# directive is reproduced unchanged.
visible_hostname FW-NOVO

hierarchy_stoplist cgi-bin ?
cache_mem 512 MB
maximum_object_size_in_memory 10 KB
maximum_object_size 10 MB
minimum_object_size 1 KB
pipeline_prefetch on
detect_broken_pconn on
shutdown_lifetime 1 second
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
half_closed_clients off
ipcache_size 4096
fqdncache_size 8192
cache_swap_low 80
cache_swap_high 90
cache_store_log none
check_hostnames on
cache_access_log /var/log/squid3/access.log

# Destination-based allows. NOTE(review): these are the first http_access
# rules in the file, so a request matching them is admitted before the
# manager, Safe_ports and CONNECT checks further down are ever evaluated.
# NOTE(review): "gov.br" has no leading dot; in Squid a dstdomain without the
# dot matches only that exact host name, while ".ba.gov.br" also matches its
# sub-domains - confirm whether ".gov.br" was intended.
acl sites_federal dstdomain gov.br
acl sites_governo dstdomain .ba.gov.br
http_access allow sites_governo
http_access allow sites_federal



# Authentication helpers: NTLM for domain-joined clients, Basic as fallback.
# NOTE(review): no --domain is passed to ntlm_auth here (post 2 adds one).
# NOTE(review): Basic auth carries the user's password base64-encoded in
# every request, so it should only be reachable from trusted segments.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

# External ACL: asks wbinfo_group.pl whether %LOGIN (the authenticated user)
# belongs to the AD group named on each acl line below. No ttl/children
# options are given, so the helper defaults apply.
external_acl_type grupo_ad %LOGIN /usr/lib/squid3/wbinfo_group.pl

# NOTE(review): the group argument is handed to the helper as written here;
# post 5 shows wbinfo listing the group as lower-case "liberados" while AD
# shows "Liberados" - confirm the helper's case handling matches.
acl grp-decom external grupo_ad decom
acl grp-deplam external grupo_ad deplam
acl grp-liberados external grupo_ad liberados


# Site lists read from files ("liberados" has no extension, as posted).
acl negados dstdomain -i "/etc/squid3/negados.txt"
acl liberados dstdomain -i "/etc/squid3/liberados"
acl sitebloqueio url_regex -i "/etc/squid3/sitebloqueio.txt"
# acl streaming req_mime_type ^video/x-ms-asf

# acl videomusic urlpath_regex -i \.aif$ \.aifc$ \.aiff$ \.asf$ \.asx$ \.avi$ \.au$ \.m3u$ \.med$ \.m1v$ \.mp2$ \.mp2v$ \.mpa$ \.mov$ \.mpe$ \.mpg$ \.mpeg$ \.ogg$ \.pls$ \.ram$ \.ra$ \.ram$ \.snd$ \.wma$ \.wmv$ \.wvx$ \.mid$ \.midi$ \.rmi$ \.flv$

# http_access deny videomusic
# Reply-side filtering: http_reply_access is evaluated after the request has
# already been forwarded upstream.
http_reply_access allow liberados
#http_reply_access deny streaming
http_reply_access deny sitebloqueio


# Any user the authentication helpers accept.
acl Autenticados proxy_auth REQUIRED

# NOTE(review): http_access is first-match. These allows (and the
# Autenticados allow below) sit above "deny manager", "deny !Safe_ports",
# "deny CONNECT !SSL_ports" and "deny sitebloqueio", so a request matching
# one of them is admitted without any of those checks; the port and manager
# rules only see requests that fall through. Placing the deny rules above
# the first allow is the usual layout.
http_access allow grp-decom
http_access allow grp-deplam
http_access allow grp-liberados
http_access allow liberados
http_access deny negados

# NOTE(review): "negados" is already denied on the line above, so the
# !negados qualifier here never changes the outcome.
http_access allow Autenticados !negados
dns_nameservers 10.73.0.7


acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# NOTE(review): src-based allowlist - these hosts pass without credentials,
# so the list identifies machines, not people; keep it short and reviewed.
acl ip_liberado src 10.73.0.38 10.73.0.49 10.73.0.50 10.73.0.51 10.73.0.52 10.73.0.53 10.73.0.54 10.73.0.55 10.73.0.56 10.73.0.57 10.73.0.61 10.73.1.180 10.73.1.181 10.73.1.182 10.73.1.183 10.73.1.184 10.73.1.185 10.73.1.186
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 407 # Luiz's request
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow ip_liberado
http_access deny CONNECT !SSL_ports
http_access deny sitebloqueio
http_access allow localhost
# NOTE(review): url_regex is unanchored, so this matches the string anywhere
# in the URL (the trailing "/*" is zero-or-more slashes and adds nothing);
# it is not a host check, yet it grants access without authentication.
# Anchoring it, e.g. ^http://javadl-esd\.sun\.com/ , limits the allow to
# that host. The same applies to libjava2 below.
acl libjava url_regex javadl-esd.sun.com/*
http_access allow libjava
acl libjava2 url_regex javadl-esd-secure.oracle.com
http_access allow libjava2
http_access deny all
# NOTE(review): "transparent" (interception) mode - Squid cannot send a 407
# challenge to intercepted clients, so proxy_auth and the %LOGIN external
# ACLs above only work for clients explicitly configured to use port 3128.
# This may well be the root cause of the thread's problem; post 8 asks the
# same question.
http_port 3128 transparent


#err_html_text geti@
#deny_info proxy.html bloqueio

coredump_dir /var/spool/squid3

# reload-into-ims turns a client's "reload" into a conditional
# If-Modified-Since request instead of a full refetch; note it is applied to
# .html/.htm pages here as well as static media.
refresh_pattern -i \.jpg$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.gif$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.png$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.jpeg$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.bmp$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.tif$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.tiff$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.swf$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.html$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.htm$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.shtml$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.shtm$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.mov$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.avi$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.mpg$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.mpeg$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.qtm$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.flv$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.wav$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.au$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.mid$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.mp3$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.zip$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.gz$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.arj$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.lha$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.lzh$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.rar$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.tgz$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.tar$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.Z$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.sit$ 1440 100% 43200 reload-into-ims
refresh_pattern -i \.pdf$ 1440 100% 43200 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Squid runs as this account; post 4 adds it to winbindd_priv, presumably so
# the NTLM helper can reach winbind's privileged pipe.
cache_effective_user proxy
cache_effective_group proxy



  


2. Re: squid.conf nao esta liberando via grupos do ad

David Silva Andrade
Davidand

(usa Debian)

Enviado em 10/09/2015 - 08:54h

Marlonfm,


No início do squid.conf, coloque as seguintes linhas:

# Domain-joined machines: NTLM single sign-on through ntlm_auth.
# SEU-DOMINIO-AQUI is a placeholder for the AD domain (kept as posted).

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=SEU-DOMINIO-AQUI
auth_param ntlm children 30
auth_param ntlm keep_alive on


# Machines outside the domain: Basic fallback (the password travels
# base64-encoded in every request).

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 30
auth_param basic realm SEU-DOMINIO-AQUI
# NOTE(review): Squid trusts a validated Basic credential for this long
# before asking the helper again, so a password changed or an account
# disabled in AD can keep working on the proxy for up to 24 hours.
auth_param basic credentialsttl 24 hours




E, SE POSSÍVEL, POSTE A CONFIGURAÇÃO DO SEU WINBIND E SAMBA.


3. Re: squid.conf nao esta liberando via grupos do ad

Marlon Fernandes
marlonfm

(usa Debian)

Enviado em 10/09/2015 - 10:09h

# smb.conf posted by the original poster: Samba joined to the AD domain as a
# member server (security = ADS), used only to feed winbind for Squid.
[global]
netbios name = FW-NOVO
workgroup = BAHIATURSA
realm = BAHIATURSA.BA.GOV.BR
server string = Proxy Server
encrypt passwords = true
security = ADS
# password server = replica.bahiatursa.ba.gov.br
# NOTE(review): level 3 is verbose for a production proxy; %m produces one
# log file per client machine.
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
preferred master = no
dns proxy = no
ldap ssl = no
local master = no
domain master = no
# Legacy global idmap ranges; newer Samba releases expect the per-domain
# "idmap config <DOMAIN> : ..." form that post 4 uses - confirm the
# installed version.
idmap uid = 10000-20000
idmap gid = 10000-20000
# Drops the DOMAIN\ prefix from winbind user and group names, which is
# presumably why the Squid group ACLs in post 1 use bare names such as
# "liberados".
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
cups options = raw
# wins server = 10.73.0.7





##

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

# winbind is appended for passwd and group only, so domain accounts and
# groups resolve through NSS (getent); shadow stays local (compat only).
passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis




4. Re: squid.conf nao esta liberando via grupos do ad

David Silva Andrade
Davidand

(usa Debian)

Enviado em 10/09/2015 - 10:56h


O nsswitch.conf está OK.

Faça um backup e altere seu smb.conf para:

# Suggested smb.conf template (post 4). Values in UPPER-CASE-WITH-DASHES are
# placeholders to be replaced by the reader.
[global]
realm = SEU-DOMINIO-AQUI
workgroup = SEU-GRUPO
netbios name = NOME-DO-SERVER-PROXY
server string = %h server
security = ads
# NOTE(review): "auth methods" has been dropped in newer Samba releases -
# confirm the installed version still accepts it.
auth methods = winbind
allow trusted domains = no
# NOTE(review): the label after "idmap config" must be the workgroup/domain
# short name (the same value as "workgroup" above), not an AD group name;
# post 6 corrects exactly this mistake.
idmap config SEU-GRUPO: default = yes
idmap config SEU-GRUPO: backend = rid
idmap config SEU-GRUPO: readonly = yes
idmap config SEU-GRUPO: range= 1000000-10000000
idmap alloc config: range = 1000000-10000000

idmap uid = 1000000-10000000
idmap gid = 1000000-10000000

template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
# NOTE(review): enumerating all users/groups can be slow on large domains;
# wbinfo -g (post 5) relies on it, but Squid's group check does not.
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes

load printers = no
domain master = no
preferred master = no
domain logons = no
wins support = no
wins proxy = no
dns proxy = no
# NOTE(review): the instruction on this line points "password server" at the
# proxy host itself, but a password server, if set at all, must be a domain
# controller. With security = ads Samba locates the DC on its own and warns
# when this parameter is present (the testparm output in post 9 shows that
# warning), so the line is best left out.
password server = EM-CAIXA-ALTA-DIGITE O -NOME-COMPLETO-DA-MAQUINA-PROXY-COM-DOMINIO EX: PROXY.COM.NET -


Execute os seguintes comandos:

# Add Squid's effective user ("cache_effective_user proxy" in post 1) to the
# winbindd_priv group; presumably so ntlm_auth can open winbind's privileged
# pipe - TODO confirm for the installed Samba version.
adduser proxy winbindd_priv
# Recursive ownership change on both locations of the privileged pipe
# directory (-R after the path is accepted by GNU chown).
chown root:winbindd_priv /run/samba/winbindd_privileged -R
chown root:winbindd_priv /var/lib/samba/winbindd_privileged -R

Primeiro o winbind, depois o samba.



Verifique se o nome do grupo no AD está exatamente igual ao do squid.conf, respeitando letras maiúsculas e minúsculas.


5. Re: squid.conf nao esta liberando via grupos do ad

Marlon Fernandes
marlonfm

(usa Debian)

Enviado em 10/09/2015 - 11:34h

E AGORA ESTÁ OK? NÃO ENTENDI a parte que você falou: primeiro o winbind, depois o samba.

marlon@fw-novo:/etc/squid3$ sudo adduser proxy winbindd_priv
O usuário 'proxy' já é um membro de 'winbindd_priv'.


MEU GRUPO no wbinfo está minúsculo, mas no AD o grupo é Liberados.
marlon@fw-novo:/etc/squid3$ sudo wbinfo -g
liberados



# smb.conf after applying the post 4 template (post 5).
[global]
realm = BAHIATURSA.BA.GOV.BR
workgroup = BAHIATURSA
netbios name = FW-NOVO
server string = %h server
security = ads
auth methods = winbind
allow trusted domains = no
# NOTE(review): "Liberados" is the AD group name, but the label after
# "idmap config" has to be the domain short name - BAHIATURSA, as set in
# "workgroup" above. Post 6 gives the corrected lines.
idmap config Liberados: default = yes
idmap config Liberados: backend = rid
idmap config Liberados: readonly = yes
idmap config Liberados: range= 1000000-10000000
idmap alloc config: range = 1000000-10000000

idmap uid = 1000000-10000000
idmap gid = 1000000-10000000

template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes

load printers = no
domain master = no
preferred master = no
domain logons = no
wins support = no
wins proxy = no
dns proxy = no
# NOTE(review): this is the proxy's own FQDN, not a domain controller.
# Samba warns that security = ads should not be combined with "password
# server" at all (see the testparm output in post 9); removing the line lets
# Samba discover the DC itself.
password server = FW-NOVO.BAHIATURSA.BA.GOV.BR



6. Re: squid.conf nao esta liberando via grupos do ad

David Silva Andrade
Davidand

(usa Debian)

Enviado em 10/09/2015 - 15:55h

Corrija os campos abaixo:


# Corrected idmap lines: the label is the domain short name (the
# "workgroup" value), not the AD group name used in post 5.
idmap config BAHIATURSA: default = yes
idmap config BAHIATURSA: backend = rid
idmap config BAHIATURSA: readonly = yes
idmap config BAHIATURSA: range= 1000000-10000000


E poste se autenticou por grupo.



7. Re: squid.conf nao esta liberando via grupos do ad

Marlon Fernandes
marlonfm

(usa Debian)

Enviado em 10/09/2015 - 17:49h


Diz aí um teste que eu possa fazer via comando? Essas ACLs estão certinhas?


8. Re: squid.conf nao esta liberando via grupos do ad

David Silva Andrade
Davidand

(usa Debian)

Enviado em 11/09/2015 - 12:38h

Seu proxy é transparente ?

Caso não seja, faça um backup do squid.conf e crie um novo com estas configurações.

Obs: insira sua rede no campo em negrito (a linha `acl rede_local`).


###############################################################################################
# AUTHENTICATION - DOMAIN-JOINED MACHINES (NTLM single sign-on)
###############################################################################################
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=BAHIATURSA.BA.GOV.BR
auth_param ntlm children 30
auth_param ntlm keep_alive on



###############################################################################################
# AUTHENTICATION - MACHINES OUTSIDE THE DOMAIN (Basic fallback)
###############################################################################################
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 30
auth_param basic realm BAHIATURSA.BA.GOV.BR
# NOTE(review): a validated Basic credential is trusted for this long before
# the helper is consulted again, so an account disabled in AD may keep
# working on the proxy for up to 24 hours.
auth_param basic credentialsttl 24 hours


###############################################################################################
# ACLS
###############################################################################################
# Group-membership helper; results are cached for ttl=60 seconds.
# NOTE(review): children-startup/children-max is the Squid 3.2+ spelling -
# older squid3 builds only accept children=N; check the installed version.
# The helper name also differs from post 1 (wbinfo_group.pl vs
# ext_wbinfo_group_acl); use whichever exists under /usr/lib/squid3.
external_acl_type grupo_ad ttl=60 children-startup=20 children-max=20 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl



###############################################################################################
# NOTE(review): a bare address in a src acl matches a single host; give the
# network in CIDR form (e.g. 192.168.0.0/24 - example value) so the whole LAN
# matches. Placeholder kept as posted.
acl rede_local src SUA-RDE-AQUI-EX-192.168.0.0





###############################################################################################
# SSL PORTS (CONNECT tunnel targets)
###############################################################################################
# NOTE(review): every port here becomes a raw TCP tunnel target through the
# proxy, not just HTTPS; 1723 (PPTP), 993 (IMAPS) and the unlabelled ports
# should each have a documented owner, and unused ones should be removed.
acl SSL_ports port 443 # SSL
acl SSL_ports port 10443 # Endian
acl SSL_ports port 10000 # Webmin
acl SSL_ports port 2381 # HP-UX
acl SSL_ports port 2301 # HP-UX
acl SSL_ports port 11371 # APT-KEY
acl SSL_ports port 993 # IMAP SSL
acl SSL_ports port 1723 # VPN
acl SSL_ports port 2631 # Conectividade Caixa
acl SSL_ports port 3456
acl SSL_ports port 5022
acl SSL_ports port 8017
acl SSL_ports port 8181
acl SSL_ports port 9339
acl SSL_ports port 33902
acl SSL_ports port 8443





###############################################################################################
# ALLOWED PORTS (plain HTTP request targets)
###############################################################################################
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 20 # FTP data
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 143 # IMAP
acl Safe_ports port 993 # IMAP SSL
acl Safe_ports port 465 # SMTP
acl Safe_ports port 587 # SMTP
acl Safe_ports port 1723 # VPN
acl Safe_ports port 81 # HTTP
acl Safe_ports port 2631 # Conectividade Caixa
acl Safe_ports port 3456
acl Safe_ports port 5022
acl Safe_ports port 8017
acl Safe_ports port 8181
acl Safe_ports port 9339
acl Safe_ports port 33902
acl Safe_ports port 8443
# NOTE(review): Squid's default Safe_ports list deliberately leaves out 25
# (SMTP); allowing HTTP requests to 25 and 53 broadens what the proxy will
# forward - keep only if a specific application needs it.
acl Safe_ports port 25
acl Safe_ports port 53


###############################################################################################
acl CONNECT method CONNECT


###############################################################################################
# ALLOWED GROUPS
###############################################################################################

acl grp-liberados external grupo_ad liberados



###########################################################################################
# RULES
##########################################################################################


# Deny rules first, then a single allow that requires both the local network
# and AD group membership (the %LOGIN lookup triggers the auth challenge,
# which only works for clients explicitly configured to use the proxy).
# NOTE(review): no "allow localhost manager"/"deny manager" pair and no
# explicit final "deny all" here. Squid applies the opposite of the last rule
# to unmatched requests, so they are denied, but an explicit
# "http_access deny all" makes that intent visible.
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access allow rede_local grp-liberados





Lembre-se de que o squid lê as informações do AD a cada 5 ou 10 minutos!!!

Poste o resultado.


9. Re: squid.conf nao esta liberando via grupos do ad

Marlon Fernandes
marlonfm

(usa Debian)

Enviado em 14/09/2015 - 10:04h


Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).
Server role: ROLE_DOMAIN_MEMBER
Mano, agora meu proxy funciona durante o dia, mas à noite para e fica pedindo autenticação para os usuários do AD; daí tenho que reiniciar o samba para funcionar. O que pode ser?


10. Re: squid.conf nao esta liberando via grupos do ad

David Silva Andrade
Davidand

(usa Debian)

Enviado em 28/09/2015 - 14:09h

A hora do proxy está de acordo com o AD? Caso não, execute o comando ntpdate ip_do_ad para sincronizar.
Como ficou a configuração do samba e do squid.conf?



  


