Squid proxy works perfectly for one AD user, denies all others

Problem

I have 4 users in AD:

tst001ak1

tst001ak2(从tst001ak1复制)

tst001jf1

tst001vs1

All users are members of the group SG_Blacklist.

I have set up a Squid proxy that should allow the SG_Blacklist group every website except youtube and facebook. Everything works fine for only one user – tst001ak1: youtube and facebook are blocked, everything else is allowed. For all other users I get Squid's "Access Denied" for everything.

Testing

OK, let's test user authentication:

    root@proxy:/etc/squid3# /usr/lib/squid3/basic_ldap_auth -R -b "dc=test,dc=local" -D [email protected] -w Slaptazodis123 -f sAMAccountName=%s -h forest.test.local
    tst001ak1 Slaptazodis1234
    OK
    tst001ak1 Slaptazodis123
    ERR Success
    tst001ak2 Slaptazodis1234
    OK
    tst001ak2 Slaptazodis123
    ERR Success

So this helper authenticates both users correctly (both have the password Slaptazodis1234).

Groups:

    root@proxy:/etc/squid3# /usr/lib/squid3/ext_ldap_group_acl -R -b "dc=test,dc=local" -D [email protected] -w Slaptazodis123 -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=SecurityGroups,ou=Kaunas,ou=Sites,dc=test,dc=local))" -h forest.test.local
    tst001ak1 SG_Blacklist
    OK
    tst001ak1 SG_Whitelist
    ERR
    tst001ak2 SG_Blacklist
    OK
    tst001ak2 SG_Whitelist
    ERR

Seems fine.

Configuration

The full squid.conf file:

    auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
    auth_param negotiate children 10
    auth_param negotiate keep_alive off
    auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "dc=test,dc=local" -D [email protected] -w Slaptazodis123 -f sAMAccountName=%s -h forest.test.local
    auth_param basic children 5
    auth_param basic realm Welcome to Proxy
    auth_param basic credentialsttl 2 hours
    external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -b "dc=test,dc=local" -D [email protected] -w Slaptazodis123 -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=SecurityGroups,ou=Kaunas,ou=Sites,dc=test,dc=local))" -h forest.test.local
    acl auth proxy_auth REQUIRED
    acl Blacklist external memberof SG_Blacklist
    acl Whitelist external memberof SG_Whitelist
    acl Full external memberof "/etc/squid3/full.txt"
    acl wsites dstdomain "/etc/squid3/wsites.txt"
    acl bsites dstdomain "/etc/squid3/bsites.txt"
    acl priority dstdomain "/etc/squid3/priority.txt"
    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
    http_access deny !Safe_ports
    #sites allowed for everyone
    http_access allow priority
    http_access deny !auth
    http_access allow Full !wsites
    http_access allow Whitelist !bsites
    http_access allow Blacklist !bsites
    http_access deny all
    http_port 3128
    access_log /var/log/squid3/access.log squid
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320
    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid3

What I have tried

Tried everything I could think of. Tried changing the squid.conf file in different ways.

Tried creating new users in AD, copied from the working user.

Went into the AD Administrative Center and ticked almost all of the read-attribute permissions.

Created a new [email protected] user ([email protected]

Deleted the Squid server and built it from scratch (3 times).

Debugged Squid, read thousands of lines, but still don't understand what the problem is.

Lots of other things that I don't remember now.

Logs

tst001ak2 access.log

    1501157073.419      0 10.103.22.4 TCP_DENIED/403 3686 GET http://api.bing.com/qsml.aspx? [email protected] HIER_NONE/- text/html
    1501157073.511      0 10.103.22.4 TCP_DENIED/403 3687 GET http://api.bing.com/qsml.aspx? [email protected] HIER_NONE/- text/html
    1501157073.627      0 10.103.22.4 TCP_DENIED/403 3688 GET http://api.bing.com/qsml.aspx? [email protected] HIER_NONE/- text/html
    1501157073.704      0 10.103.22.4 TCP_DENIED/403 3689 GET http://api.bing.com/qsml.aspx? [email protected] HIER_NONE/- text/html
    1501157073.744      0 10.103.22.4 TCP_DENIED/403 3690 GET http://api.bing.com/qsml.aspx? [email protected] HIER_NONE/- text/html
    1501157073.798      0 10.103.22.4 TCP_DENIED/403 3691 GET http://api.bing.com/qsml.aspx? [email protected] HIER_NONE/- text/html
    1501157073.970      0 10.103.22.4 TCP_DENIED/403 3586 GET http://google.com/ [email protected] HIER_NONE/- text/html
    1501157073.980      0 10.103.22.4 TCP_DENIED/403 3727 GET http://www.squid-cache.org/Artwork/SN.png [email protected] HIER_NONE/- text/html

tst001ak2 cache.log (only a few lines)

    negotiate_kerberos_pac.cc(368): pid=2778 :2017/07/27 15:11:58| negotiate_kerberos_auth: INFO: Got PAC data of lengh 480
    negotiate_kerberos_pac.cc(186): pid=2778 :2017/07/27 15:11:58| negotiate_kerberos_auth: INFO: Found 2 rids
    negotiate_kerberos_pac.cc(193): pid=2778 :2017/07/27 15:11:58| negotiate_kerberos_auth: Info: Got rid: 1107
    negotiate_kerberos_pac.cc(193): pid=2778 :2017/07/27 15:11:58| negotiate_kerberos_auth: Info: Got rid: 513
    negotiate_kerberos_pac.cc(255): pid=2778 :2017/07/27 15:11:58| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1-5-21-1970744413-2672878646-2165510742
    negotiate_kerberos_pac.cc(277): pid=2778 :2017/07/27 15:11:58| negotiate_kerberos_auth: INFO: Found 1 ExtraSIDs
    negotiate_kerberos_pac.cc(325): pid=2778 :2017/07/27 15:11:58| negotiate_kerberos_auth: INFO: Got ExtraSid S-1-18-1
    negotiate_kerberos_pac.cc(448): pid=2778 :2017/07/27 15:11:58| negotiate_kerberos_auth: INFO: Read 476 of 480 bytes
    negotiate_kerberos_auth.cc(426): pid=2778 :2017/07/27 15:11:58| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAAXSx3dTbkUJ9WEhOBUwQAAA== group=AQUAAAAAAAUVAAAAXSx3dTbkUJ9WEhOBAQIAAA== group=AQEAAAAAABIBAAAA
    negotiate_kerberos_auth.cc(431): pid=2778 :2017/07/27 15:11:58| negotiate_kerberos_auth: DEBUG: AF oYG2MIGzoAMKAQChCwYJKoZIhvcSAQICooGeBIGbYIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuZJS/UnCaLjDtwNQK/BgUGe+MRw5up5QJMBWn/v0sooQPNvAjkIXYVxuoNM8oTC2kGrD7unOqm2M8TGlbMY2wbFjwhyiSb4KN6NHot27OFWULpTSbBWF/CzBNsf+GfSLddcEkZ8yHnvXae+f72yI= [email protected]

tst001ak1 access.log

    1501157268.904     75 10.103.22.4 TCP_MISS/302 619 GET http://google.com/ tst001ak1 HIER_DIRECT/216.58.201.174 text/html
    1501157313.305    149 10.103.22.4 TCP_MISS/200 788 GET http://api.bing.com/qsml.aspx? tst001ak1 HIER_DIRECT/13.107.5.80 text/html
    1501157313.492      0 10.103.22.4 TCP_DENIED/403 3687 GET http://facebook.com/ tst001ak1 HIER_NONE/- text/html
    1501157316.489    103 10.103.22.4 TCP_MISS_ABORTED/000 0 GET http://api.bing.com/qsml.aspx? tst001ak1 HIER_DIRECT/13.107.5.80 -
    1501157316.510      0 10.103.22.4 TCP_DENIED/403 3794 GET http://youtube.com/ tst001ak1 HIER_NONE/- text/html

tst001ak1 cache.log (only a few lines)

    negotiate_kerberos_pac.cc(368): pid=2778 :2017/07/27 15:09:54| negotiate_kerberos_auth: INFO: Got PAC data of lengh 520
    negotiate_kerberos_pac.cc(186): pid=2778 :2017/07/27 15:09:54| negotiate_kerberos_auth: INFO: Found 2 rids
    negotiate_kerberos_pac.cc(193): pid=2778 :2017/07/27 15:09:54| negotiate_kerberos_auth: Info: Got rid: 1107
    negotiate_kerberos_pac.cc(193): pid=2778 :2017/07/27 15:09:54| negotiate_kerberos_auth: Info: Got rid: 512
    negotiate_kerberos_pac.cc(255): pid=2778 :2017/07/27 15:09:54| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1-5-21-1970744413-2672878646-2165510742
    negotiate_kerberos_pac.cc(277): pid=2778 :2017/07/27 15:09:54| negotiate_kerberos_auth: INFO: Found 1 ExtraSIDs
    negotiate_kerberos_pac.cc(325): pid=2778 :2017/07/27 15:09:54| negotiate_kerberos_auth: INFO: Got ExtraSid S-1-18-1
    negotiate_kerberos_pac.cc(448): pid=2778 :2017/07/27 15:09:54| negotiate_kerberos_auth: INFO: Read 480 of 520 bytes
    negotiate_kerberos_auth.cc(426): pid=2778 :2017/07/27 15:09:54| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAAXSx3dTbkUJ9WEhOBUwQAAA== group=AQUAAAAAAAUVAAAAXSx3dTbkUJ9WEhOBAAIAAA== group=AQEAAAAAABIBAAAA
    negotiate_kerberos_auth.cc(431): pid=2778 :2017/07/27 15:10:55| negotiate_kerberos_auth: DEBUG: AF oYG2MIGzoAMKAQChCwYJKoZIhvcSAQICooGeBIGbYIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARumhMB/ZuwMeLgbxtxm6xJKbQqiYgw87IPDyOG8vE4SaSEA012z99K06RmWeiHBsF1zbJhZYEZZg6QQspaKvjc05B6+DbVJ0XhkttPf1dhulZPQ/WmTeEg/uZ0saiqB0P3ecriPZZfr27/GwNgmMI= [email protected]
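As an added example that is not part of the question and not Squid's own code, the Python script below replays three of the access.log lines above through a small model of the http_access chain in the squid.conf above. It parses the native Squid log format, looks the logged user up in a stand-in group directory, and walks the http_access lines in order (first match wins) to show how a request ends up at `http_access deny all` whenever none of the Full, Whitelist or Blacklist lookups returns a match for the exact string Squid hands the helper as %LOGIN, which is the outcome every tst001ak2 line in the log records. The directory contents (taken from the manual ext_ldap_group_acl test above), the contents of bsites.txt (youtube and facebook, per the description), the empty wsites/priority/full lists and the realm TEST.LOCAL written into the obscured tst001ak2 user field are all assumptions; the `strip_realm` switch is a hypothetical knob that lets you compare the verdicts when the lookup is done on the bare sAMAccountName instead.

```python
# Added example (not from the question, not Squid code): model of the question's
# http_access chain, replayed over access.log lines from the question.
import re
from urllib.parse import urlsplit

# Constructed sample: three access.log lines from the question.  The user field
# for tst001ak2 was obscured in the question; it is written here as an ASSUMED
# Kerberos-style login, realm TEST.LOCAL guessed from dc=test,dc=local.
ACCESS_LOG = """\
1501157073.970      0 10.103.22.4 TCP_DENIED/403 3586 GET http://google.com/ tst001ak2@TEST.LOCAL HIER_NONE/- text/html
1501157268.904     75 10.103.22.4 TCP_MISS/302 619 GET http://google.com/ tst001ak1 HIER_DIRECT/216.58.201.174 text/html
1501157313.492      0 10.103.22.4 TCP_DENIED/403 3687 GET http://facebook.com/ tst001ak1 HIER_NONE/- text/html
"""

# Squid native ("squid") access_log format, whitespace separated:
# timestamp elapsed client result/status bytes method url user hierarchy/peer mime
LOG_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def parse_access_log(text):
    """Return (user, host, result_code) for every well-formed line."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m.group(7)).hostname or ""
        rows.append((m.group(8), host, m.group(4)))
    return rows


# Assumed directory, keyed by bare sAMAccountName: what the manual
# ext_ldap_group_acl test in the question showed (both users OK for SG_Blacklist).
DIRECTORY = {
    "tst001ak1": {"SG_Blacklist"},
    "tst001ak2": {"SG_Blacklist"},
}


def lookup_groups(login, strip_realm):
    """Model of 'external memberof': the helper filter uses sAMAccountName=%v,
    an exact equality match, so the string Squid passes as %LOGIN must equal the
    attribute.  strip_realm (hypothetical) drops an '@REALM' suffix first."""
    key = login.split("@", 1)[0] if strip_realm else login
    return DIRECTORY.get(key, set())


# Assumed ACL file contents: bsites.txt holds the two sites the question says are
# blocked; wsites.txt, priority.txt and full.txt are not shown, so treated as empty.
BSITES = {"youtube.com", "facebook.com"}
WSITES, PRIORITY, FULL_GROUPS = set(), set(), set()


def dst_in(host, domains):
    """dstdomain-style match: the host itself or any subdomain of a listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def http_access(login, host, strip_realm=False):
    """Walk the question's http_access lines in order; first match wins, as in
    Squid.  Safe_ports/CONNECT are skipped: every logged request here is port 80."""
    groups = lookup_groups(login, strip_realm)
    if dst_in(host, PRIORITY):
        return "allow priority"
    if not login or login == "-":
        return "deny !auth"
    if groups & FULL_GROUPS and not dst_in(host, WSITES):
        return "allow Full !wsites"
    if "SG_Whitelist" in groups and not dst_in(host, BSITES):
        return "allow Whitelist !bsites"
    if "SG_Blacklist" in groups and not dst_in(host, BSITES):
        return "allow Blacklist !bsites"
    return "deny all"


def replay(log_text, strip_realm):
    """Compare the model's verdict with what access.log actually recorded.
    Returns (user, host, verdict, model_agrees_with_log) per parsed line."""
    out = []
    for user, host, code in parse_access_log(log_text):
        verdict = http_access(user, host, strip_realm)
        denied_in_log = code.startswith("TCP_DENIED")
        out.append((user, host, verdict, verdict.startswith("deny") == denied_in_log))
    return out


if __name__ == "__main__":
    for strip in (False, True):
        print(f"strip_realm={strip}")
        for row in replay(ACCESS_LOG, strip):
            print("  ", row)
```

With `strip_realm=False` the model agrees with all three logged lines: tst001ak1 is allowed to google.com and denied facebook.com, and the realm-qualified login misses every group lookup and falls through to `deny all`. With `strip_realm=True` the first line disagrees with the log, which is the point of the switch: the verdict a user gets depends entirely on whether the %LOGIN string reaching the helper matches the directory attribute the filter compares against. When debugging a setup like this, compare the user field as it appears in access.log with the string typed into the manual helper test; the manual test above used bare names only.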