与Windows AD实现透明验证的squid代理服务器

ahocat

必须指向Windows域中DC的DNS
另外，smb.conf中加上wins server，域中也要启用wins服务，DC要注册到wins。

[ 本帖最后由 ahocat 于 2009-6-28 09:44 编辑 ]

xjjjk

原帖由 ahocat 于 2009-6-28 09:34 发表
必须指向Windows域中DC的DNS
另外，smb.conf中加上wins server，域中也要启用wins服务，DC要注册到wins。

smb。conf中已经添加wins服务器的地址了，ping fqdn dc是没有问题的可以解析；
wbinfo -t也没有问题；

ahocat

光能ping到DC不一定正确，加入域必须要能解析到你这个cetr.net域的SRV记录

xjjjk

原帖由 ahocat 于 2009-6-29 08:43 发表
光能ping到DC不一定正确，加入域必须要能解析到你这个cetr.net域的SRV记录

cache:/var/log/samba# host cetr.net
cetr.net             A       10.1.2.8
cetr.net             A       10.5.2.1
cetr.net             A       10.1.2.12
cetr.net             A       10.20.2.1
cetr.net             A       10.1.50.2
是可以正确解析srv记录的；

并且我在windows客户端通过nslookup也可以正确解析cetr.net的srv记录的；

下面是我的squid服务器的相关日志
log.smbd
[2009/06/29 00:10:55,  0] libads/kerberos.c:ads_kinit_password(356)
  kerberos_kinit_password CACHE$@CETR.NET failed: Cannot resolve network address for KDC in requested realm
[2009/06/29 00:10:55,  0] printing/nt_printing.c:nt_printing_init(664)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED

***************************************************************************
log.cetr.net
[2009/06/27 00:17:01,  1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(62
4)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_ACCESS_DENIED recei
ved from remote machine testad.cetr.net pipe \lsarpc fnum 0x4005!
[2009/06/27 00:17:01,  0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_ntlmssp_intern
al(2367)
  cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error NT cod
e 0x00000005
[2009/06/27 10:35:31,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for mkfserver$@CETR.NET (Reques
ted effective lifetime is negative or too short)

ahocat

这里只看到DNS的主机(A)记录。
检查一下DNS服务器，cetr.net域下面有没有_msdcs这样的目录，这个目录下面应该包含有你域中DC，ldap,kerboros，site等很多信息

[ 本帖最后由 ahocat 于 2009-6-29 13:44 编辑 ]

xjjjk

原帖由 ahocat 于 2009-6-29 13:43 发表
这里只看到DNS的主机(A)记录。
检查一下DNS服务器，cetr.net域下面有没有_msdcs这样的目录，这个目录下面应该包含有你域中DC，ldap,kerboros，site等很多信息

dns服务器的记录都正常，可以加入域了，krb5.conf中的配置有点问题；
目前可以正常加入到域了，也可以通过wbinfo -t wbinfo -u看到域的信息了；
目前启动squid就出现以下错误；
Jun 29 13:50:02 cache squid[1954]: Squid Parent: child process 1957 started
Jun 29 13:50:03 cache squid[1957]: The wbinfo_group_helper helpers are crashing   too rapidly, need help!
Jun 29 13:50:03 cache squid[1954]: Squid Parent: child process 1957 exited due to signal 6un 29 13:50:06 cache squid[1954]: Squid Parent: child process 1984 started
Jun 29 13:50:06 cache squid[1984]: The wbinfo_group_helper helpers are crashing too rapidly, need help!
Jun 29 13:50:06 cache squid[1954]: Squid Parent: child process 1984 exited due to signal 6
Jun 29 13:50:09 cache squid[1954]: Squid Parent: child process 2009 started
Jun 29 13:50:10 cache squid[2009]: The wbinfo_group_helper helpers are crashing   too rapidly, need help!
Jun 29 13:50:10 cache squid[1954]: Squid Parent: child process 2009 exited due to signal 6
Jun 29 13:50:13 cache squid[1954]: Squid Parent: child process 2032 started
Jun 29 13:50:13 cache squid[2032]: The wbinfo_group_helper helpers are crashing  too rapidly, need help!
Jun 29 13:50:13 cache squid[1954]: Squid Parent: child process 2032 exited due to signal 6
Jun 29 13:50:16 cache squid[1954]: Squid Parent: child process 2055 started
Jun 29 13:50:17 cache squid[2055]: The wbinfo_group_helper helpers are crashing  too rapidly, need help!
Jun 29 13:50:17 cache squid[1954]: Squid Parent: child process 2055 exited due to signal 6
Jun 29 13:50:17 cache squid[1954]: Exiting due to repeated, frequent failures

ahocat

看一下log.winbindd和cache.log

xjjjk

原帖由 ahocat 于 2009-6-29 15:11 发表
看一下log.winbindd和cache.log

log.winbindd
***************************************************************************
[2009/06/29 13:29:09,  0] winbindd/winbindd.c:main(1127)
  winbindd version 3.2.5 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2008
[2009/06/29 13:29:09,  0] winbindd/winbindd_cache.c:initialize_winbindd_cache(23
74)
  initialize_winbindd_cache: clearing cache and re-creating with version number
1
[2009/06/29 13:30:01,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for markorcw$@MARKORYY (Cannot fi
nd KDC for requested realm)
[2009/06/29 13:30:01,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC fo
r requested realm
[2009/06/29 13:46:20,  0] winbindd/winbindd.c:main(1127)
  winbindd version 3.2.5 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2008
[2009/06/29 13:46:20,  0] winbindd/winbindd_cache.c:initialize_winbindd_cache(23
74)
  initialize_winbindd_cache: clearing cache and re-creating with version number
1

cache.log  应该是缺少perl相关的软件包，谢谢ahocat ，安装了perl后问题解决；
***************************************************************************
Can't locate Getopt/Std.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/
perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at /usr/lib/squid/wbinfo_group.pl l
ine 62.
BEGIN failed--compilation aborted at /usr/lib/squid/wbinfo_group.pl line 62.
Can't locate Getopt/Std.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/
perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at /usr/lib/squid/wbinfo_group.pl l
ine 62.
BEGIN failed--compilation aborted at /usr/lib/squid/wbinfo_group.pl line 62.
Can't locate Getopt/Std.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/
perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at /usr/lib/squid/wbinfo_group.pl l
ine 62.
BEGIN failed--compilation aborted at /usr/lib/squid/wbinfo_group.pl line 62.
Can't locate Getopt/Std.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/
perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at /usr/lib/squid/wbinfo_group.pl l
ine 62.
BEGIN failed--compilation aborted at /usr/lib/squid/wbinfo_group.pl line 62.
Can't locate Getopt/Std.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/
perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at /usr/lib/squid/wbinfo_group.pl l
ine 62.
BEGIN failed--compilation aborted at /usr/lib/squid/wbinfo_group.pl line 62.
cache:/var/log/squid# tail -f cache.log
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
        total space in arena:    2280 KB
        Ordinary blocks:         2271 KB      5 blks
        Small blocks:               0 KB      0 blks
        Holding blocks:           280 KB      1 blks
        Free Small blocks:          0 KB
        Free Ordinary blocks:       8 KB
        Total in use:            2551 KB 100%
        Total free:                 8 KB 0%

[ 本帖最后由 xjjjk 于 2009-6-29 15:58 编辑 ]

xjjjk

用户分组认证权限不同，但是新添加的用户要通过认证，必须要重启squid服务才能通过认证，不知道大家有没有遇到过这样的问题，测试过不重启squid服务，重启samba和winbind好像也不行；

aleng

一台win域控+一台winserver上装isa2006实现起来简单，问题少。