ERROR: Negotiate Authentication validating user
but with
# Negotiate Kerberos and NTLM authentication
and
# Only NTLM authentication
authorization returns the error
ERROR: Negotiate Authentication validating user. Error returned ‘BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL’
Basic authorization goes through fine and works.
I tested it this way: I disabled the parameters one at a time
# Negotiate Kerberos and NTLM authentication
and
# Only NTLM authentication
- Алексей Максимов
- Site administrator
- Posts: 572
- Registered: 14 Sep 2012 06:50
- Location: Syktyvkar
Re: Authorization
Show what appears in cache.log when the squid configuration is applied:
Code:
sudo squid3 -k reconfigure
Code:
sudo wbinfo -a DOMAIN\\user
Re: ERROR: Negotiate Authentication validating user
Code:
2015/02/20 14:19:01| Reconfiguring Squid Cache (version 3.3.8)...
2015/02/20 14:19:01| Closing HTTP port 192.168.0.169:3128
2015/02/20 14:19:01| Closing Pinger socket on FD 21
2015/02/20 14:19:01| Logfile: closing log daemon:/var/log/squid3/access.log
2015/02/20 14:19:01| Logfile Daemon: closing log daemon:/var/log/squid3/access.log
2015/02/20 14:19:01| Startup: Initializing Authentication Schemes ...
2015/02/20 14:19:01| Startup: Initialized Authentication Scheme 'basic'
2015/02/20 14:19:01| Startup: Initialized Authentication Scheme 'digest'
2015/02/20 14:19:01| Startup: Initialized Authentication Scheme 'negotiate'
2015/02/20 14:19:01| Startup: Initialized Authentication Scheme 'ntlm'
2015/02/20 14:19:01| Startup: Initialized Authentication.
2015/02/20 14:19:01| Processing Configuration File: /etc/squid3/squid.conf (depth 0)
2015/02/20 14:19:01| Logfile: opening log daemon:/var/log/squid3/access.log
2015/02/20 14:19:01| Logfile Daemon: opening log /var/log/squid3/access.log
2015/02/20 14:19:01| Squid plugin modules loaded: 0
2015/02/20 14:19:01| Adaptation support is off.
2015/02/20 14:19:01| Store logging disabled
2015/02/20 14:19:01| DNS Socket created at [::], FD 7
2015/02/20 14:19:01| DNS Socket created at 0.0.0.0, FD 8
2015/02/20 14:19:01| Adding nameserver 192.168.0.43 from /etc/resolv.conf
2015/02/20 14:19:01| Adding nameserver 192.168.0.32 from /etc/resolv.conf
2015/02/20 14:19:01| Adding domain alea.local from /etc/resolv.conf
2015/02/20 14:19:01| Adding domain alea.local from /etc/resolv.conf
2015/02/20 14:19:01| helperOpenServers: Starting 0/20 'basic_ldap_auth' processes
2015/02/20 14:19:01| helperOpenServers: No 'basic_ldap_auth' processes needed.
2015/02/20 14:19:01| helperOpenServers: Starting 5/5 'ext_ldap_group_acl' processes
2015/02/20 14:19:01| HTCP Disabled.
2015/02/20 14:19:01| Pinger socket opened on FD 21
2015/02/20 14:19:01| pinger: Initialising ICMP pinger ...
2015/02/20 14:19:01| pinger: ICMP socket opened.
2015/02/20 14:19:01| pinger: ICMPv6 socket opened
2015/02/20 14:19:01| Loaded Icons.
2015/02/20 14:19:01| Accepting HTTP Socket connections at local=192.168.0.169:3128 remote=[::] FD 19 flags=9
2015/02/20 14:19:11| Pinger exiting.
Code:
Enter ALEA\nbaydakov's password:
plaintext password authentication succeeded
Enter ALEA\nbaydakov's password:
challenge/response password authentication succeeded
Re: ERROR: Negotiate Authentication validating user
Code:
sudo /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=ALEA
ALEA\nbaydakov *****
BH SPNEGO request invalid prefix
- Алексей Максимов
Re: ERROR: Negotiate Authentication validating user
Also show the output of
Code:
sudo squid3 -k parse
Re: ERROR: Negotiate Authentication validating user
Code:
# Negotiate Kerberos and NTLM authentication
#auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth --kerberos /usr/lib/squid3/negotiate_kerberos_auth -r -s "HTTP/proxy.alea.local@ALEA.LOCAL" --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=ALEA
#auth_param negotiate children 200 startup=50 idle=10
#auth_param negotiate keep_alive off
# Only NTLM authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=ALEA
auth_param ntlm children 100 startup=20 idle=5
auth_param ntlm keep_alive off
# Basic authentication via ldap for clients not authenticated via kerberos/ntlm
#auth_param basic program /usr/lib/squid3/basic_ldap_auth -v 3 -P -R -b "CN=Users,dc=alea,dc=local" -D "proxyadmin@alea.local" -W /etc/squid3/ldappass.conf -f "sAMAccountName=%s" -h dc.alea.local dc2.alea.local
#auth_param basic children 20
#auth_param basic realm "proxy.alea.local - SQUID Proxy Server Basic authentication!"
#auth_param basic credentialsttl 2 hours
Code:
debug_options=ALL
Code:
sudo squid3 -k parse
Code:
2015/02/20 17:13:31| Startup: Initializing Authentication Schemes ...
2015/02/20 17:13:31| Startup: Initialized Authentication Scheme 'basic'
2015/02/20 17:13:31| Startup: Initialized Authentication Scheme 'digest'
2015/02/20 17:13:31| Startup: Initialized Authentication Scheme 'negotiate'
2015/02/20 17:13:31| Startup: Initialized Authentication Scheme 'ntlm'
2015/02/20 17:13:31| Startup: Initialized Authentication.
2015/02/20 17:13:31| Processing Configuration File: /etc/squid3/squid.conf (depth 0)
2015/02/20 17:13:31| Processing: debug_options=ALL
2015/02/20 17:13:31| /etc/squid3/squid.conf:6 unrecognized: 'debug_options=ALL'
2015/02/20 17:13:31| Processing: auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=ALEA
2015/02/20 17:13:31| Processing: auth_param ntlm children 100 startup=20 idle=5
2015/02/20 17:13:31| Processing: auth_param ntlm keep_alive off
2015/02/20 17:13:31| Processing: external_acl_type memberof ttl=3600 ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -v 3 -P -R -K -S -b "CN=Users,dc=alea,dc=local" -D "proxyadmin@alea.local" -W /etc/squid3/ldappass.conf -f "(&(objectclass=person)(sAMAccountName=%v)(memberOf:1.2.840.113556.1.4.1941:=cn=%g,OU=squid,OU=Группы безопасности,DC=alea,DC=local))" -h dc.alea.local dc2.alea.local
2015/02/20 17:13:31| Processing: acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
2015/02/20 17:13:31| Processing: acl auth proxy_auth REQUIRED
2015/02/20 17:13:31| Processing: acl BlockedUsers external memberof -i "/etc/squid3/grps_blocked.conf"
2015/02/20 17:13:31| Processing: acl WhiteListUsers external memberof -i "/etc/squid3/grps_whitelist.conf"
2015/02/20 17:13:31| Processing: acl BlackListUsers external memberof -i "/etc/squid3/grps_blacklist.conf"
2015/02/20 17:13:31| Processing: acl FullAccessUsers external memberof -i "/etc/squid3/grps_fullaccess.conf"
2015/02/20 17:13:31| Processing: acl AnonymousAccessUsers external memberof -i "/etc/squid3/grps_fullanonym.conf"
2015/02/20 17:13:31| Processing: acl WhiteList dstdomain -i "/etc/squid3/dom_whitelist.conf"
2015/02/20 17:13:31| Processing: acl BlackList dstdomain -i "/etc/squid3/dom_blacklist.conf"
2015/02/20 17:13:31| Processing: acl AllAccess dstdomain -i "/etc/squid3/dom_allaccess.conf"
2015/02/20 17:13:31| Processing: acl WhiteListURL url_regex -i "/etc/squid3/url_whitelist.conf"
2015/02/20 17:13:31| Processing: acl BlackListURL url_regex -i "/etc/squid3/url_blacklist.conf"
2015/02/20 17:13:31| Processing: acl WUServers src "/etc/squid3/computers_wsus.conf"
2015/02/20 17:13:31| Processing: acl WUSites dstdomain -i "/etc/squid3/dom_wsus.conf"
2015/02/20 17:13:31| Processing: acl SSL_ports port 443
2015/02/20 17:13:31| Processing: acl Safe_ports port 80 # http
2015/02/20 17:13:31| Processing: acl Safe_ports port 21 # ftp
2015/02/20 17:13:31| Processing: acl Safe_ports port 443 # https
2015/02/20 17:13:31| Processing: acl Safe_ports port 70 # gopher
2015/02/20 17:13:31| Processing: acl Safe_ports port 210 # wais
2015/02/20 17:13:31| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2015/02/20 17:13:31| Processing: acl Safe_ports port 280 # http-mgmt
2015/02/20 17:13:31| Processing: acl Safe_ports port 488 # gss-http
2015/02/20 17:13:31| Processing: acl Safe_ports port 591 # filemaker
2015/02/20 17:13:31| Processing: acl Safe_ports port 777 # multiling http
2015/02/20 17:13:31| Processing: acl CONNECT method CONNECT
2015/02/20 17:13:31| Processing: http_access deny !Safe_ports
2015/02/20 17:13:31| Processing: http_access deny CONNECT !SSL_ports
2015/02/20 17:13:31| Processing: http_access allow localhost manager
2015/02/20 17:13:31| Processing: http_access allow localnet manager
2015/02/20 17:13:31| Processing: http_access deny manager
2015/02/20 17:13:31| Processing: http_access deny to_localhost
2015/02/20 17:13:31| Processing: http_access allow WUSites WUServers
2015/02/20 17:13:31| Processing: http_access allow AllAccess
2015/02/20 17:13:31| Processing: http_access deny !auth
2015/02/20 17:13:31| Processing: http_access deny BlockedUsers all
2015/02/20 17:13:31| Processing: http_access allow WhiteList
2015/02/20 17:13:31| Processing: http_access allow WhiteListURL
2015/02/20 17:13:31| Processing: http_access deny WhiteListUsers all
2015/02/20 17:13:31| Processing: http_access allow AnonymousAccessUsers all
2015/02/20 17:13:31| Processing: http_access allow FullAccessUsers all
2015/02/20 17:13:31| Processing: http_access deny BlackList
2015/02/20 17:13:31| Processing: http_access deny BlackListURL
2015/02/20 17:13:31| Processing: http_access allow BlackListUsers all
2015/02/20 17:13:31| Processing: http_access deny all
2015/02/20 17:13:31| Processing: http_port 192.168.0.169:3128
2015/02/20 17:13:31| Processing: hierarchy_stoplist cgi-bin ?
2015/02/20 17:13:31| Processing: forward_max_tries 25
2015/02/20 17:13:31| Processing: cache_mem 1024 MB
2015/02/20 17:13:31| Processing: maximum_object_size_in_memory 1024 KB
2015/02/20 17:13:31| Processing: memory_replacement_policy heap GDSF
2015/02/20 17:13:31| Processing: cache_replacement_policy heap LFUDA
2015/02/20 17:13:31| Processing: cache_dir ufs /var/spool/squid3 7000 16 256
2015/02/20 17:13:31| Processing: maximum_object_size 32768 KB
2015/02/20 17:13:31| Processing: access_log daemon:/var/log/squid3/access.log squid !AnonymousAccessUsers
2015/02/20 17:13:31| Processing: cache_log /var/log/squid3/cache.log
2015/02/20 17:13:31| Processing: coredump_dir /var/spool/squid3
2015/02/20 17:13:31| Processing: refresh_pattern ^ftp: 1440 20% 10080
2015/02/20 17:13:31| Processing: refresh_pattern ^gopher: 1440 0% 1440
2015/02/20 17:13:31| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2015/02/20 17:13:31| Processing: refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
2015/02/20 17:13:31| Processing: refresh_pattern . 0 20% 4320
2015/02/20 17:13:31| Processing: cache_mgr nbaydakov
2015/02/20 17:13:31| Processing: httpd_suppress_version_string on
2015/02/20 17:13:31| Processing: visible_hostname F00-NBK-001
2015/02/20 17:13:31| Processing: error_directory /usr/share/squid3/errors/ru
2015/02/20 17:13:31| Processing: error_default_language ru
2015/02/20 17:13:31| Processing: dns_v4_first on
2015/02/20 17:13:31| Processing: forwarded_for delete
2015/02/20 17:13:31| Processing: cachemgr_passwd ******all
4. I ran
Code:
sudo squid3 -k reconfigure
The user is constantly prompted for a password, and in the cache (access) log:
Code:
ERROR: Negotiate Authentication validating user. Error returned ‘BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL’
- Алексей Максимов
Re: ERROR: Negotiate Authentication validating user
Were the manipulations with winbindd_privileged described in the note carried out? Without them, NTLM authentication from Squid did not work for me (at least on the specific versions of Samba and Squid discussed in the articles).
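One way to verify the winbindd_privileged prerequisite asked about above, as an added example that is not part of the original thread: ntlm_auth reaches winbindd through a pipe inside this directory, so the account Squid runs the helper under must belong to the group that owns it. The path `/var/run/samba/winbindd_privileged` and the account name `proxy` are assumed Debian/Ubuntu defaults, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. The path and the account name in the
# usage line are assumed Debian/Ubuntu defaults; adjust them to your system.

# group_can_enter MODE DIR_GID "GID LIST"
# Succeeds when the octal MODE gives the owning group read+execute and
# DIR_GID is among the account's group ids.
group_can_enter() {
    mode=$1; dir_gid=$2; gids=$3
    bits=$(( (0$mode >> 3) & 7 ))          # group permission digit
    [ $(( bits & 5 )) -eq 5 ] || return 1  # group lacks r or x
    for g in $gids; do
        [ "$g" = "$dir_gid" ] && return 0
    done
    return 1                               # account is not in the owning group
}

# check_winbindd_priv DIR [USER]
# Returns 0 = accessible via group, 1 = denied, 2 = directory missing.
check_winbindd_priv() {
    dir=$1; user=${2:-}
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    set -- $(stat -c '%a %g' "$dir")       # GNU stat: octal mode, owner gid
    if [ -n "$user" ]; then gids=$(id -G "$user"); else gids=$(id -G); fi
    if group_can_enter "${1:-0}" "${2:-}" "$gids"; then
        echo "ok: $dir mode $1 gid $2"
    else
        echo "denied: $dir mode ${1:-?} gid ${2:-?}; account gids: $gids"
        return 1
    fi
}

# Usage: sh check.sh /var/run/samba/winbindd_privileged proxy
if [ $# -gt 0 ]; then check_winbindd_priv "$@"; fi
```

When the result is "denied", the least-privilege fix is to add the Squid account to the owning group and restart Squid, not to widen the directory mode.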
Re: ERROR: Negotiate Authentication validating user
Could PROXY.keytab affect this? When I created it, the first three lines did not come out the same as yours, but everything else matched.
I did it in PowerShell on Win2012R2.
There was nothing like this:
Code:
Targeting domain controller: KOM-AD01-DC01.holding.com
Successfully mapped HTTP/kom-ad01-squid.holding.com to s-KOM-SquidKerb.
Password successfully set!
Re: ERROR: Negotiate Authentication validating user
constant password prompt and the error
Code:
ERROR: Negotiate Authentication validating user. Error returned 'BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL'
При получении URL http://www.msn.com/ru-ru/? произошла следующая ошибка
Доступ к кэшу запрещён.
Извините, Вы не можете запросить http://www.msn.com/ru-ru/? из этого кэша до тех пор, пока не пройдёте аутентификацию.
Please contact the cache administrator if you have difficulties authenticating yourself.
Re: ERROR: Negotiate Authentication validating user
didn't help((