Index: external_acl/winbind_group/readme.txt =================================================================== RCS file: /cvsroot/squid/squid/helpers/external_acl/winbind_group/readme.txt,v retrieving revision 1.1.6.2 diff -u -p -r1.1.6.2 readme.txt --- external_acl/winbind_group/readme.txt 8 Sep 2002 21:46:09 -0000 1.1.6.2 +++ external_acl/winbind_group/readme.txt 27 Apr 2003 06:55:01 -0000 @@ -9,17 +9,22 @@ It reads from the standard input the dom and tries to match it against the groups membership of the specified username. -For Winbindd configuration, look the Squid winbind authenticators -instructions. +Before compile or configure it, look at the Squid winbind authenticators +instructions: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5 + +When used in Windows 2000 domains, permissions compatible with pre-Windows +2000 servers are required. See the Q257988 Microsoft KB article for more +details. ============== Program Syntax ============== -wb_group [-d][-h] +wb_group [-c][-d][-h] --d enable debug mode +-c use case insensitive compare +-d enable debugging -h this message @@ -38,12 +43,22 @@ http_access deny all In the previous example all validated NT users member of ProxyUsers Global domain group are allowed to use the cache. -Groups with spaces in name must be quoted, for example "Domain Users" +Groups with spaces in name, for example "Domain Users", must be quoted and +the acl data ("Domain Users") must be placed into a separate file included +by specifying "/path/to/file". The previous example will be: -NOTE: the group name comparation is case sensitive, so group name -must be specified with same case as in the NT/2000 Domain. +acl ProxyUsers external NT_global_group "/usr/local/squid/etc/DomainUsers" -Refer to Squid documentation for the more details on squid.conf. +and the DomainUsers files will contain only the following line: + +"Domain Users" + + +NOTE: the standard group name comparation is case sensitive, so group name +must be specified with same case as in the NT/2000 Domain. +It's possible to enable not case sensitive group name comparation (-c), +but on on some non - English locales, the results can be unexpected. +For details see toupper man page, BUGS section. ======= @@ -62,6 +77,9 @@ Test that entering no details does not r Test that entering an invalid username and group results in an ERR message. Test that entering an valid username and group results in an OK message. +To check winbind functionality use wbinfo provided with Samba, +try -t, -g and -r options. + -- Serassio Guido -squidnt@serassio.it +guido.serassio@acmeconsulting.it Index: external_acl/winbind_group/wb_check_group.c =================================================================== RCS file: /cvsroot/squid/squid/helpers/external_acl/winbind_group/wb_check_group.c,v retrieving revision 1.2.2.8 diff -u -p -r1.2.2.8 wb_check_group.c --- external_acl/winbind_group/wb_check_group.c 12 Feb 2003 03:21:00 -0000 1.2.2.8 +++ external_acl/winbind_group/wb_check_group.c 27 Apr 2003 06:55:01 -0000 @@ -1,9 +1,49 @@ /* - * $Id$ + * winbind_group: lookup group membership in a Windows NT/2000 domain + * + * (C)2002,2003 Guido Serassio - Acme Consulting S.r.l. + * + * Authors: + * Guido Serassio + * Acme Consulting S.r.l., Italy + * + * With contributions from others mentioned in the change history section + * below. + * + * In part based on check_group by Rodrigo Albani de Campos and wbinfo + * from Samba Project. + * + * Dependencies: Samba 2.2.4 or later with Winbindd. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. + * + * History: + * + * Version 1.10 + * 26-04-2003 Guido Serassio + * Added option for case insensitive group name comparation. + * More debug info. + * Updated documentation. + * 21-03-2003 Nicolas Chaillot + * Segfault bug fix (Bugzilla #574) + * Version 1.0 + * 02-07-2002 Guido Serassio + * Using the main function from check_group and sections + * from wbinfo wrote winbind_group * * This is a helper for the external ACL interface for Squid Cache - * Copyright (C) 2002 Guido Serassio - * Based on previous work of Rodrigo Albani de Campos * * It reads from the standard input the domain username and a list of * groups and tries to match it against the groups membership of the @@ -12,22 +52,6 @@ * Returns `OK' if the user belongs to a group or `ERR' otherwise, as * described on http://devel.squid-cache.org/external_acl/config.html * - * Requires Samba 2.2.4 or later with Winbindd. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. - * */ #include "wbntlm.h" #include "util.h" @@ -45,6 +69,7 @@ char debug_enabled=0; char *myname; pid_t mypid; +int use_case_insensitive_compare=0; NSS_STATUS winbindd_request(int req_type, struct winbindd_request *request, @@ -96,6 +121,11 @@ strwordtok(char *buf, char **t) } +int strCaseCmp (const char *s1, const char *s2) +{ + while (*s1 && toupper (*s1) == toupper (*s2)) s1++, s2++; + return *s1 - *s2; +} /* Convert sid to string */ @@ -121,7 +151,6 @@ char * wbinfo_lookupsid(char * group, ch return group; } - /* Convert gid to sid */ char * wbinfo_gid_to_sid(char * sid, gid_t gid) @@ -152,7 +181,7 @@ static inline int strcmparray(const char { while (*array) { debug("Windows group: %s, Squid group: %s\n", str, *array); - if (strcmp(str, *array) == 0) + if ((use_case_insensitive_compare ? strCaseCmp(str, *array) : strcmp(str, *array)) == 0) return 0; array++; } @@ -180,8 +209,10 @@ Valid_Groups(char *UserName, const char result = winbindd_request(WINBINDD_GETGROUPS, &request, &response); - if (result != NSS_STATUS_SUCCESS) + if (result != NSS_STATUS_SUCCESS) { + warn("Warning: Can't enum user groups.\n"); return match; + } for (i = 0; i < response.data.num_entries; i++) { if ((wbinfo_gid_to_sid(sid, (int)((gid_t *)response.extra_data)[i])) != NULL) { @@ -204,7 +235,8 @@ Valid_Groups(char *UserName, const char static void usage(char *program) { - fprintf(stderr,"Usage: %s [-d] [-h]\n" + fprintf(stderr,"Usage: %s [-c] [-d] [-h]\n" + " -c use case insensitive compare\n" " -d enable debugging\n" " -h this message\n", program); @@ -216,8 +248,11 @@ process_options(int argc, char *argv[]) int opt; opterr = 0; - while (-1 != (opt = getopt(argc, argv, "dh"))) { + while (-1 != (opt = getopt(argc, argv, "cdh"))) { switch (opt) { + case 'c': + use_case_insensitive_compare = 1; + break; case 'd': debug_enabled = 1; break; @@ -265,6 +300,8 @@ main (int argc, char *argv[]) debug("External ACL winbindd group helper build " __DATE__ ", " __TIME__ " starting up...\n"); + if (use_case_insensitive_compare) + debug("Warning: running in case insensitive mode !!!\n"); /* Main Loop */ while (fgets (buf, BUFSIZE, stdin)) @@ -294,6 +331,11 @@ main (int argc, char *argv[]) for (n = 0; (group = strwordtok(NULL, &t)) != NULL; n++) groups[n] = group; groups[n] = NULL; + + if (NULL == username) { + warn("Invalid Request\n"); + goto error; + } if (Valid_Groups(username, groups)) { printf ("OK\n");