RE: [squid-users] Winbind and Windows groups

From: Simon Bryan <sbryan@dont-contact.us>
Date: Tue, 18 Feb 2003 08:19:36 +1100

Yes, I have the following:

auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 20
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minute

auth_param basic program /usr/local/bin/smb_auth -W OLMC_CD -U 10.192.0.11
auth_param basic children 5
auth_param basic realm Poxy server at OLMC
auth_param basic credentialsttl 1 hour

and from below:
authenticate_ttl 1 hour
acl password proxy_auth REQUIRED
http_access deny all !password

and the logs show the username as domain\username

I take it that this should work then?

> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: Tue, 18. February 2003 2:06 AM
> To: sbryan@olmc.nsw.edu.au
> Cc: Squid-Users
> Subject: Re: [squid-users] Winbind and Windows groups
>
>
> Have you also configured authentication? (auth_param ...)
>
> The group helpers are only responsible for verifying group membership,
> and rely on the authentication helper(s) to first verify the username
> and password.
>
> Regards
> Henrik
>
> On Mon 2003-02-17 at 06:11, Simon Bryan wrote:
> > Hi all,
> > I have sorted out most of my winbind problems at least at Samba - command
> > line level. However I still cannot get Squid to recognise the groups. The
> > relevant lines from my Squid.conf file are below.
> > Note that wbinfo -u returns the users, wbinfo -g returns the groups from the
> > domain, if I feed a correct domain+username groupname to wb_group it returns
> > 'OK' or 'ERR' as the case may be.
> > Is there anything wrong in my conf file that is obvious, or can I not do
> > this yet?
> >
> > Using SQUID snapshot from 13th Feb 03
> >
> >
> > ***************************************************************************
> > external_acl_type wb_group %LOGIN /usr/local/squid/libexec/wb_group
> > acl winauth external wb_group wwwusers
> > acl staff external wb_group Teachers
> > acl students external wb_group Students
> > authenticate_ttl 1 hour
> > authenticate_ip_ttl 300 seconds
> >
> >
> > #a list of webmail domains from Dansguardian
> > acl webmail dstdomain "/etc/dansguardian/blacklists/mail/domains"
> >
> > #some regex expressions that used to work OK with IP based acls
> > acl webmail2 urlpath_regex "/usr/local/squid/acls/webmailregex"
> >
> > acl password proxy_auth REQUIRED
> >
> > #using this as a test, if I make it a http_access deny TEST all it works
> > acl TEST dstdomain .passport.com
> >
> >
> > http_access deny redworm
> > http_access deny FTPDownloads PUT
> > http_access deny banned-url
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny CONNECT !SSL_ports
> > http_access allow CONNECT SSL_ports
> > http_access deny !Safe_ports
> > http_access deny to_localhost
> > http_access deny all !password
> > http_access deny students TEST
> > http_access deny students webmail webmail2
> > http_access allow local_servers
> > http_access allow FTPDownloads
> > http_access allow our_networks
> > http_access allow olmcwarnings
> >
> > #And finally deny all other access to this proxy
> > http_access allow all
> >
> > ***************************************************************************
> > _________________________________________
> > Simon Bryan
> > IT Manager
> > OLMC Parramata
> > ICQ#: 137562751
> > _________________________________________
> --
> Henrik Nordstrom <hno@squid-cache.org>
> MARA Systems AB, Sweden
Received on Mon Feb 17 2003 - 14:19:42 MST
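
Added example, not part of the original thread and not Squid's own wb_group: a small Python model of the exchange described above, where a line carrying a login and group name(s) goes in and OK or ERR comes back, so the acl lines can be exercised by hand without winbind. The membership table and user names are constructed, and the line is assumed to arrive in the plain space-separated form used when feeding a helper from the command line, with no escaping or encoding to undo.

```python
#!/usr/bin/env python3
"""Model of an external ACL group helper (illustrative, not Squid's wb_group)."""
import sys

# Constructed sample membership: group name -> set of DOMAIN\user logins.
# Keys and members are stored lower-case; lookups are case-insensitive.
MEMBERS = {
    "teachers": {"olmc_cd\\jsmith"},
    "students": {"olmc_cd\\akhan"},
    "wwwusers": {"olmc_cd\\jsmith", "olmc_cd\\akhan"},
}


def answer(line):
    """Return 'OK' if the login on this request line is in any named group."""
    fields = line.split()
    # A usable request carries a login followed by at least one group name.
    if len(fields) < 2 or fields[0] == "-":
        return "ERR"
    login, groups = fields[0].lower(), fields[1:]
    # A bare user name with no DOMAIN\ prefix never matches the table,
    # so it fails closed instead of being guessed into a domain.
    if any(login in MEMBERS.get(g.lower(), set()) for g in groups):
        return "OK"
    return "ERR"


def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer one request per input line until the caller closes the pipe."""
    for line in stream_in:
        stream_out.write(answer(line) + "\n")
        stream_out.flush()  # stdout is a pipe; an unflushed reply leaves the caller waiting


if __name__ == "__main__":
    serve()
```

The helper only answers the membership question; it never sees a password, so whatever login reaches it must already have been verified by the authentication helper.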
