RE: [squid-users] Winbind and Windows groups

From: Simon Bryan <sbryan@dont-contact.us>
Date: Tue, 18 Feb 2003 11:12:12 +1100

The following is in the SQUID FAQ so I thought I would try it anyway (I
currently have Samba 2.2.5), however in the Squid directories there is no
winbindd_nss.h file and in the 'helper/external_acl' directory there is no
wb_group directory

In the snapshot from 20030123, the winbindd_nss file exists in the first two
directories but the wb_group directory is also not there.

Have there been changes in this area and if so would they be affecting my
problem? Have re-built with the 20030123 snapshot but there is no change.

"Squid-2.5.STABLE1 works with Samba 2.2.4 or 2.2.5. With Samba 2.2.6,
the winbindd interface changed and Squid 2.5.STABLE1 will not work as
distributed. Replacing the winbindd_nss.h file in Squid's
helpers/basic_auth/winbind, helpers/ntlm_auth/winbind and
helpers/external_acl/wb_group/ directories with the version in Samba's
source/nsswitch directory is needed for the helpers to work properly."

> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: Tue, 18. February 2003 9:07 AM
> To: sbryan@olmc.nsw.edu.au
> Subject: Re: [squid-users] Winbind and Windows groups
>
>
> Looks fine from what I can tell, and should work..
>
> But your http_access rules are a bit complex I think, but no
> immediately obvious errors except for the "allow CONNECT ..." thing
> which may override later filters if using https://..
>
> Regards
> Henrik
>
>
>
> On Monday 17 February 2003 22.19, you wrote:
> > yes, I have the following:
> >
> > auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
> > auth_param ntlm children 20
> > auth_param ntlm max_challenge_reuses 0
> > auth_param ntlm max_challenge_lifetime 2 minute
> >
> > auth_param basic program /usr/local/bin/smb_auth -W OLMC_CD -U 10.192.0.11
> > auth_param basic children 5
> > auth_param basic realm Poxy server at OLMC
> > auth_param basic credentialsttl 1 hour
> >
> > and from below:
> > authenticate_ttl 1 hour
> > acl password proxy_auth REQUIRED
> > http_access deny all !password
> >
> > and the logs show the username as domain\username
> >
> > I take it that this should work then?
> >
> > > -----Original Message-----
> > > From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> > > Sent: Tue, 18. February 2003 2:06 AM
> > > To: sbryan@olmc.nsw.edu.au
> > > Cc: Squid-Users
> > > Subject: Re: [squid-users] Winbind and Windows groups
> > >
> > >
> > > Have you also configured authentication? (auth_param ...)
> > >
> > > The group helpers are only responsible for verifying group
> > > membership, and rely on the authentication helper(s) to first
> > > verify the username and password.
> > >
> > > Regards
> > > Henrik
> > >
> > > Mon 2003-02-17 at 06.11, Simon Bryan wrote:
> > > > Hi all,
> > > > I have sorted out most of my winbind problems at least at Samba - command
> > > > line level. However I still cannot get Squid to recognise the groups. The
> > > > relevant lines from my Squid.conf file are below.
> > > > Note that wbinfo -u returns the users, wbinfo -g returns the groups from the
> > > > domain, if I feed a correct domain+username groupname to wb_group it returns
> > > > 'OK' or 'ERR' as the case may be.
> > > > Is there anything wrong in my conf file that is obvious, or can
> > > > I not do this yet?
> > > >
> > > > Using SQUID snapshot from 13th Feb 03
> > >
> > > *****************************************************************
> > >* *********
> > >
> > > > external_acl_type wb_group %LOGIN /usr/local/squid/libexec/wb_group
> > > > acl winauth external wb_group wwwusers
> > > > acl staff external wb_group Teachers
> > > > acl students external wb_group Students
> > > > authenticate_ttl 1 hour
> > > > authenticate_ip_ttl 300 seconds
> > > >
> > > >
> > > > #a list of webmail domains from Dansguardian
> > > > acl webmail dstdomain "/etc/dansguardian/blacklists/mail/domains"
> > > >
> > > > #some regex expressions that used to work OK with IP based acls
> > > > acl webmail2 urlpath_regex "/usr/local/squid/acls/webmailregex"
> > > >
> > > > acl password proxy_auth REQUIRED
> > > >
> > > > #using this as a test, if I make it a http_access deny TEST all it works
> > > > acl TEST dstdomain .passport.com
> > > >
> > > >
> > > > http_access deny redworm
> > > > http_access deny FTPDownloads PUT
> > > > http_access deny banned-url
> > > > http_access allow manager localhost
> > > > http_access deny manager
> > > > http_access deny CONNECT !SSL_ports
> > > > http_access allow CONNECT SSL_ports
> > > > http_access deny !Safe_ports
> > > > http_access deny to_localhost
> > > > http_access deny all !password
> > > > http_access deny students TEST
> > > > http_access deny students webmail webmail2
> > > > http_access allow local_servers
> > > > http_access allow FTPDownloads
> > > > http_access allow our_networks
> > > > http_access allow olmcwarnings
> > > >
> > > > #And finally deny all other access to this proxy
> > > > http_access allow all
> > >
> > > *****************************************************************
> > >* **********
> > >
> > > > **************
> > > > _________________________________________
> > > > Simon Bryan
> > > > IT Manager
> > > > OLMC Parramata
> > > > ICQ#: 137562751
> > > > _________________________________________
> > >
> > > --
> > > Henrik Nordstrom <hno@squid-cache.org>
> > > MARA Systems AB, Sweden
Received on Mon Feb 17 2003 - 17:12:20 MST
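
Added example (not part of the original messages, and not Squid code): a small first-match evaluator showing the remark about "allow CONNECT ..." overriding later filters for https://. The rule order follows the quoted squid.conf; the ACL stub, the SSL_ports/Safe_ports port numbers, the user name and the REORDERED list are assumptions made for illustration.

```python
# Added example: first-match evaluation of http_access, as Squid does it.
# ORIGINAL keeps the rule order from the quoted squid.conf (rules on ACLs not
# relevant to the CONNECT remark are omitted). ACL matching is a stub over
# constructed requests; SSL_ports = 443 and Safe_ports = 80/443 are assumptions.
ORIGINAL = [
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["CONNECT", "SSL_ports"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["all", "!password"]),
    ("deny", ["students", "TEST"]),
    ("allow", ["all"]),
]
# One possible correction (not from the thread): drop the early CONNECT allow
# so tunnels fall through to the authentication and group rules.
REORDERED = [r for r in ORIGINAL if r != ("allow", ["CONNECT", "SSL_ports"])]

def matched_acls(req):
    """Names of the ACLs a constructed request satisfies."""
    acls = {"all"}
    if req["method"] == "CONNECT":
        acls.add("CONNECT")
    if req["port"] == 443:
        acls.add("SSL_ports")
    if req["port"] in (80, 443):
        acls.add("Safe_ports")
    if req.get("user"):                      # proxy_auth REQUIRED satisfied
        acls.add("password")
    if req.get("group") == "Students":       # what wb_group would answer OK for
        acls.add("students")
    if req["host"].endswith(".passport.com"):
        acls.add("TEST")
    return acls

def decide(req, rules):
    """Return (action, 1-based rule number) of the first rule whose ACLs all match."""
    have = matched_acls(req)
    for n, (action, names) in enumerate(rules, 1):
        if all((x[1:] not in have) if x.startswith("!") else (x in have) for x in names):
            return action, n
    # No rule matched: Squid applies the opposite of the last rule's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), 0

student_https = {"method": "CONNECT", "host": "login.passport.com", "port": 443,
                 "user": "OLMC_CD\\student1", "group": "Students"}  # constructed
student_http = dict(student_https, method="GET", port=80)
```

With ORIGINAL, the student's plain HTTP request reaches "deny students TEST", while the same destination over CONNECT is accepted at rule 2 before authentication or group membership is consulted.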
