Re: [squid-users] Winbind and Windows groups

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 18 Feb 2003 09:25:37 +0100

For the current snapshots you need to see the information regarding
Squid-2.5.STABLE2. What is said about Squid-2.5.STABLE1 does not
apply to the current snapshots as the solution for 2.5.STABLE2 is
already in place there.

When you use a snapshot it is recommended to look at the Known
Bugs page and the ChangeLog to get a view of what has changed since
the last STABLE release.

The wb_group directory should read winbind_group. Fixing.

Regards
Henrik

On Tuesday 18 February 2003 01.12, Simon Bryan wrote:
> The following is in the SQUID FAQ so I thought I would try it
> anyway (I currently have Samba 2.2.5), however in the Squid
> directories there is no winbindd_nss.h file and in the
> 'helper/external_acl' directory there is no wb_group directory
>
> In the snapshot from 20030123, the winbindd_nss file exists in the
> first two directories but the wb_group directory is also not there.
>
> Have there been changes in this area and if so would they be
> affecting my problem? Have re-built with the 20030123 snapshot but
> there is no change.
>
>
>
> "Squid-2.5.STABLE1 works with Samba 2.2.4 or 2.2.5. With Samba
> 2.2.6, the winbindd interface changed and Squid 2.5.STABLE1 will
> not work as distributed. Replacing the winbindd_nss.h file in
> Squid's helpers/basic_auth/winbind, helpers/ntlm_auth/winbind and
> helpers/external_acl/wb_group/ directories with the version in
> Samba's source/nsswitch directory is needed for the helpers to work
> properly."
>
> > -----Original Message-----
> > From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> > Sent: Tue, 18. February 2003 9:07 AM
> > To: sbryan@olmc.nsw.edu.au
> > Subject: Re: [squid-users] Winbind and Windows groups
> >
> >
> > Looks fine from what I can tell, and should work..
> >
> > But your http_access rules are a bit complex I think, but no
> > immediately obvious errors except for the "allow CONNECT ..."
> > thing which may override later filters if using https://..
> >
> > Regards
> > Henrik
> >
> > On Monday 17 February 2003 22.19, you wrote:
> > > yes, I have the following:
> > >
> > > auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
> > > auth_param ntlm children 20
> > > auth_param ntlm max_challenge_reuses 0
> > > auth_param ntlm max_challenge_lifetime 2 minute
> > >
> > > auth_param basic program /usr/local/bin/smb_auth -W OLMC_CD -U 10.192.0.11
> > > auth_param basic children 5
> > > auth_param basic realm Poxy server at OLMC
> > > auth_param basic credentialsttl 1 hour
> > >
> > > and from below:
> > > authenticate_ttl 1 hour
> > > acl password proxy_auth REQUIRED
> > > http_access deny all !password
> > >
> > > and the logs show the username as domain\username
> > >
> > > I take it that this should work then?
> > >
> > > > -----Original Message-----
> > > > From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> > > > Sent: Tue, 18. February 2003 2:06 AM
> > > > To: sbryan@olmc.nsw.edu.au
> > > > Cc: Squid-Users
> > > > Subject: Re: [squid-users] Winbind and Windows groups
> > > >
> > > >
> > > > Have you also configured authentication? (auth_param ...)
> > > >
> > > > The group helpers are only responsible for verifying group
> > > > membership, and rely on the authentication helper(s) to
> > > > first verify the username and password.
> > > >
> > > > Regards
> > > > Henrik
> > > >
> > > > Mon 2003-02-17 at 06.11, Simon Bryan wrote:
> > > > > Hi all,
> > > > > I have sorted out most of my winbind problems at least at
> > > > > Samba - command line level. However I still cannot get
> > > > > Squid to recognise the groups. The relevant lines from my
> > > > > Squid.conf file are below.
> > > > > Note that wbinfo -u returns the users, wbinfo -g returns
> > > > > the groups from the domain, if I feed a correct
> > > > > domain+username groupname to wb_group it returns
> > > > > 'OK' or 'ERR' as the case may be.
> > > > > Is there anything wrong in my conf file that is obvious, or
> > > > > can I not do this yet?
> > > > >
> > > > > Using SQUID snapshot from 13th Feb 03
> > > >
> > > > > ********************************************************
> > > >
> > > > > external_acl_type wb_group %LOGIN /usr/local/squid/libexec/wb_group
> > > > > acl winauth external wb_group wwwusers
> > > > > acl staff external wb_group Teachers
> > > > > acl students external wb_group Students
> > > > > authenticate_ttl 1 hour
> > > > > authenticate_ip_ttl 300 seconds
> > > > >
> > > > >
> > > > > #a list of webmail domains from Dansguardian
> > > > > acl webmail dstdomain "/etc/dansguardian/blacklists/mail/domains"
> > > > >
> > > > > #some regex expressions that used to work OK with IP based acls
> > > > > acl webmail2 urlpath_regex "/usr/local/squid/acls/webmailregex"
> > > > >
> > > > > acl password proxy_auth REQUIRED
> > > > >
> > > > > #using this as a test, if I make it a http_access deny TEST all it works
> > > > > acl TEST dstdomain .passport.com
> > > > >
> > > > >
> > > > > http_access deny redworm
> > > > > http_access deny FTPDownloads PUT
> > > > > http_access deny banned-url
> > > > > http_access allow manager localhost
> > > > > http_access deny manager
> > > > > http_access deny CONNECT !SSL_ports
> > > > > http_access allow CONNECT SSL_ports
> > > > > http_access deny !Safe_ports
> > > > > http_access deny to_localhost
> > > > > http_access deny all !password
> > > > > http_access deny students TEST
> > > > > http_access deny students webmail webmail2
> > > > > http_access allow local_servers
> > > > > http_access allow FTPDownloads
> > > > > http_access allow our_networks
> > > > > http_access allow olmcwarnings
> > > > >
> > > > > #And finally deny all other access to this proxy
> > > > > http_access allow all
> > > >
> > > > > ********************************************************
> > > > > _________________________________________
> > > > > Simon Bryan
> > > > > IT Manager
> > > > > OLMC Parramata
> > > > > ICQ#: 137562751
> > > > > _________________________________________
> > > >
> > > > --
> > > > Henrik Nordstrom <hno@squid-cache.org>
> > > > MARA Systems AB, Sweden
Received on Tue Feb 18 2003 - 01:24:44 MST
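
The ordering remark in the quoted reply (the "allow CONNECT ..." rule sitting ahead of the later filters), as an added example that is not part of the original messages: a small Python model of Squid's first-match http_access evaluation over the rule list posted in the thread. The ACL definitions are not shown on the page, so each request is a constructed set of ACL names assumed to match it, and the NO_EARLY_ALLOW variant is a hypothetical adjustment, not one proposed in the thread.

```python
# Added illustration, not from the thread: first-match http_access evaluation.
RULES_TEXT = """\
http_access deny redworm
http_access deny FTPDownloads PUT
http_access deny banned-url
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
http_access deny !Safe_ports
http_access deny to_localhost
http_access deny all !password
http_access deny students TEST
http_access deny students webmail webmail2
http_access allow local_servers
http_access allow FTPDownloads
http_access allow our_networks
http_access allow olmcwarnings
http_access allow all
"""

def parse(text):
    """Turn http_access lines into (action, [acl terms]) in file order."""
    rows = (line.split() for line in text.splitlines())
    return [(f[1], f[2:]) for f in rows if len(f) > 2 and f[0] == "http_access"]

def term_matches(term, matched):
    """One ACL term; a leading '!' negates it and 'all' always matches."""
    name = term.lstrip("!")
    return (name == "all" or name in matched) != term.startswith("!")

def evaluate(rules, matched):
    """First rule whose terms all match decides; later rules are not consulted."""
    for action, terms in rules:
        if all(term_matches(t, matched) for t in terms):
            return action, " ".join(["http_access", action] + terms)
    return None, None

RULES = parse(RULES_TEXT)
# Hypothetical variant: the CONNECT allow removed so tunnels fall through to auth.
NO_EARLY_ALLOW = [r for r in RULES if r != ("allow", ["CONNECT", "SSL_ports"])]
# Constructed requests, described by the ACL names assumed to match them.
HTTPS_NO_AUTH = {"CONNECT", "SSL_ports", "Safe_ports"}
STUDENT_WEBMAIL = {"Safe_ports", "password", "students", "webmail", "webmail2"}

if __name__ == "__main__":
    for rules in (RULES, NO_EARLY_ALLOW):
        for request in (HTTPS_NO_AUTH, STUDENT_WEBMAIL):
            print(sorted(request), "->", evaluate(rules, request))
```

With the list as posted, the unauthenticated CONNECT request is decided by the CONNECT allow before the proxy_auth and group rules are reached; in the variant it is decided by "deny all !password".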