Re: [squid-users] Winbind and Windows groups

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 19 Feb 2003 08:25:39 +0100

http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

third paragraph under "supported samba releases".

    'Squid-2.5.STABLE2 will support Samba-2.2.6 to Samba-2.2.7a and
hopefully later Samba versions. To use Squid-2.5.STABLE2 with Samba
versions 2.2.5 or earlier the new --with-samba-sources=... configure
option is required. This may also be the case with Samba-2.2.X
versions later than 2.2.7a or if you have applied any winbind related
patches to your Samba tree.'

Regards
Henrik

On Wednesday 19 February 2003 00.10, Simon Bryan wrote:
> OK, I know about the Changelog, but where is the info on STABLE2, I
> only see references to STABLE1 on the Squid site.
>
> > -----Original Message-----
> > From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> > Sent: Tue, 18. February 2003 7:26 PM
> > To: sbryan@olmc.nsw.edu.au
> > Cc: Squid-Users
> > Subject: Re: [squid-users] Winbind and Windows groups
> >
> >
> > For the current snapshots you need to see the information
> > regarding Squid-2.5.STABLE2. What is said about Squid-2.5.STABLE1
> > does not apply to the current snapshots as the solution for
> > 2.5.STABLE2 is already in place there.
> >
> > When you use a snapshot it is recommended to look into the
> > Known Bugs page and the ChangeLog to get a view of what has
> > changed since the last STABLE release.
> >
> > The wb_group directory should read winbind_group. Fixing.
> >
> > Regards
> > Henrik
> >
> > On Tuesday 18 February 2003 01.12, Simon Bryan wrote:
> > > The following is in the SQUID FAQ so I thought I would try it
> > > anyway (I currently have Samba 2.2.5), however in the Squid
> > > directories there is no winbindd_nss.h file and in the
> > > 'helper/external_acl' directory there is no wb_group directory
> > >
> > > In the snapshot from 20030123, the winbindd_nss file exists in
> > > the first two directories but the wb_group directory is also
> > > not there.
> > >
> > > Have there been changes in this area and if so would they be
> > > affecting my problem? Have re-built with the 20030123 snapshot
> > > but there is no change.
> > >
> > >
> > >
> > > "Squid-2.5.STABLE1 works with Samba 2.2.4 or 2.2.5. With
> > > Samba 2.2.6, the winbindd interface changed and Squid
> > > 2.5.STABLE1 will not work as distributed. Replacing the
> > > winbindd_nss.h file in Squid's
> > > helpers/basic_auth/winbind, helpers/ntlm_auth/winbind and
> > > helpers/external_acl/wb_group/ directories with the version in
> > > Samba's source/nsswitch directory is needed for the helpers to
> > > work properly."
> > >
> > > > -----Original Message-----
> > > > From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> > > > Sent: Tue, 18. February 2003 9:07 AM
> > > > To: sbryan@olmc.nsw.edu.au
> > > > Subject: Re: [squid-users] Winbind and Windows groups
> > > >
> > > >
> > > > Looks fine from what I can tell, and should work..
> > > >
> > > > But your http_access rules are a bit complex I think, but no
> > > > immediately obvious errors except for the "allow CONNECT ..."
> > > > thing which may override later filters if using https://..
> > > >
> > > > Regards
> > > > Henrik
> > > >
> > > > On Monday 17 February 2003 22.19, you wrote:
> > > > > yes, I have the following:
> > > > >
> > > > > > auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
> > > > > > auth_param ntlm children 20
> > > > > > auth_param ntlm max_challenge_reuses 0
> > > > > > auth_param ntlm max_challenge_lifetime 2 minute
> > > > > >
> > > > > > auth_param basic program /usr/local/bin/smb_auth -W OLMC_CD -U 10.192.0.11
> > > > > > auth_param basic children 5
> > > > > > auth_param basic realm Poxy server at OLMC
> > > > > > auth_param basic credentialsttl 1 hour
> > > > >
> > > > > and from below:
> > > > > authenticate_ttl 1 hour
> > > > > acl password proxy_auth REQUIRED
> > > > > http_access deny all !password
> > > > >
> > > > > and the logs show the username as domain\username
> > > > >
> > > > > I take it that this should work then?
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> > > > > > Sent: Tue, 18. February 2003 2:06 AM
> > > > > > To: sbryan@olmc.nsw.edu.au
> > > > > > Cc: Squid-Users
> > > > > > Subject: Re: [squid-users] Winbind and Windows groups
> > > > > >
> > > > > >
> > > > > > Have you also configured authentication? (auth_param ...)
> > > > > >
> > > > > > The group helpers are only responsible for verifying
> > > > > > > group membership, and rely on the authentication
> > > > > > helper(s) to first verify the username and password.
> > > > > >
> > > > > > Regards
> > > > > > Henrik
> > > > > >
> > > > > > > Mon 2003-02-17 at 06.11, Simon Bryan wrote:
> > > > > > > > Hi all,
> > > > > > > > I have sorted out most of my winbind problems at least
> > > > > > > > at Samba - command line level. However I still cannot
> > > > > > > > get Squid to recognise the groups. The relevant lines
> > > > > > > > from my Squid.conf file are below.
> > > > > > > > Note that wbinfo -u returns the users, wbinfo -g
> > > > > > > > returns the groups from the domain, if I feed a correct
> > > > > > > > domain+username groupname to wb_group it returns
> > > > > > > > 'OK' or 'ERR' as the case may be.
> > > > > > > > Is there anything wrong in my conf file that is
> > > > > > > > obvious, or can I not do this yet?
> > > > > > >
> > > > > > > Using SQUID snapshot from 13th Feb 03
> > > > > >
> > > > > > *********************************************************
> > > > > >**** **** * *********
> > > > > >
> > > > > > > external_acl_type wb_group %LOGIN
> > > > > > > /usr/local/squid/libexec/wb_group acl winauth external
> > > > > > > wb_group wwwusers
> > > > > > > acl staff external wb_group Teachers
> > > > > > > acl students external wb_group Students
> > > > > > > authenticate_ttl 1 hour
> > > > > > > authenticate_ip_ttl 300 seconds
> > > > > > >
> > > > > > >
> > > > > > > #a list of webmail domains from Dansguardian
> > > > > > > > acl webmail dstdomain "/etc/dansguardian/blacklists/mail/domains"
> > > > > > >
> > > > > > > > #some regex expressions that used to work OK with IP based acls
> > > > > > > > acl webmail2 urlpath_regex "/usr/local/squid/acls/webmailregex"
> > > > > > >
> > > > > > > acl password proxy_auth REQUIRED
> > > > > > >
> > > > > > > > #using this as a test, if I make it a http_access deny TEST all it works
> > > > > > > > acl TEST dstdomain .passport.com
> > > > > > >
> > > > > > >
> > > > > > > http_access deny redworm
> > > > > > > http_access deny FTPDownloads PUT
> > > > > > > http_access deny banned-url
> > > > > > > http_access allow manager localhost
> > > > > > > http_access deny manager
> > > > > > > http_access deny CONNECT !SSL_ports
> > > > > > > http_access allow CONNECT SSL_ports
> > > > > > > http_access deny !Safe_ports
> > > > > > > http_access deny to_localhost
> > > > > > > http_access deny all !password
> > > > > > > http_access deny students TEST
> > > > > > > http_access deny students webmail webmail2
> > > > > > > http_access allow local_servers
> > > > > > > http_access allow FTPDownloads
> > > > > > > http_access allow our_networks
> > > > > > > http_access allow olmcwarnings
> > > > > > >
> > > > > > > #And finally deny all other access to this proxy
> > > > > > > http_access allow all
> > > > > >
> > > > > > *********************************************************
> > > > > >**** **** * **********
> > > > > >
> > > > > > > **************
> > > > > > > _________________________________________
> > > > > > > Simon Bryan
> > > > > > > IT Manager
> > > > > > > OLMC Parramata
> > > > > > > ICQ#: 137562751
> > > > > > > _________________________________________
> > > > > >
> > > > > > --
> > > > > > Henrik Nordstrom <hno@squid-cache.org>
> > > > > > MARA Systems AB, Sweden
Received on Wed Feb 19 2003 - 00:25:02 MST
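
Added example, not part of the original thread: a small first-match evaluator run over the http_access lines posted above, showing the point in Henrik's remark that "allow CONNECT ..." may override later filters for https:// requests. The request's ACL set and the FIXED variant are constructed assumptions, and the evaluator models only rule ordering, not Squid's ACL types.

```python
# http_access lines as posted in the thread; Squid stops at the first matching line.
POSTED = """\
http_access deny redworm
http_access deny FTPDownloads PUT
http_access deny banned-url
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
http_access deny !Safe_ports
http_access deny to_localhost
http_access deny all !password
http_access deny students TEST
http_access deny students webmail webmail2
http_access allow local_servers
http_access allow FTPDownloads
http_access allow our_networks
http_access allow olmcwarnings
http_access allow all
"""

# Assumed correction (not from the thread): drop the early blanket allow.
FIXED = POSTED.replace("http_access allow CONNECT SSL_ports\n", "")

# Constructed request: an authenticated student doing CONNECT to *.passport.com:443.
STUDENT_CONNECT = {"all", "CONNECT", "SSL_ports", "Safe_ports",
                   "password", "students", "TEST", "our_networks"}

def parse(conf):
    """Return [(action, [acl, ...])] for each http_access line."""
    lines = (l.split() for l in conf.splitlines())
    return [(p[1], p[2:]) for p in lines if len(p) > 2 and p[0] == "http_access"]

def decide(rules, true_acls):
    """ACLs on a line are ANDed, '!' negates; returns (action, line, ACLs consulted)."""
    consulted = set()
    for action, acls in rules:
        for acl in acls:
            name = acl.lstrip("!")
            consulted.add(name)
            if (name in true_acls) == acl.startswith("!"):
                break  # this ACL is false, so the line does not match
        else:
            return action, " ".join(acls), consulted
    return ("deny" if rules[-1][0] == "allow" else "allow"), None, consulted

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(label, decide(parse(conf), STUDENT_CONNECT)[:2])
```

With the posted order the CONNECT request is allowed before the proxy_auth and group ACLs are ever consulted; with the early allow removed it reaches "deny students TEST".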

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:28 MST