[squid-users] Squid NTLM, Winbind Authentication Cache Issue:

From: Joseph M Siegmann <joseph@dont-contact.us>
Date: Wed, 16 Jul 2003 11:07:12 -0400

Folks,

I need a little help to point me in the right direction. I have set up a
Squid 2.5.STABLE3 server on a RedHat 9.0 box using Samba Version
2.2.7a-security-rollup-fix. I have it so that there is one Windows global
group, 'proxydeny': when a user is in that group he CANNOT access the
web. But when he is NOT in that group the proxy will allow him access,
due to the fact that I am allowing all 'Domain Users' access.

My issue is that when I put a user in or out of the 'proxydeny' group it
will not take effect for quite a while (over an hour, haven't waited
longer), unless I restart squid and winbind. WHY is this?

Although this is not a show stopper I know it will be an issue in the
future, and I do not want to stop and restart the services every time
someone makes a change.

I need for the squid box to live on its own and have Windows
administrators do their job, and only their job, and never touch a Linux
environment. That way they simply add a user or remove a user to deny or
allow them access to the Internet.

I thought about using a cron job to stop and start the service every 20
minutes or so. But that seems like a bit of a hack if there is a real
solution to this problem.

Facts:
- Squid is functioning correctly; I have no questions on how to recompile
it or make it work with winbind. The services (squid, winbind, samba) are
functioning correctly.
- Winbindd is configured with 'disable caching' via the '-n' switch.
This seems to work correctly because I can use the wb_group program and
test if it detects the insertion or deletion of the user from the group
immediately. Or at least in the time it takes me to type the command
again (or an up arrow).
- Samba functions correctly! People can use the proxy. (But it is not
yet in production.)

Small Pieces of the configs:
/etc/samba/smb.conf
[global]
        workgroup = COMPANYX
        netbios name = WINDOWSDC
        server string = Squid Proxy
        security = DOMAIN
        encrypt passwords = Yes
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        unix password sync = Yes
        log file = /var/log/samba/%m.log
        max log size = 0
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = No
        wins server = 10.1.6.122
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind cache time = 0
        winbind use default domain = Yes
        printing = cups

/etc/squid/squid.conf
        ...
        auth_param ntlm program /usr/lib/squid/wb_ntlmauth
        auth_param ntlm children 10
        auth_param ntlm max_challenge_reuses 0
        auth_param ntlm max_challenge_lifetime 1 seconds
        external_acl_type gpuser2 %LOGIN /usr/lib/squid/wb_group
        ...
        acl nt_allow_group external gpuser2 "/etc/squid/acl/acl_allow_groups"
        acl nt_deny_group external gpuser2 "/etc/squid/acl/acl_deny_groups"
        ...
        http_access deny nt_deny_group
        http_access allow nt_allow_group
        ...
        http_access deny all
        ...

/etc/squid/acl/acl_deny_groups
        proxydeny

/etc/squid/acl/acl_allow_groups
        Domain Users

Thank you for your time and help on this matter.

Joseph M Siegmann
CISSP, CCNA, CCDA, MCSE, MCT
Received on Wed Jul 16 2003 - 09:07:15 MDT
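The delay described in the post has a second cache behind it that neither 'winbind cache time = 0' nor 'winbindd -n' touches: Squid keeps its own cache of external ACL verdicts, keyed by the helper's format string (here %LOGIN), and the external_acl_type options ttl= and negative_ttl= control it, with ttl defaulting to 3600 seconds and negative_ttl defaulting to the ttl. Because the posted external_acl_type line sets neither option, a user's allow or deny verdict can live for an hour after the group change, which matches the symptom. The following lint, an added example written for this archive page and not code from the post or from the Squid project, parses external_acl_type lines, reports the effective TTLs, and flags helpers whose cached verdicts can outlive a chosen window. The sample configuration is constructed from the posted line plus a hypothetical corrected line (the name gpuser2_nocache is invented for illustration).

```python
"""Lint Squid external_acl_type lines for result-cache TTLs.

Squid caches each external ACL lookup result (keyed by the format, here
%LOGIN) for ttl= seconds, default 3600; negative_ttl= defaults to ttl.
This cache is separate from winbind's, so smb.conf 'winbind cache time'
and 'winbindd -n' do not shorten it.
"""
import re
from dataclasses import dataclass

DEFAULT_TTL = 3600  # Squid's default ttl= for external_acl_type, in seconds

# Constructed sample: the line as posted, plus a hypothetical corrected one.
SAMPLE_CONF = """
# As posted: no ttl=, so each %LOGIN verdict is cached for 3600 s
external_acl_type gpuser2 %LOGIN /usr/lib/squid/wb_group
# Hypothetical corrected line: re-ask wb_group on every lookup
external_acl_type gpuser2_nocache ttl=0 negative_ttl=0 %LOGIN /usr/lib/squid/wb_group
"""


@dataclass
class ExternalAclType:
    name: str
    ttl: int
    negative_ttl: int
    fmt: str
    helper: str


_OPT_RE = re.compile(r"^(\w+)=(\S+)$")


def parse_external_acl_types(conf_text):
    """Return one ExternalAclType per external_acl_type directive in conf_text."""
    found = []
    for raw in conf_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "external_acl_type":
            continue  # skips blank lines, comments and other directives
        name = tokens[1]
        opts = {}
        i = 2
        # Options (key=value) sit between the name and the first %-format token.
        while i < len(tokens) and not tokens[i].startswith("%"):
            match = _OPT_RE.match(tokens[i])
            if match:
                opts[match.group(1)] = match.group(2)
            i += 1
        fmt_tokens = []
        while i < len(tokens) and tokens[i].startswith("%"):
            fmt_tokens.append(tokens[i])
            i += 1
        helper = " ".join(tokens[i:])
        ttl = int(opts.get("ttl", DEFAULT_TTL))
        negative_ttl = int(opts.get("negative_ttl", ttl))  # Squid default: same as ttl
        found.append(ExternalAclType(name, ttl, negative_ttl, " ".join(fmt_tokens), helper))
    return found


def slow_propagation(conf_text, max_seconds=60):
    """Names of helpers whose cached allow/deny verdicts can outlive max_seconds."""
    return [t.name for t in parse_external_acl_types(conf_text)
            if t.ttl > max_seconds or t.negative_ttl > max_seconds]


if __name__ == "__main__":
    for t in parse_external_acl_types(SAMPLE_CONF):
        print(f"{t.name}: ttl={t.ttl}s negative_ttl={t.negative_ttl}s "
              f"format={t.fmt} helper={t.helper}")
    print("group changes propagate slowly for:", slow_propagation(SAMPLE_CONF))
```

Run it against a real squid.conf by passing the file contents to parse_external_acl_types. Setting ttl=0 makes every request re-run wb_group against winbind, so on a busy proxy a small ttl (say 60 seconds) together with enough helper children is the usual compromise; the negative side matters too, because a user newly removed from 'proxydeny' would otherwise keep a cached deny for the full negative_ttl.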

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:18:01 MST