Re: [squid-users] Samba3 ntlm_auth Helper and Trusted Domains

From: Henk-Jan (squid) <proxy@dont-contact.us>
Date: Mon, 3 Nov 2003 23:26:18 +0100

Would this be the same for a Squid 3 environment???

Or does one ONLY use winbind?

>
> Hi Everyone,
>
> Here are just a few notes and a quick "how to" for enterprises looking
> towards migrating a (sizeable) Microsoft proxy and ISA infrastructure to
> Squid. Our requirements were to produce a Linux, Squid and Samba solution
> that provided:
>
> 1. Transparent authentication of IE clients
> 2. ACLs based on membership of a domain NT group
> 3. Support for traversing trusted domains (e.g. a resource domain model)
>
> We have managed to achieve this in a test environment where;
>
> -> The squid proxy is a member server in the Resource domain
> -> Our test users reside in domains trusted by the Resource domain
> -> Resource domain contains a domain local group RESOURCE\ProxyFullAccess
> -> Group RESOURCE\ProxyFullAccess contains user accounts from the trusted
> domains
> -> The Samba3 supplied ntlm_auth helper is used by "auth_param ntlm ..."
> -> The Squid supplied wbinfo_group.pl is used by "external_acl_type ... "
> -> Squid proxy has an ACL to allow http_access for RESOURCE\ProxyFullAccess
>
> We have used Samba 3.0.0rc2 and Squid-2.5-STABLE3 in our test environment.
> Andrew Tridgell of the Samba team provided us with a patch to make Samba
> domain local group aware WITHOUT having to be a DC for that domain. This
> patch can be found at
> http://samba.org/ftp/tridge/misc/samba3_local_groups.patch
>
> A quick "How To" for your own transparently authenticated, trusted-domain
> aware Squid proxy;
>
> 1. Download Samba-3.0.0rc2 and download the samba3_local_groups patch from
> the URL above
> 2. Patch the Samba source and then ./configure --with-winbind
> --with-winbind-auth-challenge, make and make install
> 3. Using the 'net join' command, join your resource domain, configure
> smb.conf as appropriate
> 4. Start the nmbd daemon. Start the winbindd daemon (test using wbinfo -
> you can also start winbindd with a "-i" for interactive mode)
> 5. Download Squid-2.5.STABLE3 and then
> ./configure --enable-auth=basic,ntlm
> --enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB
> --enable-ntlm-auth-helpers=SMB,fakeauth --enable-ntlm-fail-open
> --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group
> then make and make install
> 6. Relevant squid.conf bits
>
> auth_param ntlm program /opt/squid/lib/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d 3
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> external_acl_type ntgroup_helper %LOGIN /opt/squid/lib/wbinfo_group.pl
> acl proxyfullaccess external ntgroup_helper RESOURCE\ProxyFullAccess
>
> http_access allow proxyfullaccess
> http_access deny all
>
> 7. Find the location of the winbindd_privileged pipe and chgrp squid (or
> your cache_effective_group from squid.conf)
> 8. Kill any running samba daemons and start them (always) in this order -
> nmbd, winbindd and then squid
>
> And that's it! I hope this post helps someone else with a similar goal.
>
> (Many thanks to Tridge from the Samba team!)
>
> Andrew Wilshire
> IBM / Air New Zealand
> andrew.wilshire@airnz.co.nz
>
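As an added example (not part of either post), a small Python lint for the squid.conf fragment quoted above: it checks that every `acl ... external` names a helper declared by `external_acl_type`, that every http_access rule references a defined acl, that the rule list ends in `deny all` with no earlier `allow all`, and that `max_challenge_reuses` stays at 0 so an NTLM challenge is never reused. The sample config is constructed from the post; the checker's function and message strings are this example's own.

```python
# Constructed sample: the squid.conf fragment from the post, on one line per directive.
SQUID_CONF = """\
auth_param ntlm program /opt/squid/lib/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d 3
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

external_acl_type ntgroup_helper %LOGIN /opt/squid/lib/wbinfo_group.pl
acl proxyfullaccess external ntgroup_helper RESOURCE\\ProxyFullAccess

http_access allow proxyfullaccess
http_access deny all
"""


def lint_squid_conf(text):
    """Return a list of problem strings; an empty list means the fragment passes."""
    problems = []
    helpers, acls, rules = set(), set(), []
    reuses = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "external_acl_type":
            helpers.add(parts[1])
        elif parts[0] == "acl":
            acls.add(parts[1])
            # An external acl must name a helper declared above it.
            if len(parts) > 3 and parts[2] == "external" and parts[3] not in helpers:
                problems.append("acl %s uses undefined external helper %s" % (parts[1], parts[3]))
        elif parts[0] == "http_access":
            rules.append(parts[1:])
        elif parts[:3] == ["auth_param", "ntlm", "max_challenge_reuses"]:
            reuses = int(parts[3])
    # Every acl an http_access rule names must exist. "all" is skipped here:
    # Squid 3.2+ builds it in; older versions declare it elsewhere in squid.conf.
    for rule in rules:
        for name in rule[1:]:
            name = name.lstrip("!")
            if name != "all" and name not in acls:
                problems.append("http_access references undefined acl %s" % name)
    # The rule list must end with an explicit deny-all, and nothing earlier may allow everyone.
    if not rules or rules[-1] != ["deny", "all"]:
        problems.append("last http_access rule is not 'deny all'")
    if ["allow", "all"] in rules[:-1]:
        problems.append("'http_access allow all' appears before the final deny")
    # A reused NTLM challenge lets a captured response be replayed within its lifetime.
    if reuses is None or reuses != 0:
        problems.append("auth_param ntlm max_challenge_reuses should be 0")
    return problems
```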
Received on Mon Nov 03 2003 - 15:26:33 MST
