[squid-users] squid with Windows 2003 group filtering problem

From: Srinivasa Chary <srinivasc_nts@dont-contact.us>
Date: Mon, 31 Jan 2005 16:34:15 +0400

Hi All,

 I am getting problem when doing group filtering using from windows 2003
server.
I am using squid-2.5.STABLE3 and samba-3.0.0

 i am able to authenticate all the users perfectly with out group
varification, when i want to do group filtering it is not applying . can
some help me in implimenting the group filtering in squid using windows 2003
group.

The below are the configuration details of my squid, wbinfo_grou and samba
files.

Squid.conf:

http_port 3128
cache_effective_user squid
cache_effective_group squid
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
visible_hostname NTSP1
debug_options ALL,1 32,2 28,9

auth_param ntlm program
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

external_acl_type NT_global_group %LOGIN /etc/squid/wbinfo_group.pl

acl AllowedNTUsers external NT_global_group "/etc/squid/allowedntgroups"
acl LoggedInUsers proxy_auth REQUIRED

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow AllowedNTUsers
http_access allow LoggedInUsers
http_access deny !AllowedNTUsers
http_access deny !LoggedInUsers

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

http_reply_access allow all
icp_access allow all
coredump_dir /var/cache/squid
cache_dir ufs /var/cache/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

===========================================

smb.conf

[global]
workgroup = WK3
netbios name = WK3
realm = WK3.SERVER
security = ads
encrypt passwords = yes
password server = digital.wk3.server
# separate domain and username with /, like DOMAIN/username
winbind separator = /
# use UIDs from 10000 to 20000 for domain users
idmap uid = 10000-20000
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

======================================================
wbinfo_group.pl

# external_acl uses shell style lines in it's protocol
#require 'shellwords.pl';

# Disable output buffering
$|=1;

sub debug {
        # Uncomment this to enable debugging
        #print STDERR "@_\n";
}

#
# Check if a user belongs to a group
#
sub check {
        local($user, $group) = @_;
        $groupSID = `/usr/bin/wbinfo -n "$group"`;
        #because the new wbinfo -n returns also the group number
        #we do the following
        $groupSID = substr($groupSID,0,index($groupSID," ",0));
        $groupGID = `/usr/bin/wbinfo -Y $groupSID`;
        chop $groupGID;
        &debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-
\nGID: -$groupGID-");
# return 'OK' if(`/usr/bin/wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
        $groupmem = `/usr/bin/wbinfo -r $user`;
        if ($groupmem) {
               $groupchk = ($groupmem =~ /^$groupGID$/m);
               if ($groupchk) {
                       return 'OK';
               }
        }
        return 'ERR';
}

#
# Main loop
#
while (<STDIN>) {
        chop;
        &debug ("Got $_ from squid");
        #H1 was added by holger
        @H1=split(/\s+/, $_);
        #printf ("User:%s\n",$H1[0]);
        #printf ("Group:%s\n",$H1[1]);
        $user = $H1[0];
        $group = $H1[1];
# ($user, $group) = &shellwords;
        $ans = &check($user, $group);
        &debug ("Sending $ans to squid");
        print "$ans\n";
}

Thanks in advance

Regards,
Srinivas
Received on Mon Jan 31 2005 - 05:33:43 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:36 MST