Hi everyone,
I have Squid configured with Winbind 3.x to do NTLM authentication to
only allow a limited subset of sites to people who are not in an
"Internet access" group.
Everything works OK - users in the group can access everything, users in
the group can access only the sites in the allowedsites list, except the
case where a limited user tried to access a site they don't have access
to, both IE and Firefox pop up a dialog asking for credentials, instead
of failing them with an "Access denied" message.
On another machine using Winbind 2.x I have a similar configuration with
the old helpers, and it does fail the way I want. It was using
'external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group -c'
however, instead of 'proxy_auth'. Can I make the browsers work how I
want with the new method?
Relevant config sections:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="DOMAIN\\Internet"
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
acl allowedsites dstdomain "/etc/squid/allowedsites"
acl fullusers proxy_auth REQUIRED
http_access allow localhost
http_access allow allowedsites
http_access allow fullusers
http_access deny all
Thanks,
Craig
Received on Wed Jun 08 2005 - 18:09:30 MDT
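
One way to get an "Access denied" page instead of a credentials prompt, shown as an added example that is not part of the original post: let ntlm_auth accept every valid domain login and test group membership in a separate external ACL, so a limited user is authenticated first and then refused by a rule that does not end in an authentication ACL. The wbinfo_group.pl path and the ACL names nt_group and authenticated are assumptions.

```conf
# Added example, not the poster's configuration. The helper path and the
# ACL names nt_group / authenticated are assumptions; adjust locally.

# 1. Authenticate any valid domain user. Without
#    --require-membership-of, a login from outside the group is accepted
#    by the helper instead of rejected; a rejected login is what makes
#    the browser ask for credentials again.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

# 2. Check group membership as a separate step after authentication.
#    wbinfo_group.pl is the Winbind group helper shipped with Squid
#    (install path assumed).
external_acl_type nt_group %LOGIN /usr/lib/squid/wbinfo_group.pl

acl allowedsites dstdomain "/etc/squid/allowedsites"
acl authenticated proxy_auth REQUIRED
acl fullusers external nt_group Internet

http_access allow localhost
http_access allow allowedsites
# Clients that have not authenticated yet get the 407 challenge here.
http_access deny !authenticated
# Authenticated members of the group get full access.
http_access allow fullusers
# Authenticated non-members fall through to this line. Its last ACL is
# "all", not an authentication ACL, so Squid answers with the
# "Access denied" error page rather than another 407.
http_access deny all
```

As in the original rules, requests to allowedsites are still permitted before any authentication takes place.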