Re: [squid-users] Need help in integrating squid and samba

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 08 Sep 2009 18:08:21 +1200

Avinash Rao wrote:
> ---------- Forwarded message ----------
> From: Avinash Rao <avinash.aol_at_gmail.com>
> Date: Tue, Sep 8, 2009 at 11:13 AM
> Subject: Re: Fwd: [squid-users] Need help in integrating squid and samba
> To: Amos Jeffries <squid3_at_treenet.co.nz>
> Cc: Henrik Nordstrom <henrik_at_henriknordstrom.net>, squid-users_at_squid-cache.org
>
>
>
>
> On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> Avinash Rao wrote:
>>> On 8/31/09, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>> Avinash Rao wrote:
>>>>
>>>>> On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom <henrik_at_henriknordstrom.net> wrote:
>>>>> sön 2009-08-23 klockan 15:08 +0530 skrev Avinash Rao:
>>>>> > I couldn't find any document that shows me how to enable wb_info
>>>>> for squid.
>>>>> > Can anybody help me?
>>>>>
>>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>>>
>>>>> acl group1 external NT_Group group1
>>>>>
>>>>>
>>>>> then use group1 whenever you want to match users belonging to that
>>>>> Windows group.
>>>>>
>>>>> Regards
>>>>> Henrik
>>>>>
>>>>>
>>>>> Hi Henrik,
>>>>>
>>>>> I have used the following in my squid.conf
>>>>>
>>>>> external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
>>>>> acl group1 external NT_Group staff
>>>>> acl net time M T W T F S S 9:00-18:00
>>>>> http_access allow net
>>>>>
>>>>> On my linux server, I have created a group called staff and made a couple
>>>>> of users a member of this group called staff. My intention is to provide
>>>>> access to users belonging to group staff on all days from morning 9am - 7PM.
>>>>> The rest should be denied.
>>>>> But this didn't work, when the Samba users login from a winxp client, it
>>>>> doesn't get access to internet at all.
>>>> There is no http_access line making any use of ACL "group1"
>>>>
>>>> And _everybody_ (me included on this side of the Internet) is allowed to use
>>>> your proxy between 9am and 6pm.
>>>>
>>>>
>>>> Amos
>>>
>>> Thanks for the reply. Ya, I missed http_access allow group1.
>>> I didn't understand your second statement; are you telling me that I
>>> should deny access to net?
>> You should combine the ACL with others on an http_access line so that it's limited to who it allows.
>>
>> This:
>> acl net time M T W T F S S 9:00-18:00
>> http_access allow net
>>
>> simply says "all requests are allowed between time X and Y".
>> Without additional controls, ie on IP address making the request, you end up with an open proxy.
>>
>> Amos

>
> Dear Amos,
>
> I am still not able to get this working. Here's what I want to
> accomplish. I have WinXP - SP2 clients logging onto the samba domain
> and LTSP users. All users use squid proxy. My intention is to control
> the samba users from accessing the internet at certain times.
>
> If I don't use the external_acl_type NT_Group as mentioned below, the
> squid works properly for all users, even windows and anybody using
> squid proxy.
>
> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
> acl group1 external NT_Group group1
>
> I have created a group called staff using net rpc command and I
> have made all the users using winxp a member of this group staff. So,
> my acl will look like
>
> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
> acl acl_name external NT_Group staff
> http_access allow staff
>
> According to my understanding, it should allow only those samba users
> which come under the group staff. But that's not happening, squid
> denies access to the internet.

_when tested_ it should be doing that. Other rules around it have an
effect that you may have overlooked.

Then again the group name is case-sensitive. The helper is OS access
permission sensitive, and NTLM auth has difficulties all of its own.

I'll need to see the whole access config to know what's going on. And
remind me what version of Squid this is.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13
Received on Tue Sep 08 2009 - 06:08:39 MDT
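
As an added example (not part of the original messages, and not Squid's own tooling): a small Python check for the mistakes discussed in this thread, namely an allow rule that matches on time alone and a group ACL that no http_access line references by its defined name. The first two sample configs are constructed from the quoted snippets; the `COMBINED` config, the `IDENTITY_TYPES` set and the treatment of `all` as predefined are assumptions of the example.

```python
# Constructed samples: the first two mirror the configs quoted in the thread.
FIRST_TRY = """\
external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl group1 external NT_Group staff
acl net time M T W T F S S 9:00-18:00
http_access allow net
"""
SECOND_TRY = """\
external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl acl_name external NT_Group staff
http_access allow staff
"""
COMBINED = """\
external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl staff external NT_Group staff
acl net time 9:00-18:00
http_access allow staff net
http_access deny all
"""
# Assumption: ACL types treated here as identifying the client; extend as needed.
IDENTITY_TYPES = {"src", "external", "proxy_auth"}

def lint(conf):
    """Return (kind, detail) findings for the acl/http_access lines in conf."""
    acls = {"all": "all"}  # assumption: 'all' is treated as predefined
    used, findings = set(), []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == "acl":
            acls.setdefault(words[1], words[2])  # repeated acl lines only add values
        elif len(words) >= 3 and words[0] == "http_access":
            names = [w.lstrip("!") for w in words[2:]]
            used.update(names)
            missing = [n for n in names if n not in acls]
            findings += [("undefined", n) for n in missing]
            # An allow rule with no identity ACL lets any client through.
            positive = [w for w in words[2:] if not w.startswith("!")]
            if (words[1] == "allow" and not missing
                    and not any(acls[n] in IDENTITY_TYPES for n in positive)):
                findings.append(("open-allow", " ".join(words[2:])))
    # External (group) ACLs that no rule references never affect access.
    findings += [("unused", n) for n, t in acls.items()
                 if t == "external" and n not in used]
    return findings

if __name__ == "__main__":
    for label, conf in [("first", FIRST_TRY), ("second", SECOND_TRY), ("combined", COMBINED)]:
        print(label, lint(conf))
```

The check only covers `acl` and `http_access` lines; it does not validate the helper path, group-name case or the authentication setup that `%LOGIN` depends on.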

This archive was generated by hypermail 2.2.0 : Tue Sep 08 2009 - 12:00:02 MDT