[Samba] Re: samba 3.0.20 + squid 2.5 : automatic logon with internetexplorer

Rodolphe A. rodolphedj at gmail.com
Mon Jun 26 16:58:55 GMT 2006


Thanks for the answer.

My problem:

After starting winbind, I tested:
#/usr/bin/ntlm_auth "PARIS.VISEO.NET" --username=root
NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)

The Squid server is the Samba PDC.

"Robert Schetterer" <robert at schetterer.org> wrote in message
news:449FA0DE.3070000 at schetterer.org...
>
> Rodolphe A. wrote:
> > Hello,
> >
> > Samba is set up as a PDC with LDAP.
> >
> > client: Windows XP Pro SP2
> > server: Samba 3.0.20 + OpenLDAP 2.2 + Squid 2.5STABLE14 + squidGuard
> >
> > Is it possible to create an automatic logon with Internet Explorer?
> >
> > Perhaps with ntlm_auth, but I can't find the good sentence.
> >
> >
> > Thanks.
> >
> Hi, I did exactly this and it has worked perfectly for nearly a year now.
> But you have many choices for how to realize this.
> The setup which will include all possible features with an SMB PDC (with
> LDAP) is like this.
> If you use Firefox or IE with the automatic proxy search setting, they
> search for files like proxy.dat, proxy.pac, wpad.dat on a web server on
> the gateway of the local network; these files hold the data that tells
> the browser where to find the proxy.
> Additionally, you have to have entries in your internal DNS like
> wpad.tcp                SRV     0 0 80 wpad
> wpad                    A       192.168.110.1
>                         TXT     "service: wpad:!http://intranet.gundk.intern:80/proxy.pac"
> and on the internal DHCP server, like this:
> option wpad code 252 = text;
> option wpad "http://192.168.110.1/proxy.pac\n";
> You can find FAQs and docs about this on the Squid site.
> I have implemented different groups in the Windows domain, like wwwuser,
> which can join the internet via the proxy, and a group filteroveride
> to join the WWW directly without using squidGuard (for admins etc.).
> So you can manage the groups from usrmgr.
>
> So I have entries like this in squid.conf:
>
> # user group which is allowed to access the internet in general
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-3001
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-3001
> auth_param basic children 5
>
> #       auth_param ntlm use_ntlm_negotiate on
> #       auth_param ntlm max_challenge_reuses 0
>         auth_param ntlm max_challenge_lifetime 15 minutes
>
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> acl user proxy_auth REQUIRED
> http_access allow user
>
> # PAM auth against a system group works here too (nss_ldap); we use it to
> # override the redirector for VIPs
>
> external_acl_type unix_group %LOGIN /usr/sbin/squid_unix_group -g wwwdirect
> acl direct external unix_group wwwdirect
> redirector_access deny direct
> always_direct allow direct
> http_access allow direct
>
> As you see, I used the SIDs of the NT groups, because their names didn't
> work. To override squidGuard I use a system group which is the same
> as an NT group, because there is a mapping over nss_ldap
> (other setups may be better, but this works).
>
> Then I configured winbind to use the local SMB PDC (just join your own
> domain)... I'm not sure why I did this, but I think it was a must with
> Squid. Squid must run as a user that is able to join the winbind
> socket (see the Squid and Samba docs).
> After all that, you need a few iptables rules to forbid bypassing the proxy.
>
> Note that you can't use Squid auth with a transparent proxy Squid setup!
> But if you don't need auth and the group stuff,
> a setup with a Squid transparent proxy and iptables is a much easier way to
> implement automatic filtering (see the Squid FAQs for how to do this). If you
> do so, you can only manage things by the source IP of the client
> computer, but not by user name or group auth.
>
> (Don't copy and paste this, read the FAQs.)
> Best Regards
>
> --
> With kind regards
> Best Regards
> Robert Schetterer
>
> robert_at_schetterer_dot_org
> Munich / Bavaria / Germany
> https://www.schetterer.org
> https://www.schetterer.com/public-gpg-robert-schetterer.key
>
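
The quoted reply says proxy.pac / wpad.dat tell the browser where to find the proxy; a PAC file for that network could look like the following (an added example, not part of the original thread and not Robert's own file). The address 192.168.110.1 and the gundk.intern domain come from the DNS records quoted above; the Squid port 3128, the /24 local network and the "internal hosts go direct" policy are assumptions.

```javascript
// proxy.pac / wpad.dat -- added example, not the file used in the thread.
// From the post: gateway/proxy host 192.168.110.1, internal zone gundk.intern.
// Assumed: Squid listens on 3128, the LAN is 192.168.110.0/24.
var PROXY = "PROXY 192.168.110.1:3128"; // no "; DIRECT" fallback: fail closed
var LOCAL_DOMAIN = ".gundk.intern";
var LOCAL_NET = "192.168.110.";         // /24 prefix match on IPv4 literals

// True only for a dotted-quad IPv4 literal with every octet in 0..255.
function isIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (parseInt(m[i], 10) > 255) return false;
  }
  return true;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names (e.g. "intranet") can only be LAN hosts.
  if (host.indexOf(".") === -1) return "DIRECT";
  // Internal DNS zone: compare on a label boundary so that names such as
  // "evilgundk.intern" or "gundk.intern.example.com" do not qualify.
  if (host === LOCAL_DOMAIN.slice(1) ||
      host.slice(-LOCAL_DOMAIN.length) === LOCAL_DOMAIN) {
    return "DIRECT";
  }
  // IPv4 literals on the local subnet or loopback.
  if (isIPv4(host) &&
      (host.indexOf(LOCAL_NET) === 0 || host.indexOf("127.") === 0)) {
    return "DIRECT";
  }
  // Everything else goes to Squid, where the NTLM group check applies.
  return PROXY;
}
```

A PAC file only steers browsers that honour it; the iptables rules mentioned in the reply are what actually stop clients from bypassing the proxy.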

