windows nt domains and ip masquerading...

James Sutherland jas88 at cam.ac.uk
Wed Jul 26 10:51:11 GMT 2000


On Tue, 25 Jul 2000, Shawn Campbell wrote:

> Currently, the college I work for uses a Linux box that does ip
> masquerading/squid webcaching/site/content filtering all on one box.  
> We don't want to censor the websites that faculty/staff have access
> to, just the ones the students have access to (blocking porn sites,
> hate sites, etc).  We could set up a web socks proxy and make an
> adjustment in the web browser for faculty/staff.  Currently, we are
> using microsoft proxy server 2.0.  However, it requires the
> installation of client side software which is inconvenient and limits
> the way the computer can be used in some respects.  I started looking
> on msdn.microsoft.com for win32 api information for obtaining the
> necessary information from winNT domains.  Specifically, when a
> computer sends a request to the masq box, it would ask the pdc what
> group the user on that particular computer belongs to, if the group is
> faculty or staff, the masq rules adjust to let those requests go
> through uncensored.  If the user on that machine is a student, their
> requests are filtered.  How feasible is something like that?  I have
> been looking at the Network Management User Functions in the win32
> api.  I believe that samba has equivalents to those functions.  Could
> a perl script be constructed to create such a solution?  Would a more
> elaborate and efficient solution be necessary?  Is such a thing even
> possible?  Perhaps an NT Service in combination with a linux solution?

There's an easier way...

Squid can authenticate users against an NT server, by requesting a
particular file from that server using the username & password supplied.
This will allow you to restrict access to one Squid daemon to a particular
NT group.

If your site filter works via Squid access controls, you can set it so
that users can access a site if (at least) ONE OF "not in blocked list" or
"user is in NT group STAFF" is true.

Now you just need to make sure all WWW access goes via Squid, and that
should be it!


James.
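
As an added illustration of the policy James describes (this is example
configuration written for this archive page, not something either poster
supplied), here is a squid.conf fragment that allows a request if the
destination is not on the blocked list OR the authenticated user is in the
NT group STAFF. It goes a bit beyond the 2000-era mechanism: instead of
Squid fetching a file from the NT server, it uses Samba's ntlm_auth helper
for authentication and Squid's ext_wbinfo_group_acl helper for the group
check, so it assumes the proxy box runs winbindd and is joined to the
domain. Helper paths are Debian-style and vary by distribution; the campus
address range, the realm text and the file /etc/squid/blocked-domains (one
domain per line, e.g. ".example.com") are constructed for the example.

```conf
# ---- Authentication against the NT domain via Samba's ntlm_auth ----
# NTLM lets domain-joined Windows clients authenticate without a prompt;
# Basic is the fallback for other browsers. Helper paths are assumptions.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic realm College web proxy
auth_param basic credentialsttl 2 hours

# ---- Group lookup ----
# The helper asks winbind whether the login name (%LOGIN) is a member of
# the group given as the ACL argument, answering OK or ERR. Results are
# cached for 10 minutes, failures for 1 minute.
external_acl_type nt_group ttl=600 negative_ttl=60 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl

# ---- ACL definitions ----
# Constructed campus range; replace with the real student/staff LAN.
acl localnet src 10.0.0.0/8
# Constructed blocklist file: one dstdomain entry per line.
acl blocked  dstdomain "/etc/squid/blocked-domains"
acl authed   proxy_auth REQUIRED
# STAFF is the NT group name used in the thread.
acl staff    external nt_group STAFF

# ---- Policy: allow if (site not blocked) OR (user in STAFF) ----
# Only requests for blocked destinations ever trigger a login prompt.
http_access deny  !localnet
http_access allow !blocked
http_access deny  !authed
http_access allow staff
http_access deny  all
```

Evaluation order matters here: an unblocked site is allowed on the second
line with no credentials asked for; a blocked site without credentials hits
"deny !authed", which makes Squid return a 407 challenge; once the browser
has authenticated, staff pass on the "allow staff" line and students fall
through to "deny all" and get a 403. One caveat for the "make sure all WWW
access goes via Squid" step: proxy authentication only works when the
browser knows it is talking to a proxy (explicit proxy setting, PAC/WPAD or
domain policy). Traffic silently redirected into Squid by the masquerading
rules carries no Proxy-Authorization header, so direct outbound 80/443 from
the student LAN should be dropped at the firewall rather than intercepted.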

More information about the samba-technical mailing list