[Samba] Squid Users ACL with Samba Primary Domain

Robert Schetterer robert at schetterer.org
Wed Aug 17 21:11:39 GMT 2005



Antonio G P wrote:
| Hello!!!
|
| I have installed SUSE 9.0 as a Primary Domain Server with Samba and
| Windows clients. It is working ok.
|
| Next step is to configure Squid for Windows clients but I don't know how
| to implement ACLs to control the access of domain users. Is it necessary
| to install winbind?
|
| Thank you very much for your help because I am a bit lost with this.
|
As far as I remember, Squid and Samba in SUSE 9 (as long as you have the
original SUSE RPMs) did not work for NTLM auth, because of a bug in that
Squid version.
I can't grant you that; it is working with SUSE 9.2 (because I have it up
and running here).
Here is a snip from squid.conf.
I had to use the SID of the related group because winbind gave me no
group name back (maybe a SUSE special or my fault).
(So this is the answer: you have to use winbind for NTLM auth for
Squid, hope I remember right here.)
There are a few FAQs on the web on how to manage this (try Google for "squid
samba").
You have to configure winbind to use the locally running Samba PDC.

---snip---
# We give the client browser the proxy entry via the DNS method, which works
# for Firefox and IE, so we produce a pseudo-transparent Squid proxy
# (a real transparent proxy does not work with any auth method, see man
# squid).
# User groups which are allowed to access the internet in general.
# The group SIDs below are as they appear in the original mail (cut off at
# the trailing "$"); a complete group SID is the domain SID followed by the
# group's RID.

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-3962140368-478742891-1658383817$
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-$
auth_param basic children 5

#       auth_param ntlm use_ntlm_negotiate on
#       auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 15 minutes

auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl user proxy_auth REQUIRED
http_access allow user

# PAM auth against a system group works "here" too (nss_ldap); we use it
# to override the redirector for VIPs.

external_acl_type unix_group %LOGIN /usr/sbin/squid_unix_group -g wwwdirect
acl direct external unix_group wwwdirect
redirector_access deny direct
always_direct allow direct
http_access allow direct


--
Mit freundlichen Gruessen
Best Regards
Robert Schetterer

robert_at_schetterer.org
Munich / Bavaria / Germany
https://www.schetterer.org

**********************************
* gnupgp
* public key:
* https://www.schetterer.org/public.key
**********************************
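Added here as a small check for a squid.conf snip like the one above; it is not code from the post, from Squid or from Samba. It parses the auth_param and http_access lines and reports a group SID that is not domain SID plus RID (as happens when the SID gets cut off), differing group restrictions between the ntlm and basic helpers, and a missing final "deny all". The sample config is constructed from the snip above; the RID 1234 on the ntlm line is a placeholder, since the SIDs in the mail are truncated.

```python
import re

# Constructed sample: the squid.conf snip from the post, joined onto single lines.
# The post's SIDs are cut off; the RID 1234 on the ntlm line is a placeholder.
SAMPLE_CONF = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-1234
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-5-21-3962140368-478742891-1658383817
auth_param basic children 5
acl user proxy_auth REQUIRED
http_access allow user
external_acl_type unix_group %LOGIN /usr/sbin/squid_unix_group -g wwwdirect
acl direct external unix_group wwwdirect
http_access allow direct
"""

# A group SID is the domain SID (S-1-5-21-a-b-c) followed by the group's RID.
GROUP_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def lint_squid_auth(conf: str) -> list:
    """Return a list of findings about the ntlm_auth / http_access setup."""
    findings, membership, http_access = [], {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] == "auth_param" and len(tok) > 3 and tok[2] == "program":
            scheme = tok[1]
            sids = [t.split("=", 1)[1] for t in tok[3:]
                    if t.startswith("--require-membership-of=")]
            if not sids:
                findings.append(f"{scheme}: helper has no --require-membership-of, "
                                "so any valid domain account is let through")
            for sid in sids:
                membership[scheme] = sid
                if not GROUP_SID_RE.match(sid):
                    findings.append(f"{scheme}: '{sid}' is not a full group SID "
                                    "(domain SID plus RID)")
        elif tok[0] == "http_access":
            http_access.append(tok[1:])
    if len(set(membership.values())) > 1:
        findings.append("ntlm and basic helpers require different groups, so a "
                        "client that falls back to basic auth gets a different policy")
    if not http_access or http_access[-1] != ["deny", "all"]:
        findings.append("http_access does not end with 'deny all'; if nothing matches, "
                        "Squid's default is the opposite of the last rule")
    return findings


if __name__ == "__main__":
    for f in lint_squid_auth(SAMPLE_CONF):
        print("WARN:", f)
```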
