[Samba] samba 3.0.20 + squid 2.5 : automatic logon with internet explorer

Robert Schetterer robert at schetterer.org
Mon Jun 26 08:54:54 GMT 2006

Rodolphe A. wrote:
> hello,
> samba is set up as PDC with ldap
> client : windows xp pro sp2
> server : samba 3.0.20 + openldap 2.2 + squid 2.5stable14 + squidGuard
> is it possible to create an automatic logon with internet explorer ?
> perhaps with ntlm_auth, but I can't find the right sentence.
> thanks.
Hi, I've done exactly this and it has been working perfectly for nearly a year.
But you have many choices for realizing this.
The setup which includes all possible features with an SMB PDC (with
LDAP) is like this.
If you use Firefox or IE with the automatic proxy search setting,
they search for files like proxy.dat, proxy.pac or
wpad.dat on a webserver on the gateway of the local network; these
files hold the data telling the browser where it will find the proxy.
Additionally you have to have entries in your internal
DNS like
wpad.tcp                SRV     0 0 80 wpad
wpad                    A
                        TXT     "service:
and on the internal DHCP server
like this
option wpad code 252 = text;
option wpad "\n";
You can find FAQs and documentation about this on the Squid site.
I have implemented different groups
in the Windows domain, like wwwuser, which can join the internet via proxy,
and a group filteroveride to join the www directly without using
squidGuard (for admins etc.).
So you can manage the groups from usrmgr.

So I have entries like this in squid.conf:

# User group which is allowed to access the internet in general.
# Each "auth_param ... program" line must be a single line in squid.conf;
# the helper options belong on the same line as the helper path.
# The SID is the Windows group (wwwuser) that may use the proxy.

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-3001
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-3001
auth_param basic children 5

# auth_param ntlm use_ntlm_negotiate on
# auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 15 minutes

auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl user proxy_auth REQUIRED
http_access allow user

# PAM auth against a system group works here too (nss_ldap); we use it to
# override the redirector for VIPs.
# Members of the unix group wwwdirect skip the squidGuard redirector and
# fetch directly instead of via a parent cache.

external_acl_type unix_group %LOGIN /usr/sbin/squid_unix_group -g wwwdirect
acl direct external unix_group wwwdirect
redirector_access deny direct
always_direct allow direct
http_access allow direct

As you see I used the SID of the NT groups, because their names didn't
work. To override squidGuard I use a system group which is the same
as an NT group, because there is a mapping via nss_ldap
(other setups may be better but this works).

Then I configured winbind to use the local SMB PDC (just join your own
domain)... I'm not sure why I did this but I think it was a must with
squid; squid must run as a user that is able to access the winbind
socket (see the squid and samba docs).
After all that you need a few iptables rules to forbid bypassing the proxy.

Note: you can't use squid auth with a transparent proxy squid setup!
But if you don't need auth and the group stuff,
a setup with a squid transparent proxy and iptables is much easier to
implement for automatic filtering (see the squid FAQs on how to do this). If you
do so you can only manage things by the source IP of the client
computer, but not by user name or group auth.

(Don't copy and paste this, read the FAQs.)
Best Regards

Kind regards
Best Regards
Robert Schetterer

Munich / Bavaria / Germany
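As an added example (not part of the post above, and not the author's own file), here is a wpad.dat / proxy.pac of the kind the reply says the browser fetches from the gateway webserver. The proxy hostname, port 3128, the internal domain example.lan and the private address ranges are assumptions. It is written in plain ES3-style JavaScript without the PAC helper functions (isInNet, dnsDomainIs, ...), so the same logic runs unchanged in IE's or Firefox's PAC engine and in node for testing, and it deliberately has no "; DIRECT" fallback, so a failing proxy cannot silently become a bypass of the filtering that the iptables rules are meant to enforce.

```javascript
// Added example: wpad.dat / proxy.pac for the setup described in the post.
// proxy.example.lan:3128, example.lan and the networks below are assumptions.

var PROXY = "PROXY proxy.example.lan:3128";   // assumed squid host and port
var LOCAL_DOMAIN = ".example.lan";            // assumed internal DNS suffix
var LOCAL_NETS = [                            // assumed internal IPv4 ranges
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"]
];

// Dotted-quad string to a 32-bit unsigned integer; -1 if not an IPv4 literal.
function ipToInt(s) {
  var parts = s.split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return -1;
    var b = parseInt(parts[i], 10);
    if (b > 255) return -1;
    n = n * 256 + b;
  }
  return n;
}

// True if host is an IPv4 literal inside net/mask (same idea as PAC's isInNet,
// but without a DNS lookup: a hostname simply returns false).
function inNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h < 0 || n < 0 || m < 0) return false;
  // ">>> 0" keeps the comparison unsigned for addresses above 127.255.255.255.
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

function endsWith(s, suffix) {
  return s.length >= suffix.length && s.slice(s.length - suffix.length) === suffix;
}

// Entry point called by the browser for every URL.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names ("intranet"), localhost, the internal domain and the
  // private networks are reached directly; nothing internal loops through squid.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (host === "localhost" || endsWith(host, LOCAL_DOMAIN)) return "DIRECT";
  for (var i = 0; i < LOCAL_NETS.length; i++) {
    if (inNet(host, LOCAL_NETS[i][0], LOCAL_NETS[i][1])) return "DIRECT";
  }
  // Everything else goes through squid, where ntlm_auth and the group ACLs apply.
  // No "; DIRECT" fallback on purpose: if the proxy is down, browsing fails
  // instead of quietly skipping authentication and squidGuard.
  return PROXY;
}
```

The webserver must serve the file with the MIME type application/x-ns-proxy-autoconfig, otherwise IE ignores it; the DNS and DHCP option 252 entries from the post only tell the browser where to fetch it.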
