[Samba] Re: samba 3.0.20 + squid 2.5 : automatic logon withinternetexplorer

Rodolphe A. rodolphedj at gmail.com
Mon Jun 26 17:14:58 GMT 2006


after #net join
Success on the command line.

I am searching for the right line for squid.conf, with or without this:
--helper-protocol=squid-2.5-ntlmssp

Any idea?

"Rodolphe A." <rodolphedj at gmail.com> wrote in message
news:e7p3vv$78g$1 at sea.gmane.org...
> thanks for answer.
>
> my problem :
>
> after starting winbind, I tested
> #/usr/bin/ntlm_auth "PARIS.VISEO.NET" --username=root
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
>
> the squid server is the samba pdc.
>
>
>
>
>
> "Robert Schetterer" <robert at schetterer.org> wrote in message
> news:449FA0DE.3070000 at schetterer.org...
> > Rodolphe A. wrote:
> > > hello,
> > >
> > > samba is setup PDC with ldap
> > >
> > > client : windows xp pro sp2
> > > server : samba 3.0.20 + openldap 2.2 + squid 2.5stable14 + squidGuard
> > >
> > > is it possible to create an automatic logon with internet explorer ?
> > >
> > > perhaps with ntlm_auth, but i can't find the good sentence.
> > >
> > >
> > > thanks.
> > >
> > >
> > >
> > >
> > Hi, I have done exactly this and it has worked perfectly for nearly a year.
> > But you have many choices for how to realize this.
> > The setup which includes all possible features with an smb pdc (with
> > ldap) is like this.
> > If you use Firefox or IE with the automatic proxy search setting,
> > they search for files like proxy.dat, proxy.pac,
> > wpad.dat on a webserver on the gateway of the local network; these
> > files hold the data telling the browser where to find the proxy.
> > Additionally you have to have entries in your internal
> > dns like
> > wpad.tcp                SRV     0 0 80 wpad
> > wpad                    A       192.168.110.1
> >                         TXT     "service: wpad:!http://intranet.gundk.intern:80/proxy.pac"
> > and on the internal dhcp server
> > like this
> > option wpad code 252 = text;
> > option wpad "http://192.168.110.1/proxy.pac\n";
> > You can find FAQs and documentation about this on the Squid site.
> > I have implemented different groups
> > in the win domain, like wwwuser, which can reach the internet via the proxy,
> > and a group filteroveride which goes directly to the www without using
> > squidguard (for admins etc.).
> > So you can manage the groups from usrmgr.
> >
> > so i have entries like this in squid.conf
> >
> > # user group which are allowed to access the internet in general
> >
> > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-3001
> > auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-3001
> > auth_param basic children 5
> >
> > #       auth_param ntlm use_ntlm_negotiate on
> > #       auth_param ntlm max_challenge_reuses 0
> >         auth_param ntlm max_challenge_lifetime 15 minutes
> >
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > acl user proxy_auth REQUIRED
> > http_access allow user
> >
> > # pam auth against a system group works here too (nss_ldap), we use it to
> > # override the redirector for VIPs
> >
> > external_acl_type unix_group %LOGIN /usr/sbin/squid_unix_group -g wwwdirect
> > acl direct external unix_group wwwdirect
> > redirector_access deny direct
> > always_direct allow direct
> > http_access allow direct
> >
> > As you see, I used the SIDs of the NT groups, because their names didn't
> > work; to override squidguard I use a system group which is the same
> > as an NT group because there is a mapping over nss_ldap
> > (other setups may be better but this works).
> >
> > Then I configured winbind to use the local smb pdc (just join your own
> > domain)... I'm not sure why I did this but I think it was a must with
> > squid; squid must run as a user that is able to join the winbind
> > socket (see squid, samba documentation).
> > After all that you need a few iptables rules to forbid bypassing the proxy.
> >
> > Note you can't use squid auth with a transparent proxy squid setup!
> > But if you don't need auth and the group stuff,
> > a setup with a squid transparent proxy and iptables makes it much easier to
> > implement automatic filtering (see the squid FAQs on how to do this); if you
> > do so you can only manage things by the source IP of the client
> > computer, but not by user name or group auth.
> >
> > (Don't copy and paste this, read the FAQs.)
> > Best Regards
> >
> > --
> > With kind regards
> > Best Regards
> > Robert Schetterer
> >
> > robert_at_schetterer_dot_org
> > Munich / Bavaria / Germany
> > https://www.schetterer.org
> > https://www.schetterer.com/public-gpg-robert-schetterer.key
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/listinfo/samba
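An added example, not code from either poster or from the Samba or Squid projects: a small checker for the `auth_param ... program /usr/bin/ntlm_auth` lines discussed in this thread. It verifies that each scheme is paired with the matching `--helper-protocol`, that `--require-membership-of` is present, and that no option has ended up on a line of its own (as happens when a long line is wrapped in mail). Flagging a group name in favour of a SID follows the reply's experience, not an ntlm_auth rule; the sample configuration and the function name are constructed for illustration.

```python
import re

# ntlm_auth helper protocol each Squid auth scheme has to be paired with.
EXPECTED_PROTOCOL = {"ntlm": "squid-2.5-ntlmssp", "basic": "squid-2.5-basic"}
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# Constructed sample: line 1 is the ntlm helper line from the reply, joined;
# lines 2-4 are deliberately broken variants for the checker to flag.
SAMPLE_CONF = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-3001
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=wwwuser
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 5
"""

def check_auth_helpers(conf_text):
    """Return (line_number, message) findings for ntlm_auth helper lines."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("--"):
            # Squid reads every line as its own directive.
            findings.append((lineno, "option on its own line, not part of any auth_param"))
            continue
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "auth_param" or tokens[2] != "program":
            continue
        scheme, program, args = tokens[1], tokens[3], tokens[4:]
        if not program.endswith("ntlm_auth"):
            continue  # some other helper; out of scope here
        opts = dict(a[2:].split("=", 1) for a in args if a.startswith("--") and "=" in a)
        proto = opts.get("helper-protocol")
        want = EXPECTED_PROTOCOL.get(scheme)
        if proto is None:
            findings.append((lineno, "missing --helper-protocol"))
        elif want and proto != want:
            findings.append((lineno, f"{scheme} scheme needs {want}, got {proto}"))
        group = opts.get("require-membership-of")
        if group is None:
            findings.append((lineno, "no --require-membership-of: not limited to a group"))
        elif not SID_RE.match(group):
            findings.append((lineno, "group given by name, not by SID"))
    return findings

if __name__ == "__main__":
    for lineno, message in check_auth_helpers(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```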