[Samba] Re: samba 3.0.20 + squid 2.5 : automatic logon with internet explorer

Rodolphe A. rodolphedj at gmail.com
Thu Jun 29 11:59:55 GMT 2006


I can't find the good sentence for conf squid.

Any idea?


"Rodolphe A." <rodolphedj at gmail.com> wrote in message
news:e7p4u2$b0p$1 at sea.gmane.org...
> after #net join
> Success in line command.
> I am searching the good sentence for squid.conf with,
> or  not with that : --helper-protocol=squid-2.5-ntlmssp
> an idea ?
>
> "Rodolphe A." <rodolphedj at gmail.com> wrote in message
> news:e7p3vv$78g$1 at sea.gmane.org...
> > thanks for answer.
> >
> > my problem :
> >
> > after start winbind, i have tested
> > #/usr/bin/ntlm_auth "PARIS.VISEO.NET" --username=root
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
> >
> > the server squid is samba pdc.
> >
> >
> >
> >
> >
> > "Robert Schetterer" <robert at schetterer.org> wrote in message
> > news:449FA0DE.3070000 at schetterer.org...
> > >
> > > Rodolphe A. schrieb:
> > > > hello,
> > > >
> > > > samba is setup PDC with ldap
> > > >
> > > > client : windows xp pro sp2
> > > > server : samba 3.0.20 + openldap 2.2 + squid 2.5stable14 + squidGuard
> > > >
> > > > is it possible to create an automatic logon with internet explorer ?
> > > >
> > > > perhaps with ntlm_auth, but i can't find the good sentence.
> > > >
> > > >
> > > > thanks.
> > > >
> > > >
> > > >
> > > >
> > > Hi, I did exactly this and it has worked perfectly for nearly a year now.
> > > But you have many choices to realize this.
> > > The setup which will include all possible features with a smb pdc ( with
> > > ldap ) is like this.
> > > If you use firefox or ie with the automatic proxy search setting,
> > > they search for files like proxy.dat, proxy.pac,
> > > wpad.dat on a webserver on the gateway of the local network; these
> > > files hold the data on where the browser will find the proxy.
> > > Additionally you have to have entries in your internal
> > > dns like
> > > wpad.tcp                SRV     0 0 80 wpad
> > > wpad                    A       192.168.110.1
> > >                         TXT     "service: wpad:!http://intranet.gundk.intern:80/proxy.pac"
> > > and on the internal dhcp server
> > > like this
> > > option wpad code 252 = text;
> > > option wpad "http://192.168.110.1/proxy.pac\n";
> > > you can find faqs and docs about this on the squid site.
> > > I have implemented different groups
> > > in the win domain like wwwuser, which can join the internet via proxy,
> > > and a group filteroveride to join directly www without using
> > > squidguard ( for admins etc ).
> > > So you can manage the groups out from usrmgr.
> > >
> > > so i have entries like this in squid.conf
> > >
> > > # user group which are allowed to access the internet in general
> > >
> > > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-3001
> > > auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-3001
> > > auth_param basic children 5
> > >
> > > #       auth_param ntlm use_ntlm_negotiate on
> > > #       auth_param ntlm max_challenge_reuses 0
> > >         auth_param ntlm max_challenge_lifetime 15 minutes
> > >
> > > auth_param basic realm Squid proxy-caching web server
> > > auth_param basic credentialsttl 2 hours
> > > acl user proxy_auth REQUIRED
> > > http_access allow user
> > >
> > > # pam auth against a system group works here too (nss_ldap), we use it to
> > > # override the redirector for vips
> > >
> > > external_acl_type unix_group %LOGIN /usr/sbin/squid_unix_group -g wwwdirect
> > > acl direct external unix_group wwwdirect
> > > redirector_access deny direct
> > > always_direct allow direct
> > > http_access allow direct
> > >
> > > as you see i used the sid of the nt groups, because their names didn't
> > > work; to override the squidguard i use a system group which is the same
> > > as a nt group because there is mapping over nss_ldap
> > > ( other setups may be better but this works )
> > >
> > > then i configured winbind to use the local smb pdc ( just join your own
> > > domain )... i'm not sure why i did this but i think it was a must with
> > > squid; squid must run with a user that is able to join the winbind
> > > socket ( see squid, samba docs )
> > > After all you need a few iptables rules to forbid bypassing the proxy.
> > >
> > > note you can't use squid auth with a transparent proxy squid setup!
> > > But if you don't need auth and the group stuff,
> > > a setup with a squid transparent proxy and iptables is much easier for
> > > implementing automatic filtering ( see squid faqs how to do this ); if you
> > > do so you can only manage things by the source ip of the client
> > > computer, but not by user name or group auth.
> > >
> > > ( dont copy and paste this , read the faqs )
> > > Best Regards
> > >
> > > --
> > > With kind regards
> > > Best Regards
> > > Robert Schetterer
> > >
> > > robert_at_schetterer_dot_org
> > > Munich / Bavaria / Germany
> > > https://www.schetterer.org
> > > https://www.schetterer.com/public-gpg-robert-schetterer.key
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/listinfo/samba





More information about the samba mailing list
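
Added example (not part of the original thread, and not Samba or Squid code): a small Python check for the squid.conf lines discussed above. It verifies that each `auth_param` scheme is paired with the matching `ntlm_auth` helper protocol, that `--require-membership-of` is present and given as a SID, and that some `http_access allow` rule uses a `proxy_auth` ACL. The function name, the sample config and the SID in it are constructed for illustration.

```python
import re

# ntlm_auth helper protocol expected for each Squid auth scheme (as in the thread).
EXPECTED_PROTOCOL = {"ntlm": "squid-2.5-ntlmssp", "basic": "squid-2.5-basic"}
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# Constructed sample: line 1 pairs the ntlm scheme with the basic protocol and
# restricts by group name; the SID on line 2 is a made-up placeholder.
SAMPLE_CONF = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=wwwuser
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-5-21-1111111111-2222222222-3333333333-3001
acl user proxy_auth REQUIRED
http_access allow user
"""

def check_squid_auth(conf_text):
    """Return (line_number, message) findings; line 0 means a file-level finding."""
    findings, auth_acls, allowed = [], set(), set()
    for no, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not words:
            continue
        if words[0] == "auth_param" and len(words) > 3 and words[2] == "program":
            scheme, args = words[1], words[4:]
            opts = dict(a[2:].split("=", 1) for a in args
                        if a.startswith("--") and "=" in a)
            proto, want = opts.get("helper-protocol"), EXPECTED_PROTOCOL.get(scheme)
            if want and proto != want:
                findings.append((no, f"{scheme}: helper-protocol is {proto!r}, expected {want!r}"))
            group = opts.get("require-membership-of")
            if group is None:
                findings.append((no, f"{scheme}: no --require-membership-of, any authenticated user is accepted"))
            elif not SID_RE.match(group):
                findings.append((no, f"{scheme}: group {group!r} is a name, not a SID"))
        elif words[0] == "acl" and len(words) > 2 and words[2] == "proxy_auth":
            auth_acls.add(words[1])
        elif words[0] == "http_access" and words[1:2] == ["allow"]:
            allowed.update(words[2:])  # negated ACLs ("!name") never match
    if not auth_acls & allowed:
        findings.append((0, "no http_access allow rule uses a proxy_auth ACL"))
    return findings

if __name__ == "__main__":
    for line_no, message in check_squid_auth(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```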