Hi All, I am having a problem with group filtering against a Windows 2003 server. I am using squid-2.5.STABLE3 and samba-3.0.0. I am able to authenticate all the users perfectly without group verification, but when I try to do group filtering it is not applied. Can someone help me implement group filtering in Squid using Windows 2003 groups? Below are the configuration details of my Squid, wbinfo_group and Samba files.

Squid.conf:
http_port 3128
cache_effective_user squid
cache_effective_group squid
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
visible_hostname NTSP1
debug_options ALL,1 32,2 28,9
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type NT_global_group %LOGIN /etc/squid/wbinfo_group.pl
acl AllowedNTUsers external NT_global_group "/etc/squid/allowedntgroups"
acl LoggedInUsers proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow AllowedNTUsers
http_access allow LoggedInUsers
http_access deny !AllowedNTUsers
http_access 
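deny !LoggedInUsers
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/cache/squid
cache_dir ufs /var/cache/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
===========================================
smb.conf
[global]
workgroup = WK3
netbios name = WK3
realm = WK3.SERVER
security = ads
encrypt passwords = yes
password server = digital.wk3.server
# separate domain and username with /, like DOMAIN/username
winbind separator = /
# use UIDs from 10000 to 20000 for domain users
idmap uid = 10000-20000
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
======================================================
wbinfo_group.pl
# Squid external_acl helper: reads "user group" lines on STDIN and answers
# OK or ERR on STDOUT depending on whether winbind (wbinfo) reports the user
# as a member of the group.
#
# NOTE(review): this helper only answers the membership question; squid.conf
# decides what to do with the answer. In the squid.conf posted above,
# "http_access allow LoggedInUsers" comes before
# "http_access deny !AllowedNTUsers", and http_access rules are evaluated in
# order, so every authenticated user is admitted regardless of group. Both
# allow rules also precede the Safe_ports and CONNECT denies.
#
# external_acl uses shell style lines in its protocol
#require 'shellwords.pl';

use strict;
use warnings;

# Disable output buffering
$| = 1;

# Absolute path, as in the original script, so the lookup does not depend on
# the PATH squid runs the helper with.
my $WBINFO = '/usr/bin/wbinfo';

sub debug {
    # Uncomment this to enable debugging
    #print STDERR "@_\n";
}

#
# Run wbinfo with the given argument list and return its standard output
# ('' when the command cannot be started or prints nothing).
#
# The list form of open() executes wbinfo directly instead of through
# /bin/sh. The user and group names come from the proxy client via Squid;
# interpolating them into backticks would let shell metacharacters in a name
# be interpreted by the shell.
#
sub wbinfo {
    my @args = @_;

    open(my $out, '-|', $WBINFO, @args) or return '';
    local $/;    # slurp the whole output
    my $text = <$out>;
    close $out;  # a non-zero exit status only means the lookup failed

    return defined $text ? $text : '';
}

#
# Check if a user belongs to a group
#
# Returns 'OK' when the group's GID is among the GIDs wbinfo -r lists for
# the user, 'ERR' in every other case (including any failed lookup).
#
sub check {
    my ($user, $group) = @_;

    # Fail closed on names wbinfo could misread: missing or empty, starting
    # with '-' (would be parsed as an option), or containing control
    # characters.
    for my $name ($user, $group) {
        return 'ERR' unless defined $name && length $name;
        return 'ERR' if $name =~ /\A-/ || $name =~ /[\x00-\x1f\x7f]/;
    }

    # because the new wbinfo -n returns also the group number
    # we keep only the first whitespace-separated field
    my ($groupSID) = split ' ', wbinfo('-n', $group);
    return 'ERR' unless defined $groupSID && $groupSID =~ /\AS-[0-9-]+\z/;

    my $groupGID = wbinfo('-Y', $groupSID);
    chomp $groupGID;
    # An empty or non-numeric GID means the lookup failed; never compare it.
    return 'ERR' unless $groupGID =~ /\A[0-9]+\z/;

    debug("User: -$user-\nGroup: -$group-\nSID: -$groupSID- \nGID: -$groupGID-");

    # wbinfo -r prints one GID per line; require an exact line match.
    my @member_gids = split /\n/, wbinfo('-r', $user);
    return (grep { $_ eq $groupGID } @member_gids) ? 'OK' : 'ERR';
}

#
# Main loop
#
while (my $line = <STDIN>) {
    chomp $line;
    debug("Got $line from squid");

    #H1 was added by holger
    # NOTE(review): a plain split cannot decode the shell-style quoting
    # mentioned at the top of this script, so a group name containing a
    # space would be cut at the first space -- confirm against the names in
    # /etc/squid/allowedntgroups.
    my ($user, $group) = split /\s+/, $line;
    # ($user, $group) = &shellwords;

    my $ans = check($user, $group);
    debug("Sending $ans to squid");
    print "$ans\n";
}

Thanks in advance
Regards,
Srinivas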