[squid-users] squid with Windows 2003 group filtering problem

Please, someone check my config and help me in sorting this problem of
squid and Windows 2003 group filtering.

Regards,
Srinivasa Chary
----- Original Message ----- 
From: "Srinivasa Chary" <srinivasc_nts@xxxxxxxxxx>
To: <squid-users@xxxxxxxxxxxxxxx>
Sent: Monday, January 31, 2005 4:34 PM
Subject: [squid-users] squid with Windows 2003 group filtering problem


> Hi All,
>
>  I am getting a problem when doing group filtering using a Windows 2003
> server.
> I am using squid-2.5.STABLE3 and samba-3.0.0
>
>  I am able to authenticate all the users perfectly without group
> verification; when I want to do group filtering it is not applying. Can
> someone help me in implementing the group filtering in squid using a Windows
> 2003 group.
>
> Below are the configuration details of my squid, wbinfo_group.pl and samba
> files.
>
> Squid.conf:
>
> http_port 3128
> cache_effective_user squid
> cache_effective_group squid
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> visible_hostname NTSP1
> debug_options ALL,1 32,2 28,9
>
> auth_param ntlm program
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param basic program
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> external_acl_type NT_global_group %LOGIN /etc/squid/wbinfo_group.pl
>
> acl AllowedNTUsers external NT_global_group "/etc/squid/allowedntgroups"
> acl LoggedInUsers proxy_auth REQUIRED
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443 563     # https, snews
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> http_access allow AllowedNTUsers
> http_access allow LoggedInUsers
> http_access deny !AllowedNTUsers
> http_access deny !LoggedInUsers
>
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
>
> http_reply_access allow all
> icp_access allow all
> coredump_dir /var/cache/squid
> cache_dir ufs /var/cache/squid 100 16 256
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
>
> ===========================================
>
> smb.conf
>
> [global]
> workgroup = WK3
> netbios name = WK3
> realm = WK3.SERVER
> security = ads
> encrypt passwords = yes
> password server = digital.wk3.server
> # separate domain and username with /, like DOMAIN/username
> winbind separator = /
> # use UIDs from 10000 to 20000 for domain users
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> # allow enumeration of winbind users and groups
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
>
> ======================================================
> wbinfo_group.pl
>
> # external_acl uses shell style lines in its protocol
> #require 'shellwords.pl';
>
> # Disable output buffering
> $|=1;
>
> sub debug {
>         # Uncomment this to enable debugging
>         #print STDERR "@_\n";
> }
>
> #
> # Check if a user belongs to a group
> #
> sub check {
>         local($user, $group) = @_;
>         $groupSID = `/usr/bin/wbinfo -n "$group"`;
>         #because the new wbinfo -n returns also the group number
>         #we do the following
>         $groupSID = substr($groupSID,0,index($groupSID," ",0));
>         $groupGID = `/usr/bin/wbinfo -Y $groupSID`;
>         chop $groupGID;
>         &debug( "User:  -$user-\nGroup: -$group-\nSID:   -$groupSID-\nGID:   -$groupGID-");
> #        return 'OK' if(`/usr/bin/wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
>         # \Q...\E escapes shell metacharacters in the login name squid passes in
>         $groupmem = `/usr/bin/wbinfo -r \Q$user\E`;
>         if ($groupmem) {
>                $groupchk = ($groupmem =~ /^$groupGID$/m);
>                if ($groupchk) {
>                        return 'OK';
>                }
>         }
>         return 'ERR';
> }
>
> #
> # Main loop
> #
> while (<STDIN>) {
>         chop;
>         &debug ("Got $_ from squid");
>         #H1 was added by holger
>         @H1=split(/\s+/, $_);
>         #printf ("User:%s\n",$H1[0]);
>         #printf ("Group:%s\n",$H1[1]);
>         $user = $H1[0];
>         $group = $H1[1];
> #        ($user, $group) = &shellwords;
>         $ans = &check($user, $group);
>         &debug ("Sending $ans to squid");
>         print "$ans\n";
> }
>
>
> Thanks in advance
>
> Regards,
> Srinivas
>
>
>
>
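Squid evaluates http_access lines top to bottom and stops at the first line whose ACLs all match, so the order in the posted squid.conf matters: `http_access allow LoggedInUsers` sits before `http_access deny !AllowedNTUsers`, so every authenticated user is admitted before the group check is ever reached. The Python model below (an added example, not code from the post or from Squid) simulates that first-match evaluation over the posted order and a corrected one; the user names, group names and the contents of allowedntgroups are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Model of Squid's http_access evaluation (added example, not from the post):
# lines are tried top to bottom; a line matches when every ACL on it matches
# (a leading "!" negates one ACL); the first matching line decides; if no line
# matches, the result is the opposite of the last line's action.  A failed
# proxy_auth match really produces a 407 challenge; here it collapses to "deny".
# The users, groups and the allowed group name below are constructed.

ALLOWED_GROUPS = {"InternetUsers"}   # assumed contents of /etc/squid/allowedntgroups

@dataclass
class Request:
    user: Optional[str]                             # None = no proxy credentials
    groups: set = field(default_factory=set)        # Windows groups of the user

def acl_matches(name: str, req: Request) -> bool:
    if name == "all":
        return True
    if name == "LoggedInUsers":        # acl LoggedInUsers proxy_auth REQUIRED
        return req.user is not None
    if name == "AllowedNTUsers":       # acl AllowedNTUsers external NT_global_group
        return req.user is not None and bool(req.groups & ALLOWED_GROUPS)
    raise KeyError(f"unknown acl {name}")

def http_access(rules: list, req: Request) -> str:
    """Return 'allow' or 'deny' for req using first-match semantics."""
    action = "deny"
    for line in rules:
        action, *acls = line.split()
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return "deny" if action == "allow" else "allow"   # no match: inverse of last

# Order from the post: "allow LoggedInUsers" shadows the later group deny.
POSTED = ["allow AllowedNTUsers", "allow LoggedInUsers",
          "deny !AllowedNTUsers", "deny !LoggedInUsers", "deny all"]

# Corrected order: require authentication, allow only the group, deny the rest.
FIXED = ["deny !LoggedInUsers", "allow AllowedNTUsers", "deny all"]

def verdicts(rules: list) -> tuple:
    """Verdicts for a group member, an authenticated non-member, and no auth."""
    member = Request("alice", {"InternetUsers"})
    outsider = Request("bob", {"Domain Users"})
    anonymous = Request(None)
    return tuple(http_access(rules, r) for r in (member, outsider, anonymous))
```

With the posted order the authenticated non-member "bob" is allowed, which is the symptom described in the mail; with the corrected order only the group member gets through.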


