Search squid archive

samba, lda, ntlm wbinfo-group squid

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



i've configured a pdc with samba with ldap authentication. now i want to auth all proxy client via ntlm auth and wbinfo_group.pl . i 've configured winbind and squid and all is ok . i've give permission to group squid on winbind_privileged pipe. all is ok and work greate but i have a problem when i change some entry on ldap. for example when i change a member on another group and restart winbing wbinfo -r domain@user give me the old group. i think is a problem on privileged pipe (squid lock pipe) and i can resolv this only doing change on ldap with squid stopped and privileged pipe on group root . this are my configuration file:

smb.conf
--------------------------------------
#======================= Global Settings =====================================
[global]
 workgroup = NETSYS


 server string = Samba Server
 passdb backend = ldapsam:ldap://127.0.0.1/
 add user script = /usr/local/sbin/smbldap-useradd.pl -m "%u"
 delete user script = /usr/local/sbin/smbldap-userdel.pl "%u"
 add group script = /usr/local/sbin/smbldap-groupadd.pl -p "%g"
 delete group script = /usr/local/sbin/smbldap-groupdel.pl "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m "%u" "%g" delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x "%u" "%g"
 set primary group script = /usr/local/sbin/smbldap-usermod.pl -g "%g" "%u"
 add machine script = /usr/local/sbin/smbldap-useradd.pl -w "%u"
 log level = 2
 max log size = 2000
security = user
passwd program = /usr/local/sbin/smbldap-passwd.pl %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 os level = 34
 domain master = yes
 preferred master = yes
 domain logons = yes
 logon path =
 logon home =
 wins support = yes
 dns proxy = no
ldap admin dn = cn=Manager,dc=netsys,dc=it
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=netsys,dc=it
ldap user suffix = ou=Users

[tutti]
path = /home/shares/tutti
write list = @direzione,@aula
create mask = 0770
directory mask = 0770

[direzione]
 path = /home/shares/direzione
 write list = @direzione
 create mask = 0770
 directory mask = 0770
#[aula]
#   path = /home/share/aula
#   write list = @direzione,@aula
#   valid users = @aula, @direzione
#   force group = aula
#   create mask = 0770
#   directory mask = 0770







squid.conf
-------------------------------------------------------------------


#    WELCOME TO SQUID 2
#    ------------------
#
#    This is the default Squid configuration file. You may wish
#    to look at the Squid home page (http://www.squid-cache.org/)
#    for the FAQ and other documentation.
#
#    The default Squid config file shows what the defaults for
#    various options happen to be.  If you don't need to change the
#    default, you shouldn't uncomment the line.  Doing so may cause
#    run-time problems.  In some cases "none" refers to no default
#    setting at all, while in other cases it refers to a valid
#    option - the comments for that keyword indicate if this is the
#    case.
#

http_port 3128
hierarchy_stoplist cgi-bin ?


acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY


# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------



# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------


# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------


auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/wbinfo_group.pl


# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------


# TIMEOUTS
# -----------------------------------------------------------------------------


# ACCESS CONTROLS
# -----------------------------------------------------------------------------


acl all src 192.168.0.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443 563    # https, snews
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
acl Authenticated proxy_auth REQUIRED
acl navigatori external nt_group internet



http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow navigatori
http_access deny !Authenticated
http_access deny all
http_reply_access allow all


icp_access allow all
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------


# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# -----------------------------------------------------------------------------


# MISCELLANEOUS
# -----------------------------------------------------------------------------



# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
# -----------------------------------------------------------------------------













winbind.conf
----------------------------------------------------------------
[global]
workgroup = NETSYS
security = domain
password server = dnsinterno
; impostazioni per il demone winbindd
winbind separator = @
#template shell = /bin/bash
#template homedir = /home/users/%U
winbind uid = 10000-20000
winbind gid = 10000-20000
#winbind enum users = yes
#winbind enum groups = yes
winbind use default domain = yes


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux