I've configured a PDC with Samba using LDAP authentication. Now I want to
authenticate all proxy clients via NTLM auth and wbinfo_group.pl.
I've configured winbind and Squid and everything works: I gave the squid
group permission on the winbind_privileged pipe and it all works great, but
I have a problem when I change an entry in LDAP. For example, when I move a
member to another group and restart winbind, `wbinfo -r domain@user` still
gives me the old group.
I think the problem is in the privileged pipe (Squid keeps the pipe locked),
and I can only resolve it by making the LDAP change with Squid stopped and
the privileged pipe owned by group root. These are my configuration files:
smb.conf
--------------------------------------
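#======================= Global Settings =====================================
# smb.conf for the NETSYS PDC: Samba 3 with an ldapsam passdb backend and the
# smbldap-tools scripts as provisioning hooks.
# NOTE(review): the bind password for 'ldap admin dn' is not kept in this file
# (Samba reads it from secrets.tdb, set with 'smbpasswd -w'); keep it that way.
# The original listing was line-wrapped by the mail client; wrapped values and
# the broken comment banner are rejoined onto single lines here.
[global]
workgroup = NETSYS
server string = Samba Server
# Accounts live in LDAP on the local host (loopback, so plain ldap:// is fine).
passdb backend = ldapsam:ldap://127.0.0.1/
# Provisioning hooks (smbldap-tools). %u = user name, %g = group name.
add user script = /usr/local/sbin/smbldap-useradd.pl -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel.pl "%u"
add group script = /usr/local/sbin/smbldap-groupadd.pl -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel.pl "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod.pl -g "%g" "%u"
add machine script = /usr/local/sbin/smbldap-useradd.pl -w "%u"
log level = 2
# kilobytes
max log size = 2000
security = user
# NOTE(review): 'unix password sync' is not set here (the Samba default is off);
# in that case 'passwd program' / 'passwd chat' are not invoked on an SMB
# password change and the LDAP userPassword is kept in step by
# 'ldap passwd sync' below instead. Left in place as they were — confirm
# against smb.conf(5) for the Samba version in use.
passwd program = /usr/local/sbin/smbldap-passwd.pl %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Browse-master / domain-controller role
os level = 34
domain master = yes
preferred master = yes
domain logons = yes
# Empty values: no roaming profiles and no home-drive mapping
logon path =
logon home =
wins support = yes
dns proxy = no
# LDAP directory layout (all OUs are relative to 'ldap suffix')
ldap suffix = dc=netsys,dc=it
ldap admin dn = cn=Manager,dc=netsys,dc=it
ldap delete dn = Yes
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
# NOTE(review): idmap entries share ou=Users with the real accounts; the Samba
# HOWTO normally gives them their own OU (e.g. ou=Idmap) — consider separating.
ldap idmap suffix = ou=Users
ldap passwd sync = Yes

[tutti]
path = /home/shares/tutti
# No 'valid users' here, so any authenticated domain user can connect and read
# (subject to the unix permissions on the directory); only these groups may write.
write list = @direzione,@aula
create mask = 0770
directory mask = 0770

[direzione]
path = /home/shares/direzione
# NOTE(review): 'write list' only grants write access. Without
# 'valid users = @direzione' any domain user can still open this share
# read-only (subject to unix permissions); add it if the share is meant to be
# private to that group.
write list = @direzione
create mask = 0770
directory mask = 0770

# [aula] is kept disabled, as in the original. NOTE(review): its path is
# /home/share/aula while the other shares use /home/shares/ — probably a typo
# to fix before enabling it.
#[aula]
# path = /home/share/aula
# write list = @direzione,@aula
# valid users = @aula, @direzione
# force group = aula
# create mask = 0770
# directory mask = 0770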
squid.conf
-------------------------------------------------------------------
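# WELCOME TO SQUID 2
# ------------------
#
# This is the default Squid configuration file. You may wish
# to look at the Squid home page (http://www.squid-cache.org/)
# for the FAQ and other documentation.
#
# The default Squid config file shows what the defaults for
# various options happen to be. If you don't need to change the
# default, you shouldn't uncomment the line. Doing so may cause
# run-time problems. In some cases "none" refers to no default
# setting at all, while in other cases it refers to a valid
# option - the comments for that keyword indicate if this is the
# case.
#
# Proxy for the NETSYS domain: clients authenticate with NTLM through Samba's
# ntlm_auth/winbind and are authorised by membership of the "internet" group,
# looked up by wbinfo_group.pl.
# The original listing was line-wrapped by the mail client: the auth_param /
# external_acl_type values and the '# ----' banners are rejoined onto single
# lines here (a bare '-----' line is not valid squid.conf).

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------

# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------
# NTLM (NTLMSSP) authentication through Samba's winbind.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
# Fresh challenge for every handshake; challenge reuse weakens NTLM.
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on
# Basic fallback for clients without NTLM. Basic credentials are only
# base64-encoded (effectively clear text between client and proxy), so keep
# this proxy reachable from the LAN only (see http_access below).
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
# Group lookup through winbind. ttl=0 tells Squid to cache no helper result,
# so every request runs the helper; winbindd keeps its own lookup cache
# (smb.conf 'winbind cache time'), so a group change made in LDAP can still
# be reported stale for a while even with ttl=0 — confirm against winbindd docs.
external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/wbinfo_group.pl

# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------

# TIMEOUTS
# -----------------------------------------------------------------------------

# ACCESS CONTROLS
# -----------------------------------------------------------------------------
# 'all' must match every source so the closing 'deny all' is a real catch-all.
# The original defined 'all' as the LAN subnet, which turned the last rule into
# "deny LAN only": when no http_access line matches, Squid applies the opposite
# of the last rule's action as the default, so a request from outside the LAN
# that reached the end of the list would have been allowed. The LAN subnet now
# has its own name, 'localnet', and is enforced explicitly.
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl Authenticated proxy_auth REQUIRED
# Members of the NETSYS group "internet", as resolved by wbinfo_group.pl
acl navigatori external nt_group internet

# Cache manager only from the proxy host itself. The 'manager' acl was defined
# but never used in the original, so any authenticated member of 'internet'
# could reach cache_object: URLs.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Do not let clients reach services bound to loopback on the proxy host
# ('to_localhost' was defined but unused in the original).
http_access deny to_localhost
# Only LAN clients may use the proxy at all (NTLM/Basic credentials and the
# group lookup are only meant for them).
http_access deny !localnet
# 'navigatori' is evaluated before the authentication check on purpose: its
# %LOGIN argument makes Squid request credentials (407) from a client that has
# not authenticated yet, and then asks winbind for the group.
http_access allow navigatori
http_access deny !Authenticated
http_access deny all
http_reply_access allow all
# ICP: LAN peers only ('all' is now a true catch-all, so 'allow all' here would
# open ICP to everyone).
icp_access allow localnet
icp_access deny all

# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------

# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# -----------------------------------------------------------------------------

# MISCELLANEOUS
# -----------------------------------------------------------------------------

# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
# -----------------------------------------------------------------------------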
winbind.conf
----------------------------------------------------------------
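# smb.conf for the Squid host: a NETSYS domain member whose winbindd serves
# ntlm_auth and wbinfo_group.pl. Comment markers unified to '#' (Samba accepts
# both '#' and ';').
[global]
workgroup = NETSYS
# Authenticate against the domain controller named below
security = domain
password server = dnsinterno
# settings for the winbindd daemon
# DOMAIN@user form, as used by 'wbinfo -r domain@user'
winbind separator = @
#template shell = /bin/bash
#template homedir = /home/users/%U
# Local uid/gid range handed out to domain accounts and groups
winbind uid = 10000-20000
winbind gid = 10000-20000
#winbind enum users = yes
#winbind enum groups = yes
winbind use default domain = yes
# NOTE(review): winbindd caches name and group lookups ('winbind cache time',
# 300 s by default in Samba 3). Stale 'wbinfo -r' output right after an LDAP
# edit is consistent with that cache, not with permissions on the privileged
# pipe (which only gates ntlm_auth's NTLMSSP access). Lower the cache time or
# clear the cache (stop winbindd, remove winbindd_cache.tdb, or 'net cache
# flush') — confirm against smb.conf(5) for the Samba version in use.
#winbind cache time = 60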