I use this config and works ok in producion.
Scenario:
AD Win2k3R2
CentOS: 4.4 and 5.1
SMB and winbind: 3.0.10 and 3.0.25b
Squid 2.5.STABLE14 AND 2.6STABLE6
Using NTLM authentication
#Define uthentications parameters
#auth_param digest nonce_max_count 50
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 2
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
# ACCESS CONTROLS
# define una acl para manejar los grupos de windows
# define acls for user groups manage and indcate whith
helper use (this is provided for SAMBA suite)
external_acl_type nt_group ttl=2 children=10 %LOGIN
/usr/lib/squid/wbinfo_group.pl
# define acls
acl Sistemas external nt_group sistemas_ # acl para el
manejo del grupos Sistemas
acl InetAccessControl external nt_group
internet_control # acl para el manejo de grupo
internet_control
acl InetAccessFull external nt_group internet_full
#acl para el manejo de grupo internet_full
acl Autenticados proxy_auth REQUIRED # fuerza el
pedido de autenticacion
# get access using before defined acls
http_access deny urlDenegadas !Sistemas
http_access allow novalida
http_access allow urlAuditoria auditoria
http_access allow Sistemas
http_access allow urlPermitidas InetAccessControl
http_access allow InetAccessFull
http_access deny !Autenticados
http_access deny all
--- Philip Kloppers <philip@xxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
> I have an OpenSuse 10.2 box that runs Samba /
> OpenLDAP as a PDC, as well as
> Squid with delay pools to limit bandwidth dependant
> upon user, group, time
> of day and machine. I have managed to get everything
> working and
> authenticating correctly using smb_ldap_auth and
> smb_ldap_group. However, I
> would like to get the clients to authenticate
> transparently using the domain
> credentials from the initial domain logon, and not
> having to re-authenticate
> every time they open the browser.
>
> The clients (mostly XP with a few FreeNX terminals
> on various Linux
> flavours) are all set up to use the proxy, and then
> iptables rules blocking
> users from bypassing the proxy, so I am not
> transparently intercepting web
> traffic, as I understand that authentication cannot
> be used with a
> transparent proxy.
>
> Is single sign-on a possibility without using an M$
> PDC? All the searching
> seems to point to using ntlm_auth for this sort of
> thing.
>
> Philip
>
> PS: I have tried using ntlm_auth to authenticate
> against the Samba server...
> the users are able to authenticate correctly, but
> still need to re-enter
> their credentials every time they open their
> browsers.
>
>
____________________________________________________________________________________
Special deal for Yahoo! users & friends - No Cost. Get a month of Blockbuster Total Access now
http://tc.deals.yahoo.com/tc/blockbuster/text3.com
