Search squid archive

Re: Need help in integrating squid and samba

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries<squid3@xxxxxxxxxxxxx> wrote:
> Avinash Rao wrote:
>>
>> ---------- Forwarded message ----------
>> From: Avinash Rao <avinash.aol@xxxxxxxxx>
>> Date: Tue, Sep 8, 2009 at 11:13 AM
>> Subject: Re: Fwd:  Need help in integrating squid and samba
>> To: Amos Jeffries <squid3@xxxxxxxxxxxxx>
>> Cc: Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx>,
>> squid-users@xxxxxxxxxxxxxxx
>>
>>
>>
>>
>> On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx>
>> wrote:
>>>
>>> Avinash Rao wrote:
>>>>
>>>> On 8/31/09, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>>>
>>>>> Avinash Rao wrote:
>>>>>
>>>>>> On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom
>>>>>
>>>>> <henrik@xxxxxxxxxxxxxxxxxxx
>>>>> <mailto:henrik@xxxxxxxxxxxxxxxxxxx>> wrote:
>>>>>>
>>>>>>  sön 2009-08-23 klockan 15:08 +0530 skrev Avinash Rao:
>>>>>>   > I couldn't find any document that shows me how to enable wb_info
>>>>>>  for squid.
>>>>>>   > Can anybody help me?
>>>>>>
>>>>>>  external_acl_type NT_Group %LOGIN
>>>>>>  /usr/local/squid/libexec/wbinfo_group.pl
>>>>>>
>>>>>>  acl group1 external NT_Group group1
>>>>>>
>>>>>>
>>>>>>  then use group1 whenever you want to match users belonging to that
>>>>>>  Windows group.
>>>>>>
>>>>>>  Regards
>>>>>>  Henrik
>>>>>>
>>>>>>
>>>>>> Hi Henrik,
>>>>>>
>>>>>> I have used the following in my squid.conf
>>>>>>
>>>>>> external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl acl
>>>>>
>>>>> group1 external NT_Group staff
>>>>>>
>>>>>> acl net time M T W T F S S 9:00-18:00
>>>>>> http_access allow net
>>>>>>
>>>>>> On my linux server, I have created a group called staff and made a
>>>>>> couple
>>>>>
>>>>> of users a member of this group called staff. My intention is to
>>>>> provide
>>>>> access to users belonging to group staff on all days from morning 9am -
>>>>> 7PM.
>>>>> The rest should be denied.
>>>>>>
>>>>>> But this didn't work, when the Samba users login from a winxp client,
>>>>>> it
>>>>>
>>>>> doesn't get access to internet at all.
>>>>> There is no http_access lien making any use of ACL "group1"
>>>>>
>>>>> And _everybody_ (me included on this side of the Internet) is allowed
>>>>> to use
>>>>> your proxy between 9am ad 6pm.
>>>>>
>>>>>
>>>>> Amos
>>>>
>>>> Thanks for the reply, Ya i missed http_access allow group1
>>>> I didn't understand your second statement, are u telling me that i
>>>> should deny access to net?
>>>
>>> You should combine the ACL with others on an http_access line so that its
>>> limited to who it allows.
>>>
>>> This:
>>>  acl net time M T W T F S S 9:00-18:00
>>>  http_access allow net
>>>
>>> simply says "all requests are allowed between time X and Y".
>>> Without additional controls, ie on IP address making the request,  you
>>> end up with an open proxy.
>>>
>>> Amos
>
>>
>> Dear Amos,
>>
>> I am still not able to get this working.  Here's what i want to
>> accomplish. I have WinXP - SP2 clients logging onto the samba domain
>> and LTSP users. All users use squid proxy. My intention is to control
>> the samba users from accessing the internet at certain times.
>>
>> If i don't use the external_acl_type NT_Group as mentioned below, the
>> squid works properly for all users, even windows and anybody using
>> squid proxy.
>>
>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/
>> wbinfo_group.pl
>> acl group1 external NT_Group group1
>> I have created a group called staff using net rpc command and i am i
>> have made all the users using winxp a member of this group staff. So,
>> my acl will look like
>>
>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>> acl acl_name external NT_Group staff
>> http_access allow staff
>>
>> According to my understanding, it should allow only those samba users
>> which come under the group staff. But thats not happening, squid
>> denies access to the internet.
>
> _when tested_ it should be doing that. Other rules around it have an effect
> that you may have overlooked.
>
> Then again the group name is case-sensitive. The helper is OS access
> permission sensitive, and NTLM auth has difficulties all of its own.
>
>
> I'll need to see the whole access config to know whats going on. And remind
> me what version of Squid this is.
>
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>  Current Beta Squid 3.1.0.13
>

hi,


root@sunbox:/etc/squid# dpkg -l | grep squid
ii  squid                                 2.6.18-1ubuntu3
                        Internet object cache (WWW proxy cache)
ii  squid-common                          2.6.18-1ubuntu3
                        Internet object cache (WWW proxy cache) - co

squid.conf

visible_hostname sunbox
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
http_port 10.10.10.200:3128
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl staffgroup external NT_Group staff

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80                # http
acl Safe_ports port 21                # ftp
acl Safe_ports port 443 563           # https, snews
acl Safe_ports port 70                # gopher
acl Safe_ports port 210               # wais
acl Safe_ports port 1025-65535        # unregistered ports
acl Safe_ports port 280               # http-mgmt
acl Safe_ports port 488               # gss-http
acl Safe_ports port 591               # filemaker
acl Safe_ports port 631               # cups
acl Safe_ports port 777               # multiling http
acl Safe_ports port 901               # SWAT
acl Safe_ports port 993		      # IMAP
acl Safe_ports port 587		      # SMTP		
acl Safe_ports port 22                # SSH
acl purge method PURGE
acl special_urls url_regex "/etc/squid/squid-noblock.acl"
acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
acl lan src 192.168.1.0 10.10.10.0/24
acl stud ident_regex babu
acl download method GET
acl CONNECT method CONNECT
cache_mem 100 MB
#redirect_program /usr/bin/squidGuard –c /etc/squid/squidGuard.conf
ident_lookup_access allow all
http_access allow staffgroup
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access allow special_urls
http_access deny extndeny download
http_access deny extndeny
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny badurl
http_access deny malware_block_list
deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid


Thanks
Avinash


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux