On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries<squid3@xxxxxxxxxxxxx> wrote:
> Avinash Rao wrote:
>>
>> ---------- Forwarded message ----------
>> From: Avinash Rao <avinash.aol@xxxxxxxxx>
>> Date: Tue, Sep 8, 2009 at 11:13 AM
>> Subject: Re: Fwd: Need help in integrating squid and samba
>> To: Amos Jeffries <squid3@xxxxxxxxxxxxx>
>> Cc: Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx>,
>> squid-users@xxxxxxxxxxxxxxx
>>
>> On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx>
>> wrote:
>>>
>>> Avinash Rao wrote:
>>>>
>>>> On 8/31/09, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>>>
>>>>> Avinash Rao wrote:
>>>>>
>>>>>> On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom
>>>>>> <henrik@xxxxxxxxxxxxxxxxxxx> wrote:
>>>>>>
>>>>>> Sun 2009-08-23 at 15:08 +0530, Avinash Rao wrote:
>>>>>> > I couldn't find any document that shows me how to enable wb_info
>>>>>> > for squid.
>>>>>> > Can anybody help me?
>>>>>>
>>>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>>>>
>>>>>> acl group1 external NT_Group group1
>>>>>>
>>>>>> then use group1 whenever you want to match users belonging to that
>>>>>> Windows group.
>>>>>>
>>>>>> Regards
>>>>>> Henrik
>>>>>>
>>>>>>
>>>>>> Hi Henrik,
>>>>>>
>>>>>> I have used the following in my squid.conf
>>>>>>
>>>>>> external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
>>>>>> acl group1 external NT_Group staff
>>>>>>
>>>>>> acl net time M T W T F S S 9:00-18:00
>>>>>> http_access allow net
>>>>>>
>>>>>> On my linux server, I have created a group called staff and made a
>>>>>> couple of users a member of this group called staff. My intention is
>>>>>> to provide access to users belonging to group staff on all days from
>>>>>> morning 9am - 7PM. The rest should be denied.
>>>>>>
>>>>>> But this didn't work, when the Samba users login from a winxp client,
>>>>>> it doesn't get access to internet at all.
>>>>>
>>>>> There is no http_access line making any use of ACL "group1"
>>>>>
>>>>> And _everybody_ (me included on this side of the Internet) is allowed
>>>>> to use your proxy between 9am and 6pm.
>>>>>
>>>>>
>>>>> Amos
>>>>
>>>> Thanks for the reply, Ya I missed http_access allow group1
>>>> I didn't understand your second statement, are you telling me that I
>>>> should deny access to net?
>>>
>>> You should combine the ACL with others on an http_access line so that it's
>>> limited to who it allows.
>>>
>>> This:
>>> acl net time M T W T F S S 9:00-18:00
>>> http_access allow net
>>>
>>> simply says "all requests are allowed between time X and Y".
>>> Without additional controls, ie on IP address making the request, you
>>> end up with an open proxy.
>>>
>>> Amos
>>
>> Dear Amos,
>>
>> I am still not able to get this working. Here's what I want to
>> accomplish. I have WinXP - SP2 clients logging onto the samba domain
>> and LTSP users. All users use squid proxy. My intention is to control
>> the samba users from accessing the internet at certain times.
>>
>> If I don't use the external_acl_type NT_Group as mentioned below, the
>> squid works properly for all users, even windows and anybody using
>> squid proxy.
>>
>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>> acl group1 external NT_Group group1
>>
>> I have created a group called staff using net rpc command and I
>> have made all the users using winxp a member of this group staff. So,
>> my acl will look like
>>
>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>> acl acl_name external NT_Group staff
>> http_access allow staff
>>
>> According to my understanding, it should allow only those samba users
>> which come under the group staff. But that's not happening, squid
>> denies access to the internet.
>
> _when tested_ it should be doing that. Other rules around it have an effect
> that you may have overlooked.
>
> Then again the group name is case-sensitive. The helper is OS access
> permission sensitive, and NTLM auth has difficulties all of its own.
>
>
> I'll need to see the whole access config to know what's going on. And remind
> me what version of Squid this is.
>
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>   Current Beta Squid 3.1.0.13
>

hi,

root@sunbox:/etc/squid# dpkg -l | grep squid
ii  squid         2.6.18-1ubuntu3  Internet object cache (WWW proxy cache)
ii  squid-common  2.6.18-1ubuntu3  Internet object cache (WWW proxy cache) - co

squid.conf

visible_hostname sunbox
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
http_port 10.10.10.200:3128
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl staffgroup external NT_Group staff

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl Safe_ports port 993 # IMAP
acl Safe_ports port 587 # SMTP
acl Safe_ports port 22 # SSH
acl purge method PURGE
acl special_urls url_regex "/etc/squid/squid-noblock.acl"
acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
acl lan src 192.168.1.0 10.10.10.0/24
acl stud ident_regex babu
acl download method GET
acl CONNECT method CONNECT

cache_mem 100 MB
#redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
ident_lookup_access allow all

http_access allow staffgroup
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access allow special_urls
http_access deny extndeny download
http_access deny extndeny
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny badurl
http_access deny malware_block_list
deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

Thanks
Avinash
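
Added example, not part of the original thread and not Squid's own code: a small Python model of the http_access behaviour discussed above (ACLs on one line are ANDed, the first matching line decides), showing why "http_access allow net" alone gives an open proxy and how combining ACLs limits it. The rule lists, the request dict format and the sample requests are constructed for illustration, and group membership is given directly instead of being looked up by wbinfo_group.pl.

```python
import ipaddress
from datetime import time

# Simplified stand-ins for the thread's ACLs. Each takes a request dict
# (a constructed format: src, time, groups) and returns True on match.
LAN = ipaddress.ip_network("10.10.10.0/24")
ACLS = {
    "all": lambda r: True,
    "net": lambda r: time(9, 0) <= r["time"] <= time(18, 0),   # acl net time
    "lan": lambda r: ipaddress.ip_address(r["src"]) in LAN,    # acl lan src
    # In Squid this answer comes from the external helper after login;
    # here group membership is simply given in the request (assumption).
    "staffgroup": lambda r: "staff" in r["groups"],
}

def acl_matches(name, req):
    """Evaluate one ACL name; a leading '!' negates it."""
    if name.startswith("!"):
        return not ACLS[name[1:]](req)
    return ACLS[name](req)

def http_access(rules, req):
    """First line whose ACLs ALL match decides; later lines are not read."""
    for action, names in rules:
        if all(acl_matches(n, req) for n in names):
            return action
    if not rules:
        return "deny"  # no http_access lines at all: Squid denies
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# "http_access allow net" on its own, as quoted in the thread.
TIME_ONLY = [("allow", ["net"]), ("deny", ["all"])]
# The same time window combined with group and source address on one line.
COMBINED = [("allow", ["staffgroup", "net", "lan"]), ("deny", ["all"])]

# Constructed sample requests.
OUTSIDER = {"src": "203.0.113.7", "time": time(10, 0), "groups": []}
STAFF_DAY = {"src": "10.10.10.21", "time": time(10, 0), "groups": ["staff"]}
STAFF_NIGHT = {"src": "10.10.10.21", "time": time(20, 0), "groups": ["staff"]}
OTHER_LAN = {"src": "10.10.10.30", "time": time(10, 0), "groups": []}

if __name__ == "__main__":
    for label, rules in (("time only", TIME_ONLY), ("combined", COMBINED)):
        for name in ("OUTSIDER", "STAFF_DAY", "STAFF_NIGHT", "OTHER_LAN"):
            print(f"{label:10} {name:12} {http_access(rules, globals()[name])}")
```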