> Gavin,
> I know how you feel I battled with winbind and these problems for ages and
> finally it all worked. Below is the relevant parts of my squid.conf.
I'm /almost/ there :) winbindd now seems to work fine, and I can
successfully limit squid access only to those who authenticate using NTLM...
those currently logged into the domain see no pop-up password prompt, and
those roaming can just tap in their on-site user/password/domain into the
box...
However, the grail is to achieve two things:
1) Members of the 'Domain Admins' group are allowed proxy access to any
site, at any time of day
2) All other authenticated users are only permitted to use a set list of
websites during office hours.
At present, if I reference anything relating to NT groups, I just get
'Access Denied' from squid..
Here's my entire squid.conf for 2.5.STABLE2, verbatim:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
acl domainadmins external NT_global_group "Domain Admins"
acl domainmember proxy_auth REQUIRED
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 80.76.192.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl morning time MTWHF 09:00-12:59
acl afternoon time MTWHF 14:00-16:59
acl whitelist dstdomain "/etc/squid.whitelist"
http_access allow localhost
# admins should get full access, whenever, wherever.
http_access allow domainmember domainadmins
# non-admins can only look at certain sites during office hours ...
http_access deny domainmember morning !whitelist
http_access deny domainmember afternoon !whitelist
# ... and all sites outside office hours.
http_access allow domainmember
# non-auth'd users get nada
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
As it stands, this config does not work as I want because members of 'Domain
Admins' group are assigned the same privileges as normal NTLM-auth'd users.
I don't understand this, because:
wintermute:~# /usr/lib/squid/wb_group
floss "Domain Admins"
OK
I've also tried surrounding the Domain Admins group name with single and
double-quoted in squid.conf, but this has made no difference
As always, I'm interested in suggestions :)
Cheers,
Gavin.
Received on Tue Apr 01 2003 - 03:43:52 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:34 MST