Hi!
I'm having problem getting authentication with groups. I'm using the helper that is part of samba 3.0, not the squid helper. Basic authentication e ntlm authentication work fine, but I cannot get wbinfo_group.pl working.
[Scenario]: box with redhat 9+ samba 3 + squid 2.5. STABLE4
Configuration of squid.conf
auth_param ntlm program /usr/local/samba/bin/ntlm_auth --debug-level= 10 --helper-protocol=squid-2.5-ntlmssp --nt-response
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 15 minutes
authenticate_ttl 1 hour
external_acl_type wbinfo_group_helper ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl gruppoInternet external wbinfo_group_helper -i "/etc/squid/gruppi/Internet"
acl password proxy_auth REQUIRED
http_access deny password !gruppoInternet
http_access deny all
The file /etc/squid/gruppi/Internet has the name of group. With samba 2.2.8a it works fine
Configuration of samba
#/usr/local/samba/lib/Smb.conf
[global]
workgroup = advnet
server string = Samba Server on %v
hosts allow = 192.168.150. 127.
log file = /var/log/samba/%m.log
max log size = 1000
security = domain
password server = srvadvnet
encrypt passwords = yes
smb passwd file = /usr/local/samba/private/smbpasswd
interfaces = 192.168.150.250/24
domain master = no
preferred master = no
wins support = no
#********************winbindd************************
winbind use default domain = yes
template shell = /bin/bash
template homedir = /home/%D/%U
idmap uid = 10000-65000
idmap gid = 10000-65000
winbind enum users = yes
winbind enum groups = yes
Samba 3.00 ./configure --with-winbind --with-winbind-auth-challenge --with-msdfs --w
ith-smbwrapper --with-smbmount --with-pam_smbpass --with-nmbd
Squid2.5STABLE4: ./configure --enable-auth=basic,digest,ntlm
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group
--enable-kill-parent-hack --enable-err-language=italian
I've changed the permissions for the directory winbindd_priviledged and file pipe:
[root@X007 locks]# ls -laF
drwxr-x--- 2 root squid 4096 20 nov 14:02 winbindd_privileged/
srwxrwxrwx 1 root root 0 20 nov 14:02 pipe
I change the wbinfo_group.pl as http://itmanagers.net/posts10-0.html&postdays=0&postorder=asc&highlight=
[root@X007 squid]# vi /usr/lib/squid/wbinfo_group.pl
#!/usr/bin/perl -w
#
# external_acl helper to Squid to verify NT Domain group
# membership using wbinfo
#
# This program is put in the public domain by Jerry Murdock
# <jmurdock@itraktech.com>. It is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Author:
# Jerry Murdock <jmurdock@itraktech.com>
#
# Version history:
# 2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
# Initial release
#
# external_acl uses shell style lines in it's protocol
#require 'shellwords.pl';
# Disable output buffering
$|=1;
sub debug {
# Uncomment this to enable debugging
#print STDERR "@_\n";
}
#
# Check if a user belongs to a group
#
sub check {
local($user, $group) = @_;
$groupSID = `wbinfo -n "$group"`;
chop $groupSID;
$groupGID = `wbinfo -Y $groupSID`;
chop $groupGID;
&debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
return 'ERR';
}
sub shellwords {
local (@words, $user, $group);
($user = $1, $group = $2) if (s/.*\\(.*)\s(.*)//);
push (@words, $user, $group);
@words;
}
#
# Main loop
#
while (<STDIN>) {
chop;
&debug ("Got $_ from squid");
($user, $group) = &shellwords;
$ans = &check($user, $group);
&debug ("Sending $ans to squid");
print "$ans\n";
}
Thanks for all help.
Regards
Ps. : excuse me for the previous italian mail.
Samantha Cicchelero
ADVNET s.r.l.
Via Marco Corner, n. 19
36016 Thiene (VI)
ITALY
Phone +39 0445 371093
Fax +39 0445 371094
Web Site http://www.advnet.it
Ai sensi della Legge 675/96 si precisa che le informazioni contenute in questo messaggio sono riservate ed a uso esclusivo del destinatario. Qualora il messaggio in parola Le fosse pervenuto per errore, la preghiamo di eliminarlo senza copiarlo e di non inoltrarlo a terzi, dandocene gentilmente comunicazione. Grazie.
This message for the law 675/96, may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
Received on Thu Nov 20 2003 - 08:58:29 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:21:25 MST