Please some one check my config and help me in sorting this problme..of
squid and windows 2003 group filtering ..
Regards,
Srinivasa Chary
----- Original Message -----
From: "Srinivasa Chary" <srinivasc_nts@omzest.com>
To: <squid-users@squid-cache.org>
Sent: Monday, January 31, 2005 4:34 PM
Subject: [squid-users] squid with Windows 2003 group filtering problem
> Hi All,
>
> I am getting problem when doing group filtering using from windows 2003
> server.
> I am using squid-2.5.STABLE3 and samba-3.0.0
>
> i am able to authenticate all the users perfectly with out group
> varification, when i want to do group filtering it is not applying . can
> some help me in implimenting the group filtering in squid using windows
2003
> group.
>
> The below are the configuration details of my squid, wbinfo_grou and samba
> files.
>
> Squid.conf:
>
> http_port 3128
> cache_effective_user squid
> cache_effective_group squid
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> visible_hostname NTSP1
> debug_options ALL,1 32,2 28,9
>
> auth_param ntlm program
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param basic program
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> external_acl_type NT_global_group %LOGIN /etc/squid/wbinfo_group.pl
>
> acl AllowedNTUsers external NT_global_group "/etc/squid/allowedntgroups"
> acl LoggedInUsers proxy_auth REQUIRED
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access allow AllowedNTUsers
> http_access allow LoggedInUsers
> http_access deny !AllowedNTUsers
> http_access deny !LoggedInUsers
>
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
>
> http_reply_access allow all
> icp_access allow all
> coredump_dir /var/cache/squid
> cache_dir ufs /var/cache/squid 100 16 256
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
>
> ===========================================
>
> smb.conf
>
> [global]
> workgroup = WK3
> netbios name = WK3
> realm = WK3.SERVER
> security = ads
> encrypt passwords = yes
> password server = digital.wk3.server
> # separate domain and username with /, like DOMAIN/username
> winbind separator = /
> # use UIDs from 10000 to 20000 for domain users
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> # allow enumeration of winbind users and groups
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
>
> ======================================================
> wbinfo_group.pl
>
> # external_acl uses shell style lines in it's protocol
> #require 'shellwords.pl';
>
> # Disable output buffering
> $|=1;
>
> sub debug {
> # Uncomment this to enable debugging
> #print STDERR "@_\n";
> }
>
> #
> # Check if a user belongs to a group
> #
> sub check {
> local($user, $group) = @_;
> $groupSID = `/usr/bin/wbinfo -n "$group"`;
> #because the new wbinfo -n returns also the group number
> #we do the following
> $groupSID = substr($groupSID,0,index($groupSID," ",0));
> $groupGID = `/usr/bin/wbinfo -Y $groupSID`;
> chop $groupGID;
> &debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-
> \nGID: -$groupGID-");
> # return 'OK' if(`/usr/bin/wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
> $groupmem = `/usr/bin/wbinfo -r $user`;
> if ($groupmem) {
> $groupchk = ($groupmem =~ /^$groupGID$/m);
> if ($groupchk) {
> return 'OK';
> }
> }
> return 'ERR';
> }
>
> #
> # Main loop
> #
> while (<STDIN>) {
> chop;
> &debug ("Got $_ from squid");
> #H1 was added by holger
> @H1=split(/\s+/, $_);
> #printf ("User:%s\n",$H1[0]);
> #printf ("Group:%s\n",$H1[1]);
> $user = $H1[0];
> $group = $H1[1];
> # ($user, $group) = &shellwords;
> $ans = &check($user, $group);
> &debug ("Sending $ans to squid");
> print "$ans\n";
> }
>
>
> Thanks in advance
>
> Regards,
> Srinivas
>
>
>
>
Received on Wed Feb 02 2005 - 21:27:44 MST
This archive was generated by hypermail pre-2.1.9 : Tue Mar 01 2005 - 12:00:01 MST