After #net join:
Success on the command line.
I am searching for the good sentence for squid.conf,
with or without this: --helper-protocol=squid-2.5-ntlmssp
Any idea?

"Rodolphe A." <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> thanks for the answer.
>
> my problem:
>
> after starting winbind, I tested
> #/usr/bin/ntlm_auth "PARIS.VISEO.NET" --username=root
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
>
> the squid server is the samba pdc.
>
> "Robert Schetterer" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> > Rodolphe A. wrote:
> > > hello,
> > >
> > > samba is set up as PDC with ldap
> > >
> > > client : windows xp pro sp2
> > > server : samba 3.0.20 + openldap 2.2 + squid 2.5stable14 + squidGuard
> > >
> > > is it possible to create an automatic logon with internet explorer ?
> > >
> > > perhaps with ntlm_auth, but I can't find the good sentence.
> > >
> > > thanks.
> >
> > Hi, I've done just this and it works perfectly now for nearly a year.
> > But you have many choices to realize this.
> > The setup which will include all possible features with a smb pdc
> > (with ldap) is like this.
> > If you use firefox or ie with the automatic search proxy setting,
> > they search for files like proxy.dat, proxy.pac, wpad.dat on a
> > webserver on the gateway of the local network; these files hold the
> > data on where the browser will find the proxy.
> > Additionally you have to have entries in your internal dns like
> >
> > wpad.tcp SRV 0 0 80 wpad
> > wpad A 192.168.110.1
> > TXT "service: wpad:!http://intranet.gundk.intern:80/proxy.pac"
> >
> > and on the internal dhcp server like this
> >
> > option wpad code 252 = text;
> > option wpad "http://192.168.110.1/proxy.pac\n";
> >
> > you can find FAQs and docs about this on the squid site.
> > I have implemented different groups in the win domain like wwwuser,
> > which can join the internet via proxy, and a group filteroveride to
> > join directly www without using squidGuard (for admins etc).
> > So you can manage the groups out from usrmgr.
> >
> > so I have entries like this in squid.conf
> >
> > # user group which are allowed to access the internet in general
> >
> > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-3001
> > auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-3001
> > auth_param basic children 5
> >
> > # auth_param ntlm use_ntlm_negotiate on
> > # auth_param ntlm max_challenge_reuses 0
> > auth_param ntlm max_challenge_lifetime 15 minutes
> >
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > acl user proxy_auth REQUIRED
> > http_access allow user
> >
> > # pam auth against a system group works here too (nss_ldap), we use it to
> > # override the redirector for VIPs
> >
> > external_acl_type unix_group %LOGIN /usr/sbin/squid_unix_group -g wwwdirect
> > acl direct external unix_group wwwdirect
> > redirector_access deny direct
> > always_direct allow direct
> > http_access allow direct
> >
> > as you see I used the sid of the nt groups, because their names didn't
> > work; to override squidGuard I use a system group which is the same
> > as a nt group because there is mapping over nss_ldap
> > (other setups may be better but this works)
> >
> > then I configured winbind to use the local smb pdc (just join your own
> > domain)... I'm not sure why I did this but I think it was a must with
> > squid; squid must run with a user that is able to join the winbind
> > socket (see squid, samba docs)
> > After all you need a few iptables rules to forbid bypassing the proxy.
> >
> > note you can't use squid auth with a transparent proxy squid setup!
> > But if you don't need auth and the group stuff,
> > a setup with a squid transparent proxy and iptables is much easier to
> > implement automatic filtering (see squid FAQs how to do this); if you
> > do so you can only manage things with the source ip of the client
> > computer, but not by user name or group auth.
> >
> > (don't copy and paste this, read the FAQs)
> > Best Regards
> >
> > --
> > With kind regards
> > Best Regards
> > Robert Schetterer
> >
> > robert_at_schetterer_dot_org
> > Munich / Bavaria / Germany
> > https://www.schetterer.org
> > https://www.schetterer.com/public-gpg-robert-schetterer.key
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
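
The squid.conf quoted in the thread gives the ntlm helper and the basic helper the same --require-membership-of value. As an added example (not part of the thread and not Samba or Squid code), the Python check below verifies that pairing: Squid offers every configured scheme, so a helper left without the restriction accepts any domain user. The SID in the samples is a constructed placeholder.

```python
import re
import shlex

# Helper protocol that ntlm_auth must speak for each Squid auth scheme
EXPECTED_PROTOCOL = {"ntlm": "squid-2.5-ntlmssp", "basic": "squid-2.5-basic"}

def parse_helpers(conf_text):
    """Return {scheme: {"protocol": ..., "group": ...}} for ntlm_auth helpers."""
    helpers = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"auth_param\s+(\w+)\s+program\s+(.+)", line)
        if not m or "ntlm_auth" not in m.group(2):
            continue
        args = shlex.split(m.group(2))[1:]
        opts = dict(a[2:].split("=", 1) for a in args if a.startswith("--") and "=" in a)
        helpers[m.group(1)] = {"protocol": opts.get("helper-protocol"),
                               "group": opts.get("require-membership-of")}
    return helpers

def lint(conf_text):
    """Return a list of findings; an empty list means the helpers are consistent."""
    findings = []
    helpers = parse_helpers(conf_text)
    for scheme, h in sorted(helpers.items()):
        want = EXPECTED_PROTOCOL.get(scheme)
        if want and h["protocol"] != want:
            findings.append(f"{scheme}: helper-protocol is {h['protocol']!r}, expected {want!r}")
        if h["group"] is None:
            findings.append(f"{scheme}: no --require-membership-of, any domain user passes")
    groups = {h["group"] for h in helpers.values() if h["group"]}
    if len(groups) > 1:
        findings.append("schemes require different groups: " + ", ".join(sorted(groups)))
    return findings

# Constructed samples; the SID is a placeholder, not the one from the thread
SID = "S-1-5-21-1111111111-2222222222-3333333333-3001"
GOOD = f"""
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of={SID}
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of={SID}
"""
BAD = f"""
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of={SID}
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
"""

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(conf) or "ok")
```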