Thanks for the answer. My problem:
After starting winbind, I tested:

# /usr/bin/ntlm_auth "PARIS.VISEO.NET" --username=root
NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)

The Squid server is the Samba PDC.

"Robert Schetterer" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Rodolphe A. wrote:
> > Hello,
> >
> > Samba is set up as a PDC with LDAP.
> >
> > Client: Windows XP Pro SP2
> > Server: Samba 3.0.20 + OpenLDAP 2.2 + Squid 2.5stable14 + squidGuard
> >
> > Is it possible to create an automatic logon with Internet Explorer?
> >
> > Perhaps with ntlm_auth, but I can't find the right sentence.
> >
> > Thanks.
>
> Hi, I have done just this and it has worked perfectly for nearly a year now.
> But you have many choices for realizing this.
> The setup which will include all possible features with an SMB PDC (with
> LDAP) is like this.
> If you use Firefox or IE with the automatic proxy search setting, they
> search for files like proxy.dat, proxy.pac, wpad.dat on a web server on
> the gateway of the local network; these files hold the data that tells
> the browser where to find the proxy.
> Additionally, you have to have entries in your internal DNS like
>
> wpad.tcp SRV 0 0 80 wpad
> wpad A 192.168.110.1
> TXT "service: wpad:!http://intranet.gundk.intern:80/proxy.pac"
>
> and on the internal DHCP server like this
>
> option wpad code 252 = text;
> option wpad "http://192.168.110.1/proxy.pac\n";
>
> You can find FAQs and documentation about this on the Squid site.
> I have implemented different groups in the Windows domain, like wwwuser,
> which can join the internet via the proxy, and a group filteroveride to
> join the WWW directly without using squidGuard (for admins etc.).
> So you can manage the groups from usrmgr.
>
> So I have entries like this in squid.conf:
>
> # user group which is allowed to access the internet in general
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-3001
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-3001
> auth_param basic children 5
>
> # auth_param ntlm use_ntlm_negotiate on
> # auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 15 minutes
>
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> acl user proxy_auth REQUIRED
> http_access allow user
>
> # PAM auth against a system group works here too (nss_ldap); we use it to
> # override the redirector for VIPs
>
> external_acl_type unix_group %LOGIN /usr/sbin/squid_unix_group -g wwwdirect
> acl direct external unix_group wwwdirect
> redirector_access deny direct
> always_direct allow direct
> http_access allow direct
>
> As you see, I used the SID of the NT groups, because their names didn't
> work. To override squidGuard I use a system group which is the same
> as an NT group, because there is a mapping over nss_ldap
> (other setups may be better, but this works).
>
> Then I configured winbind to use the local SMB PDC (just join your own
> domain)... I'm not sure why I did this, but I think it was a must with
> Squid; Squid must run as a user that is able to join the winbind
> socket (see the Squid and Samba documentation).
> After all that, you need a few iptables rules to forbid bypassing the proxy.
>
> Note: you can't use Squid auth with a transparent proxy Squid setup!
> But if you don't need auth and the group stuff, a setup with a Squid
> transparent proxy and iptables makes it much easier to implement
> automatic filtering (see the Squid FAQs for how to do this). If you
> do so, you can only manage things by the source IP of the client
> computer, but not by user name or group auth.
>
> (Don't copy and paste this; read the FAQs.)
> Best Regards
>
> --
> With kind regards
> Best Regards
> Robert Schetterer
>
> robert_at_schetterer_dot_org
> Munich / Bavaria / Germany
> https://www.schetterer.org
> https://www.schetterer.com/public-gpg-robert-schetterer.key
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
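
A sketch of the proxy.pac / wpad.dat file that the quoted reply says the browsers fetch, as an added example that is not part of the original thread or anyone's actual configuration. The address 192.168.110.1 and the ".intern" suffix come from the quoted message; port 3128, the /24 mask and the helper names are assumptions.

```javascript
// Constructed values: port 3128 and the /24 mask are assumptions.
var PROXY = "PROXY 192.168.110.1:3128";
var LOCAL_SUFFIX = ".intern";
var LOCAL_NETS = [["192.168.110.0", 24], ["127.0.0.0", 8]];

// Convert a strict dotted-quad literal to a 32-bit number, or null if the
// string is not an IPv4 literal. No DNS lookup is done, so a name can never
// be treated as local just because of what it resolves to.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True only for IPv4 literals inside one of the LOCAL_NETS ranges.
function inLocalNet(host) {
  var ip = ipv4ToInt(host);
  if (ip === null) return false;
  for (var i = 0; i < LOCAL_NETS.length; i++) {
    var base = ipv4ToInt(LOCAL_NETS[i][0]);
    var size = Math.pow(2, 32 - LOCAL_NETS[i][1]);
    if (ip >= base && ip < base + size) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase().replace(/\.$/, "");   // normalise case and trailing dot
  if (host.indexOf(".") === -1) return "DIRECT";   // plain intranet host names
  // Match the suffix at the end only, so "x.intern.example.com" is not local.
  if (host.slice(-LOCAL_SUFFIX.length) === LOCAL_SUFFIX) return "DIRECT";
  if (inLocalNet(host)) return "DIRECT";
  // No "; DIRECT" fallback: if Squid is unreachable the request fails instead
  // of leaving the network without authentication and squidGuard filtering.
  return PROXY;
}
```

The PAC file only steers cooperating browsers; the iptables rules mentioned in the quoted reply are still what stops a client that ignores it.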