[squid-users] integrating squid/linux with windows 2003 domain controller and active directory

2004-09-08 Thread narancs
Dear All,
We have this situation:
1. internet proxy for a company is a suse 9.0 linux dist with squid-2.5.STABLE3-110
2. proxy authentication is required
3. usernames/password should be taken from the company's windows' active directory
4. there are three groups of users: three different acls are required:
- average joe user can only view some sites based on a list
- leaders can view anything, but only http and https
- sysadmins can ftp, too
5. group membership should also be taken from windows
6. pre-windows2000 protocols are not enabled because of security policy and
requirements, maybe this is the reason why msnt_auth doesn't seem to work. On a DC
that enables NT4's protocols, msnt_auth works.
7. both ldap_auth authenticators I couldn't get working, although I have seen the
ldap tree scheme, maybe I was wrong understanding it.
My question is:
- does anybody have experience and tips how to get this working?
- will ntlm_auth or msnt_auth work at all with w2k or newer when nt4's older ntlm
and lanman is disabled?
- can ldap_auth work with active directory?
- can we use group membership info somehow?
- is there any way to create a local (open)ldap replica based on the AD?
- should we use pam_auth and pam_ldap instead? or kerberos?
I couldn't find good examples on Google yet to help us get it right.
If my colleagues and I can't cope with it, we'll have to move back to MS ISA proxy,
which personally I don't really like.
thank you very much for your help people!
with regards
N.N.


[squid-users] Squid with no disk cache

2004-09-08 Thread איל לוי
Hello All,

I am running Squid 2.5 as an HTTP accelerator on a Linux machine with a large
amount of memory (2G).
When I check my system I/O I can see that I have a bottleneck in disk I/O.
I would like to configure my squid to use only a memory cache (without writing
the cache to the local disk).

Any idea how to do it?

Regards,
Eyal


[squid-users] New to Squid & need to upgrade to 2.5

2004-09-08 Thread kmo vern
I have inherited a Windows NT 4.0 network that is
running Squid 2.3.Stable4. The issue is that
2.3Stable4 has a file upload limit of 1MB. I am 
needing to upgrade to 2.5 because it doesn't have the
upload restriction. Just in the past week this is
first I have heard of Squid, so I am needing some
guidance in this upgrade process. Any help that could
be provided would be greatly appreciated.

Thanks,
KWH





[squid-users] conf squid to use a specific interface

2004-09-08 Thread Wayne Cox
Hey All...
A while back I posted an inquiry about directing squid's traffic over a 
specific network interface:

how to ... configure Squid to use one specific ethernet interface in 
the machine for outbound traffic to destination web sites?  I have tried 
using "tcp_outgoing_address 12.219.10.10" but it doesn't seem to be working.
And Henrik kindly replied:
What you are missing is proper routing within your OS to make it route 
traffic assigned to that NIC out via the provider connected to that NIC. 
You could also change the default route of your server, but this may have 
impact on other traffic.
Some faq was suggested for Linux environments, but I'm running on FreeBSD 
5.2.   I do not want to change the default route.  Is there some other 
config option in Squid to handle this?

I'm reading up on the IPFW functionality in FreeBSD;  sounds like it can 
route TCP traffic on a per-port basis.  Is this the correct approach?  If 
so, does anyone have a sample of ipfw rules they're using for this?

  -Thanks,
Wayne



RE: [squid-users] integrating squid/linux with windows 2003 domain controller and active directory

2004-09-08 Thread Discussion Lists
Before you move back to ISA, I think I can help.  I was able to get it
to work by ensuring that the machine object in AD is pre-windows 2000
compatible, and also by disabling SMB signing at the DC (you have to do
that using the security templates).  It occurred to me as I was reading
this that it may be possible to define some rules in your IPSec policy
that disable signing only for communication with the squid machines.  I
haven't tried that, so I don't know if it would work (I am not even sure
it has that functionality), but it may be worth a try.

> -Original Message-
> From: narancs [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, September 08, 2004 1:21 AM
> To: [EMAIL PROTECTED]
> Subject: [squid-users] integrating squid/linux with windows 
> 2003 domain controller and active directory
> Importance: High
> 
> 
> Dear All,
> 
> We have this situation:
> 
> 1. internet proxy for a company is a suse 9.0 linux dist with
>    squid-2.5.STABLE3-110
> 2. proxy authentication is required
> 3. usernames/password should be taken from the company's
>    windows' active directory
> 4. there are three groups of users: three different acls are required:
>   - average joe user can only view some sites based on a list
>   - leaders can view anything, but only http and https
>   - sysadmins can ftp, too
> 5. group membership should also be taken from windows
> 6. pre-windows2000 protocols are not enabled because of
>    security policy and requirements, maybe this is the reason
>    why msnt_auth doesn't seem to work. On a DC that enables
>    NT4's protocols, msnt_auth works.
> 7. both ldap_auth authenticators I couldn't get working, although
>    I have seen the ldap tree scheme, maybe I was wrong understanding it.
> 
> My question is:
> - does anybody have experience and tips how to get this working?
> - will ntlm_auth or msnt_auth work at all with w2k or newer 
> when nt4's older ntlm and lanman is disabled?
> - can ldap_auth work with active directory?

Haven't tried it, but interesting question . . .

> - can we use group membership info somehow?

Yes, I have been able to get it to work using Samba and Winbind.  I seem
to remember having to replace the wb_ files from Samba to Squid though,
one in particular was wb_group if I remember correctly.  It has been a
while, so I am trying to remember.

> - is there any way to create a local (open)ldap replica based 
> on the AD?

I don't have an answer to that one, although if it is possible, it could
allow for a range of other possibilities as well.

> - should we use pam_auth and pam_ldap instead? or kerberos?

I didn't need to go that far with it.
> 
> I couldn't find good examples on Google yet to help us get it right.
> 
> If my colleagues and I can't cope with it, we'll have to move 
> back to MS ISA proxy, which personally I don't really like.
> 
> thank you very much for your help people!
> with regards
> N.N.

Also, keep in mind I used Samba 2.x and Winbindd.  That worked for me,
and I haven't tested out Samba 3 yet, although I hear it is a drastic
improvement.  The thing about all of this is that it doesn't "just
work."  You kinda have to tinker with it.  The wb_ files that come with
Squid(correct me if I am wrong someone) don't always play nice with
whatever current version Samba you are running, so you either need to
get versions that match up, or you have to replace out the files.  Maybe
someone on the list has more details than I do about that?

Thanks,
Mark



Re: [squid-users] New to Squid & need to upgrade to 2.5

2004-09-08 Thread Serassio Guido
Hi,
At 16.33 08/09/2004, kmo vern wrote:
I have inherited a Windows NT 4.0 network that is
running Squid 2.3.Stable4. The issue is that
2.3Stable4 has a file upload limit of 1MB. I am
needing to upgrade to 2.5 because it doesn't have the
upload restriction. Just in the past week this is
first I have heard of Squid, so I am needing some
guidance in this upgrade process. Any help that could
be provided would be greatly appreciated.
You can find the latest binaries for Windows here:
http://www.acmeconsulting.it/SquidNT.htm
Regards
Guido

-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426  Fax. : +39.011.3293665
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/


[squid-users] Using A windows 2003 server to authenticate squid users

2004-09-08 Thread ajg
Hi All

I need a pointer or two on tracking bandwidth usage for specific people on my
network. The IP is sufficient, but I would like to be able to use the
usernames from my SMB Windows server to track the usage more accurately and
easily.

Is this possible ...?

Thanks

Andrew Gargan
Programmer/Web Designer - Open Source IT Solutions
cell: +27 (073) 146 3490


[squid-users] clearing a squid cache

2004-09-08 Thread Keith Fergie
Dear All,

Is there a very simple way to clear a cache of all its content to start
again, short of reinstalling?

Kind Regards

Keith
0870 41 40 345



Re: [squid-users] clearing a squid cache

2004-09-08 Thread Jim Matthews
Keith 

I have the following script:

#!/bin/sh
#
# script to shutdown squid, initialize new cache_dir
#

SQUID_CACHE=/var/squid/cache
SQUID_DIR=/usr/local/squid

/etc/init.d/squid stop

mv $SQUID_CACHE /var/squid/old_cache

mkdir $SQUID_CACHE
chown squid $SQUID_CACHE

$SQUID_DIR/sbin/squid -z

/etc/init.d/squid start

Thanks.
-
Jim Matthews 
ISS Systems Administrator 
Duke University - Perkins Library
Box 90196
Durham, NC 27708
Email: [EMAIL PROTECTED]
Voice: 919-660-5963
Fax: 919-684-6990




[squid-users] Questions about a new setup

2004-09-08 Thread Tim Donahue
I have just gotten a new SquidNT proxy up and running, and I would like
to start by saying thank you to all the people that have both put in
time writing Squid, and the people who worked on the port to Windows.  

I have a couple of questions that hopefully can be answered by some of
the more seasoned users. First, I would like to block some of the more
common spyware/adware sites so our users don't accidentally install any of
that type of software.  I have found several sites that have lists of
websites; unfortunately these lists seem to be very broad in what gets
listed.  I was wondering if anyone knows of a list that only lists the
spyware type of sites, preferably one that is fairly regularly
maintained.

Second, my employers would like to be able to get per-user statistics on
their web usage.  I would like to implement a web-based solution for
them to allow them easy access to the information whenever it is
needed.  I have looked at webalizer, and it does some of what I would
like to do; however I have not found a way to generate the per-user
statistics.  Of course, by statistics I'm not talking about just
numbers.  Among the things that would like to be reported would be the
top sites that each user visits.

I have also looked at using SLUG, which as far as I can tell from
looking at the documentation will do the per-user statistics; however I
was wondering if anyone has been able to get it working in a
Windows-based setup.  I personally do not have any problems using Linux;
however I am worried about keeping the access.log files synchronized
between a Linux server (to host the reporting) and the Windows Squid
proxy.

If SLUG would not work in my setup, could anyone recommend a program that
does do per-user statistics? I would appreciate it.

Tim Donahue



RE: [squid-users] Using A windows 2003 server to authenticate squid users

2004-09-08 Thread Discussion Lists
I have been able to get this to work.  I am working on a how-to, but
basically here is how it works.  Squid authenticates to Win2003 using
Samba and Winbindd.  Squid enforces authentication on users connecting
to the outside world, and records their activity by username in the
access.log.  I have a script, a modification of the Squid2Mysql
script that is on SourceForge.net, that will basically tail the
access.log and throw it into a MySQL database.  There is no way to get
it into MySQL directly as of now that I know of.  Once it is in the
database, it is trivial to write some kind of front-end that will display
this data.

Would anyone be interested in seeing a how-to for this?  I may need
some help though, because I have only gotten this to work with Samba
2.x, and haven't had a chance to try version 3.

Thanks,
Mark

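Mark's approach above, tailing access.log into a database keyed by username, and Tim Donahue's request in the "Questions about a new setup" thread for per-user top sites both start from the same parse of Squid's native log format. The Python below is an added example written for this digest, not code from either poster or from Squid2Mysql; the log lines inside it are constructed, and the field order is Squid's native access.log layout (time, elapsed, client, result code/status, bytes, method, URL, user, hierarchy/peer, content type). It keeps the username exactly as logged: Squid URL-escapes that field, so a winbind name carrying a domain prefix arrives as EXAMPLE%5Cjsmith, and folding it onto a bare "jsmith" would merge the accounting of two different principals.

```python
"""Per-user usage report from Squid's native access.log (added example)."""
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample in Squid 2.5 native log format (not taken from the thread):
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1094656000.123    245 10.1.2.3 TCP_MISS/200 5134 GET http://www.example.com/index.html jsmith DIRECT/192.0.2.10 text/html
1094656001.456     12 10.1.2.3 TCP_HIT/200 20480 GET http://www.example.com/logo.png jsmith NONE/- image/png
1094656002.789    980 10.1.2.4 TCP_MISS/200 73120 GET http://news.example.net/today.html abrown DIRECT/192.0.2.20 text/html
1094656003.001     40 10.1.2.5 TCP_DENIED/407 1721 GET http://www.example.org/ - NONE/- text/html
1094656004.002    300 10.1.2.4 TCP_MISS/200 4096 CONNECT mail.example.org:443 abrown DIRECT/192.0.2.30 -
1094656005.003    150 10.1.2.3 TCP_MISS/200 9000 GET http://www.example.com/page2.html EXAMPLE%5Cjsmith DIRECT/192.0.2.10 text/html
"""


def site_of(method, url):
    """Hostname a request went to; CONNECT lines carry host:port instead of a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url


def parse_line(line):
    """Parse one native-format line; None for anything that does not have the 10 fields."""
    parts = line.split()
    if len(parts) != 10:
        return None
    ts, _elapsed, client, result, size, method, url, user, _hier, _ctype = parts
    try:
        return {
            "time": float(ts),
            "client": client,
            "status": int(result.rsplit("/", 1)[1]),
            "bytes": int(size),
            "method": method,
            "url": url,
            # Squid URL-escapes the user field; keep the decoded name as-is,
            # including any DOMAIN\ prefix, so distinct principals stay distinct.
            "user": unquote(user),
            "site": site_of(method, url),
        }
    except (ValueError, IndexError):
        return None


def aggregate(lines):
    """Bytes, request count and per-site bytes for every authenticated user.
    Lines with user '-' (no credentials, e.g. the 407 challenge) are skipped."""
    report = defaultdict(lambda: {"bytes": 0, "requests": 0, "sites": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":
            continue
        entry = report[rec["user"]]
        entry["bytes"] += rec["bytes"]
        entry["requests"] += 1
        entry["sites"][rec["site"]] += rec["bytes"]
    return dict(report)


def top_sites(report, user, n=5):
    """The user's n heaviest destinations as (site, bytes), heaviest first."""
    entry = report.get(user)
    return entry["sites"].most_common(n) if entry else []


def report_text(report):
    """Plain-text rendering, heaviest user first, with each user's top three sites."""
    out = []
    for user, entry in sorted(report.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        out.append(f"{user}: {entry['requests']} requests, {entry['bytes']} bytes")
        for site, nbytes in top_sites(report, user, 3):
            out.append(f"    {site:30} {nbytes} bytes")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(report_text(aggregate(source)))
```

Lines whose user field is "-" are left out: that covers the 407 challenge itself and every request from hosts exempted from authentication by a src ACL, so if the accounting has to be complete, the exemption ACLs are what to audit. The username is only as trustworthy as the scheme that produced it; with NTLM through winbind it is the account the domain controller verified, with Basic it is whatever the helper accepted.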


Re: [squid-users] clearing a squid cache

2004-09-08 Thread A. Sajjad Zaidi
On Wed, Sep 08, 2004 at 11:43:50AM -0400, Jim Matthews wrote:
> 
> I have the following script:



> mv $SQUID_CACHE /var/squid/old_cache

I can see two problems with that. If your cache is on its own mounted
partition, as is common on large proxy servers, moving the directory can
cause things to break.

Secondly, caches can be pretty big. By renaming the old cache, you might
end up wasting space when the new cache starts to fill.

Might want to modify the script to delete everything under the cache
directory (rm -rf $SQUID_CACHE/*) and then recreate it using 'squid -z'.

-- 
A. Sajjad Zaidi  http://www.sajjadzaidi.com/
GnuPG Key ID: 0xD7AD0E13
"I'd rather be stupid than Rainer..."



Re: [squid-users] clearing a squid cache

2004-09-08 Thread Tim Donahue
On Wed, 2004-09-08 at 12:18, A. Sajjad Zaidi wrote:
> On Wed, Sep 08, 2004 at 11:43:50AM -0400, Jim Matthews wrote:
> > 
> > I have the following script:
> 
> 
> 
> > mv $SQUID_CACHE /var/squid/old_cache
> 
> I can see two problems with that. If your cache is on it's own mounted
> partition, as is common on large proxy servers, moving the directory can
> cause things to break.
> 
> Secondly, caches can be pretty big. By renaming the old cache, you might
> end up wasting space when the new cache starts to fill.
> 
> Might want to modify the script to delete everything under the cache
> directory (rm -rf $SQUID_CACHE/*) and then recreate it using 'squid -z'.

I believe the point of moving the cache directory in the first place was
to speed the process.  By doing an 'rm -rf', someone please correct me if
I'm wrong, you will need to wait for the operation to complete.  A
better option may be:


#!/bin/sh
#
# script to shutdown squid, remove old and initialize new cache_dir
#

SQUID_CACHE=/var/squid/cache
SQUID_DIR=/usr/local/squid
TRASH="$SQUID_CACHE/RemoveMe"

/etc/init.d/squid stop

# Move the old contents into a directory on the same filesystem (a rename,
# so it is fast), skipping the trash directory itself, which the glob
# also matches.
mkdir "$TRASH" || exit 1
for entry in "$SQUID_CACHE"/*; do
    [ "$entry" = "$TRASH" ] && continue
    mv "$entry" "$TRASH/"
done

# Delete the old objects in the background while squid is rebuilt and restarted.
rm -rf "$TRASH" &

"$SQUID_DIR/sbin/squid" -z

/etc/init.d/squid start

=
Of course if your cache is mounted on its own partition, substituting
newfs will probably be even faster than trying to remove the old cache
directory.

Tim Donahue



Re: [squid-users] clearing a squid cache

2004-09-08 Thread Jim Matthews
Thanks for the suggestions.   In fact, a line was missing from the script. 
 The last line of that script is "rm  -rf /var/squid/old_cache" (below 
/etc/init.d/squid start). 

Yes, I decided to move it out of the way (the cache is not on its own 
partition) as it's quicker than trying to remove it. 

Thanks.
-
Jim Matthews 
ISS Systems Administrator 
Duke University - Perkins Library
Box 90196
Durham, NC 27708
Email: [EMAIL PROTECTED]
Voice: 919-660-5963
Fax: 919-684-6990





[squid-users] CISCO

2004-09-08 Thread ilopez

Hi everybody, I configured my Cisco router with WCCP, but when I check my
router I get this message:


sh ip wccp web-cache detail
WCCP Cache-Engine information:
        Web Cache ID:          0.0.0.0
        Protocol Version:      0.4
        State:                 NOT Usable
        Redirection:           GRE
        Packet Return:         GRE
        Assignment:            HASH
        Initial Hash Info:     
                               
        Assigned Hash Info:    
                               
        Hash Allotment:        0 (0.00%)
        Packets Redirected:    0
        Connect Time:          00:00:14

Does somebody have any idea?

Thanks



Re: [squid-users] integrating squid/linux with windows 2003 domain controller and active directory

2004-09-08 Thread Dave Augustus
Hello N.N.

The only thing here a little special is the group requirements but the
rest is pretty straightforward:

You need:
krb-1.31 or newer
samba-3
squid-2.5 stable

After compiling each of these, you use the ntlm_auth that comes with
samba and add the squid server to the AD.

Then you configure squid to proxy_auth the users with the AD.

Finally, you add filters to the squid.conf based on group membership.

If you need more details, let me know but everything you are asking for,
I believe is entirely do-able with Squid.

I have had 2 squid servers running for about 6 months and they have been
pretty maintenance-free once I got them authenticating with the AD.

--
Dave






[squid-users] WCCP AND SQUID HELP

2004-09-08 Thread Alvaro Parres
Hi list:

I'm trying to configure a squid behind a CISCO ROUTER with WCCP.

I have the following environment:

  Slackware 10.0
  Squid 2.5-STABLE6 with --enable-wccp
  ip_wccp.o loaded as a module.
  and only one interface to the network.

My configuration is:

  At squid.conf:
 wccp_router 10.13.16.1  (my router ip address)
 wccp_version 4
 wccp_outgoing_address 10.13.16.4 (my ip address)
(this last line I have also tested commented out)

  When I ask my cisco for status I get the following info:

WCCP Cache-Engine information:
 Web Cache ID:  0.0.0.0
 Protocol Version:  0.4
 State: NOT Usable
 Redirection:   GRE
 Packet Return: GRE
 Assignment:HASH
 Initial Hash Info: 

 Assigned Hash Info:

 Hash Allotment:0 (0.00%)
 Packets Redirected:0
 Connect Time:  00:00:10
 
 
also if I ask my cisco about WCCP it returns me:

 sh ip wccp web-cache view
 WCCP Routers Informed of:
 -none-
 
 WCCP Cache Engines Visible:
 10.13.16.4
 
 WCCP Cache Engines NOT Visible:
 -none-
 
 
And at my cisco I get the following log:

 .Sep  8 13:29:44: WCCP-EVNT: Here_I_Am packet from 10.13.16.4 w/bad rcvd_id
 
 .Sep  8 13:29:44: WCCP-PKT: Sending I_See_You packet to 10.13.16.4 w/
 rcvd_id 000C
... (these messages repeat)


ANY HELP ABOUT WHAT CAN I DO ?


RE: [squid-users] Squidguard

2004-09-08 Thread Angela Burrell
I wonder if the problem is because "managers" is a reserved word? Try

src mgrs {
ip X.X.X.X
ip X.X.X.Y
ip X.X.X.Z
}

HTH

AB

-Original Message-
From: Jay Turner [mailto:[EMAIL PROTECTED]
Sent: September 5, 2004 8:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [squid-users] Squidguard


 
> > You can only have one IP declaration per source created..
> > 
> > As taken from SquidGuard.org:
> > 
> ---(SNIPPED)---
> > 
> > HTH
> > 
> > Regards
> > Jay
> > 
> > 
> 
> Not so Jay.
> 
> From: http://www.squidguard.org/config/
> ~~
> Breaking long lines 
> Generally you may break a (long) line by repeating the leading
> keyword. Repeated lines of the same type within a class will be
> joined when the rule trees are built. So:
> 
> src foo { 
> ip 1.2.3.4
> ip 2.3.4.5 
> } 

I stand corrected.





[squid-users] Website Acceleration

2004-09-08 Thread Matt
Is there any way to have Squid parse an HTML document that has been requested
and begin downloading any inline images under the assumption that they will
be requested?  I think it would help speed up slow or high-traffic websites.
Not?

I work for an ISP and we get complaints that eBay is slow at times.  I just
wondered if something like that would help.  Not even sure where the
bottleneck is, though.

Matt




Re: [squid-users] WCCP AND SQUID HELP

2004-09-08 Thread Rick Coloccia
I don't know if it will help you, but when I had this same sort of error, 
it ended up being because the wccp_router address I was using wasn't the 
"closest" address to the box running squid - by that I mean that my cisco 
router had more than one interface, and I was trying to get squid to work 
with an address that wasn't on the same local network as the squid box.  It 
looks like you don't have that problem here, though.

Just a thought, perhaps it'll help someone somewhere along the line.
-Rick
--
Rick Coloccia
Network Manager
State University of NY College at Geneseo
119 South Hall
1 College Circle
Geneseo, NY 14454
Voice: (585) 245-5577
Fax:(585) 245-5579 



[squid-users] Re: Using A windows 2003 server to authenticate squid users

2004-09-08 Thread Adam Aube
[EMAIL PROTECTED] wrote:

> Need a pointer or two to track usage of bandwidth for specific people on
> my network ... The IP is sufficient but I would like to be able to use the
> usernames of my SMB windows server to track the usage more accurately and
> easily?

This can be done using either the LDAP or Winbind helpers. See the list
archives and the Authentication FAQ for more information:

http://www.squid-cache.org/Doc/FAQ/FAQ-23.html

Adam



[squid-users] Re: integrating squid/linux with windows 2003 domain controller and active directory

2004-09-08 Thread Adam Aube
narancs wrote:

> 1. internet proxy for a company is a suse 9.0 linux dist with
> squid-2.5.STABLE3-110 
> 2. proxy authentication is required 
> 3. usernames/password should be taken from the company's windows' active
> directory

Either LDAP or Winbind can do this.

> 4. there are three groups of users: three different acls are required:
> - average joe user can only view some sites based on a list 
> - leaders can view anything, but only http and https
> - sysadmins can ftp, too
> 5. group membership should also be taken from windows

Both LDAP and Winbind have group helpers that can do this.

> 6. pre-windows2000 protocols are not enabled because of security policy
> and requirements, maybe this is the reason why msnt_auth doesn't seem to
> work. On a DC that enables NT4's protocols, msnt_auth works.

The Winbind helpers with Samba are preferred over msnt_auth, and should work
with all versions of Windows.

> 7. both ldap_auth authenticators I couldn't get working, although I have
> seen the ldap tree scheme, maybe I was wrong understanding it.

With AD you need to use a search filter. There is an AD example in the LDAP
helper's man page that should get you started.

You can also search the mailing list archives and look at the authentication
FAQ:

http://www.squid-cache.org/Doc/FAQ/FAQ-23.html

Adam



[squid-users] Integrate squid and linux with Win 2003 AD in 10 steps

2004-09-08 Thread newsgroupie
Hi,

I hope this post can be the be-all and end-all for those needing to use
true "STABLE" squid code suitable for production use. I see this kind of
question on lists so often that I would like to offer my assistance.

The following is a known good and very heavily tested solution I have
had working for about 2 years that has never missed a beat with over 400
users. This solution will work with Win2000 AD or Win2003 AD in either
non-native or native mode (and even NT4 too).

My instructions assume Red Hat 7.3 and a reasonable bit of Linux/squid
knowledge. I apologize if this documentation is not perfect, but those
out there with more than a clue should be able to follow this guide and
fill in any small blanks I may have missed. For many, the most helpful
bits might be the extras you must add to both the squid.conf and
Samba.conf files to make it all come together.
Of course you will have to adjust these where appropriate for your
distro.





STEP ONE

Copy Samba 2.2.8a source tarball to /usr/src/redhat/SOURCES


STEP TWO

Compile the squid 2.5 Stable 3 source with the following options in the
squid.spec file. This will configure and build Squid to include the
winbind helpers from Samba.

--exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid \
   --localstatedir=/var --sysconfdir=/etc/squid \
   --enable-poll --enable-snmp --enable-removal-policies="heap,lru" \
   --enable-storeio="aufs,coss,diskd,ufs" --enable-ssl \
   --with-openssl=/usr/kerberos \
   --enable-delay-pools --enable-linux-netfilter \
   --with-pthreads \
   --with-samba-source=/usr/src/redhat/SOURCES \
   --enable-auth="ntlm,basic" \
   --enable-basic-auth-helpers="winbind,LDAP,NCSA,PAM,SMB,SASL,MSNT"  \
   --enable-ntlm-auth-helpers="SMB,winbind" \
   --enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group,winbind_group"


STEP THREE

Build SAMBA 2.2.8a from Source RPM using the following entries in spec
file. This will configure Samba in a fairly generic Red Hat way but will
also include the Winbind helpers and the LDAP hack required to allow
Samba to talk to 2000/2003 Native mode AD

--prefix=%{prefix} \
--localstatedir=/var \
--with-configdir=/etc/samba \
--with-privatedir=/etc/samba \
--with-codepagedir=/etc/codepages \
--with-fhs \
--with-quotas \
--with-msdfs \
--with-smbmount \
--with-pam \
--with-winbind \
--with-winbind-auth-challenge \
--with-winbind-ldap-hack \
--with-pam-winbind \
--with-pam_smbpass \
--with-syslog \
--with-utmp \
--with-sambabook=%{prefix}/share/swat/using_samba \
--with-swatdir=%{prefix}/share/swat \
--with-libsmbclient 



STEP FOUR

Install Both the Squid and Samba RPM binaries


STEP FIVE

Change the following lines in your /etc/nsswitch.conf file to:

passwd: files winbind
shadow: files
group:  files winbind


STEP SIX

Configure at least the following lines in your Samba.conf

[global]

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = YOUR-NETBIOS-DOMAIN-NAME

# server string is the equivalent of the NT Description field
 server string = Linux Proxy Server

# separate domain and username with '+', like DOMAIN+username
 winbind separator = \\
 # use uids from 1 to 2 for domain users
 winbind uid = 1-2
 # use gids from 1 to 2 for domain groups
 winbind gid = 1-2
 # allow enumeration of winbind users and groups
 # might need to disable these next two for performance
 # reasons on the winbindd host
 winbind enum users = yes
 winbind enum groups = yes
 # give winbind users a real shell (only needed if they have
telnet/sshd/etc... access)
 #template homedir = /home/winnt/%D/%U
 template homedir = /home/winnt
 template shell = /bin/bash
 netbios name = PROXY
 winbind use default domain = yes

 security = domain
 local master = no
 os level = 20
 domain master = no
 preferred master = no
 wins server = your.wins.ser.ver



Configure Squid with at least the following extras in Squid.conf. You
may need to modify them slightly where required.

acl Authorized_Users external wb_group WebUsers 
acl No_Auth_Required_IPs src 172.1.1.1-172.1.1.255/255.255.255.255


auth_param basic children 5 
auth_param basic credentialsttl 2 hour  
auth_param basic program /usr/lib/squid/wb_auth 
auth_param basic realm Web Cache
auth_param ntlm children 5  
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param ntlm max_challenge_reuses 0  
auth_param ntlm program /usr/lib/squid/wb_ntlmauth


external_acl_type wb_grou

RE: [squid-users] Integrate squid and linux with Win 2003 AD in 10 steps

2004-09-08 Thread newsgroupie
As a follow up, I may have missed one fine detail, so here is a
correction.
To make all this work you will also need to configure PAM to work with
Winbind for authentication. Sorry for missing this step. D'oh!

You will need to add the following to your /etc/pam.d/login file. Mine
looks exactly like this:

#%PAM-1.0
#
#Winbind config
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

I'm pretty sure that's it this time. :-)




-Original Message-
From: newsgroupie [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 9 September 2004 2:23 PM
To: [EMAIL PROTECTED]
Subject: [squid-users] Integrate squid and linux with Win 2003 AD in 10 steps

Hi,

I hope this post can be the be all and end all for those needing to use
true "STABLE" squid code suitable for production use. Because I see this
kind of question on lists so often, I would like to offer my
assistance.

The following is a known good and very heavily tested solution I have
had working for about 2 years; it has never missed a beat with over 400
users. This solution will work with Win2000 AD and Win2003 AD in either
non-native or native mode (and even NT4 too).

My instructions assume Red Hat 7.3 and a reasonable bit of Linux/squid
knowledge. I apologize if this documentation is not perfect, but those
out there with more than a clue should be able to follow this guide and
fill in any small blanks I may have missed. For many, the most helpful
bits might be the extras you must add to both the squid.conf and
Samba.conf files to make it all come together.
Of course you will have to adjust these where appropriate for your
distro.





STEP ONE

Copy Samba 2.2.8a source tarball to /usr/src/redhat/SOURCES


STEP TWO

Compile the squid 2.5 Stable 3 source with the following options in the
squid.spec file. This will configure and build Squid to include the
winbind helpers from Samba into itself.

--exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid \
   --localstatedir=/var --sysconfdir=/etc/squid \
   --enable-poll --enable-snmp --enable-removal-policies="heap,lru" \
   --enable-storeio="aufs,coss,diskd,ufs" --enable-ssl \
   --with-openssl=/usr/kerberos \
   --enable-delay-pools --enable-linux-netfilter \
   --with-pthreads \
   --with-samba-source=/usr/src/redhat/SOURCES \
   --enable-auth="ntlm,basic" \
   --enable-basic-auth-helpers="winbind,LDAP,NCSA,PAM,SMB,SASL,MSNT" \
   --enable-ntlm-auth-helpers="SMB,winbind" \
   --enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group,winbind_group" \


STEP THREE

Build SAMBA 2.2.8a from the source RPM using the following entries in the
spec file. This will configure Samba in a fairly generic Red Hat way but
will also include the Winbind helpers and the LDAP hack required to allow
Samba to talk to 2000/2003 native mode AD.

--prefix=%{prefix} \
--localstatedir=/var \
--with-configdir=/etc/samba \
--with-privatedir=/etc/samba \
--with-codepagedir=/etc/codepages \
--with-fhs \
--with-quotas \
--with-msdfs \
--with-smbmount \
--with-pam \
--with-winbind \
--with-winbind-auth-challenge \
--with-winbind-ldap-hack \
--with-pam-winbind \
--with-pam_smbpass \
--with-syslog \
--with-utmp \
--with-sambabook=%{prefix}/share/swat/using_samba \
--with-swatdir=%{prefix}/share/swat \
--with-libsmbclient 



STEP FOUR

Install Both the Squid and Samba RPM binaries


STEP FIVE

Change the following lines in your /etc/nsswitch.conf file to:

passwd: files winbind
shadow: files
group:  files winbind


STEP SIX

Configure at least the following lines in your Samba.conf

[global]

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = YOUR-NETBIOS-DOMAIN-NAME

# server string is the equivalent of the NT Description field
 server string = Linux Proxy Server

# separate domain and username with '+', like DOMAIN+username
 winbind separator = \\
 # use uids from 1 to 2 for domain users
 winbind uid = 1-2
 # use gids from 1 to 2 for domain groups
 winbind gid = 1-2
 # allow enumeration of winbind users and groups
 # might need to disable these next two for performance
 # reasons on the winbindd host
 winbind enum users = yes
 

Re: [squid-users] Proxy Autodetect scripts

2004-09-08 Thread Billy Macdonald
[EMAIL PROTECTED] wrote:

I'm having some issues with the black art of proxy autodetect scripts
(wpad.dat).  I'm having a tough time getting it to work consistently.  I am
doing a phased roll-out of a squid proxy server, and want the autodetect
to return "proxy:3128" for some IP addresses, and "DIRECT" for others.
The script works for some hosts, but not for others.  It works in the first
couple of class C subnets mentioned, but it breaks down where the specific
hosts are set to DIRECT (with the mask of 255.255.255.255), or anywhere
below that in the script such as where 10.7.0.0/255.255.254.0 is supposed
to be proxied.
Anyone have any suggestions?
code below:
### wpad.dat ###
function FindProxyForURL(url, host) {
  // Proxied subnets first. The three exempted hosts sit inside
  // 10.7.0.0/23, so their DIRECT rules must come before that rule.
  if (isInNet(myIpAddress(), "10.7.39.0", "255.255.255.0")) {
    return "PROXY proxy:3128";
  }
  else if (isInNet(myIpAddress(), "10.7.22.0", "255.255.255.0")) {
    return "PROXY proxy:3128";
  }
  else if (isInNet(myIpAddress(), "10.7.33.0", "255.255.255.0")) {
    return "PROXY proxy:3128";
  }
  else if (isInNet(myIpAddress(), "10.7.34.0", "255.255.255.0")) {
    return "PROXY proxy:3128";
  }
  else if (isInNet(myIpAddress(), "10.7.35.0", "255.255.255.0")) {
    return "PROXY proxy:3128";
  }
  else if (isInNet(myIpAddress(), "10.7.1.216", "255.255.255.255")) {
    return "DIRECT";
  }
  else if (isInNet(myIpAddress(), "10.7.1.217", "255.255.255.255")) {
    return "DIRECT";
  }
  else if (isInNet(myIpAddress(), "10.7.1.219", "255.255.255.255")) {
    return "DIRECT";
  }
  else if (isInNet(myIpAddress(), "10.7.0.0", "255.255.254.0")) {
    return "PROXY proxy:3128";
  }
  else {
    return "DIRECT";
  }
}
### end wpad.dat ###

Alex Laslavic
Havertys Tech Services

It looks like it should work.  Is it possible that isInNet doesn't 
work well with a "255.255.255.255" mask?  You could try
if (myIpAddress() == "10.7.1.216") instead.  I've never used it with host 
masks, just subnets.

Also define "breaks down".  Do those three hosts go through the proxy but 
the 10.7.0.0 ppl go out direct, or do you get some sort of error?

Finally I've had issues where myIpAddress() returns the first IP listed 
by ipconfig on Windows 2k laptops that were on VPN instead of the PPTP IP. 
Never did find a workaround.

Billy