[squid-users] How to inform users?

2004-04-20 Thread Henk-Jan (squid)
We are using the squid proxy server in our intranet; people can use it to
access the internet (that's what it's for :-)). Authenticated with NTLM.

Here is my question: I want somehow to point my users every time (or once a
day) that they access the internet to a company policy (or disclaimer, tell
them that some info may be logged etc. etc.).

What would be the easiest concept to do that? Can I redirect everything once
per session?
(I hope you understand my question)




Re: [squid-users] ntlm_auth does not work

2003-11-14 Thread Henk-Jan (squid)
If you look at Samba bugzilla #571 you will see that this is a known bug...
I had to use samba 2.2.x

- Original Message - 
From: "GZM" <[EMAIL PROTECTED]>
To: "Squid Users Mailing List (E-mail)" <[EMAIL PROTECTED]>
Sent: Friday, November 14, 2003 6:52 AM
Subject: RE: [squid-users] ntlm_auth does not work


> Hello Adam,
> 
> you wrote:
> 
> >>I am using ntlm_auth from samba-3.0.0 with squid 2.5.STABLE3.
> >>And neither Win2k clients can authenticate, nor win98 ones.
> 
> >Then you likely have a problem with your Samba install. Did you run
> >the wbinfo tests as specified in the Squid FAQ? If so, what was the
> >output? If not, run them and post the output.
> 
> Squid FAQ says:
> "As Samba-3.x has it's own authentication helper there is no need to
> build any of the Squid authentication helpers for use with Samba-3.x.
> ...
> Note: For Samba-3.X the Samba ntlm_auth helper is used instead
> of the wb_ntlmauth and wb_auth helpers above."
> 
> Following these instructions i see interesting thing:
> 
> #./ntlm_auth --username xxx --password xxx
> NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc05e)
> # ./ntlm_auth --username xxx --password xxx
> NT_STATUS_OK: Success (0x0)
> #
> 
> -- 
> Best regards,
>  GZM mailto:[EMAIL PROTECTED]
> 
> 


Re: [squid-users] ntlm authentication with older cliënts? (w95/w98)

2003-11-06 Thread Henk-Jan (squid)
Because Squid 2.5 uses an internal Samba interface to communicate with the
winbindd daemon, it is difficult for me to ask the right question. How do I
debug this?

The clients log on to the PDC perfectly without running the directory
service. This means they are using LM hashes...

The only difference is I am running Samba 3... Perhaps a downgrade must do
it...

> >>> Then I tested it with 95/98 cliënts: No go!
>
> >> What operating system is your domain controller?
>
> > It is an NT4 PDC
>
> We have Squid 2.5STABLE4 with Samba 2.2.8a, and our 9x clients can use
> NTLM auth successfully with a Windows 2000 AD backend.
>
> Make sure the client PCs are logged into the domain and that the
> domain supports the LM hashes used by 9x. Beyond that, it's probably a
> Samba issue.
>
> As this isn't a Squid problem, the Samba list is the best place to ask
> any further questions.



Re: [squid-users] ntlm authentication with older cliënts? (w95/w98)

2003-11-05 Thread Henk-Jan (squid)
> On Wednesday 05 November 2003 05:10 pm, Henk-Jan (squid) wrote:
> > I have successfully set up ntlm group authentication (squid 2.5 and Samba
> > 3), and tested it with Windows 2000 clients.
>
> > Then I tested it with 95/98 clients: No go! I need to authenticate
> > manually!
>
> What operating system is your domain controller? If it is Windows 2000,
> make sure the domain is in mixed mode and allows LM hashes.
>
It is an NT4 PDC



[squid-users] ntlm authentication with older cliënts? (w95/w98)

2003-11-05 Thread Henk-Jan (squid)
As I am not really a Windows expert I have a question:

I have successfully set up ntlm group authentication (squid 2.5 and Samba 3),
and tested it with Windows 2000 clients.

Works like a charm...

Then I tested it with 95/98 clients: No go! I need to authenticate manually!
What am I doing wrong?
Must I look at squid or Samba?

Could someone reveal the trick?



Re: [squid-users] Samba3 ntlm_auth Helper and Trusted Domains

2003-11-03 Thread Henk-Jan (squid)
Would this be the same for a Squid 3 environment???

Or does one ONLY use winbind?


>
> Hi Everyone,
>
> Here's just a few notes and a quick "how to" for enterprises looking
> towards migrating a (sizeable) Microsoft proxy and ISA infrastructure to
> Squid. Our requirements were to produce a Linux, Squid and Samba solution
> that provided;
>
> 1. Transparent authentication of IE clients
> 2. ACL's based on membership of domain NT group
> 3. Support for traversing trusted domains (e.g. a resource domain model)
>
> We have managed to achieve this in a test environment where;
>
> -> The squid proxy is a member server in the Resource domain
> -> Our test users reside in domains trusted by the Resource domain
> -> Resource domain contains a domain local group RESOURCE\ProxyFullAccess
> -> Group RESOURCE\ProxyFullAccess contains user accounts from the trusted
> domains
> -> The Samba3 supplied ntlm_auth helper is used by "auth_param ntlm ..."
> -> The Squid supplied wbinfo_group.pl is used by "external_acl_type ... "
> -> Squid proxy has an ACL to allow http_access for
> RESOURCE\ProxyFullAccess
>
> We have used Samba 3.0.0rc2 and Squid-2.5-STABLE3 in our test environment.
> Andrew Tridgell of the Samba team provided us with a patch to make Samba
> domain local group aware WITHOUT having to be a DC for that domain. This
> patch can be found at
> http://samba.org/ftp/tridge/misc/samba3_local_groups.patch
>
> A quick "How To" for your own transparently authenticated, trusted-domain
> aware Squid proxy;
>
> 1. Download Samba-3.0.0rc2 and download the samba3_local_groups patch from
> the URL above
> 2. Patch the Samba source and then ./configure --with-winbind
> --with-winbind-auth-challenge, make and make install
> 3. Using the 'net join' command, join your resource domain, configure
> smb.conf as appropriate
> 4. Start the nmbd daemon. Start the winbindd daemon (test using wbinfo -
> you can also start winbindd with a "-i" for interactive mode)
> 5. Download Squid-2.5.STABLE3 and then
> ./configure --enable-auth=basic,ntlm
> --enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB
> --enable-ntlm-auth-helpers=SMB,fakeauth --enable-ntlm-fail-open
> --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group
> then make and make install
> 6. Relevant squid.conf bits
>
> auth_param ntlm program /opt/squid/lib/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d 3
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> external_acl_type ntgroup_helper %LOGIN /opt/squid/lib/wbinfo_group.pl
> acl proxyfullaccess external ntgroup_helper RESOURCE\ProxyFullAccess
>
> http_access allow proxyfullaccess
> http_access deny all
>
> 7. Find the location of the winbindd_privileged pipe and chgrp squid (or
> your cache_effective_group from squid.conf)
> 8. Kill any running samba daemons and start them (always) in this order -
> nmbd, winbindd and then squid
>
> And that's it! I hope this post helps someone else with a similar goal.
>
> (Many thanks to Tridge from the Samba team!)
>
>
>
> Andrew Wilshire
> IBM / Air New Zealand
> [EMAIL PROTECTED]
>
> _
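
A consistency check for the squid.conf fragment in the how-to quoted above, as an added example that is not part of the original post or of Squid or Samba. It verifies that an NTLM helper is set, that the external ACL helper receives %LOGIN, that the group ACL points at a defined helper, and that the http_access list ends in "deny all"; the function names are hypothetical, and `all` is assumed to be defined elsewhere in the full squid.conf.

```python
# Constructed sample: the squid.conf lines from the post above, with the
# mail-wrapped "auth_param ntlm program" line rejoined onto one line.
POST_CONF = r"""
auth_param ntlm program /opt/squid/lib/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d 3
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
external_acl_type ntgroup_helper %LOGIN /opt/squid/lib/wbinfo_group.pl
acl proxyfullaccess external ntgroup_helper RESOURCE\ProxyFullAccess
http_access allow proxyfullaccess
http_access deny all
"""

def directives(conf):
    """Split a squid.conf fragment into token lists, skipping blanks and comments."""
    lines = (ln.strip() for ln in conf.splitlines())
    return [ln.split() for ln in lines if ln and not ln.startswith("#")]

def audit(conf):
    """Return a list of problems found in an NTLM + NT-group ACL fragment."""
    d = directives(conf)
    problems = []
    if not any(t[:3] == ["auth_param", "ntlm", "program"] and len(t) > 3 for t in d):
        problems.append("no 'auth_param ntlm program' helper is configured")
    helpers = {t[1]: t[2:] for t in d if t[0] == "external_acl_type" and len(t) > 2}
    for name, rest in helpers.items():
        if "%LOGIN" not in rest:
            problems.append(f"external_acl_type {name} has no %LOGIN, so the helper never sees the user")
    acls = {}
    for t in d:
        if t[0] == "acl" and len(t) > 2:
            acls[t[1]] = t[2]
            if t[2] == "external" and (len(t) < 5 or t[3] not in helpers):
                problems.append(f"acl {t[1]} needs a defined external_acl_type and a group name")
    rules = [t[1:] for t in d if t[0] == "http_access"]
    for rule in rules:
        for name in rule[1:]:
            # 'all' is assumed to be defined elsewhere in the full squid.conf.
            if name.lstrip("!") not in acls and name.lstrip("!") != "all":
                problems.append(f"http_access refers to undefined acl {name}")
    if not rules or rules[-1] != ["deny", "all"]:
        problems.append("http_access list does not end with 'deny all'")
    return problems

if __name__ == "__main__":
    for line in audit(POST_CONF) or ["fragment is consistent"]:
        print(line)
```
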



Re: [squid-users] ldap or SMB for groups authentication?

2003-10-17 Thread Henk-Jan (squid)
Sounds good!
I tried the FAQ and the documentation, but where can I find the details on
this?
(Sorry)

- Original Message - 
From: "Eduardo Elgueta" <[EMAIL PROTECTED]>
To: "Henk-Jan (squid)" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, October 17, 2003 12:27 AM
Subject: Re: [squid-users] ldap or SMB for groups authentication?


> wb_group, user names are always logged.
>
> ed.
>
> Henk-Jan (squid) wrote:
>
> >I want the following:
> >
> >
> >My users are all members of an NT environment.
> >Some users are allowed unlimited internet access.
> >First I want to make those users member of an NT group.
> >
> >It would be nice though to be able to somehow log the user names somehow
> >in the log files.
> >
> >Should I use LDAP or SMB authentication?
> >Anyone set this up in the past?
> >
> >
> >
>
> -- 
> Eduardo Elgueta
> Senior Consultant
> Navix
>
> Phone  : +56 (2) 315-7608
> Mobile : +56 (9) 821-0033
> Web: www.navix.cl
>
>
>



[squid-users] ldap or SMB for groups authentication?

2003-10-16 Thread Henk-Jan (squid)
I want the following:


My users are all members of an NT environment.
Some users are allowed unlimited internet access.
First I want to make those users member of an NT group.

It would be nice though to be able to somehow log the user names somehow in
the log files.

Should I use LDAP or SMB authentication?
Anyone set this up in the past?



Re: [squid-users] Configuration for 1,5 Mbps link

2003-09-27 Thread Henk-Jan (squid)
This depends on the number of users that are going to use the box...

- Original Message - 
From: "Awie" <[EMAIL PROTECTED]>
To: "Squid-users" <[EMAIL PROTECTED]>
Sent: Friday, September 26, 2003 5:00 PM
Subject: [squid-users] Configuration for 1,5 Mbps link


> All,
> 
> I have 1,5 Mbps link and need advice about configuration for Linux and
> Squid. My box has 512 MB of RAM and 40 GB of ATA100 HDD
> 
> Can I use the default config of Linux and Squid? What component should I
> tune up?
> 
> Please advise. Your answer is very appreciated.
> 
> Thx & Rgds,
> 
> Awie
> 


[squid-users] load balancing rproxy?

2003-07-22 Thread Henk-Jan (squid)
I am a very happy user of the rproxy function of squid for about 2 years
now.

I was wondering:

What if I place the rproxy somewhere at a central co-location,
I have about 3 internet connections in the firm (with different ISP's)
If I make my host available using all these lines, can I make squid do
the load balancing over these lines? Or make it somehow know that if one
line (ip address) fails it has to use the other?



Re: [squid-users] bypassing the proxy for local atomic hostnames

2003-04-02 Thread Henk-Jan (squid)
You could simply add those hosts to your /etc/hosts file.


- Original Message -
From: "Rolf" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 03, 2003 9:06 AM
Subject: [squid-users] bypassing the proxy for local atomic hostnames


> hello
>
> I'm having trouble with configuring squid (2.5stable1) to handle internal,
> 'intranet' addresses which are not fully qualified.
>
> Squid currently is setup to do proxy_auth with active directory group
> membership as an additional requirement. This is all working fine.
>
> When I start the browser it is configured to go to an address of the form
> http://info/ or http://intranet/dev or similar.
>
> Initially it failed with a dns unresolvable error generated by the
> upstream (ISP) proxy. Not at all surprising as that cache has no knowledge
> of our internal dns, where 'info' as a hostname is resolvable.
>
> So I tried adjusting the cache config to not let such urls go upstream. In
> fact I'd just like them to go direct. But this didn't work:
>
> acl info url_regex ^http://info/.*
> always_direct allow info
>
> I then tried cache_peer_domain with a !info parameter but then I got an
> error saying 'unable to forward request at this time', so I don't think
> that's it.
>
> What do I have to set such that unqualified hostnames (and urls that are
> qualified with our own domain) in urls are sent straight from the proxy to
> the host specified (a webserver on the same LAN as the proxy)?
>
> Is it related that when the browser starts it asks for authentication (a
> la proxy_auth as above) and once done, ignores the always_direct directive?
>
> Many thanks
>
> rolf.



[squid-users] A bit off topic: Tool to do remote manament through proxy?

2003-03-22 Thread Henk-Jan (squid)
I have heard (but not seen) that someone in my organisation got remote
support from an external company, by installing some tool on his PC.
The only possibility for users to access the internet is by using the squid
proxy server.

Question: Does anyone know if it is possible?
Does anybody know this tool? (The user connects to a remote site and
ready)
If yes: How can I prevent this?


Greetings from a sunny Holland.



[squid-users] Spyware block (Not Squidguard)?

2003-03-02 Thread Henk-Jan (squid)
Does anybody know if there is a blacklist that can be easily
read/implemented that would block spyware in our proxy server?
Is there such an initiative going on? Or am I stuck with squidguard?

(Or is there another proxy server that could do this?)


Henk-Jan



[squid-users] Rproxy error?

2003-02-15 Thread Henk-Jan (squid)
I use squid as a rproxy server.

I now get a lot of errors in cache.log

Can someone explain how to prevent them:


2003/02/14 05:10:56| WARNING: Forwarding loop detected for:
GET /images/website/home/beeld_kantoorartikelen.jpg HTTP/1.0
If-Modified-Since: Wed, 16 Oct 2002 13:57:00 GMT
User-Agent: iPlanet-Web-Proxy-Server/3.6 (Batch update)
Accept: */*
Pragma: no-cache
Forwarded: by http://nlprx01.:8080 (iPlanet-Web-Proxy-Server/3.6)
Via: 1.0 www.ahrend.com:80 (Squid/2.4.STABLE7)
X-Forwarded-For: 195.75.83.239
Host: 194.134.69.88
Cache-Control: max-age=259200
Connection: keep-alive