Re: [squid-users] NTLM Auth for workstation not users

2008-12-08 Thread Razvan Grigore
Thank you Rolf. I did the same thing. Reverse lookup for the hostname.
This setup needs a working samba package (already working if using NTLM Auth)

 You appear not to understand the real concepts behind authentication and
 authorization

Amos, I think you didn't get what I mean, because I managed to make it work.
I attached the Perl script. Actually it's very fast. I also included a
timeout alarm of 1 sec for nmblookup.

My relevant squid.conf part:

-

external_acl_type host_ad_group children=3 ttl=60 %SRC /usr/lib/squid/hostname.pl

acl internet_users external ad_group o-ro-cod-internet
acl internet_hosts external host_ad_group o-ro-cod-internet

http_access deny !authenticated all

http_access deny !internet_users !internet_hosts all

http_access allow authenticated

-

This way, I only allow authenticated users, but to access the internet
they need either to be a member of the internet group, or their
workstation has to be included in the internet group. This was needed
because we have a computer / office dedicated for internet access, and
everybody can use it.

Hope it helps somebody, and maybe it will be included in future releases.

On Fri, Dec 5, 2008 at 3:56 AM, Rolf Loudon [EMAIL PROTECTED] wrote:
 Hello

 We do authentication by user and by workstation.  Our business rules dictate
 a scenario like yours, where certain users get access excepting certain
 workstations where any user is able to gain access, and several variations.

 In Active Directory we have user groups and workstation groups. We keep them
 in separate groups as mixing types of objects in the one group is apparently
 not recommended.

 For user auth it's the usual helper setup querying AD via an LDAP lookup
 supplying user/pass and group membership.

 For workstation auth we wrote a simple short shell script that takes %SRC as
 an input and then uses dig to work out the name via a reverse lookup (the
 script actually does a bit more checking in case multiple answers are
 returned and having to determine - by a forward lookup - which name is the
 correct one for the address supplied).

 The output of that script produces a computer name which we use as the input
 to squid_ldap_group along with the name of the relevant workstation group.
  The output of that helper query then tells us whether the computer is in a
 certain group and thus we can accept/deny or combine with other values such
 as a user's membership of some other group and so on.

 Works fine with the notable requirement that dns lookups must be current and
 in-addr.arpa zones are setup and consistent.

 regards

 r.






 Razvan Grigore wrote:

 What you are looking for is winbind helper. It runs as an external ACL.
 Any other approach will also need to run an external ACL, so the answer to
 your second question is yes and the example is winbind.


 The winbind helper is declared like this:
 external_acl_type ad_group children=3 ttl=120 %LOGIN
 /usr/lib/squid/wbinfo_group.pl
 I pass to it only the username. What I want is to allow ANY username
 (even if it's not a member of the Internet AD group) who is logged on a
 computer that is a member of this Internet group. I guess I have to pass the
 %SRC variable to an external helper and use nmblookup to get the
 computer name, and then I'm stuck.
 Any ideas?
 Razvan

 You appear not to understand the real concepts behind authentication and
 authorization

 You can authenticate a username/password pair, regardless of location.
 (standard login)

 THEN you can use the username/password to retrieve and verify a particular
 group for the username/password  (winbind group external ACL).

 THEN you can also verify a location with one of the username/password or
 username/password/group   tuplets.

 You cannot use AD _user_ groups to assign a group membership to a
 _location_ while ignoring username.


 For the setup you are now describing the secure way to do it is to ignore
 username completely and use the location (source IP) in an ACL. As has been
 mentioned several times already.

 In addition to that, you can force users to log in correctly (anyone
 with a valid username/password pair) before the external ACL gets run. But
 even then the external ACL MUST ignore the login details it gets.

 Amos
 --
 Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1


#!/usr/bin/perl
#
# external_acl helper for Squid to verify NT Domain group
# membership of a computername using his IP address
#
# Author:
#   Razvan Grigore [EMAIL PROTECTED]
#
# Version history:
#   2008-12-05 Razvan Grigore [EMAIL PROTECTED]
#   Initial release

# Disable output buffering
$|=1;

#
# Find out IP's hostname
#
sub getname {
local($ip) = @_;
$SIG{ALRM} = sub { die(); };
eval {
$hostname = "";
alarm 1;
$hostname = `/usr/bin/nmblookup 

Re: [squid-users] NTLM Auth for workstation not users

2008-12-04 Thread Amos Jeffries

Razvan Grigore wrote:

As I already told you, I don't want to make a list with IPs; I want to
allow computers based on AD group, for one-place administration.

I can try an external acl with nslookup or nmblookup. Do you have
another suggestion?


What you are looking for is winbind helper. It runs as an external ACL.
Any other approach will also need to run an external ACL, so the answer 
to your second question is yes and the example is winbind.





On Wed, Dec 3, 2008 at 11:50 PM, Tom Porch [EMAIL PROTECTED] wrote:

Or reservations in DHCP rather than setting on each workstation


From: Kinkie [EMAIL PROTECTED]
Sent: 03 December 2008 21:34
To: Razvan Grigore
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM Auth for workstation not users

On Wed, Dec 3, 2008 at 8:13 PM, Razvan Grigore [EMAIL PROTECTED] wrote:

Hello,

I successfully implemented a working solution with squid 3.0STABLE10,
NTLM Auth & samba.
I have an AD group with users that are allowed to access the internet.

What is demanded now by my company is to add to that internet group
some computer accounts, that will have access to the proxy no matter
what user is logged on them.

Now, from AD point of view, it's easy to add the computer name to that
group. The problem is with squid acl's. Can you please give me an
example as how I should get it working? Or external acl is the answer
here? If yes, can you also give me an example?

Give those computers static IP addresses and list those IP addresses in an
allowed ACL.


--
   /kinkie



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2


Re: [squid-users] NTLM Auth for workstation not users

2008-12-04 Thread Razvan Grigore

 What you are looking for is winbind helper. It runs as an external ACL.
 Any other approach will also need to run an external ACL, so the answer to
 your second question is yes and the example is winbind.



The winbind helper is declared like this:

external_acl_type ad_group children=3 ttl=120 %LOGIN /usr/lib/squid/wbinfo_group.pl

I pass to it only the username. What I want is to allow ANY username
(even if it's not a member of the Internet AD group) who is logged on a
computer that is a member of this Internet group. I guess I have to pass the
%SRC variable to an external helper and use nmblookup to get the
computer name, and then I'm stuck.

Any ideas?
Razvan


Re: [squid-users] NTLM Auth for workstation not users

2008-12-04 Thread Amos Jeffries

Razvan Grigore wrote:

What you are looking for is winbind helper. It runs as an external ACL.
Any other approach will also need to run an external ACL, so the answer to
your second question is yes and the example is winbind.




The winbind helper is declared like this:

external_acl_type ad_group children=3 ttl=120 %LOGIN
/usr/lib/squid/wbinfo_group.pl

I pass to it only the username. What I want is to allow ANY username
(even if it's not a member of the Internet AD group) who is logged on a
computer that is a member of this Internet group. I guess I have to pass the
%SRC variable to an external helper and use nmblookup to get the
computer name, and then I'm stuck.

Any ideas?
Razvan


You appear not to understand the real concepts behind authentication and 
authorization


You can authenticate a username/password pair, regardless of location. 
(standard login)


THEN you can use the username/password to retrieve and verify a 
particular group for the username/password  (winbind group external ACL).


THEN you can also verify a location with one of the username/password or 
username/password/group   tuplets.


You cannot use AD _user_ groups to assign a group membership to a 
_location_ while ignoring username.



For the setup you are now describing the secure way to do it is to 
ignore username completely and use the location (source IP) in an ACL. 
As has been mentioned several times already.


In addition to that, you can force users to log in correctly (anyone 
with a valid username/password pair) before the external ACL gets run. But 
even then the external ACL MUST ignore the login details it gets.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1


Re: [squid-users] NTLM Auth for workstation not users

2008-12-04 Thread Rolf Loudon

Hello

We do authentication by user and by workstation. Our business rules
dictate a scenario like yours, where certain users get access
excepting certain workstations where any user is able to gain access,
and several variations.


In Active Directory we have user groups and workstation groups. We  
keep them in separate groups as mixing types of objects in the one  
group is apparently not recommended.


For user auth it's the usual helper setup querying AD via an LDAP
lookup supplying user/pass and group membership.


For workstation auth we wrote a simple short shell script that takes  
%SRC as an input and then uses dig to work out the name via a reverse  
lookup (the script actually does a bit more checking in case multiple  
answers are returned and having to determine - by a forward lookup -  
which name is the correct one for the address supplied).


The output of that script produces a computer name which we use as the  
input to squid_ldap_group along with the name of the relevant  
workstation group.  The output of that helper query then tells us  
whether the computer is in a certain group and thus we can accept/deny  
or combine with other values such as a user's membership of some other  
group and so on.


Works fine with the notable requirement that dns lookups must be  
current and in-addr.arpa zones are setup and consistent.


regards

r.







Razvan Grigore wrote:
What you are looking for is winbind helper. It runs as an external  
ACL.
Any other approach will also need to run an external ACL, so the
answer to your second question is yes and the example is winbind.



The winbind helper is declared like this:
external_acl_type ad_group children=3 ttl=120 %LOGIN
/usr/lib/squid/wbinfo_group.pl
I pass to it only the username. What I want is to allow ANY username
(even if it's not a member of the Internet AD group) who is logged on a
computer that is a member of this Internet group. I guess I have to pass the
%SRC variable to an external helper and use nmblookup to get the
computer name, and then I'm stuck.
Any ideas?
Razvan


You appear not to understand the real concepts behind authentication  
and authorization


You can authenticate a username/password pair, regardless of  
location. (standard login)


THEN you can use the username/password to retrieve and verify a  
particular group for the username/password  (winbind group external  
ACL).


THEN you can also verify a location with one of the username/ 
password or username/password/group   tuplets.


You cannot use AD _user_ groups to assign a group membership to a  
_location_ while ignoring username.



For the setup you are now describing the secure way to do it is to  
ignore username completely and use the location (source IP) in an  
ACL. As has been mentioned several times already.


In addition to that, you can force users to log in correctly
(anyone with a valid username/password pair) before the external ACL
gets run. But even then the external ACL MUST ignore the login
details it gets.


Amos
--
Please be using
 Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
 Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1




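The helper Rolf describes above (reverse lookup of %SRC, forward lookup to pick the right name when several PTR answers come back, then a workstation-group check) and the %SRC-keyed external_acl_type line from Razvan's squid.conf, written out as an added Python example. This is not Razvan's hostname.pl or Rolf's shell script: the DNS and group lookups are plain functions reading constructed tables (the host names, addresses and group members below are invented for the example), so the logic runs offline; a real helper would replace them with dig/nmblookup/socket.gethostbyaddr and squid_ldap_group or wbinfo. The http_access function at the end models the three http_access lines Razvan posted, which is an assumption about how they interact based on Squid's first-matching-line rule.

```python
#!/usr/bin/env python3
# Added example of a Squid external_acl_type helper keyed on %SRC only.
# Not Razvan's hostname.pl or Rolf's shell script: lookups are injected and
# read the constructed tables below, so the logic runs offline.
# Squid writes one request per line ("<src-ip> <group>") to stdin and expects
# one "OK" or "ERR" reply line per request, in order.
import sys

# --- constructed sample data (assumed values for this example, not real hosts) ---
PTR_TABLE = {                                   # reverse (in-addr.arpa) answers
    "10.0.0.5": ["kiosk01.example.local"],
    "10.0.0.9": ["old-name.example.local", "pc-lab02.example.local"],  # two PTRs
    "10.0.0.20": ["rogue.example.local"],       # PTR exists but forward record disagrees
}
A_TABLE = {                                     # forward (A) answers
    "kiosk01.example.local": ["10.0.0.5"],
    "old-name.example.local": ["10.0.0.77"],    # stale PTR: the name now points elsewhere
    "pc-lab02.example.local": ["10.0.0.9"],
    "rogue.example.local": ["10.0.0.21"],
}
GROUP_TABLE = {                                 # what squid_ldap_group / wbinfo would report
    "o-ro-cod-internet": {"kiosk01", "pc-lab02"},
}


def reverse_lookup(ip):
    return PTR_TABLE.get(ip, [])


def forward_lookup(name):
    return A_TABLE.get(name, [])


def resolve_workstation(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Return the short host name whose forward record confirms `ip`, else None.

    This is the check Rolf describes: when the reverse zone returns several
    names, accept only one whose A record maps back to the source address.
    A stale or spoofed PTR therefore cannot borrow another machine's group.
    """
    for name in reverse(ip):
        if ip in forward(name):
            return name.split(".")[0].lower()
    return None


def in_workstation_group(host, group, members=GROUP_TABLE):
    return host is not None and host in members.get(group, set())


def answer(line):
    """Map one request line to one reply line of the external ACL protocol."""
    parts = line.split()
    if len(parts) < 2:                          # malformed request: fail closed
        return "ERR"
    src_ip, group = parts[0], parts[1]
    host = resolve_workstation(src_ip)
    return "OK" if in_workstation_group(host, group) else "ERR"


def http_access(authenticated, in_user_group, in_host_group):
    """Model the three http_access lines from the thread.

    Squid stops at the first line whose ACLs all match, so
    'deny !internet_users !internet_hosts' fires only when the client is in
    neither group; membership in either one lets the request fall through
    to 'allow authenticated'.
    """
    if not authenticated:                       # http_access deny !authenticated all
        return "deny"
    if not in_user_group and not in_host_group: # http_access deny !internet_users !internet_hosts all
        return "deny"
    return "allow"                              # http_access allow authenticated


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()                      # same purpose as $|=1 in the Perl helper


if __name__ == "__main__":
    main()
```

Run it under `external_acl_type host_ad_group children=3 ttl=60 %SRC /path/to/helper.py` as in Razvan's config; Squid caches each reply for the ttl, so a slow lookup is paid once per address per minute rather than per request. Because the helper keys on the source address alone, it trusts the network and the DNS zones exactly as Rolf notes: the in-addr.arpa zone must be current, and the forward-confirmation step is what stops a stale or attacker-controlled PTR from claiming a group the address does not belong to. The real lookups still need the one-second alarm Razvan added, since a hung nmblookup blocks that helper child.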


[squid-users] NTLM Auth for workstation not users

2008-12-03 Thread Razvan Grigore
Hello,

I successfully implemented a working solution with squid 3.0STABLE10,
NTLM Auth & samba.
I have an AD group with users that are allowed to access the internet.

What is demanded now by my company is to add to that internet group
some computer accounts, that will have access to the proxy no matter
what user is logged on them.

Now, from AD point of view, it's easy to add the computer name to that
group. The problem is with squid acl's. Can you please give me an
example as how I should get it working? Or external acl is the answer
here? If yes, can you also give me an example?

Thank you!
Razvan


Re: [squid-users] NTLM Auth for workstation not users

2008-12-03 Thread Kinkie
On Wed, Dec 3, 2008 at 8:13 PM, Razvan Grigore [EMAIL PROTECTED] wrote:
 Hello,

 I successfully implemented a working solution with squid 3.0STABLE10,
 NTLM Auth & samba.
 I have an AD group with users that are allowed to access the internet.

 What is demanded now by my company is to add to that internet group
 some computer accounts, that will have access to the proxy no matter
 what user is logged on them.

 Now, from AD point of view, it's easy to add the computer name to that
 group. The problem is with squid acl's. Can you please give me an
 example as how I should get it working? Or external acl is the answer
 here? If yes, can you also give me an example?

Give those computers static IP addresses and list those IP addresses in an
allowed ACL.


-- 
/kinkie


RE: [squid-users] NTLM Auth for workstation not users

2008-12-03 Thread Tom Porch
Or reservations in DHCP rather than setting on each workstation


From: Kinkie [EMAIL PROTECTED]
Sent: 03 December 2008 21:34
To: Razvan Grigore
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM Auth for workstation not users

On Wed, Dec 3, 2008 at 8:13 PM, Razvan Grigore [EMAIL PROTECTED] wrote:
 Hello,

 I successfully implemented a working solution with squid 3.0STABLE10,
 NTLM Auth & samba.
 I have an AD group with users that are allowed to access the internet.

 What is demanded now by my company is to add to that internet group
 some computer accounts, that will have access to the proxy no matter
 what user is logged on them.

 Now, from AD point of view, it's easy to add the computer name to that
 group. The problem is with squid acl's. Can you please give me an
 example as how I should get it working? Or external acl is the answer
 here? If yes, can you also give me an example?

Give those computers static IP addresses and list those IP addresses in an
allowed ACL.


--
/kinkie


Re: [squid-users] NTLM Auth for workstation not users

2008-12-03 Thread Razvan Grigore
As I already told you, I don't want to make a list with IPs; I want to
allow computers based on AD group, for one-place administration.

I can try an external acl with nslookup or nmblookup. Do you have
another suggestion?

On Wed, Dec 3, 2008 at 11:50 PM, Tom Porch [EMAIL PROTECTED] wrote:
 Or reservations in DHCP rather than setting on each workstation

 
 From: Kinkie [EMAIL PROTECTED]
 Sent: 03 December 2008 21:34
 To: Razvan Grigore
 Cc: squid-users@squid-cache.org
 Subject: Re: [squid-users] NTLM Auth for workstation not users

 On Wed, Dec 3, 2008 at 8:13 PM, Razvan Grigore [EMAIL PROTECTED] wrote:
 Hello,

 I successfully implemented a working solution with squid 3.0STABLE10,
 NTLM Auth & samba.
 I have an AD group with users that are allowed to access the internet.

 What is demanded now by my company is to add to that internet group
 some computer accounts, that will have access to the proxy no matter
 what user is logged on them.

 Now, from AD point of view, it's easy to add the computer name to that
 group. The problem is with squid acl's. Can you please give me an
 example as how I should get it working? Or external acl is the answer
 here? If yes, can you also give me an example?

 Give those computers static IP addresses and list those IP addresses in an
 allowed ACL.


 --
/kinkie