Re: [squid-users] Winbind and Windows groups
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5, third paragraph under supported samba releases.

'Squid-2.5.STABLE2 will support Samba-2.2.6 to Samba-2.2.7a and hopefully later Samba versions. To use Squid-2.5.STABLE2 with Samba versions 2.2.5 or earlier the new --with-samba-sources=... configure option is required. This may also be the case with Samba-2.2.X versions later than 2.2.7a or if you have applied any winbind related patches to your Samba tree.'

Regards
Henrik

On Wednesday 19 February 2003 00.10, Simon Bryan wrote:

OK, I know about the Changelog, but where is the info on STABLE2? I only see references to STABLE1 on the Squid site.

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]]
Sent: Tue, 18. February 2003 7:26 PM
To: [EMAIL PROTECTED]
Cc: Squid-Users
Subject: Re: [squid-users] Winbind and Windows groups

For the current snapshots you need to see the information regarding Squid-2.5.STABLE2. What is said about Squid-2.5.STABLE1 does not apply to the current snapshots as the solution for 2.5.STABLE2 is already in place there.

When you use a snapshot it is recommended to look at the Known Bugs page and the ChangeLog to get a view of what has changed since the last STABLE release.

The wb_group directory should read winbind_group. Fixing.

Regards
Henrik

On Tuesday 18 February 2003 01.12, Simon Bryan wrote:

The following is in the SQUID FAQ so I thought I would try it anyway (I currently have Samba 2.2.5), however in the Squid directories there is no winbindd_nss.h file and in the 'helper/external_acl' directory there is no wb_group directory. In the snapshot from 20030123, the winbindd_nss file exists in the first two directories but the wb_group directory is also not there. Have there been changes in this area and if so would they be affecting my problem? Have re-built with the 20030123 snapshot but there is no change.

Squid-2.5.STABLE1 works with Samba 2.2.4 or 2.2.5. Samba With Samba 2.2.6, the winbindd interface changed and Squid 2.5.STABLE1 will not work as distributed. Replacing the winbindd_nss.h file in Squid's helpers/basic_auth/winbind, helpers/ntlm_auth/winbind and helpers/external_acl/wb_group/ directories with the version in Samba's source/nsswitch directory is needed for the helpers to work properly.

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]]
Sent: Tue, 18. February 2003 9:07 AM
To: [EMAIL PROTECTED]
Subject: Re: [squid-users] Winbind and Windows groups

Looks fine from what I can tell, and should work.. But your http_access rules are a bit complex I think, but no immediately obvious errors except for the allow CONNECT ... thing which may override later filters if using https://..

Regards
Henrik

On Monday 17 February 2003 22.19, you wrote:

Yes, I have the following:

auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 20
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minute
auth_param basic program /usr/local/bin/smb_auth -W OLMC_CD -U 10.192.0.11
auth_param basic children 5
auth_param basic realm Poxy server at OLMC
auth_param basic credentialsttl 1 hour

and from below:

authenticate_ttl 1 hour
acl password proxy_auth REQUIRED
http_access deny all !password

and the logs show the username as domain\username. I take it that this should work then?

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]]
Sent: Tue, 18. February 2003 2:06 AM
To: [EMAIL PROTECTED]
Cc: Squid-Users
Subject: Re: [squid-users] Winbind and Windows groups

Have you also configured authentication? (auth_param ...)

The group helpers are only responsible for verifying group membership, and rely on the authentication helper(s) to first verify the username and password.

Regards
Henrik

Mon 2003-02-17 at 06.11, Simon Bryan wrote:

Hi all,
I have sorted out most of my winbind problems at least at Samba - command line level. However I still cannot get Squid to recognise the groups. The relevant lines from my Squid.conf file are below. Note that wbinfo -u returns the users, wbinfo -g returns the groups from the domain, if I feed a correct domain+username groupname to wb_group it returns 'OK' or 'ERR' as the case may be.

Is there anything wrong in my conf file that is obvious, or can I not do this yet?

Using SQUID snapshot from 13th Feb 03
RE: [squid-users] Winbind and Windows groups
Yes, I have the following:

auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 20
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minute
auth_param basic program /usr/local/bin/smb_auth -W OLMC_CD -U 10.192.0.11
auth_param basic children 5
auth_param basic realm Poxy server at OLMC
auth_param basic credentialsttl 1 hour

and from below:

authenticate_ttl 1 hour
acl password proxy_auth REQUIRED
http_access deny all !password

and the logs show the username as domain\username. I take it that this should work then?

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]]
Sent: Tue, 18. February 2003 2:06 AM
To: [EMAIL PROTECTED]
Cc: Squid-Users
Subject: Re: [squid-users] Winbind and Windows groups

Have you also configured authentication? (auth_param ...)

The group helpers are only responsible for verifying group membership, and rely on the authentication helper(s) to first verify the username and password.

Regards
Henrik

Mon 2003-02-17 at 06.11, Simon Bryan wrote:

Hi all,
I have sorted out most of my winbind problems at least at Samba - command line level. However I still cannot get Squid to recognise the groups. The relevant lines from my Squid.conf file are below. Note that wbinfo -u returns the users, wbinfo -g returns the groups from the domain, if I feed a correct domain+username groupname to wb_group it returns 'OK' or 'ERR' as the case may be.

Is there anything wrong in my conf file that is obvious, or can I not do this yet?

Using SQUID snapshot from 13th Feb 03

***
external_acl_type wb_group %LOGIN /usr/local/squid/libexec/wb_group
acl winauth external wb_group wwwusers
acl staff external wb_group Teachers
acl students external wb_group Students
authenticate_ttl 1 hour
authenticate_ip_ttl 300 seconds
#a list of webmail domains from Dansguardian
acl webmail dstdomain /etc/dansguardian/blacklists/mail/domains
#some regex expressions that used to work OK with IP based acls
acl webmail2 urlpath_regex /usr/local/squid/acls/webmailregex
acl password proxy_auth REQUIRED
#using this as a test, if I make it a http_access deny TEST all it works
acl TEST dstdomain .passport.com
http_access deny redworm
http_access deny FTPDownloads PUT
http_access deny banned-url
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
http_access deny !Safe_ports
http_access deny to_localhost
http_access deny all !password
http_access deny students TEST
http_access deny students webmail webmail2
http_access allow local_servers
http_access allow FTPDownloads
http_access allow our_networks
http_access allow olmcwarnings
#And finally deny all other access to this proxy
http_access allow all
***

Simon Bryan
IT Manager
OLMC Parramata
ICQ#: 137562751

--
Henrik Nordstrom [EMAIL PROTECTED]
MARA Systems AB, Sweden
RE: [squid-users] Winbind and Windows groups
The following is in the SQUID FAQ so I thought I would try it anyway (I currently have Samba 2.2.5), however in the Squid directories there is no winbindd_nss.h file and in the 'helper/external_acl' directory there is no wb_group directory. In the snapshot from 20030123, the winbindd_nss file exists in the first two directories but the wb_group directory is also not there. Have there been changes in this area and if so would they be affecting my problem? Have re-built with the 20030123 snapshot but there is no change.

Squid-2.5.STABLE1 works with Samba 2.2.4 or 2.2.5. Samba With Samba 2.2.6, the winbindd interface changed and Squid 2.5.STABLE1 will not work as distributed. Replacing the winbindd_nss.h file in Squid's helpers/basic_auth/winbind, helpers/ntlm_auth/winbind and helpers/external_acl/wb_group/ directories with the version in Samba's source/nsswitch directory is needed for the helpers to work properly.

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]]
Sent: Tue, 18. February 2003 9:07 AM
To: [EMAIL PROTECTED]
Subject: Re: [squid-users] Winbind and Windows groups

Looks fine from what I can tell, and should work.. But your http_access rules are a bit complex I think, but no immediately obvious errors except for the allow CONNECT ... thing which may override later filters if using https://..

Regards
Henrik

On Monday 17 February 2003 22.19, you wrote:

Yes, I have the following:

auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 20
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minute
auth_param basic program /usr/local/bin/smb_auth -W OLMC_CD -U 10.192.0.11
auth_param basic children 5
auth_param basic realm Poxy server at OLMC
auth_param basic credentialsttl 1 hour

and from below:

authenticate_ttl 1 hour
acl password proxy_auth REQUIRED
http_access deny all !password

and the logs show the username as domain\username. I take it that this should work then?

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]]
Sent: Tue, 18. February 2003 2:06 AM
To: [EMAIL PROTECTED]
Cc: Squid-Users
Subject: Re: [squid-users] Winbind and Windows groups

Have you also configured authentication? (auth_param ...)

The group helpers are only responsible for verifying group membership, and rely on the authentication helper(s) to first verify the username and password.

Regards
Henrik

Mon 2003-02-17 at 06.11, Simon Bryan wrote:

Hi all,
I have sorted out most of my winbind problems at least at Samba - command line level. However I still cannot get Squid to recognise the groups. The relevant lines from my Squid.conf file are below. Note that wbinfo -u returns the users, wbinfo -g returns the groups from the domain, if I feed a correct domain+username groupname to wb_group it returns 'OK' or 'ERR' as the case may be.

Is there anything wrong in my conf file that is obvious, or can I not do this yet?

Using SQUID snapshot from 13th Feb 03

***
external_acl_type wb_group %LOGIN /usr/local/squid/libexec/wb_group
acl winauth external wb_group wwwusers
acl staff external wb_group Teachers
acl students external wb_group Students
authenticate_ttl 1 hour
authenticate_ip_ttl 300 seconds
#a list of webmail domains from Dansguardian
acl webmail dstdomain /etc/dansguardian/blacklists/mail/domains
#some regex expressions that used to work OK with IP based acls
acl webmail2 urlpath_regex /usr/local/squid/acls/webmailregex
acl password proxy_auth REQUIRED
#using this as a test, if I make it a http_access deny TEST all it works
acl TEST dstdomain .passport.com
http_access deny redworm
http_access deny FTPDownloads PUT
http_access deny banned-url
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
http_access deny !Safe_ports
http_access deny to_localhost
http_access deny all !password
http_access deny students TEST
http_access deny students webmail webmail2
http_access allow local_servers
http_access allow FTPDownloads
http_access allow our_networks
http_access allow olmcwarnings
#And finally deny all other access to this proxy
http_access allow all
***

Simon Bryan
IT Manager
OLMC Parramata
ICQ#: 137562751

--
Henrik Nordstrom [EMAIL PROTECTED]
MARA Systems AB, Sweden
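
The remark in the thread that the allow CONNECT rule may override later filters, as an added example that is not part of the original messages: a simplified first-match model of http_access run over a subset of the posted rules, with and without the "allow CONNECT SSL_ports" line. The ACL bodies, port sets, sample requests and the user name "pupil" are assumptions made for illustration.

```python
# Added example: simplified first-match model of Squid's http_access list.
# ACL bodies, port sets and sample requests are constructed assumptions.
ACLS = {
    "all":        lambda r: True,
    "CONNECT":    lambda r: r["method"] == "CONNECT",
    "SSL_ports":  lambda r: r["port"] in {443, 563},
    "Safe_ports": lambda r: r["port"] in {21, 80, 443, 563},
    "password":   lambda r: r["user"] is not None,      # proxy_auth REQUIRED
    "students":   lambda r: "Students" in r["groups"],  # external wb_group
    "TEST":       lambda r: ("." + r["host"]).endswith(".passport.com"),
}

# Subset of the posted rules, in the posted order.
POSTED = """\
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
http_access deny !Safe_ports
http_access deny all !password
http_access deny students TEST
http_access allow all
"""
ALLOW_CONNECT = "http_access allow CONNECT SSL_ports"

def parse(conf, skip=None):
    # Returns [(action, [acl, ...], line)], optionally leaving one line out.
    lines = [l.strip() for l in conf.splitlines() if l.strip() and l.strip() != skip]
    return [(l.split()[1], l.split()[2:], l) for l in lines]

def acl_matches(name, req):
    negate = name.startswith("!")
    hit = ACLS[name.lstrip("!")](req)
    return not hit if negate else hit

def decide(rules, req):
    """First rule whose ACLs all match decides; later rules are never consulted."""
    for action, acls, line in rules:
        if all(acl_matches(a, req) for a in acls):
            return action, line
    return None, "(no rule matched)"

# Constructed requests: HTTPS tunnel without credentials, then HTTPS tunnel and
# plain HTTP from an authenticated member of the Students group.
ANON_TUNNEL = {"method": "CONNECT", "host": "login.passport.com", "port": 443, "user": None, "groups": []}
STUDENT_TUNNEL = dict(ANON_TUNNEL, user="OLMC_CD\\pupil", groups=["Students"])
STUDENT_HTTP = dict(STUDENT_TUNNEL, method="GET", host="www.passport.com", port=80)

if __name__ == "__main__":
    for req in (ANON_TUNNEL, STUDENT_TUNNEL, STUDENT_HTTP):
        print(decide(parse(POSTED), req), decide(parse(POSTED, skip=ALLOW_CONNECT), req))
```

In this model both tunnel requests are decided by the allow CONNECT line in the posted order, so the authentication and Students rules only ever see plain HTTP requests.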
[squid-users] Winbind and Windows groups
Hi all,
I have sorted out most of my winbind problems at least at Samba - command line level. However I still cannot get Squid to recognise the groups. The relevant lines from my Squid.conf file are below. Note that wbinfo -u returns the users, wbinfo -g returns the groups from the domain, if I feed a correct domain+username groupname to wb_group it returns 'OK' or 'ERR' as the case may be.

Is there anything wrong in my conf file that is obvious, or can I not do this yet?

Using SQUID snapshot from 13th Feb 03

***
external_acl_type wb_group %LOGIN /usr/local/squid/libexec/wb_group
acl winauth external wb_group wwwusers
acl staff external wb_group Teachers
acl students external wb_group Students
authenticate_ttl 1 hour
authenticate_ip_ttl 300 seconds
#a list of webmail domains from Dansguardian
acl webmail dstdomain /etc/dansguardian/blacklists/mail/domains
#some regex expressions that used to work OK with IP based acls
acl webmail2 urlpath_regex /usr/local/squid/acls/webmailregex
acl password proxy_auth REQUIRED
#using this as a test, if I make it a http_access deny TEST all it works
acl TEST dstdomain .passport.com
http_access deny redworm
http_access deny FTPDownloads PUT
http_access deny banned-url
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
http_access deny !Safe_ports
http_access deny to_localhost
http_access deny all !password
http_access deny students TEST
http_access deny students webmail webmail2
http_access allow local_servers
http_access allow FTPDownloads
http_access allow our_networks
http_access allow olmcwarnings
#And finally deny all other access to this proxy
http_access allow all
***

Simon Bryan
IT Manager
OLMC Parramata
ICQ#: 137562751
RE: [squid-users] Winbind and Windows groups
Maybe a bug. I observe the same problem. Please look at the bugzilla database entry 518.

Kind regards
Werner Rost

ZF Boge GmbH
Werner Rost
IT
Friesdorfer Str. 175
D-53175 Bonn
phone: +49/228/3825 420
fax: +49/228/3825 398
[EMAIL PROTECTED]
www.boge-vibrationcontrol.com/

-----Original Message-----
From: Simon Bryan [mailto:[EMAIL PROTECTED]]
Sent: Monday, 17 February 2003 06:11
To: Squid-Users
Subject: [squid-users] Winbind and Windows groups

Hi all,
I have sorted out most of my winbind problems at least at Samba - command line level. However I still cannot get Squid to recognise the groups. The relevant lines from my Squid.conf file are below. Note that wbinfo -u returns the users, wbinfo -g returns the groups from the domain, if I feed a correct domain+username groupname to wb_group it returns 'OK' or 'ERR' as the case may be.

Is there anything wrong in my conf file that is obvious, or can I not do this yet?

Using SQUID snapshot from 13th Feb 03

***
external_acl_type wb_group %LOGIN /usr/local/squid/libexec/wb_group
acl winauth external wb_group wwwusers
acl staff external wb_group Teachers
acl students external wb_group Students
authenticate_ttl 1 hour
authenticate_ip_ttl 300 seconds
#a list of webmail domains from Dansguardian
acl webmail dstdomain /etc/dansguardian/blacklists/mail/domains
#some regex expressions that used to work OK with IP based acls
acl webmail2 urlpath_regex /usr/local/squid/acls/webmailregex
acl password proxy_auth REQUIRED
#using this as a test, if I make it a http_access deny TEST all it works
acl TEST dstdomain .passport.com
http_access deny redworm
http_access deny FTPDownloads PUT
http_access deny banned-url
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
http_access deny !Safe_ports
http_access deny to_localhost
http_access deny all !password
http_access deny students TEST
http_access deny students webmail webmail2
http_access allow local_servers
http_access allow FTPDownloads
http_access allow our_networks
http_access allow olmcwarnings
#And finally deny all other access to this proxy
http_access allow all
***

Simon Bryan
IT Manager
OLMC Parramata
ICQ#: 137562751