RE: [squid-users] NT with 2 groups defined for squid

From: Chemolli Francesco (USI) <[email protected]>
Date: Thu, 6 Dec 2001 14:20:50 +0100

> Thanks Francesco, can you comment on this too?
>
> > > - does somebody use a better method for those 2 NT groups to
> > > authenticate?
> >
> > Yes. Enumerate the groups and use squid ACLs.
> > Where I am we're using a database to do this, but it should be the same
> > with "net {local,global}group".
> What do you mean exactly with "net {local,global}group". I do not know any
> acl with this statement.

It's NT's "net localgroup" or "net globalgroup" command.
Notice it will fail miserably if usernames are too long.

> I was thinking if maybe it is also possible to use it with 2 smb_auth
> statements. However I do not know, if it is possible to combine this with
> ACL / proxy_auth.

No, sorry.

> authenticate_program /opt/squid/libexec/squid/smb_auth -W DOMAIN -P
> localdomain -U PDC -S /netlogon/proxyauth_limited
> authenticate_program /opt/squid/libexec/squid/smb_auth -W DOMAIN -P
> localdomain -U PDC -S /netlogon/proxyauth_full
>
> > Create an .asp on your DC and IP- and password- protect it.
> > Have it dump a list of domain\user formatted lines.
> I am not really familiar with this NT environment. Can the DC export such a
> list?

Sure. There are APIs provided to enumerate groups. I don't remember their
names though, check MSDN. MAYBE you can do that through Samba's rpcclient.

-- 
	ing. Francesco Chemolli
	Unicredit Servizi Informativi
Received on Thu Dec 06 2001 - 06:09:21 MST
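
The approach discussed in this message (enumerate group members on the NT side, then feed the names to squid proxy_auth ACLs), as an added example that is not part of the original mail. The sample output layout, the 20-character length limit, the file path, the ACL name and all function names are assumptions made for illustration.

```python
import re

# Constructed sample of "net localgroup <name>" output; the layout is an assumption.
SAMPLE = """Alias name     proxyauth_full
Comment        Full proxy access

Members

-------------------------------------------------------------------------------
DOMAIN\\alice
DOMAIN\\Bob.Smith
DOMAIN\\a_very_long_account_name_here
DOMAIN\\eve mallory
The command completed successfully.
"""

def parse_members(output):
    """Return the member lines between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{5,}", line):
            in_list = True
        elif in_list and line and not line.startswith("The command"):
            members.append(line)
    return members

def to_squid_users(members, max_len=20):
    """Split members into (accepted, rejected) user names for a squid ACL file.

    Names longer than max_len (assumed limit) or containing characters outside
    a conservative set are rejected, not silently truncated or written out.
    """
    accepted, rejected = [], []
    for member in members:
        user = member.rsplit("\\", 1)[-1]          # drop the DOMAIN\ prefix
        ok = len(user) <= max_len and re.fullmatch(r"[A-Za-z0-9._-]+", user)
        (accepted if ok else rejected).append(user)
    return sorted(set(accepted)), rejected

def squid_acl_line(group, path):
    """Render the squid.conf line that loads one user-list file (one name per line)."""
    return 'acl %s proxy_auth "%s"' % (group, path)

if __name__ == "__main__":
    users, bad = to_squid_users(parse_members(SAMPLE))
    print("\n".join(users))      # contents of the per-group user file
    print("rejected:", bad)      # review these by hand before granting access
    print(squid_acl_line("full_users", "/etc/squid/proxyauth_full.users"))
```

Rejected names are reported instead of being written to the list, so an over-long or oddly formatted account never ends up in an ACL under a different name than intended.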
