Re: [squid-users] NTLM questions (sorry)

From: Gavin Hamill <[email protected]>
Date: Tue, 1 Apr 2003 11:42:58 +0100

> Gavin,
> I know how you feel I battled with winbind and these problems for ages and
> finally it all worked. Below is the relevant parts of my squid.conf.

I'm /almost/ there :) winbindd now seems to work fine, and I can
successfully limit squid access only to those who authenticate using NTLM...
those currently logged into the domain see no pop-up password prompt, and
those roaming can just tap in their on-site user/password/domain into the
box...

However, the grail is to achieve two things:

1) Members of the 'Domain Admins' group are allowed proxy access to any
site, at any time of day
2) All other authenticated users are only permitted to use a set list of
websites during office hours.

At present, if I reference anything relating to NT groups, I just get
'Access Denied' from squid.

Here's my entire squid.conf for 2.5.STABLE2, verbatim:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object

external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
acl domainadmins external NT_global_group "Domain Admins"

acl domainmember proxy_auth REQUIRED

acl localhost src 127.0.0.1/255.255.255.255

acl lan src 80.76.192.0/255.255.255.0

acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

acl morning time MTWHF 09:00-12:59
acl afternoon time MTWHF 14:00-16:59
acl whitelist dstdomain "/etc/squid.whitelist"

http_access allow localhost

# admins should get full access, whenever, wherever.
http_access allow domainmember domainadmins

# non-admins can only look at certain sites during office hours ...
http_access deny domainmember morning !whitelist
http_access deny domainmember afternoon !whitelist
# ... and all sites outside office hours.
http_access allow domainmember

# non-auth'd users get nada
http_access deny all

http_reply_access allow all

icp_access allow all
coredump_dir /var/spool/squid
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

As it stands, this config does not work as I want because members of the 'Domain
Admins' group are assigned the same privileges as normal NTLM-auth'd users.
I don't understand this, because:

wintermute:~# /usr/lib/squid/wb_group
floss "Domain Admins"
OK

I've also tried surrounding the Domain Admins group name with single and
double quotes in squid.conf, but this has made no difference.

As always, I'm interested in suggestions :)

Cheers,
Gavin.
Received on Tue Apr 01 2003 - 03:43:52 MST
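The following is an added example, not code from the post or from the Squid project. It models the http_access evaluation squid applies to the policy above: lines are tried top to bottom, every ACL on a line must match (a leading `!` negates), and the first matching line decides. The external-group lookup is reduced to a boolean `group_lookup_ok` that stands in for whatever wb_group answers; the user names, hosts, whitelist entries and timestamps are constructed. Tracing the policy this way shows which line decides each request, including why admins fall through to the ordinary-user rules whenever the helper does not answer OK for them, and that the 13:00-13:59 gap between the two time ACLs is unrestricted for everyone.

```python
"""Simulate squid http_access evaluation for the policy in the post.

Squid tries http_access lines in order; the first line whose ACLs ALL
match decides the request. All sample data here is constructed.
"""
from datetime import datetime

# Constructed stand-in for /etc/squid.whitelist. A leading dot means
# "this domain and its subdomains", as squid's dstdomain treats it.
WHITELIST = [".example.com", "intranet.example.org"]

def in_time_acl(when, start_min, end_min):
    """time MTWHF HH:MM-HH:MM : Monday to Friday, clock within [start, end]."""
    if when.weekday() > 4:  # 5 = Saturday, 6 = Sunday
        return False
    minute_of_day = when.hour * 60 + when.minute
    return start_min <= minute_of_day <= end_min

def matches_whitelist(host):
    """dstdomain semantics: exact host, or any subdomain when the entry starts with '.'."""
    host = host.lower()
    for entry in WHITELIST:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def build_acls(group_lookup_ok):
    """Return the named ACLs from the post as predicates over a request.

    group_lookup_ok is an assumption standing in for the external helper's
    answer for "Domain Admins": True means it answers OK for a member,
    False means it answers ERR for everyone (the symptom described).
    """
    return {
        "domainmember": lambda r: r["user"] is not None,  # proxy_auth REQUIRED
        "domainadmins": lambda r: group_lookup_ok and "Domain Admins" in r["groups"],
        "morning":      lambda r: in_time_acl(r["when"], 9 * 60, 12 * 60 + 59),
        "afternoon":    lambda r: in_time_acl(r["when"], 14 * 60, 16 * 60 + 59),
        "whitelist":    lambda r: matches_whitelist(r["host"]),
        "all":          lambda r: True,
    }

# The http_access lines governing authenticated users, in the post's order.
HTTP_ACCESS = [
    ("allow", ["domainmember", "domainadmins"]),
    ("deny",  ["domainmember", "morning", "!whitelist"]),
    ("deny",  ["domainmember", "afternoon", "!whitelist"]),
    ("allow", ["domainmember"]),
    ("deny",  ["all"]),
]

def make_request(user, groups, host, when_iso):
    """Build a request dict; user=None models an unauthenticated client."""
    return {"user": user, "groups": groups, "host": host,
            "when": datetime.fromisoformat(when_iso)}

def decide(request, group_lookup_ok=True):
    """First-match evaluation; returns (verdict, index of the deciding line)."""
    acls = build_acls(group_lookup_ok)
    for idx, (verdict, terms) in enumerate(HTTP_ACCESS):
        line_matches = True
        for term in terms:
            negate = term.startswith("!")
            result = acls[term.lstrip("!")](request)
            if result == negate:  # plain term that failed, or negated term that matched
                line_matches = False
                break
        if line_matches:
            return verdict, idx
    return "deny", len(HTTP_ACCESS)  # not reached here: "deny all" always matches

if __name__ == "__main__":
    cases = [
        ("admin, helper OK",   make_request("floss", ["Domain Admins"], "news.example.net", "2003-04-01 10:00"), True),
        ("admin, helper ERR",  make_request("floss", ["Domain Admins"], "news.example.net", "2003-04-01 10:00"), False),
        ("user, morning",      make_request("bob", [], "news.example.net", "2003-04-01 10:00"), True),
        ("user, whitelisted",  make_request("bob", [], "www.example.com", "2003-04-01 10:00"), True),
        ("user, lunch gap",    make_request("bob", [], "news.example.net", "2003-04-01 13:30"), True),
        ("user, saturday",     make_request("bob", [], "news.example.net", "2003-04-05 10:00"), True),
        ("unauthenticated",    make_request(None, [], "www.example.com", "2003-04-01 10:00"), True),
    ]
    for label, req, ok in cases:
        verdict, line = decide(req, ok)
        print(f"{label:20s} -> {verdict:5s} (http_access line {line})")
```

Running the block prints one verdict per constructed case; the "admin, helper ERR" row lands on the same deny line as an ordinary user, which is exactly how the config behaves when the group lookup never returns OK, whatever the reason for that may be.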
