Re: [squid-users] NTLM questions (sorry)

From: Greg Sheard <[email protected]>
Date: 01 Apr 2003 11:54:29 +0100

On Tue, 2003-04-01 at 11:42, Gavin Hamill wrote:
> > Gavin,
> > I know how you feel I battled with winbind and these problems for ages and
> > finally it all worked. Below is the relevant parts of my squid.conf.
>
> I'm /almost/ there :) winbindd now seems to work fine, and I can
> successfully limit squid access only to those who authenticate using NTLM...
> those currently logged into the domain see no pop-up password prompt, and
> those roaming can just tap in their on-site user/password/domain into the
> box...
>
> However, the grail is to achieve two things:
>
> 1) Members of the 'Domain Admins' group are allowed proxy access to any
> site, at any time of day
> 2) All other authenticated users are only permitted to use a set list of
> websites during office hours.
>
> At present, if I reference anything relating to NT groups, I just get
> 'Access Denied' from squid..
>
> Here's my entire squid.conf for 2.5.STABLE2, verbatim:
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> hierarchy_stoplist cgi-bin ?
>
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> auth_param ntlm program /usr/lib/squid/wb_ntlmauth
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
>
> external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
> acl domainadmins external NT_global_group "Domain Admins"
>
> acl domainmember proxy_auth REQUIRED
>
> acl localhost src 127.0.0.1/255.255.255.255
>
> acl lan src 80.76.192.0/255.255.255.0
>
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 # https
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> acl morning time MTWHF 09:00-12:59
> acl afternoon time MTWHF 14:00-16:59
> acl whitelist dstdomain "/etc/squid.whitelist"
>
> http_access allow localhost
>
> # admins should get full access, whenever, wherever.
> http_access allow domainmember domainadmins
>
> # non-admins can only look at certain sites during office hours ...
> http_access deny domainmember morning !whitelist
> http_access deny domainmember afternoon !whitelist
> # ... and all sites outside office hours.
> http_access allow domainmember
>
> # non-auth'd users get nada
> http_access deny all
>
> http_reply_access allow all
>
> icp_access allow all
> coredump_dir /var/spool/squid
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> As it stands, this config does not work as I want because members of 'Domain
> Admins' group are assigned the same privileges as normal NTLM-auth'd users.
> I don't understand this, because:
>
> wintermute:~# /usr/lib/squid/wb_group
> floss "Domain Admins"
> OK
>
> I've also tried surrounding the Domain Admins group name with single and
> double-quoted in squid.conf, but this has made no difference
>
> As always, I'm interested in suggestions :)

Hi Gavin,

Brian O'Neill submitted a patch in November to allow you to use `Domain
Admins`, because you can't do it with spaces (as you've discovered).
It's down to the passing around between squid.conf and the ACL helper.

I don't know if it made it in, but you could give it a go.

HTH, HAND

Greg.

-- 
No keyboard present 
Hit F1 to continue 
Zen engineering?

Received on Tue Apr 01 2003 - 03:54:45 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:34 MST