[squid-users] Autorizzazione gruppi: wbinfo_group.pl

From: Samantha Cicchelero <[email protected]>
Date: Thu, 20 Nov 2003 16:50:40 +0100

Ciao a tutti!

Vorrei permettere l'accesso ad internet, utilizzando i gruppi del dominio W2K.
Sono riuscita a fare navigare gli utenti autenticati, senza che compaia la finestra di pop up. Ma non riesco a far accedere gli utenti in base al fatto che questo faccia parte di un gruppo autorizzato a navigare.

[Scenario]: box con redhat 9+ samba 3 + squid 2.5. STABLE4

Configurazione di squid.conf

auth_param ntlm program /usr/local/samba/bin/ntlm_auth --debug-level= 10 --helper-protocol=squid-2.5-ntlmssp --nt-response
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 15 minutes
 authenticate_ttl 1 hour
external_acl_type wbinfo_group_helper ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl gruppoInternet external wbinfo_group_helper -i "/etc/squid/gruppi/Internet"
acl password proxy_auth REQUIRED
http_access deny password !gruppoInternet
http_access deny all

Il file /etc/squid/gruppi/Internet contiene il nome del gruppo di dominio. Con samba 2.2.8a funzionava.

Configurazione di samba

#/usr/local/samba/lib/Smb.conf
 [global]
   workgroup = advnet
   server string = Samba Server on %v
   hosts allow = 192.168.150. 127.
   log file = /var/log/samba/%m.log
   max log size = 1000
   security = domain
   password server = srvadvnet
   encrypt passwords = yes
   smb passwd file = /usr/local/samba/private/smbpasswd
   interfaces = 192.168.150.250/24
        domain master = no
        preferred master = no
        wins support = no
#********************winbindd************************
winbind use default domain = yes
template shell = /bin/bash
template homedir = /home/%D/%U
idmap uid = 10000-65000
idmap gid = 10000-65000
winbind enum users = yes
winbind enum groups = yes

La compilazione di samba: ./configure --with-winbind --with-winbind-auth-challenge --with-msdfs --w
ith-smbwrapper --with-smbmount --with-pam_smbpass --with-nmbd

La compilazione di squid: ./configure --enable-auth=basic,digest,ntlm
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group
--enable-kill-parent-hack --enable-err-language=italian

Ho modificato i permessi per la directory winbindd_priviledged e file pipe:
[root@X007 locks]# ls -laF
drwxr-x--- 2 root squid 4096 20 nov 14:02 winbindd_privileged/
srwxrwxrwx 1 root root 0 20 nov 14:02 pipe

Ho modificato il file wbinfo_group.pl visto il post su http://itmanagers.net/posts10-0.html&postdays=0&postorder=asc&highlight=

 [root@X007 squid]# vi /usr/lib/squid/wbinfo_group.pl
#!/usr/bin/perl -w
#
# external_acl helper to Squid to verify NT Domain group
# membership using wbinfo
#
# This program is put in the public domain by Jerry Murdock
# <jmurdock@itraktech.com>. It is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Author:
# Jerry Murdock <jmurdock@itraktech.com>
#
# Version history:
# 2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
# Initial release
#

# external_acl uses shell style lines in it's protocol
#require 'shellwords.pl';

# Disable output buffering
$|=1;

sub debug {
        # Uncomment this to enable debugging
        #print STDERR "@_\n";
}

#
# Check if a user belongs to a group
#
sub check {
        local($user, $group) = @_;
        $groupSID = `wbinfo -n "$group"`;
        chop $groupSID;
        $groupGID = `wbinfo -Y $groupSID`;
        chop $groupGID;
        &debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
        return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
        return 'ERR';
}

sub shellwords {
        local (@words, $user, $group);
        ($user = $1, $group = $2) if (s/.*\\(.*)\s(.*)//);
        push (@words, $user, $group);
        @words;
}

#
# Main loop
#
while (<STDIN>) {
        chop;
        &debug ("Got $_ from squid");
        ($user, $group) = &shellwords;
        $ans = &check($user, $group);
        &debug ("Sending $ans to squid");
        print "$ans\n";
}

Vi ringrazio per qualsiasi aiuto.

Samantha Cicchelero
ADVNET s.r.l.
Via Marco Corner, n. 19
36016 Thiene (VI)
ITALY
Phone +39 0445 371093
Fax�����+39 0445 371094
Web Site http://www.advnet.it

Ai sensi della Legge 675/96 si precisa che le informazioni contenute in questo messaggio sono riservate ed a uso esclusivo del destinatario. Qualora il messaggio in parola Le fosse pervenuto per errore, la preghiamo di eliminarlo senza copiarlo e di non inoltrarlo a terzi, dandocene gentilmente comunicazione. Grazie.
This message for the law 675/96, may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
Received on Thu Nov 20 2003 - 08:47:43 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:21:25 MST