RE: [squid-users] Authing to ADS NT Groups in a file

From: Jason Oakley <[email protected]>
Date: Thu, 28 Oct 2004 12:02:22 +1000

aha. I needed to use this:

external_acl_type NT_global_group %LOGIN /usr/local/libexec/squid/wbinfo_group.pl

Well that's one step further, but now it allows everyone to access the proxy even if they aren't in the allowed groups.

external_acl_type NT_global_group %LOGIN /usr/local/libexec/squid/wbinfo_group.pl

# Use the group
acl AllowedNTUsers external NT_global_group "/usr/local/etc/squid/acls/allowedntgroups"
acl LoggedInUsers proxy_auth REQUIRED

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow AllowedNTUsers
http_access allow LoggedInUsers
http_access deny !AllowedNTUsers
http_access deny !LoggedInUsers

Slowly getting somewhere.

Does this allow all from the AllowedNTUsers file and also all logged in users?
How do I make it that they have to be
A: Logged into the ADS
and
B: In particular groups

instead of A: OR B:

-----Original Message-----
From: squid-users-return-49446-Jason.Oakley=aapt.com.au@squid-cache.org
[mailto:squid-users-return-49446-Jason.Oakley=aapt.com.au@squid-cache.org] On Behalf Of Jason Oakley
Sent: Thursday, 28 October 2004 10:31 AM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Authing to ADS NT Groups in a file

Okay. I forgot this:
# Define the group
external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wb_group

Now I can start squid.

I am in group "ITDepartment"
which I put in the "allowedntgroups" file

but it still denies me access.

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Define the group
external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wb_group

# Use the group
acl AllowedNTUsers external NT_global_group "/usr/local/etc/squid/acls/allowedntgroups"
acl AuthorizedUsers proxy_auth REQUIRED

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow AllowedNTUsers
http_access allow AuthorizedUsers
http_access deny !AllowedNTUsers
http_access deny !AuthorizedUsers

# And finally deny all other access to this proxy
http_access deny all

cat allowedntgroups
ITDepartment

-----Original Message-----
From: squid-users-return-49444-Jason.Oakley=aapt.com.au@squid-cache.org
[mailto:squid-users-return-49444-Jason.Oakley=aapt.com.au@squid-cache.org] On Behalf Of Jason Oakley
Sent: Thursday, 28 October 2004 9:06 AM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Authing to ADS NT Groups in a file

According to the docs:
acl ProxyUsers external NT_global_group "/usr/local/squid/etc/DomainUsers"
and the DomainUsers files will contain only the following line:
"Domain Users"

I tried this:
acl AllowedNTUsers external NT_global_group "/usr/local/etc/squid/acls/allowedntgroups"
acl AuthorizedUsers proxy_auth REQUIRED

in allowedntgroups:
"IT Dept"
but I get this:

FATAL: Bungled squid.conf line 1840: acl AllowedNTUsers external NT_global_group "/usr/local/etc/squid/acls/allowedntgroups"
Squid Cache (Version 2.5.STABLE7): Terminated abnormally.

-----Original Message-----
From: squid-users-return-49441-Jason.Oakley=aapt.com.au@squid-cache.org
[mailto:squid-users-return-49441-Jason.Oakley=aapt.com.au@squid-cache.org] On Behalf Of Jason Oakley
Sent: Thursday, 28 October 2004 8:47 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Authing to ADS NT Groups in a file

I have Squid authing to ADS via Samba and I need to add certain groups to have access.

It's something like this:
acl unrestrictedusers external nt_group "/usr/local/etc/squid/acls/allowedntgroups"

but that doesn't work.
Of course, being NT groups, they have spaces in the names.. eg "IT Dept" so a file (allowedntgroups) to list the groups would be preferable.

What am I doing wrong?

TIA
--------------
Jason Oakley
Robina Helpdesk
AAPT Limited
Ph: 07 5562 4359

Jason.Oakley@aapt.com.au

------------------------------------------------------------------------------
This communication, including any attachments, is confidential. If
 you are not the intended recipient, you should not read it - please
 contact me immediately, destroy it, and do not copy or use any part of
 this communication or disclose anything about it.

------------------------------------------------------------------------------

Received on Wed Oct 27 2004 - 20:02:30 MDT
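
Added example (not part of the original message, and not Squid code): Squid reads http_access lines top to bottom, stops at the first line whose ACLs all match, and treats several ACLs on one line as AND. The small Python model below runs the four rules posted above and a single-line "both required" variant against three constructed users. As a simplifying assumption, a request without credentials just fails the login-based ACLs, where real Squid would send an authentication challenge.

```python
# Added example: a small model of http_access matching, not Squid's own code.
ALLOWED_GROUPS = {"ITDepartment"}  # the allowedntgroups file quoted in the thread
# ACL name -> predicate over a constructed user record (assumption of this model).
ACLS = {
    "all": lambda u: True,
    "LoggedInUsers": lambda u: u["authenticated"],
    # The group helper is keyed on %LOGIN, so only a logged-in user can match.
    "AllowedNTUsers": lambda u: u["authenticated"] and bool(u["groups"] & ALLOWED_GROUPS),
}
POSTED = """\
http_access allow AllowedNTUsers
http_access allow LoggedInUsers
http_access deny !AllowedNTUsers
http_access deny !LoggedInUsers
"""
# One allow line naming both ACLs (logical AND), then an explicit default deny.
REQUIRE_BOTH = """\
http_access allow LoggedInUsers AllowedNTUsers
http_access deny all
"""
# Constructed sample users, not taken from the thread.
USERS = {
    "anonymous": {"authenticated": False, "groups": set()},
    "outside_group": {"authenticated": True, "groups": {"Domain Users"}},
    "it_member": {"authenticated": True, "groups": {"Domain Users", "ITDepartment"}},
}

def parse(conf):
    rules = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields[:1] == ["http_access"]:
            rules.append((fields[1], fields[2:]))
    return rules

def term_matches(term, user):
    hit = ACLS[term.lstrip("!")](user)
    return not hit if term.startswith("!") else hit

def decide(conf, user):
    rules = parse(conf)
    for action, terms in rules:
        if all(term_matches(t, user) for t in terms):
            return action  # first matching line wins; later lines are never read
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

def outcomes(conf):
    return {name: decide(conf, user) for name, user in USERS.items()}
```

With POSTED, the authenticated user outside the group is admitted by the second line before either deny line is reached; with REQUIRE_BOTH only the ITDepartment member is allowed.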

This archive was generated by hypermail pre-2.1.9 : Mon Nov 01 2004 - 12:00:02 MST