On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries<squid3_at_treenet.co.nz> wrote:
> Avinash Rao wrote:
>>
>> ---------- Forwarded message ----------
>> From: Avinash Rao <avinash.aol_at_gmail.com>
>> Date: Tue, Sep 8, 2009 at 11:13 AM
>> Subject: Re: Fwd: [squid-users] Need help in integrating squid and samba
>> To: Amos Jeffries <squid3_at_treenet.co.nz>
>> Cc: Henrik Nordstrom <henrik_at_henriknordstrom.net>,
>> squid-users_at_squid-cache.org
>>
>>
>>
>>
>> On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries <squid3_at_treenet.co.nz>
>> wrote:
>>>
>>> Avinash Rao wrote:
>>>>
>>>> On 8/31/09, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>>>
>>>>> Avinash Rao wrote:
>>>>>
>>>>>> On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom
>>>>>
>>>>> <henrik_at_henriknordstrom.net
>>>>> <mailto:henrik_at_henriknordstrom.net>> wrote:
>>>>>>
>>>>>> �s�n 2009-08-23 klockan 15:08 +0530 skrev Avinash Rao:
>>>>>> � > I couldn't find any document that shows me how to enable wb_info
>>>>>> �for squid.
>>>>>> � > Can anybody help me?
>>>>>>
>>>>>> �external_acl_type NT_Group %LOGIN
>>>>>> �/usr/local/squid/libexec/wbinfo_group.pl
>>>>>>
>>>>>> �acl group1 external NT_Group group1
>>>>>>
>>>>>>
>>>>>> �then use group1 whenever you want to match users belonging to that
>>>>>> �Windows group.
>>>>>>
>>>>>> �Regards
>>>>>> �Henrik
>>>>>>
>>>>>>
>>>>>> Hi Henrik,
>>>>>>
>>>>>> I have used the following in my squid.conf
>>>>>>
>>>>>> external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl acl
>>>>>
>>>>> group1 external NT_Group staff
>>>>>>
>>>>>> acl net time M T W T F S S 9:00-18:00
>>>>>> http_access allow net
>>>>>>
>>>>>> On my linux server, I have created a group called staff and made a
>>>>>> couple
>>>>>
>>>>> of users a member of this group called staff. My intention is to
>>>>> provide
>>>>> access to users belonging to group staff on all days from morning 9am -
>>>>> 7PM.
>>>>> The rest should be denied.
>>>>>>
>>>>>> But this didn't work, when the Samba users login from a winxp client,
>>>>>> it
>>>>>
>>>>> doesn't get access to internet at all.
>>>>> There is no http_access lien making any use of ACL "group1"
>>>>>
>>>>> And _everybody_ (me included on this side of the Internet) is allowed
>>>>> to use
>>>>> your proxy between 9am ad 6pm.
>>>>>
>>>>>
>>>>> Amos
>>>>
>>>> Thanks for the reply, Ya i missed http_access allow group1
>>>> I didn't understand your second statement, are u telling me that i
>>>> should deny access to net?
>>>
>>> You should combine the ACL with others on an http_access line so that its
>>> limited to who it allows.
>>>
>>> This:
>>> �acl net time M T W T F S S 9:00-18:00
>>> �http_access allow net
>>>
>>> simply says "all requests are allowed between time X and Y".
>>> Without additional controls, ie on IP address making the request, �you
>>> end up with an open proxy.
>>>
>>> Amos
>
>>
>> Dear Amos,
>>
>> I am still not able to get this working. �Here's what i want to
>> accomplish. I have WinXP - SP2 clients logging onto the samba domain
>> and LTSP users. All users use squid proxy. My intention is to control
>> the samba users from accessing the internet at certain times.
>>
>> If i don't use the external_acl_type NT_Group as mentioned below, the
>> squid works properly for all users, even windows and anybody using
>> squid proxy.
>>
>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/
>> wbinfo_group.pl
>> acl group1 external NT_Group group1
>> I have created a group called staff using net rpc command and i am i
>> have made all the users using winxp a member of this group staff. So,
>> my acl will look like
>>
>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>> acl acl_name external NT_Group staff
>> http_access allow staff
>>
>> According to my understanding, it should allow only those samba users
>> which come under the group staff. But thats not happening, squid
>> denies access to the internet.
>
> _when tested_ it should be doing that. Other rules around it have an effect
> that you may have overlooked.
>
> Then again the group name is case-sensitive. The helper is OS access
> permission sensitive, and NTLM auth has difficulties all of its own.
>
>
> I'll need to see the whole access config to know whats going on. And remind
> me what version of Squid this is.
>
>
> Amos
> --
> Please be using
> �Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
> �Current Beta Squid 3.1.0.13
>
hi,
root_at_sunbox:/etc/squid# dpkg -l | grep squid
ii squid 2.6.18-1ubuntu3
Internet object cache (WWW proxy cache)
ii squid-common 2.6.18-1ubuntu3
Internet object cache (WWW proxy cache) - co
squid.conf
visible_hostname sunbox
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
http_port 10.10.10.200:3128
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl staffgroup external NT_Group staff
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl Safe_ports port 993 # IMAP
acl Safe_ports port 587 # SMTP
acl Safe_ports port 22 # SSH
acl purge method PURGE
acl special_urls url_regex "/etc/squid/squid-noblock.acl"
acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
acl lan src 192.168.1.0 10.10.10.0/24
acl stud ident_regex babu
acl download method GET
acl CONNECT method CONNECT
cache_mem 100 MB
#redirect_program /usr/bin/squidGuard �c /etc/squid/squidGuard.conf
ident_lookup_access allow all
http_access allow staffgroup
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access allow special_urls
http_access deny extndeny download
http_access deny extndeny
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny badurl
http_access deny malware_block_list
deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
Thanks
Avinash
Received on Tue Sep 08 2009 - 06:17:59 MDT
This archive was generated by hypermail 2.2.0 : Tue Sep 08 2009 - 12:00:02 MDT