Antonio G P wrote:
| Hello!!!
|
| I have installed Suse 9.0 as a Primary Domain Server with Samba and
| windows clients. It is working ok.
|
| Next step is to configure squid for windows clients but I don't know how
| to implement ACL to control the access of domain users. Is it necessary
| to install winbind?
|
| Thank you very much for your help because I am a bit lost with this.

As far as I remember, squid and samba in suse 9 (as far as you have the original suse rpms) did not work with ntlm auth, because of a bug in that squid version. I cant grant you that it is working with suse 9.2 (cause I have it up and running).

Here is a snip from squid.conf. I had to use the SID of the related group because winbind gave me no group name back (maybe a suse special or my fault).

(So this is the answer: you have to use winbind for ntlm auth for squid, hope I remember right here.)

There are a few FAQs on the web on how to manage this (try google for squid samba). You have to configure winbind to use the locally running samba pdc.
---snip---
# we give the client browser the proxy entry via dns method, which works
# for firefox and ie, so we produce a pseudo transparent squid proxy
# (real transparent proxy does not work with any auth method, see man
# squid)

# user group which are allowed to access the internet in general
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-3962140368-478742891-1658383817$
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-$
auth_param basic children 5
# auth_param ntlm use_ntlm_negotiate on
# auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 15 minutes
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl user proxy_auth REQUIRED
http_access allow user

# pam auth against a system group works "here" too (nss_ldap), we use it
# to override the redirector for VIPs
external_acl_type unix_group %LOGIN /usr/sbin/squid_unix_group -g wwwdirect
acl direct external unix_group wwwdirect
redirector_access deny direct
always_direct allow direct
http_access allow direct

--
Kind regards
Best Regards

Robert Schetterer

robert_at_schetterer.org
Munich / Bavaria / Germany
https://www.schetterer.org

**********************************
* gnupgp
* public key:
* https://www.schetterer.org/public.key
**********************************
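Added example, not part of the original mail or of the Squid/Samba projects: a small check for the group restriction on the ntlm_auth helper lines in a squid.conf like the one posted above, where the SID values end in "$" and look cut off. It assumes groups are given as domain-relative SIDs (S-1-5-21-...-RID); the sample config and its SID are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the posted squid.conf; the SID is made up.
# The basic helper deliberately lacks the group restriction.
SAMPLE = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-1111111111-2222222222-3333333333-1105
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
acl user proxy_auth REQUIRED
"""

# Domain-relative group SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"S-1-5-21(-\d{1,10}){3}-\d{1,10}")
OPT = "--require-membership-of="


def helper_restrictions(conf_text):
    """Map each auth scheme to its --require-membership-of value (None if absent)."""
    found = {}
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(words) >= 4 and words[0] == "auth_param" and words[2] == "program":
            value = next((w[len(OPT):] for w in words[3:] if w.startswith(OPT)), None)
            found[words[1]] = value
    return found


def audit(conf_text):
    """Return findings about how the auth helpers restrict group membership."""
    findings = []
    restrictions = helper_restrictions(conf_text)
    for scheme, value in sorted(restrictions.items()):
        if value is None:
            findings.append(f"{scheme}: no group restriction, any valid domain user passes")
        elif value.startswith("S-") and not SID_RE.fullmatch(value):
            findings.append(f"{scheme}: not a complete domain group SID: {value!r}")
    # Squid offers every configured scheme; the client chooses which one to use.
    if len(set(restrictions.values())) > 1:
        findings.append("schemes differ: a client can pick the less restricted scheme")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
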
