RE: [squid-users] Active Directory.

2003-12-18 Thread Daniel Palmer
There are several better options than smb_auth for use against Active Directory:
* LDAP (reliable) - The FAQ has info on configuring LDAP helpers
* Samba Winbind (a little more complicated - but using NTLM authentication IE users 
won't need to type in a username/password - it'll pull it directly).  Don't forget you 
need Samba 3.  http://itmanagers.net/[EMAIL PROTECTED] has details of getting it going.



-Original Message-
From: Ampugnani, Fernando [mailto:[EMAIL PROTECTED] 
Sent: Friday, 19 December 2003 7:00 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] Active Directory.


Hi all,
Can squid + smb_auth work with Windows 2000 Active Directory? If it can't, what
might I use to authenticate against MSAD?

Thanks in advance.


Fernando Ampugnani
EDS Argentina - Software, Storage & Network
Global Operation Solution Delivery
Tel: 5411 4704 3428
Mail: [EMAIL PROTECTED]




RE: [squid-users] winbindd_privileged

2003-11-25 Thread Daniel Palmer
This is a Samba and not Squid question..

Please refer to the Samba ML http://lists.samba.org/mailman/ or to the
itmanagers.net website - but you'll need to include more information
about your configure line for anyone to be able to help..

Daniel



-Original Message-
From: John Anand Jesudas [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 26 November 2003 8:42 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] winbindd_privileged


Hi.

  I am trying to set up NTLM auth using Samba 3 and Squid..   I am unable to
find the winbindd_privileged folder..

  I am referring to this location for the setup..


http://itmanagers.net/Documents/File/walkthroughs/[EMAIL PROTECTED]/Squid+and+Samba+3+-+Walkthrough.html

Pls help me..

John



RE: [squid-users] NTLM Auth problems

2003-11-23 Thread Daniel Palmer
You're not passing ntlm_auth any configuration options..  It won't know
if it's doing NTLMSSP, basic or what..

For more info on ntlm_auth - check the man page or have a look here for
a walkthrough:
http://itmanagers.net/[EMAIL PROTECTED]



-Original Message-
From: MacKenzie, Chris J [mailto:[EMAIL PROTECTED] 
Sent: Monday, 24 November 2003 10:52 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] NTLM Auth problems


Hi All,
 
I'm having problems getting ntlm authentication to work with squid 2.5
(stable 1). It's running on a RH9 with samba 3.0. I have winbind working
fine with samba but for some reason I just can't seem to get squid to
auth with our win2K domain.

I keep getting 403 access denied messages. Is there a winbind/ntlm auth
configuration guide somewhere ? I've included my squid.conf for review
in case I'm suffering from domestic blindness :-)

# squid conf file
# ---
# Network options
# ---
http_port 3128
icp_port 4141
acl QUERY urlpath_regex cgi-bin \? 
no_cache deny QUERY
# ---
# Cache Neighbour options
# ---
cache_peer upstream.foo.com parent 80 0 no-query no-digest default 
# --- 
# Cache size options 
# --- 
maximum_object_size 4096 KB 
minimum_object_size 0 KB 
maximum_object_size_in_memory 512 KB 
# --- 
# Cache dir & logging options 
# --- 
cache_dir aufs /var/spool/squid 8192 16 256 
pid_filename /var/run/squid.pid 
debug_options all, 5 
error_directory /usr/share/squid/errors/English 
icon_directory /usr/share/squid/icons 
cache_access_log /var/log/squid/access.log 
cache_log /var/log/squid/cache.log 
cache_store_log /var/log/squid/store.log 
mime_table /etc/squid/mime.conf

#
# NTLM OPTIONS
#authenticate_program_ntlm
#authenticate_children_ntlm 5
auth_param ntlm program /usr/bin/ntlm_auth 
auth_param ntlm children 10 
auth_param ntlm max_challenge_reuses 0 
auth_param ntlm max_challenge_lifetime 2 minutes 
# --- 
# options for external support programs 
# --- 
ftp_user [EMAIL PROTECTED] 
ftp_list_width 64 
ftp_passive on 
# --- 
# Cache tuning options 
# --- 
#  REM - MRV - all these numbers are done on the basis of a T1 line having 
#  25 users on it, giving a viable request bandwidth of 5.5kb/sec 
quick_abort_min 22 Kb 
quick_abort_max 100 Kb 
quick_abort_pct 75 
# --- 
# Cache admin options 
# --- 
cache_effective_user squid 
cache_effective_group squid 
visible_hostname kiftest1 
# --- 
# Cache misc options 
# --- 
#append_domain .domainname 
#chroot enable 
#pipeline_prefetch on 
# --- 
# Cache ACL options 
# --- 
acl all src 0.0.0.0/0.0.0.0 
acl manager proto cache_object 
acl localhost src 127.0.0.1/255.0.0.0
acl AuthorizedUsers proxy_auth REQUIRED 
acl local-domains dstdomain *.foo.com
acl SSL_ports port 443 563 
acl Safe_ports port 80  # http 
acl Safe_ports port 21  # ftp 
acl Safe_ports port 443 563 # https, snews 
acl Safe_ports port 70  # gopher 
acl Safe_ports port 210 # wais 
acl Safe_ports port 1025-65535  # unregistered ports 
acl Safe_ports port 280 # http-mgmt 
acl Safe_ports port 488 # gss-http 
acl Safe_ports port 591 # filemaker 
acl Safe_ports port 777 # multiling http 
acl CONNECT method CONNECT 

never_direct deny local-domains
never_direct allow all

http_access allow manager localhost
#http_access allow all
http_access allow AuthorizedUsers
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow all 
# --- [eof]
 
---
Rgds, 
Chris MacKenzie 
 



RE: [squid-users] SSL Tunnel out-of-box?

2003-10-21 Thread Daniel Palmer
It's a little off topic - but I'm wondering why, if you want secure
communications between the clients and the Squid server, you aren't
thinking of using something like IPsec which *should* provide seamless
encryption / data authentication..

Sorry, I can't answer your actual question :)

Daniel

-Original Message-
From: WEHT.net Webmaster [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 22 October 2003 11:16 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] SSL Tunnel out-of-box?



Sorry if there are well known answers to this, I've been looking but not
finding...

Is there a way to get an SSL Tunnel between the client and squid under
2.5.STABLE4 out-of-box (or with a server side patch?)

Client  --- SSL --- Squid  --- Non-SSL/SSL --- Internet

My conf is posted below, this works fine via non-SSL between the
client-squid (including hitting URIs via SSL on the other side of the
squid cache), but when I set my proxy address on the clients to use the
SSL port on the squid side, I get this error:

Oct 21 21:06:00 sp0090 squid[17038]: clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request

Which from what I can gather seems to mean the SSL port is getting
non-SSL requests from the client. I guess what I'm wondering is if there
is a way to do this out-of-box without having to use something like an
SSH tunnel from the client side, i.e. convince the web browsers to open
SSL connections to the squid cache all the time?

Again, sorry if it's an FAQ...

# begin config
http_port 69.60.1.98:3128
https_port 69.60.1.98:443 cert=/etc/squid/ssl/server-req.pem \
key=/etc/squid/ssl/server-key.pem
tcp_outgoing_address 69.60.1.98
httpd_accel_host proxy.example.com
httpd_accel_uses_host_header on
httpd_accel_host virtual
httpd_accel_port 444
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
redirect_rewrites_host_header off
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param basic program /usr/lib/squid/ncsa_auth \
/usr/lib/squid/etc/authusers.txt
auth_param basic children 5
auth_param basic realm proxy.example.com
auth_param basic credentialsttl 2 hours

acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow password
http_reply_access allow all
icp_access allow all


-- 
WEHT.net
The Online Compendium of What Ever Happened To & Where Are They Now?


FW: [squid-users] download block !

2003-10-20 Thread Daniel Palmer
Adam Aube wrote:
>> It's very simple:
>> acl MyDenyMIME urlpath_regex -i \.exe \.mov \.mpg \.mp?
>
>> you also need $ after the extension
>
> That is a good suggestion; though not essential, it does cut down on the
> false-positive rate.

The other downside to a $ on the end means users can stick a ? on the
end of most requests to bypass it..  (I use this myself to bypass the
block on my own proxy..  Fortunately no one has thought of trying that
yet..)

Then again - I guess something like urlpath_regex -I
\.(exe|mov|mpg|mp?)[?]$ would prob fix that...

Daniel
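
An added check, not part of the thread above, that runs the three filter variants discussed (the posted extension list, the `$`-anchored form, and a form that also tolerates a trailing query string) over constructed URL paths. The pattern names, sample paths and the `mp\w` reading of `mp?` are my own assumptions, and Python's `re` stands in for Squid's urlpath_regex, which matches the path together with the query string.

```python
import re

# The three filter variants from the thread, as Python regexes (constructed
# stand-ins for Squid urlpath_regex, which matches path *and* query string):
#   original - the posted acl, unanchored: matches anywhere in the path, and
#              "\.mp?" really means "." + "m" + optional "p"
#   anchored - the suggested "$" form: fewer false positives, but a trailing
#              "?" moves the extension away from the end and defeats it
#   hardened - anchors the extension but permits an optional query string
#              (assumption: "mp?" was meant as "mp" plus one more character)
PATTERNS = {
    "original": re.compile(r"\.exe|\.mov|\.mpg|\.mp?", re.IGNORECASE),
    "anchored": re.compile(r"\.(exe|mov|mpg|mp\w)$", re.IGNORECASE),
    "hardened": re.compile(r"\.(exe|mov|mpg|mp\w)(\?.*)?$", re.IGNORECASE),
}

def evaluate(urlpath: str) -> dict:
    """Return, per variant, whether the URL path would be blocked."""
    return {name: rx.search(urlpath) is not None for name, rx in PATTERNS.items()}

# Constructed sample paths (not from the thread) covering the cases that matter:
SAMPLES = [
    "/downloads/setup.exe",          # plain download: all three block it
    "/downloads/setup.exe?",         # trailing "?" slips past the "$" form
    "/downloads/Setup.EXE?v=2",      # query string plus mixed case
    "/pages/report.exercise.html",   # ".exe" mid-path: original false positive
    "/mail/inbox.msg",               # ".m" anywhere: original false positive
    "/media/clip.mp3",               # mp3 is caught by all three
    "/docs/readme.txt",              # unrelated: nobody blocks it
]

def bypasses(pattern_name: str) -> list:
    """Sample paths that end in a listed extension but slip past the variant."""
    return [p for p in SAMPLES
            if PATTERNS["hardened"].search(p) and not PATTERNS[pattern_name].search(p)]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path:32} {evaluate(path)}")
    print("slips past anchored:", bypasses("anchored"))
```

Swap in your own extension list and paths before relying on the hardened form; the point is to test the ACL against the full path-plus-query that Squid actually matches, not just the bare filename.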


RE: [squid-users] Howto ntlm_auth

2003-10-13 Thread Daniel Palmer
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
> See the Squid FAQ entry on how to configure Squid using winbind.

Unless you're using Samba 3 (the current release) ..   Then you might
want to check here:
http://itmanagers.net/[EMAIL PROTECTED]


Re: [squid-users] Using wb_group from Samba 3.0 with squid 2.5

2003-10-07 Thread Daniel Palmer
Have you tried it with a user who is not in as many groups?

> Oct  2 16:08:38 urd winbindd[1809]:   process_loop: Invalid request size

I had the problem with invalid request size when trying to join a
computer to the domain with a user in too many groups..   *apparently*
(and I could be completely wrong), the MIT version of KRB5 doesn't
currently fall back to TCP when groups are too large for the UDP
packet..  (or was it the other way round?)

Just something to test...


Daniel Palmer
IT Managers.net - The Support Group
http://itmanagers.net



-Original Message-
From: Nerijus Baliunas [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 8 October 2003 2:41 AM
To: [EMAIL PROTECTED]
Subject: Re: [squid-users] Using wb_group from Samba 3.0 with squid 2.5


Hello,

> try testing the helper from console
> /your/path/to/wb_group -d
>
> then
> DOMAIN\\USERNAME GROUP

Tried it:

# /usr/lib/squid/wb_group -d
/wb_group[25479](wb_check_group.c:322): External ACL winbindd group helper build Sep 22 2003, 18:38:39 starting up... lspi\\test Domain Users
/wb_group[25479](wb_check_group.c:343): Got 'lspi\\test Domain Users' from Squid (length: 25).
/wb_group[25479](wb_check_group.c:231): Warning: Can't enum user groups.
ERR

# wbinfo -g
Domain Admins
Domain Users
...

# ls -ld /var/cache/samba/winbindd_privileged/
drwxr-x---    2 root     squid        4096 Oct  7 19:19 /var/cache/samba/winbindd_privileged/

winbindd.log:
[2003/10/07 19:19:12, 0] nsswitch/winbindd.c:process_loop(716)
  process_loop: Invalid request size from pid 25479: 1304 bytes sent, should be 1568

What could be the problem?

> be sure not to change separator in smb.conf
> squid group auth won't work with anything else than \\

winbind separator is commented out in smb.conf, so it should
be the default.

samba 3.0, squid 2.5.STABLE3.

Regards,
Nerijus



[squid-users] Squid, Samba 3 and NTLM authentication - a walkthrough

2003-09-18 Thread Daniel Palmer
Well the Samba 3 full release is just around the corner (or so it sounds
from the developers on the samba technical mailing list.)

For those of you who are using Win2k+ servers and Squid and want to use
Samba 3 and NTLM authentication (for proxy authentication within IE) I
have released a Walkthrough with lots of tips and tricks to make the
ntlm_auth helper work

To grab it head here:
http://itmanagers.net/modules.php?name=News&file=article&sid=4

(This document is aimed towards people with experience with Samba &
Squid - but wanting to get ntlm_auth working.  Beginners will probably
need to refer to Samba & Squid docs also).

As the Samba 3.0 final is released I will be updating the Walkthrough
with any changes - so check the page for updates...

Daniel Palmer