Re: [squid-users] wb_group + mac_id (arp) auth possible?
Sun 2006-02-26 at 08:39 +0530, updatemyself . wrote:

> i was trying to setup a squid proxy server with the wb_group authentication.
> in my windows 2003 ADS i am having a group called internet
> i need to give internet access for the ppl belongs to that group
> can anyone help me.. how i can provide the proxy only for the users in ADS group internet

It should be something like the following:

    # %LOGIN passes the authenticated user name to the helper
    external_acl_type adsgroup %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
    acl ads_internet external adsgroup internet

then use the acl ads_internet wherever you want to require the group membership.

> also can i use 2 authentication system in same time like.. mac_address (arp) + wb_group

Yes.

Regards
Henrik
Re: [squid-users] wb_group + mac_id (arp) auth possible?
On 2/26/06, updatemyself . [EMAIL PROTECTED] wrote:

> Hai All,
> i was trying to setup a squid proxy server with the wb_group authentication.
> in my windows 2003 ADS i am having a group called internet
> i need to give internet access for the ppl belongs to that group
> in my current configuration all users in my domain can authenticate to squid...
> I am using following configuration..and i wish to stop that..
>
> =
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> acl password proxy_auth REQUIRED
> acl mynet src 172.16.0.0/255.255.0.0
> http_access allow mynet password
> ==
>
> can anyone help me.. how i can provide the proxy only for the users in ADS group internet
> Samba version is.. samba-3.0.21b-3
> Squid Version is... squid-2.5.STABLE6-3.4E.11
> Using RHEL 4
> Please help me.. to find some valuable documents to do this..
> also can i use 2 authentication system in same time like.. mac_address (arp) + wb_group

I can only help you on the mac_addr part of your question:
http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.20

Once configured, you can just combine an arp based acl type with an auth type based acl type in one http_access statement to accomplish what you want.

Note that mac based auth has limited functionality because SQUID can only see mac's that are on the same subnet as the squid box. In my case, for instance, it wouldn't be usable at all, since SQUID is on the DMZ, separated from the standard INTRANET.

M.
Re(2): [squid-users] wb_group issues
Begin forwarded Message from Roman Rathler, Thu, 29 Apr 2004 11:06:01 +0200 (METDST):

Hi,

in the meanwhile i got it running using the wbinfo_group.pl helper. There is a bug in the perl script that comes with the fedora package squid-2.5.STABLE3-1.fc1 when it tries converting groupSID to groupGID...

the result of $groupSID (wbinfo -n groupname) is:

    S-1-5-21-515967xxx-1078145xxx-1708537xxx-1236 Domain Group (2)

the perl script expects it just to be the SID - here is my workaround for the perl script (i do not program perl normally so this code could for sure look nicer):

    sub check {
        local($user, $group) = @_;
        # wbinfo -n prints "<SID> <type>"; \Q...\E keeps the group name a single shell word
        $groupSID = `wbinfo -n \Q$group\E`;
        chop $groupSID;
        # keep only the first field, the SID itself
        @hugo = split(/ /, $groupSID);
        $groupGID = `wbinfo -Y $hugo[0]`;
        chop $groupGID;
        debug("User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
        # OK only if the group's GID is one of the lines printed by wbinfo -r
        return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
        return 'ERR';
    }

don't know whether this was already fixed in the squid distribution...

best regards,
roman

Henrik Nordstrom [EMAIL PROTECTED] writes on Wed, 28 Apr 2004 17:39:11 +0200 (METDST):

> On Wed, 28 Apr 2004, Roman Rathler wrote:
>
> > I have a squid up and running with samba-3 using the fedora packages (squid-2.5.STABLE3-1.fc1). authentication against the ads works fine from squid for basic and ntlm authentication. now i want to build some acls using groups from the active directory. I tried using wb_group helper with syntax like this:
>
> wb_group is only valid for use with Samba-2.2.X. For Samba-3 you need to use the wbinfo_group helper.
>
> Regards
> Henrik

___
Stay Tuned For PocketBeats http://pocketbeats.net/
Re: Re(2): [squid-users] wb_group issues
On Thu, 29 Apr 2004, Roman Rathler wrote:

> in the meanwhile i got it running using the wbinfo_group.pl helper. There is a bug in the perl script that comes with the fedora package squid-2.5.STABLE3-1.fc1 when it tries converting groupSID to groupGID...

As far as I know this is fixed in 2.5.STABLE5.

http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE4-wbinfo_group

Regards
Henrik
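The group check discussed in the two messages above, as an added example in Python (it is not the wbinfo_group.pl shipped with Squid and not code from the thread). It takes the SID as the first field of the `wbinfo -n` output, calls wbinfo without a shell, compares GIDs exactly, and answers ERR on any failure; the sample SID, users and `fake_wbinfo` are constructed here, and it assumes user and group names arrive without whitespace or extra escaping.

```python
#!/usr/bin/env python3
"""Added example: a Squid external ACL group helper built on wbinfo."""
import subprocess
import sys


def run_wbinfo(args):
    """Run wbinfo with an argument list (no shell); return stdout, or None on failure."""
    try:
        proc = subprocess.run(["wbinfo", *args], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout if proc.returncode == 0 else None


def parse_sid(output):
    """Return the SID from `wbinfo -n` output, ignoring a trailing type
    such as 'Domain Group (2)'; None if the output does not start with a SID."""
    fields = (output or "").split()
    if fields and fields[0].startswith("S-1-"):
        return fields[0]
    return None


def check_group(user, group, wbinfo=run_wbinfo):
    """Return 'OK' if the group's GID is among the user's GIDs, else 'ERR'."""
    sid = parse_sid(wbinfo(["-n", group]))             # group name -> SID
    if sid is None:
        return "ERR"
    gid = (wbinfo(["-Y", sid]) or "").strip()          # SID -> Unix GID
    if not gid.isdigit():
        return "ERR"
    user_gids = (wbinfo(["-r", user]) or "").split()   # GIDs of the user
    # Exact comparison: GID 10004 must not match a user GID of 100040.
    return "OK" if gid in user_gids else "ERR"


def handle_line(line, wbinfo=run_wbinfo):
    """Answer one request line '<login> <group> [<group> ...]'.
    Malformed input, or a field that wbinfo could read as an option, gets ERR."""
    fields = line.split()
    if len(fields) < 2 or any(f.startswith("-") for f in fields):
        return "ERR"
    user, groups = fields[0], fields[1:]
    if any(check_group(user, g, wbinfo) == "OK" for g in groups):
        return "OK"
    return "ERR"


# Constructed sample data standing in for a live winbind (not from the thread).
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1236"
SAMPLE = {
    ("-n", "internet"): SAMPLE_SID + " Domain Group (2)\n",
    ("-Y", SAMPLE_SID): "10004\n",
    ("-r", "DOMAIN\\alice"): "10004\n10005\n",
    ("-r", "DOMAIN\\bob"): "10005\n100040\n",
}


def fake_wbinfo(args):
    """Offline replacement for run_wbinfo, backed by SAMPLE."""
    return SAMPLE.get(tuple(args))


if __name__ == "__main__":
    # Helper loop: one request per line on stdin, one OK/ERR answer per line.
    for request in sys.stdin:
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()
```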
[squid-users] wb_group issues
Hi,

for sure I am not the only one having this problem and maybe it is an rtfm-thing, but i wasn't able to find it and I searched a lot.

I have a squid up and running with samba-3 using the fedora packages (squid-2.5.STABLE3-1.fc1). authentication against the ads works fine from squid for basic and ntlm authentication. now i want to build some acls using groups from the active directory. I tried using wb_group helper with syntax like this:

    external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group -d -c
    acl FullAccess external NT_global_group squid_access

winbind works, i can check with wbinfo -whatever it will work, but wb_group gets me:

    (wb_group)[2414](wb_check_group.c:343): Got '\\username squid_access' from Squid (length: 27).
    (wb_group)[2414](wb_check_group.c:231): Warning: Can't enum user groups.

I have found couple of people having the same problem via google, but no solution!!!

best regards,
roman
[squid-users] Subject: [squid-users] wb_group issues
-- Original message --
From: Roman Rathler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Wed, 28 Apr 2004 10:11:59 +0200 (METDST)
Subject: [squid-users] wb_group issues

> Hi,
>
> for sure I am not the only one having this problem and maybe it is an rtfm-thing, but i wasn't able to find it and I searched a lot.
>
> I have a squid up and running with samba-3 using the fedora packages (squid-2.5.STABLE3-1.fc1). authentication against the ads works fine from squid for basic and ntlm authentication. now i want to build some acls using groups from the active directory. I tried using wb_group helper with syntax like this:

wb_group is for samba 2.x, instead, you must use wbinfo_group, which is for samba 3. This is a perl script located in the source tree of squid. In my installation is in

    /usr/local/src/squid/squid-2.5.5/helpers/external_acl/wbinfo_group/wbinfo_group.pl

Good luck.

> external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group -d -c
> acl FullAccess external NT_global_group squid_access
>
> winbind works, i can check with wbinfo -whatever it will work, but wb_group gets me:
>
> (wb_group)[2414](wb_check_group.c:343): Got '\\username squid_access' from Squid (length: 27).
> (wb_group)[2414](wb_check_group.c:231): Warning: Can't enum user groups.
>
> I have found couple of people having the same problem via google, but no solution!!!
>
> best regards,
> roman
Re: [squid-users] wb_group issues
On Wed, 28 Apr 2004, Roman Rathler wrote:

> I have a squid up and running with samba-3 using the fedora packages (squid-2.5.STABLE3-1.fc1). authentication against the ads works fine from squid for basic and ntlm authentication. now i want to build some acls using groups from the active directory. I tried using wb_group helper with syntax like this:

wb_group is only valid for use with Samba-2.2.X. For Samba-3 you need to use the wbinfo_group helper.

Regards
Henrik
RE: [squid-users] Wb_group error message in cache.log
DOES ANYBODY HAVE AN IDEA ABOUT THIS???

-----Original Message-----
From: Mark Pelkoski
Sent: Wednesday, November 26, 2003 10:27 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] Wb_group error message in cache.log

List,

I keep seeing this error in my cache.log a couple of times a day. Is this normal or do I have a problem? I require my users to belong to a certain NT group in order to use Squid. I wasn't seeing it when I tested it with 70 users. Now I have 800+ users.

    (wb_group)[9464](wb_check_group.c:231): Warning: Can't enum user groups.

TIA.
-Mark
RE: [squid-users] Wb_group error message in cache.log
Not really..

Does it happen for all users or just some?

Is there any log messages from Samba in the Samba or messages log files?

Regards
Henrik

On Tue, 2 Dec 2003, Mark Pelkoski wrote:

> DOES ANYBODY HAVE AN IDEA ABOUT THIS???
>
> -----Original Message-----
> From: Mark Pelkoski
> Sent: Wednesday, November 26, 2003 10:27 AM
> To: [EMAIL PROTECTED]
> Subject: [squid-users] Wb_group error message in cache.log
>
> List,
>
> I keep seeing this error in my cache.log a couple of times a day. Is this normal or do I have a problem? I require my users to belong to a certain NT group in order to use Squid. I wasn't seeing it when I tested it with 70 users. Now I have 800+ users.
>
> (wb_group)[9464](wb_check_group.c:231): Warning: Can't enum user groups.
>
> TIA.
> -Mark
RE: [squid-users] Wb_group error message in cache.log
Nothing in the smbd.log file. This message shows up randomly giving no notice to any particular user. Just curious if this is any issue or not.

-Mark

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 02, 2003 9:22 AM
To: Mark Pelkoski
Cc: [EMAIL PROTECTED]
Subject: RE: [squid-users] Wb_group error message in cache.log

Not really..

Does it happen for all users or just some?

Is there any log messages from Samba in the Samba or messages log files?

Regards
Henrik

On Tue, 2 Dec 2003, Mark Pelkoski wrote:

> DOES ANYBODY HAVE AN IDEA ABOUT THIS???
>
> -----Original Message-----
> From: Mark Pelkoski
> Sent: Wednesday, November 26, 2003 10:27 AM
> To: [EMAIL PROTECTED]
> Subject: [squid-users] Wb_group error message in cache.log
>
> List,
>
> I keep seeing this error in my cache.log a couple of times a day. Is this normal or do I have a problem? I require my users to belong to a certain NT group in order to use Squid. I wasn't seeing it when I tested it with 70 users. Now I have 800+ users.
>
> (wb_group)[9464](wb_check_group.c:231): Warning: Can't enum user groups.
>
> TIA.
> -Mark
RE: [squid-users] Wb_group error message in cache.log
On Tue, 2 Dec 2003, Mark Pelkoski wrote:

> Nothing in the smbd.log file.

winbind is logging to the log.winbindd log file, not smbd.log.

> This message shows up randomly giving no notice to any particular user. Just curious if this is any issue or not.

If you do not have any complaints from users it most likely is not an issue..

Regards
Henrik
[squid-users] Wb_group error message in cache.log
List,

I keep seeing this error in my cache.log a couple of times a day. Is this normal or do I have a problem? I require my users to belong to a certain NT group in order to use Squid. I wasn't seeing it when I tested it with 70 users. Now I have 800+ users.

    (wb_group)[9464](wb_check_group.c:231): Warning: Can't enum user groups.

TIA.
-Mark
[squid-users] wb_group and samba 3
I need wb_group to work under samba 3.

Compiling it with the samba 3 libraries gives this error:

    [EMAIL PROTECTED] winbind_group]# make
    source='wb_common.c' object='wb_common.o' libtool=no \
    depfile='.deps/wb_common.Po' tmpdepfile='.deps/wb_common.TPo' \
    depmode=gcc3 /bin/sh ../../../cfgaux/depcomp \
    gcc -DHAVE_CONFIG_H -I. -I. -I../../../include -I. -I../../../include -I../../../include -I../../../src -I../../../include/samba-g -O2 -Wall -c `test -f wb_common.c || echo './'`wb_common.c
    wb_common.c: In function `init_request':
    wb_common.c:68: structure has no member named `domain'
    wb_common.c:77: structure has no member named `domain'
    wb_common.c:77: structure has no member named `domain'
    wb_common.c:77: structure has no member named `domain'
    wb_common.c:77: structure has no member named `domain'
    wb_common.c:77: structure has no member named `domain'
    wb_common.c:77: structure has no member named `domain'
    wb_common.c:77: structure has no member named `domain'
    wb_common.c:77: structure has no member named `domain'
    wb_common.c:78: structure has no member named `domain'
    wb_common.c:78: structure has no member named `domain'
    wb_common.c: In function `winbindd_send_request':
    wb_common.c:334: structure has no member named `domain'
    make: *** [wb_common.o] Error 1

And compiling without samba 3 libraries makes wb_group not find winbind even if it is already started and working.

How to solve this problem? I need to authenticate groups of users and I don't want to use wbinfo_group.pl

Thanks in Advance

Best Regards.
Federico
Re: [squid-users] wb_group and samba 3
On Fri, 31 Oct 2003, Lombardo Federico wrote:

> I need wb_group to work under samba 3.

Won't work. wb_group is a Samba-2.X helper.

For Samba-3 you can use the wbinfo_group helper which is Samba version neutral.

Regards
Henrik
Re: [squid-users] wb_group and samba 3
Henrik

I'm sorry to be pedant, but wbinfo_group is a perl script, I've a lot of users... I'm afraid that will slow down authentication process, isn't it ?

wb_group is as far tested to be rock stable and fast, is possible to re-implement it to work on samba 3 ?

Is in roadmap a ntlm_auth for ADS groups that implement fully NTLMv2 authentication with group support ?

I think that ntlm_auth that comes with samba 3 is fast and useful, But I must track 1000 users in a ACL regex... this is not a good thing... Also because I need to create policies for groups of users.

What do you think if I integrate winbind with ADS win2k with PAM, and use squid pam authentication for groups ? is possible ?

Best Regards,
Federico

----- Original Message -----
From: Henrik Nordstrom [EMAIL PROTECTED]
To: Lombardo Federico [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, October 31, 2003 12:48 PM
Subject: Re: [squid-users] wb_group and samba 3

On Fri, 31 Oct 2003, Lombardo Federico wrote:

> I need wb_group to work under samba 3.

Won't work. wb_group is a Samba-2.X helper.

For Samba-3 you can use the wbinfo_group helper which is Samba version neutral.

Regards
Henrik
Re: [squid-users] wb_group and samba 3
On Fri, 31 Oct 2003, Lombardo Federico wrote:

> but wbinfo_group is a perl script, I've a lot of users... I'm afraid that will slow down authentication process, isn't it ?

Not really. The speed difference is marginal, and in both cases the results are aggressively cached by Squid.

> wb_group is as far tested to be rock stable and fast, is possible to re-implement it to work on samba 3 ?

Not unless the Samba team provides such helper.

> Is in roadmap a ntlm_auth for ADS groups that implement fully NTLMv2 authentication with group support ?

yes. In fact the Samba-3 helper does so already but there is issues in Squid preventing it from happening.

group support is independent of NTLMv2.

> I think that ntlm_auth that comes with samba 3 is fast and useful, But I must track 1000 users in a ACL regex... this is not a good thing... Also because I need to create policies for groups of users.

Use wbinfo_group helper.

> What do you think if I integrate winbind with ADS win2k with PAM, and use squid pam authentication for groups ? is possible ?

For ADS you should be using the LDAP helpers for group membership lookups and basic authentication.

PAM is also possible (for Basic authentication only), but generally only makes the setup several orders of magnitude more complex, and is only interesting if you really want the OS to know about all the users.

Regards
Henrik
Re: [squid-users] wb_group strangeness
> I'm having issues using wb_group from Stable3, both the version compile from source and the SRPM. I have an earlier version of wb_group that works perfectly from Stable1, here is my results

Interesting - I got:

    $ ./wb_group -d -c
    /wb_group[25429](wb_check_group.c:321): External ACL winbindd group helper build Jul 15 2003, 09:36:06 starting up...
    /wb_group[25429](wb_check_group.c:324): Warning: running in case insensitive mode !!!
    DOMAIN\user group
    /wb_group[25429](wb_check_group.c:343): Got 'DOMAIN\user group' from Squid (length: 17).
    /wb_group[25429](wb_check_group.c:231): Warning: Can't enum user groups.
    ERR

What version of Samba are you using - we're using 2.2.8a.

Adam
[squid-users] wb_group strangeness
I'm having issues using wb_group from Stable3, both the version compile from source and the SRPM. I have an earlier version of wb_group that works perfectly from Stable1, here is my results

    /usr/lib/squid/wb_group -d -c
    /wb_group[22948](wb_check_group.c:321): External ACL winbindd group helper build Aug 29 2003, 15:06:10 starting up...
    /wb_group[22948](wb_check_group.c:324): Warning: running in case insensitive mode !!!
    DOMAIN\\user Group
    /wb_group[22948](wb_check_group.c:343): Got 'DOMAIN\\user Group' from Squid (length: 18).

(old, working -- ERR is the correct response)

    /root/wb_group -d
    /wb_group[22949](wb_check_group.c:265): External ACL winbindd group helper build Oct 1 2002, 18:24:06 starting up...
    DOMAIN\\user Group
    /wb_group[22949](wb_check_group.c:285): Got 'DOMAIN\\user Group' from Squid (length: 8192).
    ERR

Any ideas?

Thanks in advance
RE: [squid-users] wb_group strangeness
I had a similar problem if I had Squid running. I would halt squid and test wb_group and all would work right then.

-----Original Message-----
From: Alex Short [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 4:26 PM
To: [EMAIL PROTECTED]
Subject: [squid-users] wb_group strangeness

I'm having issues using wb_group from Stable3, both the version compile from source and the SRPM. I have an earlier version of wb_group that works perfectly from Stable1, here is my results

    /usr/lib/squid/wb_group -d -c
    /wb_group[22948](wb_check_group.c:321): External ACL winbindd group helper build Aug 29 2003, 15:06:10 starting up...
    /wb_group[22948](wb_check_group.c:324): Warning: running in case insensitive mode !!!
    DOMAIN\\user Group
    /wb_group[22948](wb_check_group.c:343): Got 'DOMAIN\\user Group' from Squid (length: 18).

(old, working -- ERR is the correct response)

    /root/wb_group -d
    /wb_group[22949](wb_check_group.c:265): External ACL winbindd group helper build Oct 1 2002, 18:24:06 starting up...
    DOMAIN\\user Group
    /wb_group[22949](wb_check_group.c:285): Got 'DOMAIN\\user Group' from Squid (length: 8192).
    ERR

Any ideas?

Thanks in advance
Re: [squid-users] wb_group pop up
Henrik,

Thanks so much that worked.

Later.

On Wed, 2003-08-20 at 17:23, Henrik Nordstrom wrote:

> On Wednesday 20 August 2003 23.24, Edward Mann wrote:
>
> > I am running squid 2.5.STABLE3, samba 2.2.8a with wb_group. wb_group is working fine, but what i want to know is if there is a way that i can setup the configuration so that if the user is not in the group the wb_group helper will put them back to basic and IE will give them the login box?
>
> Squid can reject the login, asking for a new login. It is MSIE who decides if a login box is to be presented or not.
>
> Squid will reject the login if the request is denied by a authentication related acl (proxy_auth or proxy_auth_regex in Squid-2.5). When using external acls you can still make this happen by adding a proxy_auth type acl.
>
>     acl all_users proxy_auth REQUIRED
>
> if you today have
>
>     acl groupX external ...
>     http_access allow ... groupX
>
> then add on the next line
>
>     http_access deny ... !groupX all_users
>
> Regards
> Henrik
[squid-users] wb_group pop up
I am running squid 2.5.STABLE3, samba 2.2.8a with wb_group. wb_group is working fine, but what i want to know is if there is a way that i can setup the configuration so that if the user is not in the group the wb_group helper will put them back to basic and IE will give them the login box?

They keep telling me that Microsoft proxy will do it, and they want to move to that unless i can get squid to work right. I really don't want to go to Microsoft proxy.

Any help would be appreciated.

Later.
Re: [squid-users] wb_group pop up
On Wednesday 20 August 2003 23.24, Edward Mann wrote:

> I am running squid 2.5.STABLE3, samba 2.2.8a with wb_group. wb_group is working fine, but what i want to know is if there is a way that i can setup the configuration so that if the user is not in the group the wb_group helper will put them back to basic and IE will give them the login box?

Squid can reject the login, asking for a new login. It is MSIE who decides if a login box is to be presented or not.

Squid will reject the login if the request is denied by a authentication related acl (proxy_auth or proxy_auth_regex in Squid-2.5). When using external acls you can still make this happen by adding a proxy_auth type acl.

    acl all_users proxy_auth REQUIRED

if you today have

    acl groupX external ...
    http_access allow ... groupX

then add on the next line

    http_access deny ... !groupX all_users

Regards
Henrik

--
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]
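A simplified model of the rule described in the answer above, as an added example (not code from the thread or from Squid). It evaluates http_access lines in order for an already-authenticated request and models the last ACL on the matching deny line as the one that decides between a fresh login challenge and a plain denial; `groupX` and `all_users` come from the message, while the closing `deny all` line, the result labels and the sample requests are assumptions of this example.

```python
"""Added example: simplified model of http_access resolution in Squid 2.5."""

AUTH_ACL_TYPES = {"proxy_auth", "proxy_auth_regex"}


def evaluate(rules, acl_types, matches):
    """Return 'ALLOW', 'DENY_403' or 'CHALLENGE_407' for one authenticated request.

    rules     -- ordered list of (action, [acl, ...]); a leading '!' negates an ACL
    acl_types -- ACL name -> type, as declared on its 'acl' line
    matches   -- ACL name -> whether this request matches that ACL
    """
    for action, acls in rules:
        last = None
        for token in acls:
            name = token.lstrip("!")
            negated = token.startswith("!")
            last = name
            if matches[name] == negated:
                break            # this ACL fails, so the whole line does not apply
        else:
            if action == "allow":
                return "ALLOW"
            # A deny line matched: the type of its last ACL decides whether the
            # browser is asked for credentials again or simply refused.
            if acl_types[last] in AUTH_ACL_TYPES:
                return "CHALLENGE_407"
            return "DENY_403"
    # No line matched: the opposite of the last line's action applies.
    return "DENY_403" if rules[-1][0] == "allow" else "ALLOW"


# ACL declarations: groupX is the external (group helper) ACL, all_users the
# proxy_auth ACL added in the answer; 'all' is a catch-all source ACL (assumed).
ACL_TYPES = {"groupX": "external", "all_users": "proxy_auth", "all": "src"}

# Rule sets (constructed): before the change, after it, and with the two ACLs
# on the deny line written in the other order.
BEFORE = [("allow", ["groupX"]), ("deny", ["all"])]
AFTER = [("allow", ["groupX"]), ("deny", ["!groupX", "all_users"]), ("deny", ["all"])]
SWAPPED = [("allow", ["groupX"]), ("deny", ["all_users", "!groupX"]), ("deny", ["all"])]

# Two authenticated users (constructed): one in the group, one not.
MEMBER = {"groupX": True, "all_users": True, "all": True}
NON_MEMBER = {"groupX": False, "all_users": True, "all": True}


def outcomes():
    """Result for the non-member under each rule set."""
    return {
        "before": evaluate(BEFORE, ACL_TYPES, NON_MEMBER),
        "after": evaluate(AFTER, ACL_TYPES, NON_MEMBER),
        "swapped": evaluate(SWAPPED, ACL_TYPES, NON_MEMBER),
    }


if __name__ == "__main__":
    for name, result in outcomes().items():
        print(f"{name:8s} non-member -> {result}")
```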
Re: Res: Re: Res: Re: [squid-users] -- wb_group cache time
Hi!

I'm using wb_ntlm_auth and wb_group and all works fine with W2k AD

Try to start winbindd -n to disable winbind caching and set ttl=5, but it's not necessary.

----- Original Message -----
From: Henrik Nordstrom [EMAIL PROTECTED]
To: Alex Carlos Braga Antão [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 12:30 AM
Subject: Re: Res: Re: Res: Re: [squid-users] -- wb_group cache time

On Monday 18 August 2003 20.02, Alex Carlos Braga Antão wrote:

> Where do I find the wb_group helpers to squid work with Samba 3.0?

The wbinfo based helper should work I think (helpers/external/wbinfo_group).

The wb_auth and wb_ntlm_auth are both replaced by the Samba ntlm_auth helper in Samba-3, but I am not sure if there is a direct equivalence to wb_group yet. This is something to discuss with the Samba team.

Regards
Henrik
Res: Re: [squid-users] -- wb_group cache time
Hello again,

I have wb_group configured here, but I´m still getting some strange problems. I can browse with a user in the group Internet, but if I remove this user from the group, the user still can browse. I configure ttl=60 (1 minute) to test, but nothing happens. It only works if I restart SAMBA.

If I type wb_group -d on the command line and type DOMAIN\\user group, it returns OK, even if the user is removed from the group. It seems winbind is caching the contents, but it is taking a long time to refresh.

How can I configure to make it refresh the group contents every 5 minutes, for example ?

here is my configuration :

    auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth DOMAIN
    auth_param ntlm children 10
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    external_acl_type GrupoAD ttl=60 %LOGIN /usr/local/squid/libexec/wb_group
    acl UsuariosInternet proxy_auth REQUIRED
    acl GrupoInternet external GrupoAD internet
    http_access allow UsuariosInternet GrupoInternet
    http_access deny all

Thanks,

Alex C. B. Antão
Systems and Support Analyst
ICQ: 5144629
http://motoviagens.pagina.de
http://e-modelismo.pagina.de
Liberty, fraternity, equality... and, once in a while, speed!
Re: Res: Re: Res: Re: [squid-users] -- wb_group cache time
On Monday 18 August 2003 15.31, Alex Carlos Braga Antão wrote:

> What really means the negative_ttl on the external_acl

How long to remember negative lookups, i.e. a user not being member of a group in case of group lookups.

Regards
Henrik
Re: Res: Re: [squid-users] -- wb_group cache time
On Monday 18 August 2003 15.06, Alex Carlos Braga Antão wrote:

> I configure ttl=60 (1 minute) to test, but nothing happens. It only works if I restart SAMBA.

Then the problem is somewhere in Samba. Most likely winbind has cached the group memberships, not querying the domain again.

> How can I configure to make it refresh the group contents every 5 minutes, for example ?

See the Samba documentation if there is options to tune winbind. In Squid.conf you can only tune how often Squid asks winbind, not how long winbind remembers the users details.

Regards
Henrik
Res: Re: Res: Re: [squid-users] -- wb_group cache time
Where do I find the wb_group helpers to squid work with Samba 3.0 ?

Since I did not find anything about my cache that is not being refresh, I´d like to test with Samba 3.0, but the last test I did, I got some problems, and somebody said here to use the helpers to samba 3.0, and I did not found then...

Thanks

Alex C. B. Antão
Systems and Support Analyst
ICQ: 5144629
http://motoviagens.pagina.de
http://e-modelismo.pagina.de
The ONLY time you have too much fuel is when you are on fire.

---Original message---
From: Henrik Nordstrom
Date: Monday, 18 August 2003 13:23:16
To: Alex Carlos Braga Antão; [EMAIL PROTECTED]
Subject: Re: Res: Re: [squid-users] -- wb_group cache time

On Monday 18 August 2003 15.06, Alex Carlos Braga Antão wrote:

> I configure ttl=60 (1 minute) to test, but nothing happens. It only works if I restart SAMBA.

Then the problem is somewhere in Samba. Most likely winbind has cached the group memberships, not querying the domain again.

> How can I configure to make it refresh the group contents every 5 minutes, for example ?

See the Samba documentation if there is options to tune winbind. In Squid.conf you can only tune how often Squid asks winbind, not how long winbind remembers the users details.

Regards
Henrik
Re: Res: Re: Res: Re: [squid-users] -- wb_group cache time
On Monday 18 August 2003 20.02, Alex Carlos Braga Antão wrote:

> Where do I find the wb_group helpers to squid work with Samba 3.0?

The wbinfo based helper should work I think (helpers/external/wbinfo_group).

The wb_auth and wb_ntlm_auth are both replaced by the Samba ntlm_auth helper in Samba-3, but I am not sure if there is a direct equivalence to wb_group yet. This is something to discuss with the Samba team.

Regards
Henrik
Re: [squid-users] wb_group problem
wbinfo says:

    wbinfo -r username
    Could not get groups for user username

    wbinfo -r domain\username
    Could not get groups for user domain\username

----- Original Message -----
From: Henrik Nordstrom [EMAIL PROTECTED]
To: ? [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 6:18 PM
Subject: Re: [squid-users] wb_group problem

On Wed, 13 Aug 2003, [koi8-r] Александр Щербаков wrote:

> I try to run wb_group -d...
> I give 'mydomain\user group' - fail with (wb_check_group.c:231) - Waring: Can't enum user groups.
> I give 'mydomain\\user group' - fail with same message.
> 'user group' - the same.

What does wbinfo say about the group memberships of the user?

Regards
Henrik
Re: [squid-users] wb_group problem
Thank you. I'll try to solve this problem and then reply to this list to finish this thread.

----- Original Message -----
From: Henrik Nordstrom [EMAIL PROTECTED]
To: Aleksandr Shcherbakov [EMAIL PROTECTED]
Cc: Henrik Nordstrom [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 8:52 PM
Subject: Re: [squid-users] wb_group problem

On Wed, 13 Aug 2003, Aleksandr Shcherbakov wrote:

> wbinfo says:
>
> wbinfo -r username
> Could not get groups for user username
>
> wbinfo -r domain\username
> Could not get groups for user domain\username

Then I think there is a problem with your winbind installation somewhere. Maybe it is not fully joined to the domain or something, I do not know. Try asking the Samba people what the problem may be.

If the winbind installation does not work properly then the possibilities for Squid helpers which asks winbind to work is extremely slim..

Regards
Henrik
Re: [squid-users] wb_group problem
On Wed, 13 Aug 2003, Aleksandr Shcherbakov wrote:

> wbinfo says:
>
> wbinfo -r username
> Could not get groups for user username
>
> wbinfo -r domain\username
> Could not get groups for user domain\username

Then I think there is a problem with your winbind installation somewhere. Maybe it is not fully joined to the domain or something, I do not know. Try asking the Samba people what the problem may be.

If the winbind installation does not work properly then the possibilities for Squid helpers which asks winbind to work is extremely slim..

Regards
Henrik
RE: [squid-users] wb_group
> The only good way I can see to do this is to match against the authenticated username. Use a script to calculate which users in access.log are over their limit, then dump those to a file that you match on using a proxy_auth acl.
>
>     acl overused proxy_auth "/path/to/file"

We're already doing this.

> You can dump the first delay pool - it does nothing anyway. And I think you can remove the deny all from the second delay pool - users aren't added to delay pools by default.

Having followed this instruction I am now a happy boy!

All is working as expected, users in the overused acl are being choked back to 33.3b/s and others are going full speed.

Thanks all for the help, now to make backup copies of all these files (which I had neglected to do on the old server)

cheers,
Simon Bryan
IT Manager
OLMC Parramatta
[squid-users] wb_group problem
Hi!

I want to use winbind authentication and control access via group (I have w2k domain - Active Directory). I configured smb (2-2-8a) and squid (2.5.STABLE3, compiled with samba sources) using http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5.

I have added to smb.conf:

    winbind enum users = yes
    winbind enum groups = yes

It works fine. I have tested IE (NTLM) and Opera (BASIC) authentication - OK.

I try to run wb_group -d...
I give 'mydomain\user group' - fail with (wb_check_group.c:231) - Waring: Can't enum user groups.
I give 'mydomain\\user group' - fail with same message.
'user group' - the same.

Squid was configured with:

    --enable-auth=ntlm,basic --enable-basic-auth-helpers=winbind --enable-ntlm-auth-helpers=winbind --enable-external-acl-helpers=winbind_group

and samba sources.

Please help to solve problem.

Thanks in advance.
Aleksandr.
Re: [squid-users] wb_group problem
On Wed, 13 Aug 2003, [koi8-r] Александр Щербаков wrote:

> I try to run wb_group -d...
> I give 'mydomain\user group' - fail with (wb_check_group.c:231) - Waring: Can't enum user groups.
> I give 'mydomain\\user group' - fail with same message.
> 'user group' - the same.

What does wbinfo say about the group memberships of the user?

Regards
Henrik
Re: [squid-users] wb_group problem
The problem was in Active Directory authentication (I think). I gave

wbinfo -A domain\user%password

to store user and password used by winbind. After that wbinfo -r username returned list of user groups (10004, 10005 for example) and wb_group returned OK. Now NTLM, BASIC authentication and GROUP using external acl works fine. Thanks.

Regards
Aleksandr.

- Original Message -
From: Henrik Nordstrom [EMAIL PROTECTED]
To: Aleksandr Shcherbakov [EMAIL PROTECTED]
Cc: Henrik Nordstrom [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 8:52 PM
Subject: Re: [squid-users] wb_group problem

On Wed, 13 Aug 2003, Aleksandr Shcherbakov wrote:

wbinfo says:
wbinfo -r username
Could not get groups for user username
wbinfo -r domain\username
Could not get groups for user domain\username

Then I think there is a problem with your winbind installation somewhere. Maybe it is not fully joined to the domain or something, I do not know. Try asking the Samba people what the problem may be. If the winbind installation does not work properly then the possibilities for Squid helpers which ask winbind to work are extremely slim..

Regards
Henrik
RE: [squid-users] wb_group
I finally remembered to check the cache log for details :-( arg. OK so the groups are being read correctly now.

Good.

This particular configuration leads to everyone at full speed, which is a better default option! For the 'overused' acl, should I be using external_auth or RFC391 User as the type (or indeed another type), it reads the relevant usernames from a text file on the server. I am trying to not use one of the wb_group acl's here.

The only good way I can see to do this is to match against the authenticated username. Use a script to calculate which users in access.log are over their limit, then dump those to a file that you match on using a proxy_auth acl.

acl overused proxy_auth /path/to/file

You can dump the first delay pool - it does nothing anyway. And I think you can remove the deny all from the second delay pool - users aren't added to delay pools by default.

Adam

---
Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.237 / Virus Database: 115 - Release Date: 3/7/2001
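The script Adam describes above could look like the following. It is an added example, not code from the thread; it assumes Squid's native access.log layout (reply size in field 5, authenticated user name in field 8), and the sample log lines, the limit and the output file name are constructed.

```python
"""Build the user list for 'acl overused proxy_auth <file>' from access.log."""
import os
import tempfile
from collections import defaultdict

# Constructed sample lines in native access.log layout (not from a real proxy).
SAMPLE_LOG = """\
1059955200.123    250 172.16.4.10 TCP_MISS/200 734003200 GET http://example.com/a.iso student1 DIRECT/192.0.2.10 application/octet-stream
1059955260.456     80 172.16.4.11 TCP_HIT/200 4096 GET http://example.com/index.html teacher1 NONE/- text/html
1059955300.789    120 172.16.4.10 TCP_MISS/200 419430400 GET http://example.com/b.iso student1 DIRECT/192.0.2.10 application/octet-stream
1059955400.000     15 172.16.4.12 TCP_DENIED/407 1536 GET http://example.com/ - NONE/- text/html
1059955500.000     90 172.16.4.13 TCP_MISS/200 52428800 GET http://example.com/c.zip MYDOMAIN\\student2 DIRECT/192.0.2.10 application/zip
this line is truncated
"""


def bytes_per_user(lines, since=0.0):
    """Sum reply bytes per authenticated user for entries at or after `since`."""
    totals = defaultdict(int)
    for line in lines:
        fields = line.split()
        if len(fields) < 10:
            continue  # truncated or foreign line
        try:
            stamp, size = float(fields[0]), int(fields[4])
        except ValueError:
            continue  # not a native-format entry
        user = fields[7]
        # '-' means no authenticated user (for example the 407 challenge).
        if user == "-" or stamp < since:
            continue
        totals[user] += size
    return dict(totals)


def over_limit(totals, limit_bytes):
    """User names, exactly as logged, whose total exceeds the limit."""
    return sorted(user for user, used in totals.items() if used > limit_bytes)


def write_acl_file(path, users):
    """Replace the ACL file in one step so a half-written list is never read."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".overused.")
    with os.fdopen(fd, "w") as handle:
        handle.writelines(user + "\n" for user in users)
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; the Squid user must read it
    os.replace(tmp, path)


if __name__ == "__main__":
    usage = bytes_per_user(SAMPLE_LOG.splitlines())
    heavy = over_limit(usage, 500 * 1024 * 1024)  # constructed 500 MiB limit
    out = os.path.join(tempfile.mkdtemp(), "overused")  # constructed path
    write_acl_file(out, heavy)
    print(out, heavy)
```

Squid reads the ACL file when it loads its configuration, so a cron job that runs this against the real access.log should follow it with `squid -k reconfigure`.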
Re: [squid-users] wb_group
On Monday 04 August 2003 05.20, Simon Bryan wrote:

Yes it works from the command line OK with that syntax. Does Squid do that automatically? If not how do you configure the acl? I have the following at the moment:

acl winauth external wb_group wwwusers
acl banned external wb_group banned
acl staff external wb_group Teachers
acl students external wb_group Students

Looks fine, assuming the external_acl_type directive is correct and these groups are in the domain Samba has joined to.

Squid sends whatever is defined as format in external_acl_type followed with whatever data you place in the acl. In case of wb_group this is %LOGIN from external_acl_type followed by one or more group names from acl.

Note: If the groups are in a trusted domain then a fully qualified name needs to be specified (domain\group). wb_group from 2.5.STABLE3 or later supports fully qualified group names.

Another thing to note is delay_access is not too happy about external acl types or other acl types which may require an external lookup of any kind. But it should work pretty good (but still not perfect) if you force the same acls to be evaluated in http_access.

You can force acls to be evaluated in http_access by using a construct like this before where you allow the requests

acl none src 0.0.0.0/32
http_access deny acl_to_evaluate none
[repeat the http_access line for each acl to evaluate]

Regards
Henrik

--
Donations welcome if you consider my Free Squid support helpful. https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or firewall appliances please refer to MARA Systems AB, Sweden http://www.marasystems.com/, [EMAIL PROTECTED]
RE: [squid-users] wb_group
I have this as my external_acl_directive:

external_acl_type wb_group %LOGIN /usr/local/squid/libexec/wb_group -d

Can you pass parameters like that? eg could I use -c ?

Yes - in fact, that's what I do. My config is:

external_acl_type NT_global_group ttl=300 %LOGIN /opt/squid/libexec/wb_group -c
acl ProxyUsers external NT_global_group AllowProxy

Win2k Active Directory, single domain setup. Working perfectly.

Adam
Re: [squid-users] wb_group
Hmm, just noticed the -d in that line, don't know whether that has just slipped in while testing or not.

There is a readme.txt in the winbind_group directory explaining the available command line options and required squid.conf syntax.

I can't use the proxy from home so will check that out in the morning.

Can you pass parameters like that? eg could I use -c ?

Yes. After the format specification is just a command line, and any command line options documented for the specific helper used may be used.

Regards
Henrik

--
Donations welcome if you consider my Free Squid support helpful. https://www.paypal.com/xclick/business=hno%40squid-cache.org
Please consult the Squid FAQ and other available documentation before asking Squid questions, and use the squid-users mailing-list when no answer can be found. Private support questions is only answered for a fee or as part of a commercial Squid support contract.
If you need commercial Squid support or cost effective Squid and firewall appliances please refer to MARA Systems AB, Sweden http://www.marasystems.com/, [EMAIL PROTECTED]
Re: [squid-users] wb_group
Henrik Nordstrom said:

Another thing to note is delay_access is not too happy about external acl types or other acl types which may require an external lookup of any kind. But it should work pretty good (but still not perfect) if you force the same acls to be evaluated in http_access.

I finally remembered to check the cache log for details :-( arg. OK so the groups are being read correctly now. (Is there a debug_level that will show delay_pool details in the log?)

Returning to the delay_pools problem

My current delay_pool listing is below, and the logs would indicate that users are in the correct groups. This particular configuration leads to everyone at full speed, which is a better default option! For the 'overused' acl, should I be using external_auth or RFC391 User as the type (or indeed another type), it reads the relevant usernames from a text file on the server. I am trying to not use one of the wb_group acl's here.

delay_pools 2
delay_class 1 3
delay_parameters 1 -1/-1 -1/-1 -1/-1
delay_access 1 deny overused
delay_class 2 2
delay_parameters 2 -1/-1 3600/3600
delay_access 2 allow overused
delay_access 2 deny all

Simon Bryan
IT Manager
OLMC Parramatta
[squid-users] wb_group
Hi all,

I am working my way through why the delay_pools do not work for me, I suspected winbind and have been rebuilding everything. I have an issue with wb_group that I can't resolve. If I use wb_group -d and enter a valid username I get a list of groups as below:

student
/wb_group[22779](wb_check_group.c:343): Got 'student' from Squid (length: 7).
/wb_group[22779](wb_check_group.c:237): SID:S-1-5-21-8915387-1576539265-1404200075-513
/wb_group[22779](wb_check_group.c:237): SID:S-1-5-21-8915387-1576539265-1404200075-3041
/wb_group[22779](wb_check_group.c:237): SID:S-1-5-21-8915387-1576539265-1404200075-3530
ERR

However it always terminates with an ERR which seems to me what it must be sending to Squid so the users never fall into a group. I am using the Squid snapshot from 3rd August and Samba 2.2.8a, I have copied over the winbindd_nss.h file over the top of the Squid.

Squid -v gives:
Squid Cache: Version 2.5.STABLE3-20030803
configure options: --enable-delay-pools --enable-auth=ntlm,basic --enable-basic-auth-helpers=winbind --enable-ntlm-helpers=winbind

wb_info gives all the right answers. Any clues appreciated.

As a second question, when using wb_group in an acl do you use the NT group name eg 'teachers' or the SID number as given by wb_group on the command line?

Cheers,
Simon Bryan
IT Manager
OLMC Parramatta
RE: [squid-users] wb_group
As a general rule, it is worth including smb.conf portions as well as squid.conf portions to the list when troubleshooting winbind ACL's. I had a number of problems with wb_group that went away when I left out the winbind separator option in smb.conf. Also, use the group name, not the SID in the ACL. Also, try enabling greater debug info in the cache.log which might give more info on what's going wrong - unless you are certain the problem is the wb_group file giving the ERR, in which case squid is not the problem. Have a look in the wb_group.c source to see (it can be surprisingly readable, even for a non-programmer) what conditions cause this status to be generated.

Regards,
Tony
RE: [squid-users] wb_group
You need to supply the account name and the group to the wb_group helper. OK will be returned if the user provided is in the group provided. ie

DOMAIN\\username Domain Users

See if that helps

Regards
Jay
RE: [squid-users] wb_group
Jay Turner said:

You need to supply the account name and the group to the wb_group helper. OK will be returned if the user provided is in the group provided. ie

DOMAIN\\username Domain Users

See if that helps

Yes it works from the command line OK with that syntax. Does Squid do that automatically? If not how do you configure the acl? I have the following at the moment:

acl winauth external wb_group wwwusers
acl banned external wb_group banned
acl staff external wb_group Teachers
acl students external wb_group Students

Simon Bryan
IT Manager
OLMC Parramatta
RE: [squid-users] wb_group
I think you have your ACL's wrong. That said I haven't tried it with multiple groups as you have. I use a file located on the file system to list my groups that I want to allow internet access to. I use an external file for listing the groups as you cannot list groups in squid.conf if they have a space in them (Domain Users for example)

Below are the relevant excerpts from my squid.conf:

snip==
external_acl_type NTGroups %LOGIN /usr/lib/squid/wb_group
acl InternetUsers external NTGroups /etc/squid/ntgroups-access
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers InternetUsers
http_access deny all
=end snip=

where ntgroups-access contains:

Domain Users
Administrators

**Note Make sure there is no blank line after the last listed NT group in the access file. Otherwise it doesn't work.

Regards
Jay
RE: [squid-users] Wb_group upgrade question
My wb_group dies from time to time. It was built from 2.5.2. Can I just compile the wb_group external helper from 2.5.3 and replace the old one, or do I have to re-compile and replace squid also with 2.5.3 for the new wb_group to work? TIA.

You might as well just fully install 2.5STABLE3, unless you have a specific reason not to.

Adam
Re: [squid-users] Wb_group upgrade question
Hi, At 21.31 03/07/2003, Mark Pelkoski wrote: List, My wb_group dies from time to time. It was built from 2.5.2. Can I just compile the wb_group external helper from 2.5.3 and replace the old one, or do I have to re-compile and replace squid also with 2.5.3 for the new wb_group to work? TIA. -Mark You can use the 2.5 STABLE 3 helper with 2.5 STABLE 2, but the 2.5 STABLE 3 Squid version should be a more stable release. Regards Guido - Guido Serassio Acme Consulting S.r.l. Via Gorizia, 69 10136 - Torino - ITALY Tel. : +39.011.3249426 Fax. : +39.011.3293665 Email: [EMAIL PROTECTED] WWW: http://www.acmeconsulting.it/
[squid-users] wb_group wbinfo_group.pl
Hello, I am using samba 2.2.7 and squid 2.5-stable1. I need that only people belonging to specific NT groups can have access to the intranet, or our intranet,... I've failed to make it work with wb_group as external helper, but it is running fine with wbinfo_group.pl Is there any impact to use this helper rather than wb_group ? What are the main difference between these two helpers ? Thanks in advance, Lionel
Re: [squid-users] wb_group wbinfo_group.pl
On Friday 28 February 2003 10.52, [EMAIL PROTECTED] wrote:

Hello, I am using samba 2.2.7 and squid 2.5-stable1. I need that only people belonging to specific NT groups can have access to the intranet, or our intranet,... I've failed to make it work with wb_group as external helper, but it is running fine with wbinfo_group.pl

See the Squid FAQ for instructions on how to make the Squid winbind helpers if using Samba-2.2.7. You probably want to try with a current 2.5.STABLE nightly snapshot (or 2.5.STABLE2 when released).

Is there any impact to use this helper rather than wb_group ?

Should work fine.

What are the main difference between these two helpers ?

The internal implementation is very different. The functionality is mostly the same.

Regards
Henrik
[squid-users] wb_group space issue
Hi All,

I have successfully got wb_group installed and running on my Squid2.5-STABLE1 install. I am having a problem with NT domains that have a space in them (Domain Users). I downloaded the squid-2.5.STABLE1-spaces.patch file and it appears to have applied correctly:

patching file src/cache_cf.c
Hunk #1 succeeded at 2433 (offset -5 lines).

It's a new install so 'make distclean' is not required (I blow away my test machine completely when testing this stuff to be absolutely sure)

After compiling and install I edit my acl to read:

acl ProxyUsers external NTGroups Domain Users

I still see:

2003/02/27 16:51:33| strtokFile: Domain not found

in cache.log and requests are not processed:

(wb_group)[11271](wb_check_group.c:285): Got 'mydomain\\jturner' from Squid (length: 8192).
(wb_group)[11271](wb_check_group.c:187): SID: S-1-5-21-507187248-207029365-1082013118-513
(wb_group)[11271](wb_check_group.c:187): SID: S-1-5-21-507187248-207029365-1082013118-1013

Can someone please provide assistance into how I now get this to work. The patch listing on the website mentions the include function but I don't know what this is.

Thanks
Jay