The following is in the SQUID FAQ so I thought I would try it anyway (I currently have Samba 2.2.5), however in the Squid directories there is no winbindd_nss.h file and in the 'helper/external_acl' directory there is no wb_group directory
In the snapshot from 20030123, the winbindd_nss file exists in the first two directories but the wb_group directory is also not there. Have there been changes in this area and if so woudl they be effecting my problem? Have re-built with the 20030123 snapshot but there is no change. "Squid-2.5.STABLE1 works with Samba 2.2.4 or 2.2.5. Samba With Samba 2.2.6, the winbindd interface changed and Squid 2.5.STABLE1 will not work as distributed. Replacing the winbindd_nss.h file in Squid's helpers/basic_auth/winbind, helpers/ntlm_auth/winbind and helpers/external_acl/wb_group/ directories with the version in Samba's source/nsswitch drectory is needed for the helpers to work properly." > -----Original Message----- > From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]] > Sent: Tue, 18. February 2003 9:07 AM > To: [EMAIL PROTECTED] > Subject: Re: [squid-users] Winbind and Windows groups > > > Looks fine from what I can tell, and should work.. > > But your http_access rules is a bit complex I think, but no > immediately obvious errors except for the "allow CONNECT ..." thing > which may override later filters if using https://.. > > Regards > Henrik > > > > On Monday 17 February 2003 22.19, you wrote: > > yes, I have the following: > > > > auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth > > auth_param ntlm children 20 > > auth_param ntlm max_challenge_reuses 0 > > auth_param ntlm max_challenge_lifetime 2 minute > > > > auth_param basic program /usr/local/bin/smb_auth -W OLMC_CD -U > > 10.192.0.11 auth_param basic children 5 > > auth_param basic realm Poxy server at OLMC > > auth_param basic credentialsttl 1 hour > > > > and from below: > > authenticate_ttl 1 hour > > acl password proxy_auth REQUIRED > > http_access deny all !password > > > > and the logs show the username as domain\username > > > > I take it that this should work then? > > > > > -----Original Message----- > > > From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]] > > > Sent: Tue, 18. February 2003 2:06 AM > > > To: [EMAIL PROTECTED] > > > Cc: Squid-Users > > > Subject: Re: [squid-users] Winbind and Windows groups > > > > > > > > > Have you also configured authentication? (auth_param ...) > > > > > > The group helpers are only responsible for verifying group > > > membership, and relies on the authentication helper(s) to first > > > verify the username and password. > > > > > > Regards > > > Henrik > > > > > > mån 2003-02-17 klockan 06.11 skrev Simon Bryan: > > > > Hi all, > > > > I have sorted out most of my winbind problems at least at Samba > > > > > > - command > > > > > > > line level. However I still cannot get Squid to recognise the > > > > > > groups. The > > > > > > > relevant kines from my Squid.conf file are below. > > > > Note that wbinfo -u returns the users, wbinfo -g returns the > > > > > > groups from the > > > > > > > domain, if I feed a correct domain+username groupname to > > > > > > wb_group it returns > > > > > > > 'OK' or 'ERR' as the case may be. > > > > Is there anything wrong in my conf file that is obvious, or can > > > > I not do this yet? > > > > > > > > Using SQUID snapshot from 13th Feb 03 > > > > > > ***************************************************************** > > >* ********* > > > > > > > external_acl_type wb_group %LOGIN > > > > /usr/local/squid/libexec/wb_group acl winauth external wb_group > > > > wwwusers > > > > acl staff external wb_group Teachers > > > > acl students external wb_group Students > > > > authenticate_ttl 1 hour > > > > authenticate_ip_ttl 300 seconds > > > > > > > > > > > > #a list of webmail domains from Dansguardian > > > > acl webmail dstdomain > > > > "/etc/dansguardian/blacklists/mail/domains" > > > > > > > > #some regex expressions that used to work OK with IP based acls > > > > acl webmail2 urlpath_regex "/usr/local/squid/acls/webmailregex" > > > > > > > > acl password proxy_auth REQUIRED > > > > > > > > #using this as a test, if I make it a http_access deny TEST all > > > > it works acl TEST dstdomain .passport.com > > > > > > > > > > > > http_access deny redworm > > > > http_access deny FTPDownloads PUT > > > > http_access deny banned-url > > > > http_access allow manager localhost > > > > http_access deny manager > > > > http_access deny CONNECT !SSL_ports > > > > http_access allow CONNECT SSL_ports > > > > http_access deny !Safe_ports > > > > http_access deny to_localhost > > > > http_access deny all !password > > > > http_access deny students TEST > > > > http_access deny students webmail webmail2 > > > > http_access allow local_servers > > > > http_access allow FTPDownloads > > > > http_access allow our_networks > > > > http_access allow olmcwarnings > > > > > > > > #And finally deny all other access to this proxy > > > > http_access allow all > > > > > > ***************************************************************** > > >* ********** > > > > > > > ************** > > > > _________________________________________ > > > > Simon Bryan > > > > IT Manager > > > > OLMC Parramata > > > > ICQ#: 137562751 > > > > _________________________________________ > > > > > > -- > > > Henrik Nordstrom <[EMAIL PROTECTED]> > > > MARA Systems AB, Sweden