> Gavin,
>
> I know how you feel; I battled with winbind and these problems for ages and
> finally it all worked. Below are the relevant parts of my squid.conf.
I'm /almost/ there :) winbindd now seems to work fine, and I can successfully limit squid access only to those who authenticate using NTLM... those currently logged into the domain see no pop-up password prompt, and those roaming can just tap in their on-site user/password/domain into the box...

However, the grail is to achieve two things:

1) Members of the 'Domain Admins' group are allowed proxy access to any site, at any time of day
2) All other authenticated users are only permitted to use a set list of websites during office hours.

At present, if I reference anything relating to NT groups, I just get 'Access Denied' from squid..

Here's my entire squid.conf for 2.5.STABLE2, verbatim:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object

external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
acl domainadmins external NT_global_group "Domain Admins"
acl domainmember proxy_auth REQUIRED

acl localhost src 127.0.0.1/255.255.255.255
acl lan src 80.76.192.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443         # https
acl Safe_ports port 80         # http
acl Safe_ports port 21         # ftp
acl Safe_ports port 443        # https
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

acl morning time MTWHF 09:00-12:59
acl afternoon time MTWHF 14:00-16:59
acl whitelist dstdomain "/etc/squid.whitelist"

http_access allow localhost

# admins should get full access, whenever, wherever.
http_access allow domainmember domainadmins

# non-admins can only look at certain sites during office hours ...
http_access deny domainmember morning !whitelist
http_access deny domainmember afternoon !whitelist

# ... and all sites outside office hours.
http_access allow domainmember

# non-auth'd users get nada
http_access deny all

http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

As it stands, this config does not work as I want because members of the 'Domain Admins' group are assigned the same privileges as normal NTLM-auth'd users. I don't understand this, because:

wintermute:~# /usr/lib/squid/wb_group
floss "Domain Admins"
OK

I've also tried surrounding the Domain Admins group name with single and double quotes in squid.conf, but this has made no difference.

As always, I'm interested in suggestions :)

Cheers,
Gavin.
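The following is an added illustration, not part of Gavin's message or of Squid itself: a small Python model of how Squid walks the http_access lines in the posted config. Every ACL on a line must match, the first matching line decides, and if no line matches the opposite of the last line's action applies. The manager/purge lines are left out because they only affect cache_object and PURGE requests, the whitelist contents are constructed stand-ins for /etc/squid.whitelist, and the outcome of the NT_global_group helper is modelled as a flag rather than by running wb_group. Running it shows two things worth knowing before debugging the helper: when the external group ACL never reports a match, a Domain Admin falls through to exactly the rules that apply to an ordinary member (the symptom described above), and the two time ACLs leave 13:00-13:59 and weekends unrestricted for everyone, because those minutes match neither `morning` nor `afternoon`.

```python
"""First-match simulation of the http_access rules from the posted squid.conf.

Added example (not from the original message). ACL predicates take the request
and a context dict; ctx["group_helper_works"] stands in for whether the
NT_global_group external ACL actually returns OK for the user's groups.
"""
from dataclasses import dataclass
from typing import Optional

# Squid's day letters for the "time" ACL: M T W H F A S = Mon..Sun
WEEKDAYS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}

# Constructed stand-in for the contents of /etc/squid.whitelist
WHITELIST = {"intranet.example", "example.com"}


@dataclass
class Request:
    src: str
    port: int
    method: str
    user: Optional[str]      # None = not authenticated (no proxy_auth match)
    groups: frozenset        # groups the helper would report (constructed)
    weekday: int             # 0 = Monday
    minute_of_day: int       # 13:30 -> 810
    dstdomain: str


def _minutes(hhmm):
    return int(hhmm[:2]) * 60 + int(hhmm[3:])


def time_acl(days, start, end):
    """Mirror 'acl name time MTWHF hh:mm-hh:mm' (inclusive range, listed days)."""
    day_set = {WEEKDAYS[d] for d in days}
    s, e = _minutes(start), _minutes(end)
    return lambda r, ctx: r.weekday in day_set and s <= r.minute_of_day <= e


def dstdomain(domains):
    """Mirror 'acl name dstdomain': exact match or any subdomain of a listed domain."""
    return lambda r, ctx: any(r.dstdomain == d or r.dstdomain.endswith("." + d)
                              for d in domains)


def external_group(group):
    # Only matches when the helper is reported as working AND the user is in the group
    return lambda r, ctx: (ctx["group_helper_works"]
                           and r.user is not None and group in r.groups)


ACLS = {
    "all": lambda r, ctx: True,
    "localhost": lambda r, ctx: r.src == "127.0.0.1",
    "SSL_ports": lambda r, ctx: r.port == 443,
    "Safe_ports": lambda r, ctx: r.port in (80, 21, 443),
    "CONNECT": lambda r, ctx: r.method == "CONNECT",
    "domainmember": lambda r, ctx: r.user is not None,    # proxy_auth REQUIRED
    "domainadmins": external_group("Domain Admins"),
    "morning": time_acl("MTWHF", "09:00", "12:59"),
    "afternoon": time_acl("MTWHF", "14:00", "16:59"),
    "whitelist": dstdomain(WHITELIST),
}

# The http_access lines from the post that govern ordinary browsing, in order.
HTTP_ACCESS = [
    ("deny", "!Safe_ports"),
    ("deny", "CONNECT !SSL_ports"),
    ("allow", "localhost"),
    ("allow", "domainmember domainadmins"),
    ("deny", "domainmember morning !whitelist"),
    ("deny", "domainmember afternoon !whitelist"),
    ("allow", "domainmember"),
    ("deny", "all"),
]


def evaluate(req, group_helper_works=True):
    """Return 'allow' or 'deny' the way Squid's first-match http_access logic would.

    Note: real Squid sends a 407 challenge when an unauthenticated request hits a
    proxy_auth ACL; here such a request simply fails to match 'domainmember'.
    """
    ctx = {"group_helper_works": group_helper_works}
    for action, terms in HTTP_ACCESS:
        line_matches = True
        for term in terms.split():
            negate = term.startswith("!")
            result = ACLS[term.lstrip("!")](req, ctx)
            if result == negate:          # plain term unmatched, or negated term matched
                line_matches = False
                break
        if line_matches:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"


def make_request(user, groups=(), hhmm="10:30", domain="news.example", weekday=0,
                 src="80.76.192.10", port=80, method="GET"):
    """Build a constructed request; defaults are a LAN user browsing on a Monday morning."""
    return Request(src, port, method, user, frozenset(groups), weekday,
                   _minutes(hhmm), domain)


if __name__ == "__main__":
    admin = make_request("floss", ["Domain Admins"])
    print("admin, group helper matching :", evaluate(admin, True))    # allow
    print("admin, group ACL never matches:", evaluate(admin, False))  # deny (same as a member)
    print("member, 10:30, non-whitelisted:", evaluate(make_request("bob")))          # deny
    print("member, 13:30, non-whitelisted:", evaluate(make_request("bob", "", "13:30")))  # allow
```

The `group_helper_works=False` run reproduces the observed symptom without saying why wb_group does not match from inside Squid: once `domainadmins` fails, the admin's request is evaluated by the `domainmember morning !whitelist` line like anyone else's. The 13:30 case is a separate caveat a practitioner would want to check before deploying the time rules as written.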
