On Tue, 2003-04-01 at 11:42, Gavin Hamill wrote:
> > Gavin,
> >
> > I know how you feel; I battled with winbind and these problems for ages and
> > finally it all worked. Below are the relevant parts of my squid.conf.
>
> I'm /almost/ there :) winbindd now seems to work fine, and I can
> successfully limit squid access only to those who authenticate using NTLM...
> those currently logged into the domain see no pop-up password prompt, and
> those roaming can just tap in their on-site user/password/domain into the
> box...
>
> However, the grail is to achieve two things:
>
> 1) Members of the 'Domain Admins' group are allowed proxy access to any
> site, at any time of day
> 2) All other authenticated users are only permitted to use a set list of
> websites during office hours.
>
> At present, if I reference anything relating to NT groups, I just get
> 'Access Denied' from squid.
>
> Here's my entire squid.conf for 2.5.STABLE2, verbatim:
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> hierarchy_stoplist cgi-bin ?
>
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> auth_param ntlm program /usr/lib/squid/wb_ntlmauth
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
>
> external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
> acl domainadmins external NT_global_group "Domain Admins"
>
> acl domainmember proxy_auth REQUIRED
>
> acl localhost src 127.0.0.1/255.255.255.255
>
> acl lan src 80.76.192.0/255.255.255.0
>
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 # https
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> acl morning time MTWHF 09:00-12:59
> acl afternoon time MTWHF 14:00-16:59
> acl whitelist dstdomain "/etc/squid.whitelist"
>
> http_access allow localhost
>
> # admins should get full access, whenever, wherever.
> http_access allow domainmember domainadmins
>
> # non-admins can only look at certain sites during office hours ...
> http_access deny domainmember morning !whitelist
> http_access deny domainmember afternoon !whitelist
> # ... and all sites outside office hours.
> http_access allow domainmember
>
> # non-auth'd users get nada
> http_access deny all
>
> http_reply_access allow all
>
> icp_access allow all
> coredump_dir /var/spool/squid
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> As it stands, this config does not work as I want because members of the 'Domain
> Admins' group are assigned the same privileges as normal NTLM-auth'd users.
> I don't understand this, because:
>
> wintermute:~# /usr/lib/squid/wb_group
> floss "Domain Admins"
> OK
>
> I've also tried surrounding the Domain Admins group name with single and
> double quotes in squid.conf, but this has made no difference.
>
> As always, I'm interested in suggestions :)
Hi Gavin,

Brian O'Neill submitted a patch in November to allow you to use `Domain Admins`, because you can't do it with spaces (as you've discovered). It's down to the passing around between squid.conf and the ACL helper.

I don't know if it made it in, but you could give it a go.

HTH, HAND

Greg.

-- 
No keyboard present
Hit F1 to continue
Zen engineering?
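To make the failure mode Greg points at concrete, here is a small added Python model (not Squid's or Samba's helper code) of a line-based OK/ERR group helper. It assumes the request line reaches the helper as `<login> <group> [<group> ...]`, as the thread's symptoms suggest, and shows how whitespace tokenising turns "Domain Admins" into two unknown groups (so the ACL fails closed and admins get the ordinary-user rules), while a quote-aware parser keeps the name whole; the membership table is constructed for the example.

```python
"""Model of a Squid external ACL group helper (illustration only, not the
real wb_group code).  Squid's external_acl_type protocol is line based:
one request line in, 'OK' or 'ERR' out."""
import shlex

# Constructed stand-in for the domain's group membership (not real data).
GROUP_MEMBERS = {
    "Domain Admins": {"floss"},
    "Domain Users": {"floss", "gavin"},
}


def naive_parse(line):
    """Whitespace split, the way a simple helper reads its request line.
    'floss Domain Admins' becomes login 'floss' and groups ['Domain', 'Admins']."""
    fields = line.split()
    return fields[0], fields[1:]


def quoted_parse(line):
    """Quote-aware split: a double-quoted group name stays one token."""
    fields = shlex.split(line)
    return fields[0], fields[1:]


def helper_reply(line, parse):
    """Reply OK if the login belongs to any listed group, otherwise ERR.
    An unknown group name (e.g. 'Domain' on its own) never matches, so a
    mangled group name silently denies everyone in that ACL."""
    login, groups = parse(line)
    for group in groups:
        if login in GROUP_MEMBERS.get(group, set()):
            return "OK"
    return "ERR"


if __name__ == "__main__":
    # Unquoted request, naive helper: the admin is denied.
    print(helper_reply("floss Domain Admins", naive_parse))       # ERR
    # Quoted request, quote-aware helper: the manual test Gavin ran.
    print(helper_reply('floss "Domain Admins"', quoted_parse))    # OK
```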
