Would this be the same for a Squid 3 environment??? Or does one ONLY use winbind?
> Hi Everyone,
>
> Here's just a few notes and a quick "how to" for enterprises looking towards
> migrating a (sizeable) Microsoft proxy and ISA infrastructure to Squid. Our
> requirements were to produce a Linux, Squid and Samba solution that
> provided:
>
> 1. Transparent authentication of IE clients
> 2. ACLs based on membership of domain NT group
> 3. Support for traversing trusted domains (e.g. a resource domain model)
>
> We have managed to achieve this in a test environment where:
>
> -> The squid proxy is a member server in the Resource domain
> -> Our test users reside in domains trusted by the Resource domain
> -> Resource domain contains a domain local group RESOURCE\ProxyFullAccess
> -> Group RESOURCE\ProxyFullAccess contains user accounts from the trusted
>    domains
> -> The Samba3 supplied ntlm_auth helper is used by "auth_param ntlm ..."
> -> The Squid supplied wbinfo_group.pl is used by "external_acl_type ..."
> -> Squid proxy has an ACL to allow http_access for RESOURCE\ProxyFullAccess
>
> We have used Samba 3.0.0rc2 and Squid-2.5-STABLE3 in our test environment.
> Andrew Tridgell of the Samba team provided us with a patch to make Samba
> domain local group aware WITHOUT having to be a DC for that domain. This
> patch can be found at
> http://samba.org/ftp/tridge/misc/samba3_local_groups.patch
>
> A quick "How To" for your own transparently authenticated, trusted-domain
> aware Squid proxy:
>
> 1. Download Samba-3.0.0rc2 and download the samba3_local_groups patch from
>    the URL above
> 2. Patch the Samba source and then ./configure --with-winbind
>    --with-winbind-auth-challenge, make and make install
> 3. Using the 'net join' command, join your resource domain, configure
>    smb.conf as appropriate
> 4. Start the nmbd daemon. Start the winbindd daemon (test using wbinfo - you
>    can also start winbindd with a "-i" for interactive mode)
> 5. Download Squid-2.5.STABLE3 and then ./configure --enable-auth=basic,ntlm
>    --enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB
>    --enable-ntlm-auth-helpers=SMB,fakeauth --enable-ntlm-fail-open
>    --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group
>    then make and make install
> 6. Relevant squid.conf bits:
>
>    auth_param ntlm program /opt/squid/lib/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d 3
>    auth_param ntlm children 5
>    auth_param ntlm max_challenge_reuses 0
>    auth_param ntlm max_challenge_lifetime 2 minutes
>
>    external_acl_type ntgroup_helper %LOGIN /opt/squid/lib/wbinfo_group.pl
>    acl proxyfullaccess external ntgroup_helper RESOURCE\ProxyFullAccess
>
>    http_access allow proxyfullaccess
>    http_access deny all
>
> 7. Find the location of the winbindd_privileged pipe and chgrp squid (or
>    your cache_effective_group from squid.conf)
> 8. Kill any running samba daemons and start them (always) in this order -
>    nmbd, winbindd and then squid
>
> And that's it! I hope this post helps someone else with a similar goal.
>
> (Many thanks to Tridge from the Samba team!)
>
> Andrew Wilshire
> IBM / Air New Zealand
> [EMAIL PROTECTED]
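The group check in the quoted setup is done by wbinfo_group.pl, which Squid drives through the external_acl_type protocol: Squid writes one line per request carrying the %LOGIN field followed by the ACL arguments (the group names), and the helper answers OK or ERR. As an added example (it is not the original poster's code and not Squid's own wbinfo_group.pl, which is Perl), here is a Python helper that implements the same protocol and the same winbind lookup chain the Perl script uses (wbinfo -n to get the group SID, wbinfo -Y to map it to a gid, wbinfo -r to list the user's gids). Points worth noting for anyone writing their own: wbinfo is called with an argv list rather than a shell string, so a user or group name coming from the proxy can never be interpreted by a shell; every malformed line, lookup failure or unknown group yields ERR, so the ACL fails closed; group names are compared case-insensitively in their DOMAIN\group form. The FakeWinbind class is a constructed stand-in used only to exercise the logic without a running winbindd; the resolver interface (user_gids, group_gid) and the assumption that "wbinfo -n" prints the SID first are mine.

```python
"""Squid external ACL helper speaking the wbinfo_group.pl protocol.

Request line from Squid:  <%LOGIN> <group> [<group> ...]
Reply to Squid:           OK   if the user is in any listed group
                          ERR  otherwise (including any failure)
"""
import subprocess
import sys
from typing import Optional, Protocol, Set
from urllib.parse import unquote


class Resolver(Protocol):
    """Minimal interface the helper needs from winbind (hypothetical)."""

    def user_gids(self, user: str) -> Set[str]: ...

    def group_gid(self, group: str) -> Optional[str]: ...


class Winbind:
    """Real resolver: the wbinfo -n / -Y / -r chain that wbinfo_group.pl uses."""

    @staticmethod
    def _run(*args: str) -> str:
        # argv list, never a shell string: names from the proxy are data only
        try:
            done = subprocess.run(["wbinfo", *args], capture_output=True,
                                  text=True, check=True)
        except (OSError, subprocess.CalledProcessError):
            return ""
        return done.stdout

    def group_gid(self, group: str) -> Optional[str]:
        # Assumption: "wbinfo -n DOMAIN\group" prints "<SID> <type>"
        parts = self._run("-n", group).split()
        if not parts:
            return None
        gid = self._run("-Y", parts[0]).strip()
        return gid or None

    def user_gids(self, user: str) -> Set[str]:
        # "wbinfo -r user" prints one gid per line
        return {g.strip() for g in self._run("-r", user).splitlines() if g.strip()}


class FakeWinbind:
    """Constructed fixture: a resource-domain group holding a trusted-domain user."""

    def __init__(self) -> None:
        self._groups = {"resource\\proxyfullaccess": "10001"}
        self._users = {"corp\\alice": {"10000", "10001"},
                       "corp\\bob": {"10000"}}

    def group_gid(self, group: str) -> Optional[str]:
        return self._groups.get(group.casefold())

    def user_gids(self, user: str) -> Set[str]:
        return self._users.get(user.casefold(), set())


def is_member(user: str, groups, resolver: Resolver) -> bool:
    """True if the user's gid set intersects the gid of any requested group."""
    have = resolver.user_gids(user)
    if not have:
        return False
    for group in groups:
        gid = resolver.group_gid(group)
        if gid is not None and gid in have:
            return True
    return False


def handle_line(line: str, resolver: Resolver) -> str:
    """Map one request line to OK/ERR; anything unexpected is ERR (fail closed)."""
    # Squid may percent-encode fields; decoding is harmless for plain names
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return "ERR"
    user, groups = fields[0], fields[1:]
    try:
        return "OK" if is_member(user, groups, resolver) else "ERR"
    except Exception:  # never let a lookup error become an allow
        return "ERR"


def main(resolver: Optional[Resolver] = None) -> None:
    resolver = resolver or Winbind()
    for line in sys.stdin:
        print(handle_line(line, resolver), flush=True)


if __name__ == "__main__":
    main()
```

Wired in as `external_acl_type ntgroup_helper %LOGIN /path/to/this_helper.py`, the helper behaves like the Perl one for the `acl proxyfullaccess external ntgroup_helper RESOURCE\ProxyFullAccess` line above; the `flush=True` matters because Squid waits on each reply line and a buffered helper will stall requests.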
