Hi!

I'm having a problem getting authentication with groups. I'm using the helper that is 
part of Samba 3.0, not the Squid helper. Basic authentication and NTLM authentication 
work fine, but I cannot get wbinfo_group.pl working.

[Scenario]: box with Red Hat 9 + Samba 3 + Squid 2.5.STABLE4


Configuration of squid.conf

auth_param ntlm program /usr/local/samba/bin/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-ntlmssp --nt-response
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 15 minutes
authenticate_ttl 1 hour
external_acl_type wbinfo_group_helper ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl gruppoInternet external wbinfo_group_helper -i "/etc/squid/gruppi/Internet"
acl password proxy_auth REQUIRED
http_access deny password !gruppoInternet
http_access deny all


The file /etc/squid/gruppi/Internet has the name of the group. With Samba 2.2.8a it works 
fine.


Configuration of samba

#/usr/local/samba/lib/Smb.conf
[global]
   workgroup = advnet
   server string = Samba Server on %v
   hosts allow = 192.168.150. 127.
   log file = /var/log/samba/%m.log
   max log size = 1000
   security = domain
   password server = srvadvnet
   encrypt passwords = yes
   smb passwd file = /usr/local/samba/private/smbpasswd
   interfaces = 192.168.150.250/24
   domain master = no
   preferred master = no
   wins support = no
#********************winbindd************************
winbind use default domain = yes
template shell = /bin/bash
template homedir = /home/%D/%U
idmap uid = 10000-65000
idmap gid = 10000-65000
winbind enum users = yes
winbind enum groups = yes



Samba 3.00 ./configure --with-winbind --with-winbind-auth-challenge --with-msdfs --with-smbwrapper --with-smbmount --with-pam_smbpass --with-nmbd


Squid2.5STABLE4: ./configure --enable-auth=basic,digest,ntlm --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group --enable-kill-parent-hack --enable-err-language=italian




I've changed the permissions for the directory winbindd_privileged and the file pipe:
[EMAIL PROTECTED] locks]# ls -laF
drwxr-x---    2 root     squid        4096 20 nov 14:02 winbindd_privileged/
srwxrwxrwx    1 root     root            0 20 nov 14:02 pipe


I changed wbinfo_group.pl as described at 
http://itmanagers.net/posts10-0.html&postdays=0&postorder=asc&highlight=

 [EMAIL PROTECTED] squid]# vi /usr/lib/squid/wbinfo_group.pl
#!/usr/bin/perl -w
#
# external_acl helper to Squid to verify NT Domain group
# membership using wbinfo
#
# This program is put in the public domain by Jerry Murdock
# <[EMAIL PROTECTED]>. It is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Author:
#   Jerry Murdock <[EMAIL PROTECTED]>
#
# Version history:
#   2002-07-05 Jerry Murdock <[EMAIL PROTECTED]>
#               Initial release
#

# external_acl uses shell style lines in its protocol
#require 'shellwords.pl';

# Disable output buffering
$|=1;

sub debug {
        # Uncomment this to enable debugging
        #print STDERR "@_\n";
}

#
# Check if a user belongs to a group
#
sub check {
        local($user, $group) = @_;
        $groupSID = `wbinfo -n "$group"`;
        chop  $groupSID;
        $groupGID = `wbinfo -Y $groupSID`;
        chop $groupGID;
        &debug( "User:  -$user-\nGroup: -$group-\nSID:   -$groupSID-\nGID:   -$groupGID-");
        return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
        return 'ERR';
}

sub shellwords {
        local (@words, $user, $group);
        ($user = $1, $group = $2) if (s/.*\\(.*)\s(.*)//);
        push (@words, $user, $group);
        @words;
}

#
# Main loop
#
while (<STDIN>) {
        chop;
        &debug ("Got $_ from squid");
        ($user, $group) = &shellwords;
        $ans = &check($user, $group);
        &debug ("Sending $ans to squid");
        print "$ans\n";
}


Thanks for all help.

Regards

P.S.: excuse me for the previous Italian mail.

Samantha Cicchelero
ADVNET s.r.l.
Via Marco Corner, n. 19
36016 Thiene (VI)
ITALY
Phone +39 0445 371093
Fax +39 0445 371094
Web Site http://www.advnet.it
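
The group lookup from the helper posted above, rewritten as an added example (not code from the original post, and not the Squid or Samba project's helper): it runs wbinfo through list-form open so no shell ever parses the login or group name, and it keeps only the SID from the `wbinfo -n` output. It assumes Squid sends shell-quoted request lines, as the helper's own comment says, that a request may carry one or more group names, and that `wbinfo` is on the helper's PATH.

```perl
#!/usr/bin/perl
# Added example, not the Squid or Samba helper: group check without a shell.
use strict;
use warnings;
use Text::ParseWords qw(shellwords);

$| = 1;    # Squid waits for one reply per request line, so never buffer

# Run wbinfo with an argument list: no shell ever parses user or group names.
sub wbinfo {
    my @args = @_;
    open(my $fh, '-|', 'wbinfo', @args) or return;
    chomp(my @lines = <$fh>);
    close($fh) or return;    # non-zero exit from wbinfo counts as failure
    return @lines;
}

# Split a request line into (user, groups...), undoing shell-style quoting and
# dropping an optional DOMAIN\ prefix as the posted helper does.
sub parse_request {
    my ($line) = @_;
    my ($user, @groups) = shellwords($line);
    return unless defined $user && @groups;
    $user =~ s/^.*\\//;
    return ($user, @groups);
}

sub in_group {
    my ($user, $group) = @_;
    # Assumption: wbinfo -n may print text after the SID; keep only the SID.
    my ($sid) = map { /^(S-[0-9-]+)/ ? $1 : () } wbinfo('-n', $group);
    return 0 unless defined $sid;
    my ($gid) = grep { /^\d+$/ } wbinfo('-Y', $sid);
    return 0 unless defined $gid;
    return scalar(grep { $_ eq $gid } wbinfo('-r', $user));
}

# Main loop; skipped when the file is loaded with require for testing.
unless (caller) {
    while (my $line = <STDIN>) {
        chomp $line;
        my ($user, @groups) = parse_request($line);
        my $ok = defined $user && grep { in_group($user, $_) } @groups;
        print $ok ? "OK\n" : "ERR\n";
    }
}
```

Any line that does not parse into a user and at least one group, and any wbinfo failure, is answered with ERR, so the helper fails closed.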