So what you are doing is using the SMB authenticator to restrict "REQUIRED"
user to a subset of the customers valid NT users..
hmm interesting. I still think pulling the group membership from the PDC and
then basing your auth on that is the way to go. You could easily pull the
data in cron to squid and reconfigure on the fly at midnight or whenever.
The things I don't like about your solution (whilst it works...) are
a) it's user dependant. what if the user doesn't use the pac file? then they
have problems and won't understand why.
b) you are using a lot more resources on the squid box(s) because you have
two instances of squid running on each.
c) if that NT box your files are on goes down, or they want to go to
encrypted SMB links your squid service will stop... whereas authentication
alone can use multiple DC's (if the authenticator supports it)... see what
kinkie and I built for NT CHAP authentication. (not stable yet... (feedback
to both of us please).. but you could build the same functionality to
SMB_authenticator)
Rob
----- Original Message -----
From: "Moser Max (RTC)" <max.moser@rtc.ch>
To: "'Robert Collins'" <robert.collins@itdomain.com.au>
Sent: Friday, September 01, 2000 11:53 PM
Subject: AW: [SQU] Protocol dependend SMB_auth !! Got the solution. Maybe
you should add it to your faq.
Na, it worked like i said. I can have two different files on my netlogon
shares.
One file has permission read for Internetusers and one for FTPusers.
I got two instances of Squid running one on 8081 one on 8082 with two
different
squid.conf files. One allows http/https and verifies with smb_auth on one
file on the netlogonshare
and the other squid process uses smb_auth with the f option (other file) to
verify ftp users.
You see like this you have to enter differen proxy settings in the browsers,
and that i fix up with an .pac file at post 8080.
So the users browser get the .pac file.. when he want ftp he connects
automaticly to 8082 and if he wants http the .pac file redirects him to
8081.
That works with no clue.
One squid is up now i work on the second. the .pac file is also finished.
Next week i implement it. do u want my final solution then?
btw. exports etc from nt is not possible, the cosumer dont wont that.
greetings.
MAx
-----Ursprüngliche Nachricht-----
Von: Robert Collins [mailto:robert.collins@itdomain.com.au]
Gesendet am: Freitag, 1. September 2000 14:11
An: Moser Max (RTC); squid-users@ircache.net
Betreff: Re: [SQU] Protocol dependend SMB_auth !! Got the solution.
Maybe you should add it to your faq.
Max that is a very hard way to solve your problem....and it wont' address
your request to avoid separate auth files.
lets see if I have it right?
you want the members of inetuser to get http access and
the members of ftpusers to get ftp access?
Answer:
currently squid does NOT SUPPORT GROUP MEMBERSHIPS from the native user
database. That is SMB/NTLM/LDAP/Basic auth types are all group-ignorant. You
can emulate groups with the following syntax
acl inetusers proxy_auth sam john mary peter
or
acl inetusers proxy_auth "userfile"
to pull the details from a file.
do get the different list of users for each protocol use two proxyauth acl's
acl inetusers proxy_auth sam john mary
acl ftpusers proxy_auth sam mary
then
acl ftp proto ftp
acl http proto ftp
and finally
http_access allow http inetusers
http_access allow ftp ftpusers
http_access deny all
should give you one instance of squid, different users allowed ftp and http,
and no separate files (allthough you can use group files (for example
exported from your PDC) if you want).
You could also write an export module to get the group membership from the
DC and extend squid (bigger project though).
Rob
----- Original Message -----
From: "Moser Max (RTC)" <max.moser@rtc.ch>
To: <squid-users@ircache.net>
Sent: Friday, September 01, 2000 6:11 PM
Subject: [SQU] Protocol dependend SMB_auth !! Got the solution. Maybe you
should add it to your faq.
> My prob was that i have some NT groups (lets say:Inetusers and Ftpusers).
> I dont want an additional authorisation file etc. So i checked smb_auth.
> Because Squid only pass User and PAssword to an external authentication
> Programm
> it would not be possible to use one Authmethod for FTP and one for HTTP.
>
> After a long toilett meeting i got an idea.
>
> Yo can solf it like this:
>
> You got a PDC/BDC a Proxy with 2 Squid running on it and an apache on it.
>
> So configure it like this.
>
> Install the Apache on port 8080 and add as default file the Autoconfig.pac
> file. i will post mine if you all want.
> then you install one squid on port 8081 for http and one squid on 8082 for
> ftp. now you can define 2 different configs
> for those squids one that veryfies with smb_auth the ftp and one that do
> taht for http. thats is i guess that should
> work.
>
> I will inform you bout my config and tests in detail if you want.
>
> Greetings
>
> Max
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>
>
-- To unsubscribe, see http://www.squid-cache.org/mailing-lists.htmlReceived on Fri Sep 01 2000 - 15:55:02 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:11 MST