Differences between version 6 and predecessor to the previous major change of SquidNotes.
| Newer page: | version 6 | Last edited on Wednesday, September 15, 2004 3:09:10 pm | by LeonBreedt |
| Older page: | version 3 | Last edited on Thursday, June 24, 2004 5:41:00 pm | by CraigBox |
@@ -92,11 +92,11 @@
</pre>
!!Proxy Auth with [NTLM]
-A full working example on having a Squid proxy pick up user information from NTLM and a MicrosoftWindows ActiveDiretory
. This will allow anyone in the AD Group "Internet" to have full access to the internet, and anyone in "Domain Users" (and not in "Internet") to access sites in the "/etc/squid-allowedsites" file only.
+A full working example on having a Squid proxy pick up user information from NTLM and a MicrosoftWindows ActiveDirectory
. This will allow anyone in the AD Group "Internet" to have full access to the internet, and anyone in "Domain Users" (and not in "Internet") to access sites in the "/etc/squid-allowedsites" file only.
-If you are using InternetExplorer or newer [Mozilla] browsers, this will work transparently using NTLM Authentication. If you're using another browser and
you'll be prompted for a username and password.
+If you are using InternetExplorer or newer [Mozilla] browsers (on MicrosoftWindows)
, this will work transparently using NTLM Authentication. If you're using another browser (or are running [Linux]),
you'll be prompted for a username and password.
Using [Squid] 2.5STABLE3 and [Samba] 2.2.8a. Squid was recompiled with all winbind helpers and samba was recompiled with challenge-auth.
Initially we tried to use transparent proxying AND NTLM auth, as all indications were that this should work. In practice it does not - it seems there are bugs in squid which prevent this.
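Review bot: The new parenthetical in "If you're using another browser (or are running [Linux]), you'll be prompted for a username and password" ties the prompt to the operating system, while the sentence before it ties transparent NTLM to the browser, so the paragraph now gives two different criteria. Suggest wording it as any client that cannot do NTLM transparently, and stating that the prompted path depends on a basic authenticator being configured, since nothing in this paragraph tells a non-Windows reader what serves that prompt.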
@@ -182,13 +182,31 @@
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
-#winbind separator = +
winbind use default domain = yes
winbind cache time = 3
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
wins server = 10.7.0.114
wins proxy = yes
</verbatim>
+
+
+! Samba 3.x
+
+If you're using Samba 3.x, you can no longer use the Squid wb_* helpers. Instead, you have to use the Samba-supplied helpers themselves:
+
+<verbatim>
+# NTLM proxy auth
+auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
+
+# HTTP basic proxy auth
+auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
+</verbatim>
+
+Its a good idea to supply both NTLM and HTTP Basic authenticators so that non-IE browsers can use the
+proxy as well.
+
+You will also need to allow the user ID Squid is running as to write to the <tt>/var/lib/samba/winbindd_privileged</tt>
+directory or you will get authentication failures (with errors written to cache.log).
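Review bot: The last added sentence, "allow the user ID Squid is running as to write to the /var/lib/samba/winbindd_privileged directory", does not say how to grant that access, and a reader is likely to solve it by loosening the directory mode for everyone. Suggest spelling out a grant limited to the Squid user (for example through group ownership of the directory) and quoting the cache.log error that indicates the failure. Smaller points in the same hunk: the removal of "#winbind separator = +" is not explained, "Its a good idea" should be "It's", and the "HTTP basic proxy auth" helper line deserves a sentence noting that Basic sends the password to the proxy only base64-encoded, so readers know what the fallback costs.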
