This will allow anyone in the AD Group "Internet" to have full access to the internet, and anyone in "Domain Users" (and not in "Internet") to access sites in the "/etc/squid-allowedsites" file only.
If you are using IE, this works transparently using NTLM authentication. If you're using another browser, you'll be prompted for a username and password.
This setup uses Squid 2.5STABLE3 and Samba 2.2.8a. Squid was recompiled with all the winbind helpers, and Samba was recompiled with challenge-auth.
Initially we tried to use transparent proxying AND NTLM auth, as all indications were that this should work. In practice it does not - it seems there are bugs in squid which prevent this.
After installation of all packages and config files, samba must be joined to the domain with the command "smbpasswd -j DOMAIN -r PDC -U Administrator" - this will prompt you for the admin password.
At every boot, samba and winbind must be started, and winbind must auth to the domain with the command: "winbind -A DOMAIN\\Administrator%password".
Config files:
Squid (squid.conf):

hierarchy_stoplist cgi-bin ?
auth_param ntlm program /usr/lib/squid/wb_ntlmauth -d
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param basic program /usr/lib/squid/wb_auth -d
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
acl allsites dst 0/0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 192.168.99.0/255.255.255.0
acl allowedsites dstdomain "/etc/squid-allowedsites"
external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group -c
acl FullUsers external NT_global_group "/etc/squid-fullusers"
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
#acl purge method PURGE
#acl CONNECT method CONNECT
#http_access allow manager localhost
#http_access deny manager
#http_access allow purge localhost
#http_access deny purge
#http_access deny CONNECT !SSL_ports
#http_access allow localhost
#http_access allow localnet
http_access allow allowedsites
http_access allow FullUsers
http_access deny all
icp_access allow all
visible_hostname firewall.example.co.nz

/etc/squid-allowedsites:

.foo.bar
.foo.bar.baz

/etc/squid-fullusers:

Internet

(These are checked against groups only)

Samba (smb.conf):

#======================= Global Settings =======================
[global]
workgroup = EXAMPLE
password server = ADSNAME
security = domain
encrypt passwords = true
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
#winbind separator = +
winbind use default domain = yes
winbind cache time = 3
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
wins server = 10.7.0.114
wins proxy = yes
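The following is an added example, not code from this page or from Squid or Samba, that models what the squid.conf above actually grants. It does two things: it implements the line protocol Squid 2.5 uses to drive an external_acl helper such as wb_group (Squid writes "<login> <group> ..." per lookup and reads back OK or ERR), with a constructed in-memory group table standing in for winbind; and it evaluates the three http_access lines in order, first match wins, for a few constructed users and destinations. The users alice and bob, their group memberships, and the assumption that "wb_group -c" means case-insensitive group comparison are all assumptions made for the example.

```python
# Added example (not code from the page or from Squid/Samba): a model of the
# page's Squid access policy, in two parts.
#  1. An external_acl helper speaking the line protocol Squid 2.5 uses for
#     "external_acl_type NT_global_group %LOGIN ...": Squid writes one line per
#     lookup, "<login> <group> [<group> ...]", and reads back "OK" or "ERR".
#     wb_group answers from winbind; here a constructed group table stands in.
#  2. First-match evaluation of the page's three http_access lines, to check
#     what the configuration actually grants to whom.
import io
import sys

# Constructed stand-in for domain group membership (assumption, not real data).
GROUP_TABLE = {
    "alice": {"Domain Users", "Internet"},
    "bob": {"Domain Users"},
}

# Contents of the two files the page's squid.conf references.
ALLOWED_SITES = [".foo.bar", ".foo.bar.baz"]   # /etc/squid-allowedsites
FULL_GROUPS = ["Internet"]                     # /etc/squid-fullusers


def check_group(line, table=GROUP_TABLE):
    """One helper lookup: '<login> <group>...' -> 'OK' if the user is in any
    of the named groups, else 'ERR'.  Group names compare case-insensitively,
    which is what the page's 'wb_group -c' flag is assumed to request."""
    parts = line.split()
    if len(parts) < 2:
        return "ERR"                      # malformed request: fail closed
    login, groups = parts[0], parts[1:]
    member = {g.lower() for g in table.get(login, ())}
    return "OK" if any(g.lower() in member for g in groups) else "ERR"


def helper_loop(stdin, stdout):
    """Serve lookups the way Squid drives a helper: one request per line,
    one reply per line, flushed immediately."""
    for line in stdin:
        if not line.strip():
            continue
        stdout.write(check_group(line) + "\n")
        stdout.flush()


def run_helper(requests):
    """Feed a batch of request lines through helper_loop, return the replies."""
    out = io.StringIO()
    helper_loop(io.StringIO(requests), out)
    return out.getvalue()


def dstdomain_match(host, patterns):
    """Squid 'dstdomain' semantics: a leading dot matches the domain itself
    and every subdomain; without the dot the name must match exactly."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def decide(host, login):
    """Apply the page's rules in order, first match wins:
         http_access allow allowedsites
         http_access allow FullUsers
         http_access deny all
    Returns 'ALLOW', 'DENY' or 'AUTH_REQUIRED'.  The last case models Squid
    challenging (407) when an ACL that uses %LOGIN is evaluated for a request
    that carries no credentials."""
    if dstdomain_match(host, ALLOWED_SITES):
        return "ALLOW"                    # matched before any authentication
    if login is None:
        return "AUTH_REQUIRED"            # FullUsers needs %LOGIN -> challenge
    if check_group(login + " " + " ".join(FULL_GROUPS)) == "OK":
        return "ALLOW"
    return "DENY"                         # fell through to 'deny all'


def demo():
    """Table of outcomes for the constructed users and a few destinations."""
    rows = []
    for host in ("www.foo.bar", "www.example.com"):
        for login in (None, "alice", "bob"):
            rows.append((host, login or "(unauthenticated)", decide(host, login)))
    return rows


if __name__ == "__main__":
    if "--helper" in sys.argv:
        helper_loop(sys.stdin, sys.stdout)   # act as the external_acl helper
    else:
        for host, who, verdict in demo():
            print(f"{host:18} {who:18} {verdict}")
```

Run without arguments it prints the decision table; run with --helper it reads lookups from stdin and answers OK/ERR the way Squid expects from wb_group. The table makes one property of the rule order visible: "http_access allow allowedsites" is evaluated before any rule that references a login, so the sites in /etc/squid-allowedsites are reachable by any client that can talk to the proxy, whether or not it is a domain user; only destinations outside that list trigger the NTLM (or basic) challenge and the Internet-group check. If the allowed sites are meant to be limited to authenticated domain users, Squid's usual way to express that is an extra "acl AuthUsers proxy_auth REQUIRED" combined on the same line, "http_access allow allowedsites AuthUsers".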