Rodolphe A.
2006-Jun-26 07:33 UTC
[Samba] samba 3.0.20 + squid 2.5 : automatic logon with internet explorer
hello,

Samba is set up as PDC with LDAP.

client: Windows XP Pro SP2
server: samba 3.0.20 + openldap 2.2 + squid 2.5stable14 + squidGuard

Is it possible to create an automatic logon with Internet Explorer? Perhaps with ntlm_auth, but I can't find the right sentence.

thanks.
Robert Schetterer
2006-Jun-26 08:56 UTC
[Samba] samba 3.0.20 + squid 2.5 : automatic logon with internet explorer
Rodolphe A. wrote:
> hello,
>
> samba is set up as PDC with LDAP
>
> client: Windows XP Pro SP2
> server: samba 3.0.20 + openldap 2.2 + squid 2.5stable14 + squidGuard
>
> is it possible to create an automatic logon with Internet Explorer?
>
> perhaps with ntlm_auth, but I can't find the right sentence.
>
> thanks.

Hi,
I did exactly this and it has now worked perfectly for nearly a year. But you have many choices for realizing this. The setup which includes all possible features with an smb PDC (with LDAP) is like this.

If you use Firefox or IE with the automatic proxy search setting, the browser looks for files like proxy.dat, proxy.pac or wpad.dat on a webserver on the gateway of the local network; these files hold the data telling the browser where it will find the proxy. Additionally you have to have entries in your internal DNS like

wpad.tcp SRV 0 0 80 wpad
wpad A 192.168.110.1
TXT "service: wpad:!http://intranet.gundk.intern:80/proxy.pac"

and on the internal DHCP server like this:

option wpad code 252 = text;
option wpad "http://192.168.110.1/proxy.pac\n";

You can find FAQs and documentation about this on the squid site. I have implemented different groups in the win domain like wwwuser, which can join the internet via proxy, and a group filteroveride to join the www directly without using squidGuard (for admins etc.). So you can manage the groups from usrmgr.
So I have entries like this in squid.conf:

# user groups which are allowed to access the internet in general
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-3001
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-5-21-3962140368-478742891-1658383817-3001
auth_param basic children 5
# auth_param ntlm use_ntlm_negotiate on
# auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 15 minutes
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl user proxy_auth REQUIRED
http_access allow user
# PAM auth against a system group works here too (nss_ldap); we use it to override the redirector for VIPs
external_acl_type unix_group %LOGIN /usr/sbin/squid_unix_group -g wwwdirect
acl direct external unix_group wwwdirect
redirector_access deny direct
always_direct allow direct
http_access allow direct

As you see I used the SID of the NT groups, because their names didn't work. To override squidGuard I use a system group which is the same as an NT group, because there is mapping via nss_ldap (other setups may be better but this works). Then I configured winbind to use the local smb PDC (just join your own domain)... I'm not sure why I did this but I think it was a must with squid; squid must run as a user that is able to access the winbind socket (see the squid and samba documentation). After all you need a few iptables rules to forbid bypassing the proxy. Note you can't use squid auth with a transparent proxy squid setup! But if you don't need auth and the group stuff, a setup with a squid transparent proxy and iptables is much easier for implementing automatic filtering (see the squid FAQs for how to do this); if you do so you can only manage things by the source IP of the client computer, but not by user name or group auth.
(Don't copy and paste this, read the FAQs.)

Best Regards
--
With kind regards
Best Regards
Robert Schetterer
robert_at_schetterer_dot_org
Munich / Bavaria / Germany
https://www.schetterer.org
https://www.schetterer.com/public-gpg-robert-schetterer.key
--
This message has been checked for viruses and other dangerous content and is clean, assuming up-to-date virus scanners.
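A proxy.pac of the kind the WPAD DNS and DHCP records above point the browser at, added here as an example and not Robert's own file: LAN and intranet hosts go direct, everything else is forced through the authenticating Squid. The Squid port 3128, the 192.168.110.0/24 netmask and the gundk.intern search domain are assumptions; the PAC helper functions are re-implemented so the file runs stand-alone outside a browser.

```javascript
// Added example proxy.pac for the WPAD setup above (not Robert's own file).
// Assumed: Squid on 192.168.110.1:3128, internal domain gundk.intern,
// LAN 192.168.110.0/24. A browser supplies the PAC helpers itself; the
// stand-ins below let the file run outside a browser (isInNet here only
// matches dotted-quad hosts and does no DNS lookup).
function isPlainHostName(host) { return host.indexOf(".") === -1; }

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Dotted quad -> 32-bit integer, or null if it is not a valid IPv4 literal.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

function isInNet(host, pattern, mask) {
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return (h & m) === (p & m);
}

var SQUID = "PROXY 192.168.110.1:3128";

function FindProxyForURL(url, host) {
  // Bare hostnames, the intranet domain and the LAN itself are reached
  // directly, so the wpad/proxy.pac fetch never loops through the proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".gundk.intern") ||
      isInNet(host, "192.168.110.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // Deliberately no "; DIRECT" fallback: a proxy outage must not let the
  // browser bypass authentication and squidGuard (the iptables rules
  // mentioned above block that path as well).
  return SQUID;
}
```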