Hi,

We are running Squid version: 2.5.STABLE13 and Samba version: Version 3.0.21b

We have it set up to use NTLM to check that the user belongs to a group within the domain. The need has arisen to be able to support multiple groups. Is this possible?

Our squid.conf section:
auth_param ntlm program /ntlm_auth.sh ntlmssp
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm children 20
auth_param ntlm use_ntlm_negotiate on
auth_param basic program /ntlm_auth.sh basic
auth_param basic children 20
auth_param basic realm SERVER.DOMAIN.CO.ZA Cache NTLM Authentication
auth_param basic credentialsttl 2 hours

Our smb.conf:
[global]
winbind separator = +
winbind cache time = 10
workgroup=DOMAIN
security=ads
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
realm=SERVER.DOMAIN.CO.ZA
client ntlmv2 auth=yes

Our ntlm auth line ($W will be either basic or ntlmssp per the squid config file):
/usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-$W --require-membership-of='DOMAIN+webusers'

Now, I have a second group DOMAIN+managers that also needs to be allowed out and AD won't change it to have the same security group.

Thanks,
Ian

Felipe Augusto van de Wiel
2006-Sep-18 13:34 UTC
[Samba] Multiple Group checking using ntlm_auth
On 09/12/2006 03:38 AM, Ian Barnes wrote:
> Hi,
> We are running Squid version: 2.5.STABLE13 and Samba version: Version
> 3.0.21b
>
> We have it set up to use NTLM to check that the user belongs to a group
> within the domain. The need has arisen to be able to support multiple
> groups. Is this possible?

Ok, I don't have a NTLM auth working but I have an idea. :)

> Our squid.conf section:
> auth_param ntlm program /ntlm_auth.sh ntlmssp
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm children 20
> auth_param ntlm use_ntlm_negotiate on
> auth_param basic program /ntlm_auth.sh basic
> auth_param basic children 20
> auth_param basic realm SERVER.DOMAIN.CO.ZA Cache NTLM Authentication
> auth_param basic credentialsttl 2 hours
>
> Our smb.conf:
> [global]
> winbind separator = +
> winbind cache time = 10
> workgroup=DOMAIN
> security=ads
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind use default domain = yes
> realm=SERVER.DOMAIN.CO.ZA
> client ntlmv2 auth=yes
>
> Our ntlm auth line ($W will be either basic or ntlmssp per the squid config
> file):
> /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-$W --require-membership-of='DOMAIN+webusers'

Is this a script? Can you pass a parameter to it? You could easily pass the 'require-membership-of' as a parameter of your script.

> Now, I have a second group DOMAIN+managers that also needs to be allowed out
> and AD won't change it to have the same security group.
>
> Thanks,
> Ian

Kind regards,

--
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)
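
A different route from the one suggested in the thread, added here as an example that is not from either poster or from the Squid or Samba projects: leave ntlm_auth to authenticate and let a Squid external ACL helper decide whether the user is in any of several groups, failing closed when a lookup fails. The helper path, the ACL names and the --serve switch are hypothetical, and the login name Squid passes is assumed to be one that wbinfo accepts unchanged.

```shell
#!/bin/sh
# Added example: Squid external ACL helper, "is the user in ANY listed group?"
# Assumed squid.conf wiring (helper path and ACL names are hypothetical):
#   external_acl_type nt_group %LOGIN /usr/local/bin/any_group.sh --serve
#   acl allowed_out external nt_group webusers managers
#   http_access allow allowed_out
#   http_access deny all

# GIDs of every group the user belongs to, one per line (via winbind).
user_gids() { wbinfo -r "$1" 2>/dev/null; }

# GID that winbind maps a group name to (name -> SID -> GID).
group_gid() {
    sid=$(wbinfo -n "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$sid" ] || return 1
    wbinfo -Y "$sid" 2>/dev/null
}

# check_line "user group1 group2 ..." prints OK on the first match, else ERR.
# Every lookup failure (unknown user, unknown group, winbind down) ends in ERR.
check_line() {
    set -f                      # split on whitespace without glob expansion
    set -- $1
    set +f
    [ $# -ge 2 ] || { echo ERR; return 0; }
    user=$1; shift
    gids=$(user_gids "$user") || { echo ERR; return 0; }
    for group in "$@"; do
        gid=$(group_gid "$group") || continue
        [ -n "$gid" ] || continue
        if printf '%s\n' "$gids" | grep -qx "$gid"; then
            echo OK; return 0
        fi
    done
    echo ERR
}

# Squid writes one request per line on stdin and reads one answer per line.
if [ "${1:-}" = "--serve" ]; then
    while IFS= read -r line; do check_line "$line"; done
fi
```

With the group decision moved into the ACL, the list of allowed groups lives in squid.conf and can grow without touching the authentication helper.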