Before you move back to ISA, I think I can help. I was able to get it
to work by ensuring that the machine object in AD is pre-Windows 2000
compatible, and also by disabling SMB signing at the DC (you have to do
that using the security templates). It occurred to me as I was reading
this that it may be possible to define some rules in your IPSec policy
that disable signing only for communication with the squid machines. I
haven't tried that, so I don't know if it would work (I am not even sure
it has that functionality), but it may be worth a try.
> -----Original Message-----
> From: narancs [mailto:narancs@narancs.tii.matav.hu]
> Sent: Wednesday, September 08, 2004 1:21 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] integrating squid/linux with windows
> 2003 domain controller and active directory
> Importance: High
>
>
> Dear All,
>
> We have this situation:
>
> 1. internet proxy for a company is a SUSE 9.0 Linux dist with
>    squid-2.5.STABLE3-110
> 2. proxy authentication is required
> 3. usernames/passwords should be taken from the company's
>    Windows Active Directory
> 4. there are three groups of users; three different ACLs are required:
>    - average joe user can only view some sites based on a list
>    - leaders can view anything, but only http and https
>    - sysadmins can ftp, too
> 5. group membership should also be taken from Windows
> 6. pre-Windows 2000 protocols are not enabled because of
>    security policy and requirements; maybe this is the reason
>    why msnt_auth doesn't seem to work. On a DC that enables
>    NT4's protocols, msnt_auth works.
> 7. both ldap_auth authenticators I couldn't get working, although
>    I have seen the LDAP tree scheme; maybe I was wrong in understanding it.
>
> My question is:
> - does anybody have experience and tips how to get this working?
> - will ntlm_auth or msnt_auth work at all with w2k or newer
> when nt4's older ntlm and lanman is disabled?
> - can ldap_auth work with active directory?
Haven't tried it, but interesting question . . .
> - can we use group membership info somehow?
Yes, I have been able to get it to work using Samba and Winbind. I seem
to remember having to replace the wb_ files from Samba to Squid though,
one in particular was wb_group if I remember correctly. It has been a
while, so I am trying to remember.
> - is there any way to create a local (open)ldap replica based
> on the AD?
I don't have an answer to that one, although if it is possible, it could
allow for a range of other possibilities as well.
> - should we use pam_auth and pam_ldap instead? or kerberos?
I didn't need to go that far with it.
>
> I couldn't find good examples on Google yet, to help us get it right.
>
> If my colleagues and I can't cope with it, we'll have to move
> back to MS ISA proxy, which personally I don't really like.
>
> thank you very much for your help people!
> with regards
> N.N.
Also, keep in mind I used Samba 2.x and Winbindd. That worked for me,
and I haven't tested out Samba 3 yet, although I hear it is a drastic
improvement. The thing about all of this is that it doesn't "just
work." You kinda have to tinker with it. The wb_ files that come with
Squid (correct me if I am wrong, someone) don't always play nice with
whatever current version of Samba you are running, so you either need to
get versions that match up, or you have to replace out the files. Maybe
someone on the list has more details than I do about that?
Thanks,
Mark
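A squid.conf fragment for the setup discussed in this thread (Squid 2.5 authenticating against AD through the Samba winbind helpers, with three AD groups driving the three access levels from the original question), added here as an illustration; it is not from the thread or the Squid project, and the helper paths, the group names "leaders" and "sysadmins", and the allowed-sites file are assumptions.

```conf
# Squid 2.5 + Samba winbind: NTLM/basic auth against AD, group-based ACLs.
# Assumed paths: Squid installed under /usr/local/squid, winbindd running
# and joined to the domain. The wb_* helpers ship with the Squid 2.5 source
# and must match the running Samba version (see the thread above).
# With Samba 3 the equivalents are "ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
# (auth) and "wbinfo_group.pl" (group lookup).

auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

# Basic fallback for non-NTLM browsers (credentials cross the wire in clear).
auth_param basic program /usr/local/squid/libexec/wb_auth
auth_param basic children 5
auth_param basic realm Company proxy
auth_param basic credentialsttl 2 hours

# Group lookup: %LOGIN is the authenticated AD user; the helper answers
# OK/ERR for membership in the group named in the acl line.
external_acl_type NT_group %LOGIN /usr/local/squid/libexec/wb_group

acl AuthRequired proxy_auth REQUIRED
acl Sysadmins external NT_group sysadmins
acl Leaders   external NT_group leaders
# Assumed file: one domain per line, e.g. ".example.com"
acl AllowedSites dstdomain "/etc/squid/allowed_sites.txt"

acl FTP proto FTP
acl CONNECT method CONNECT
acl SSL_ports port 443
acl Safe_ports port 80 443 21

# Authenticate first; "deny !AuthRequired" issues the 407 challenge.
http_access deny !AuthRequired
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# sysadmins: anything, including ftp
http_access allow Sysadmins
# everyone below this line is limited to http/https
http_access deny FTP
# leaders: any site
http_access allow Leaders
# average user: only the listed sites
http_access allow AllowedSites
http_access deny all
```

Order matters: the external group ACLs only see a %LOGIN after the proxy_auth check has succeeded, so the authentication deny line must precede them.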
Received on Wed Sep 08 2004 - 08:57:17 MDT
This archive was generated by hypermail pre-2.1.9 : Fri Oct 01 2004 - 12:00:02 MDT