Re: [squid-users] Need help in integrating squid and samba

From: Avinash Rao <avinash.aol_at_gmail.com>
Date: Wed, 9 Sep 2009 12:02:33 +0530

On Tue, Sep 8, 2009 at 2:49 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>
> Avinash Rao wrote:
>>
>> On Tue, Sep 8, 2009 at 12:19 PM, Amos Jeffries<squid3_at_treenet.co.nz> wrote:
>>>
>>> Avinash Rao wrote:
>>>>
>>>> On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries<squid3_at_treenet.co.nz>
>>>> wrote:
>>>>>
>>>>> Avinash Rao wrote:
>>>>>>
>>>>>> ---------- Forwarded message ----------
>>>>>> From: Avinash Rao <avinash.aol_at_gmail.com>
>>>>>> Date: Tue, Sep 8, 2009 at 11:13 AM
>>>>>> Subject: Re: Fwd: [squid-users] Need help in integrating squid and samba
>>>>>> To: Amos Jeffries <squid3_at_treenet.co.nz>
>>>>>> Cc: Henrik Nordstrom <henrik_at_henriknordstrom.net>,
>>>>>> squid-users_at_squid-cache.org
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries <squid3_at_treenet.co.nz>
>>>>>> wrote:
>>>>>>>
>>>>>>> Avinash Rao wrote:
>>>>>>>>
>>>>>>>> On 8/31/09, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>>>>>>>
>>>>>>>>> Avinash Rao wrote:
>>>>>>>>>
>>>>>>>>>> On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom
>>>>>>>>>
>>>>>>>>> <henrik_at_henriknordstrom.net
>>>>>>>>> <mailto:henrik_at_henriknordstrom.net>> wrote:
>>>>>>>>>>
>>>>>>>>>>  Sun 2009-08-23 at 15:08 +0530 Avinash Rao wrote:
>>>>>>>>>>  > I couldn't find any document that shows me how to enable wb_info for squid.
>>>>>>>>>>  > Can anybody help me?
>>>>>>>>>>
>>>>>>>>>>  external_acl_type NT_Group %LOGIN
>>>>>>>>>>  /usr/local/squid/libexec/wbinfo_group.pl
>>>>>>>>>>
>>>>>>>>>>  acl group1 external NT_Group group1
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>  then use group1 whenever you want to match users belonging to that
>>>>>>>>>>  Windows group.
>>>>>>>>>>
>>>>>>>>>>  Regards
>>>>>>>>>>  Henrik
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hi Henrik,
>>>>>>>>>>
>>>>>>>>>> I have used the following in my squid.conf
>>>>>>>>>>
>>>>>>>>>> external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
>>>>>>>>>> acl group1 external NT_Group staff
>>>>>>>>>>
>>>>>>>>>> acl net time M T W T F S S 9:00-18:00
>>>>>>>>>> http_access allow net
>>>>>>>>>>
>>>>>>>>>> On my Linux server, I have created a group called staff and made a
>>>>>>>>>> couple of users members of this group. My intention is to provide
>>>>>>>>>> access to users belonging to group staff on all days from 9am to 7PM.
>>>>>>>>>> The rest should be denied.
>>>>>>>>>>
>>>>>>>>>> But this didn't work; when the Samba users log in from a WinXP client,
>>>>>>>>>> they don't get access to the internet at all.
>>>>>>>>>
>>>>>>>>> There is no http_access line making any use of ACL "group1".
>>>>>>>>>
>>>>>>>>> And _everybody_ (me included on this side of the Internet) is allowed
>>>>>>>>> to use your proxy between 9am and 6pm.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Amos
>>>>>>>>
>>>>>>>> Thanks for the reply. Yes, I missed http_access allow group1.
>>>>>>>> I didn't understand your second statement; are you telling me that I
>>>>>>>> should deny access to net?
>>>>>>>
>>>>>>> You should combine the ACL with others on an http_access line so that
>>>>>>> it is limited to who it allows.
>>>>>>>
>>>>>>> This:
>>>>>>>  acl net time M T W T F S S 9:00-18:00
>>>>>>>  http_access allow net
>>>>>>>
>>>>>>> simply says "all requests are allowed between time X and Y".
>>>>>>> Without additional controls, e.g. on the IP address making the request, you
>>>>>>> end up with an open proxy.
>>>>>>>
>>>>>>> Amos
>>>>>>
>>>>>> Dear Amos,
>>>>>>
>>>>>> I am still not able to get this working. Here's what I want to
>>>>>> accomplish. I have WinXP SP2 clients logging onto the Samba domain
>>>>>> and LTSP users. All users use the squid proxy. My intention is to control
>>>>>> the Samba users' access to the internet at certain times.
>>>>>>
>>>>>> If I don't use the external_acl_type NT_Group as mentioned below, squid
>>>>>> works properly for all users, even Windows and anybody using the squid proxy.
>>>>>>
>>>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>>>> acl group1 external NT_Group group1
>>>>>> I have created a group called staff using the net rpc command and I have
>>>>>> made all the users using WinXP members of this group. So my ACL will look like
>>>>>>
>>>>>> external_acl_type NT_Group %LOGIN
>>>>>> /usr/local/squid/libexec/wbinfo_group.pl
>>>>>> acl acl_name external NT_Group staff
>>>>>> http_access allow staff
>>>>>>
>>>>>> According to my understanding, it should allow only those Samba users
>>>>>> which come under the group staff. But that's not happening; squid
>>>>>> denies access to the internet.
>>>>>
>>>>> _When tested_ it should be doing that. Other rules around it have an
>>>>> effect that you may have overlooked.
>>>>>
>>>>> Then again the group name is case-sensitive. The helper is OS access
>>>>> permission sensitive, and NTLM auth has difficulties all of its own.
>>>>>
>>>>>
>>>>> I'll need to see the whole access config to know what's going on. And
>>>>> remind me what version of Squid this is.
>>>>>
>>>>>
>>>>> Amos
>>>>
>>>> hi,
>>>>
>>>>
>>>> root_at_sunbox:/etc/squid# dpkg -l | grep squid
>>>> ii  squid                                 2.6.18-1ubuntu3
>>>>                       Internet object cache (WWW proxy cache)
>>>> ii  squid-common                          2.6.18-1ubuntu3
>>>>                       Internet object cache (WWW proxy cache) - co
>>>>
>>>> squid.conf
>>>>
>>>> visible_hostname sunbox
>>>> hierarchy_stoplist cgi-bin ?
>>>> acl QUERY urlpath_regex cgi-bin \?
>>>> no_cache deny QUERY
>>>
>>> use:  cache deny QUERY
>>>
>>>> hosts_file /etc/hosts
>>>> http_port 10.10.10.200:3128
>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>> refresh_pattern . 0 20% 4320
>>>>
>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>> acl staffgroup external NT_Group staff
>>>>
>>>> acl all src 0.0.0.0/0.0.0.0
>>>> acl manager proto cache_object
>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>> acl to_localhost dst 127.0.0.0/8
>>>> acl SSL_ports port 443 563
>>>> acl Safe_ports port 80                # http
>>>> acl Safe_ports port 21                # ftp
>>>> acl Safe_ports port 443 563           # https, snews
>>>> acl Safe_ports port 70                # gopher
>>>> acl Safe_ports port 210               # wais
>>>> acl Safe_ports port 1025-65535        # unregistered ports
>>>> acl Safe_ports port 280               # http-mgmt
>>>> acl Safe_ports port 488               # gss-http
>>>> acl Safe_ports port 591               # filemaker
>>>> acl Safe_ports port 631               # cups
>>>> acl Safe_ports port 777               # multiling http
>>>> acl Safe_ports port 901               # SWAT
>>>> acl Safe_ports port 993               # IMAP
>>>> acl Safe_ports port 587               # SMTP
>>>> acl Safe_ports port 22                # SSH
>>>> acl purge method PURGE
>>>> acl special_urls url_regex "/etc/squid/squid-noblock.acl"
>>>> acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
>>>
>>> File extensions?
>>>  --> use urlpath_regex -i \.(mp3|exe|zip)(\?.*)?$
>>>
>>>
>>>> acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
>>>> acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
>>>
>>> So "prexel.com" is a bad URL?
>>>
>>> Be VERY careful with regex matching. Avoid where possible.
>>>
>>> The mp3/mp4/exe bits can be moved to the bad extension list.
>>>
>>> The youtube and orkut stuff should be a dstdomain ACL type with a wildcard
>>> list of their domains:  dstdomain .youtube.com .yimg.com
>>>
>>> (I'm not sure what the full range of orkut domains are).
>>>
>>>> acl lan src 192.168.1.0 10.10.10.0/24
>>>> acl stud ident_regex babu
>>>> acl download method GET
>>>> acl CONNECT method CONNECT
>>>> cache_mem 100 MB
>>>> #redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>>>> ident_lookup_access allow all
>>>> http_access allow staffgroup
>>>
>>> For testing I hope. Okay, so staffgroup should have unlimited proxy access
>>> from anywhere in the world, if they happen to send their login information
>>> to random machines (including Squid) without being asked to.
>>>
>>> I think you need to try:
>>>
>>>  acl authUsers proxy_auth REQUIRED
>>>  http_access deny !authUsers
>>>  http_access allow staffgroup
>>>
>>> You also need a set of auth_param settings to actually retrieve the login
>>> details. wbinfo does not work without them.
>>>
>>>
>>> Also, check the default user your Squid runs under is properly a member of
>>> the winbind group in the OS security settings.
>>> wbinfo requires access to the winbind data which gets dynamically created,
>>> so hacking around with chown does not work.
>>>
>>>> http_access allow manager localhost
>>>> http_access deny manager
>>>> http_access allow purge localhost
>>>> http_access allow special_urls
>>>> http_access deny extndeny download
>>>
>>> The above line merely doubles the server CPU load from the extndeny regex
>>> test.
>>>
>>> The one below does the same thing for non-"download" stuff.
>>>
>>>> http_access deny extndeny
>>>> http_access deny purge
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>
>>> Well, the two lines above really should be the first two http_access lines
>>> in the config. They catch a huge amount of bad requests in a very efficient
>>> way.
>>>
>>>> http_access deny badurl
>>>> http_access deny malware_block_list
>>>> deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
>>>> http_access allow localhost
>>>> http_access allow lan
>>>> http_access deny all
>>>> http_reply_access allow all
>>>> icp_access allow all
>>>> coredump_dir /var/spool/squid
>>>>
>>>>
>>>> Thanks
>>>> Avinash
>>>
>>> Amos
>>> --
>>> Please be using
>>>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>>>  Current Beta Squid 3.1.0.13
>>>
>>
>>
>>
>> Thanks again, i will go through this and let you know the results.
>>
>> Regards,
>> Avinash
>
> After all that I forgot to say how to link the staffgroup and net ACLs.
>
> Not difficult though:
>  acl net time 9:00-18:00
>  http_access allow net staffgroup
>
> (assuming you did want the access limited 7 days a week)
> If only specific days are wanted, note that the day codes are made into a single word, SMTWHFA etc. (no spaces),
>  and also that H = Thursday and A = Saturday.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>  Current Beta Squid 3.1.0.13

Amos,

Below is my updated squid.conf.
All the options are working except matching the NT or Unix groups.

I made the following changes just to check if it's working.

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl staffgroup external NT_Group staff
acl student time 9:00-11:00

http_access deny !AuthUsers
http_access allow staffgroup
http_access allow student staffgroup

Here's what is happening. All the other options are working except the above.
I logged in to the Samba domain from a WinXP client at 11:30 AM, but
the client was still able to access the internet.

To check the authentication, I logged in locally, opened the browser,
received an authentication dialog box, entered a domain user ID and
password, and could access the internet. So it's an indication that
authentication is working. But I guess the time specified is not
working.

I am wondering if it's really checking the NT group? I also tried using
the squid_unix_group option, but the result was the same.

Is it something to do with NT group mapping? Below is my group list

root_at_human:/usr/lib/squid# net rpc group list
staff
Administrators
Users
root_at_human:/usr/lib/squid# net groupmap list
Administrators (S-1-5-32-544) -> BUILTIN\administrators
staff (S-1-5-21-502514653-2556358561-3090783776-1004) -> staff
Users (S-1-5-32-545) -> BUILTIN\users

I also tried using the group "users" in the external_acl, but the
result was the same.
Before I did all this, I used the "users" group in the external_acl in
squid.conf and checked the connection even before I made users a
member of the "users" group; the behavior was the same, so I think
squid is not scanning the group.

squid.conf

visible_hostname human
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
hosts_file /etc/hosts
http_port 10.10.10.10:3128
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl abc urlpath_regex -i \.(mp3|exe|mp4|mov|sex)(\?.*)?$
acl videos dstdomain .youtube.com .yimg.com .orkut.com .sex.com .teen.com .adult.com

external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl staffgroup external NT_Group staff
acl student time 9:00-11:00

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

acl AuthUsers proxy_auth REQUIRED

#acl sambausers src 10.10.10.0/24
#acl WORKING time 09:00-18:00
#acl AuthorizedUsers proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl Safe_ports port 993 # IMAP
acl Safe_ports port 587 # SMTP
acl Safe_ports port 22 # SSH
acl purge method PURGE
acl badurl url_regex -i teen
acl lan src 192.168.1.0 10.10.10.0/24
#acl nettime time M T W H F S 18:00-20:00
acl stud ident_regex babu
acl download method GET
acl CONNECT method CONNECT
cache_mem 100 MB

acl extndeny url_regex -i "/etc/squid/blocks.files.acl"

ident_lookup_access allow all

http_access deny extndeny
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#http_access allow friends WORKING
#http_access deny friends
http_access deny abc
http_access deny videos

http_access deny !AuthUsers
http_access allow staffgroup
http_access allow student staffgroup

#http_access allow sambausers WORKING
#http_access deny sambausers
#http_access allow all AuthorizedUsers

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
#http_access allow special_urls
#http_access deny extndeny download
http_access deny badurl
#http_access deny malware_block_list
#deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
Received on Wed Sep 09 2009 - 06:32:41 MDT
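The thread turns on two things Amos explains but nobody in it works through: Squid's http_access is first-match (every ACL on a line must match, a leading `!` negates, the first fully matching line decides, and when nothing matches the result is the opposite of the last line), and the `time` ACL uses one letter per day with H for Thursday and A for Saturday. The following is an added example, not code from the thread or from Squid: a small Python model of that evaluation, run against the authentication-related lines of the posted squid.conf in their posted order and against a reordering in which the time window actually limits staff. The winbind lookup that wbinfo_group.pl would do is replaced by a static GROUPS table, the client addresses, users and times are constructed, and the reordered rule list is an assumption about what the poster wanted, not something the thread settles.

```python
"""Added example, not code from the squid-users thread or from Squid itself.

Models Squid's http_access evaluation (first fully matching line wins, '!'
negates, no match -> opposite of the last line) and the 'time' ACL syntax
(day letters S M T W H F A, optionally run together, then h1:m1-h2:m2).
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Squid day letters -> datetime.weekday() (Monday=0 ... Sunday=6).
DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}


def parse_time_acl(spec):
    """Parse the arguments of 'acl NAME time [days] [h1:m1-h2:m2]'.

    Returns (set of weekday numbers, (start_minute, stop_minute) or None).
    """
    days, window = set(), None
    for tok in spec.split():
        if tok[0].isdigit():
            start, stop = tok.split("-")
            h1, m1 = map(int, start.split(":"))
            h2, m2 = map(int, stop.split(":"))
            if (h1, m1) >= (h2, m2):
                raise ValueError("Squid requires h1:m1 to be earlier than h2:m2")
            window = (h1 * 60 + m1, h2 * 60 + m2)
        else:
            # One letter per day: "M T W T F S S" covers only five distinct days,
            # because T is always Tuesday and S is always Sunday.
            for ch in tok.upper():
                if ch not in DAY_CODES:
                    raise ValueError(f"unknown day code {ch!r}; use S M T W H F A")
                days.add(DAY_CODES[ch])
    return (days or set(range(7))), window


def time_matches(parsed, when):
    days, window = parsed
    if when.weekday() not in days:
        return False
    if window is None:
        return True
    minute = when.hour * 60 + when.minute
    return window[0] <= minute <= window[1]  # modelled as inclusive at both ends


@dataclass
class Request:
    src: str             # client address
    user: Optional[str]  # login sent with the request; None = no credentials
    when: datetime


def request(src, user, when="2009-09-09 11:30"):
    """Constructed request; the default is the Wednesday 11:30 test from the report."""
    return Request(src, user, datetime.strptime(when, "%Y-%m-%d %H:%M"))


# Stand-in for winbind group membership (constructed, not real data).
GROUPS = {"alice": {"staff", "users"}, "bob": {"users"}}
# A bare address such as 192.168.1.0 is a single host (/32), not a subnet.
LAN = [ip_network(n, strict=False) for n in ("192.168.1.0", "10.10.10.0/24")]
STUDENT = parse_time_acl("9:00-11:00")

ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: r.src == "127.0.0.1",
    "lan": lambda r: any(ip_address(r.src) in net for net in LAN),
    "AuthUsers": lambda r: r.user is not None,
    "staffgroup": lambda r: r.user is not None and "staff" in GROUPS.get(r.user, set()),
    "student": lambda r: time_matches(STUDENT, r.when),
}

# Authentication-related http_access lines from the posted squid.conf, in order.
POSTED = [
    ("deny", ["!AuthUsers"]),
    ("allow", ["staffgroup"]),            # staff allowed at any hour; 'student' never reached
    ("allow", ["student", "staffgroup"]),
    ("allow", ["localhost"]),
    ("allow", ["lan"]),                   # any LAN client that passed the auth check
    ("deny", ["all"]),
]

# Reordering in which the window really limits staff (assumed intent; it
# deliberately drops the unconditional allows).
TIME_LIMITED = [
    ("deny", ["!AuthUsers"]),
    ("allow", ["student", "staffgroup"]),
    ("deny", ["all"]),
]


def http_access(rules, req, acls=ACLS):
    """Return (action, line_no) of the first matching line; line_no 0 = Squid default."""
    for n, (action, names) in enumerate(rules, 1):
        if all(acls[x.lstrip("!")](req) != x.startswith("!") for x in names):
            return action, n
    return ("deny" if rules[-1][0] == "allow" else "allow"), 0


if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("time-limited", TIME_LIMITED)):
        for who in ("alice", "bob", None):
            print(label, who, http_access(rules, request("10.10.10.50", who)))
```

Running it shows the posted order admitting the staff user at 11:30 on line 2 (the unconditional `allow staffgroup`) and a non-staff LAN user on line 5 (`allow lan`), so the time ACL is never the deciding line for anyone on the LAN; only the reordered list denies staff outside 9:00-11:00. The parser also reproduces the day-code point: `M T W T F S S` yields five weekdays without Thursday or Saturday.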
