#1 [PROBLEMA] Conectar un Proxy SQUID con autenticación 2000
Saludos A todos

Planteamiento del problema: el servidor Linux (Squid) comprueba el login que le envía el navegador del cliente y debe verificar si este pertenece a un grupo determinado en el servidor Windows 2000; en consecuencia le deja pasar o no.

La validación de los usuarios en el servidor Windows 2000 se realiza, pero la discriminación por la cual se verifica si el usuario pertenece a un grupo determinado en el servidor Windows 2000 no se realiza: permite la validación de los usuarios sin importar en qué grupo se encuentren.

Datos:

servidor Linux fedora 7
samba-3.0.28-0.fc7
squid-2.6.STABLE16-2.fc7

Archivo de configuración squid.conf:
# Listen only on the internal address (no wildcard bind).
http_port 192.168.25.160:3128

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB


cache_dir ufs /var/spool/squid 1000 16 256
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
client_netmask 255.255.255.255

###################
# NTLM (NTLMSSP) authentication through Samba's ntlm_auth.
# --require-membership-of='internet' is meant to make the helper itself
# reject users outside that group, independently of the external acl
# below. "-d 10" is ntlm_auth's debug level and at 10 the helper output
# is very verbose -- NOTE(review): confirm it is only kept for
# troubleshooting.
auth_param ntlm use_ntlm_negotiate on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='internet' -d 10
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
##################
# Basic fallback for clients that cannot do NTLM, with the same group
# requirement. Basic carries the password base64-encoded (recoverable) on
# every request, so this path is only acceptable on a trusted network.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='internet'
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 minutes
auth_param basic casesensitive off
##################
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

######################################
# Second membership check: for each request Squid hands the authenticated
# login (%LOGIN) to wbinfo_group.pl and asks whether it belongs to the
# group "internet". ttl=900 caches each verdict for 15 minutes, so removing
# a user from the group takes effect only once the cached entry expires.
external_acl_type wbinfo_group concurrency=5 ttl=900 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl GRUPOINTERNET external wbinfo_group internet
################################################## #####################

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# First match wins. GRUPOINTERNET needs %LOGIN, so Squid authenticates the
# client before it can evaluate this line; whatever the external acl does
# not approve falls through to the final deny.
http_access allow GRUPOINTERNET
http_access allow localhost
http_access deny all

# NOTE(review): replies and ICP are unrestricted while no cache_peer is
# configured in this file -- consider "icp_access deny all" if ICP is unused.
http_reply_access allow all
icp_access allow all
error_directory /usr/share/squid/errors/Spanish

Archivo de configuración de Samba smb.conf:

# Member of the EMPRESA domain; user validation is delegated to its domain
# controllers (security = domain).
workgroup = EMPRESA
security = domain
# Local uid/gid ranges winbind allocates for domain users and groups; the
# GIDs that wbinfo_group.pl compares presumably come from this range. They
# must not collide with local accounts -- TODO confirm against /etc/passwd.
winbind uid = 10000-19999
winbind gid = 10000-19999
idmap uid = 10000-19999
idmap gid = 10000-19999
# Names of the default domain are shown without the "EMPRESA" prefix, and
# when a domain is present it is separated by "/" (EMPRESA/user).
# NOTE(review): the login Squid forwards and the group name given to
# --require-membership-of must match this form; confirm what ntlm_auth and
# wbinfo actually receive.
winbind use default domain = yes
winbind separator = /
# Allow winbind to enumerate domain users and groups.
winbind enum users = yes
winbind enum groups = yes
netbios name = squid2



Archivo wbinfo_group.pl, para la validación del grupo en AD:

#!/usr/bin/perl -w
#
# external_acl helper to Squid to verify NT Domain group
# membership using wbinfo
#
# This program is put in the public domain by Jerry Murdock
# <jmurdock@itraktech.com>. It is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Author:
# Jerry Murdock <jmurdock@itraktech.com>
#
# Version history:
# 2005-12-26 Guido Serassio <guido.serassio@acmeconsulting.it>
# Add '-d' command line debugging option
#
# 2005-12-24 Guido Serassio <guido.serassio@acmeconsulting.it>
# Fix for wbinfo from Samba 3.0.21
#
# 2004-08-15 Henrik Nordstrom <hno@squid-cache.org>
# Helper protocol changed to URL escaped in Squid-3.0
#
# 2005-06-28 Arno Streuli <astreuli@gmail.com>
# Add multi group check
#
# 2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
# Initial release



#### propios

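# Per-request trace log (written from the main loop). FILE stays a bareword
# handle because the main loop prints to it; the mode is passed as its own
# argument so the path can never alter it, and $! is included so a failure
# is diagnosable.
# NOTE(review): every login name Squid passes in lands in this file, so keep
# its permissions as tight as those of the Squid logs.
open(FILE, '>', '/var/log/squid/w_groups.log')
    or die "Error creating w_groups.log: $!";

#
# Globals
#
# Command line options filled in by init(): d => debugging, h => help.
our %opt;

# Disable output buffering on STDOUT so Squid receives each answer at once.
$| = 1;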

# Trace line on STDERR, emitted only when -d was given. Arguments are
# joined with the list separator, exactly as "@_" would be.
sub debug {
    my $line = join($", @_) . "\n";
    if ($opt{d}) {
        return print STDERR $line;
    }
    return $opt{d};
}

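#
# Check if a user belongs to a group
#
# check($user, $group) returns 'OK' when winbind lists $user as a member of
# the domain group $group and 'ERR' otherwise. Every failure on the way
# (group name that does not resolve, SID with no GID mapping, wbinfo not
# runnable, no group list for the user) also yields 'ERR', so the helper
# fails closed. wbinfo is executed directly, never through a shell.
#
sub check {
    my ($user, $group) = @_;

    # Group name -> SID. The original kept only the first space-separated
    # field of the wbinfo -n output (cut -f1); split does the same here.
    my ($group_sid) = split ' ', _run_wbinfo('-n', $group);
    $group_sid = '' unless defined $group_sid;

    # SID -> the local GID winbind maps it to; this is what wbinfo -r lists.
    my $group_gid = '';
    if ($group_sid ne '') {
        ($group_gid) = split ' ', _run_wbinfo('-Y', $group_sid);
        $group_gid = '' unless defined $group_gid;
    }

    debug("User: -$user-\nGroup: -$group-\nSID: -$group_sid-\nGID: -$group_gid-");

    # Without a numeric GID there is nothing meaningful to compare against.
    # Interpolating an empty GID into /^...$/m, as the original did, matches
    # an empty group list and would grant access; deny explicitly instead.
    return 'ERR' unless $group_gid =~ /\A\d+\z/;

    # wbinfo -r prints one GID per line; compare lines exactly rather than
    # building a regex from the GID.
    my @user_gids = split /\n/, _run_wbinfo('-r', $user);
    return 'OK' if grep { $_ eq $group_gid } @user_gids;
    return 'ERR';
}

# Run wbinfo with the given arguments (list form, no shell) and return its
# standard output as one string; '' when it cannot be started or prints
# nothing.
sub _run_wbinfo {
    my @args = @_;
    open(my $out, '-|', 'wbinfo', @args) or return '';
    my $text = do { local $/; <$out> };
    close $out;
    return defined $text ? $text : '';
}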

#
# Command line options processing
#
# Parses @ARGV into the global %opt (-d debugging, -h help) and hands off
# to usage() on -h or on an unrecognised option.
#
sub init()
{
    use Getopt::Std;
    my @flags = qw(h d);
    getopts( join('', @flags), \%opt ) or usage();
    usage() if $opt{h};
}

#
# Message about this program and how to use it
#
# Prints the option summary to STDOUT and terminates the helper.
#
sub usage()
{
    my @lines = (
        "Usage: wbinfo_group.pl -dh\n",
        "\t-d enable debugging\n",
        "\t-h print the help\n",
    );
    print @lines;
    exit;
}

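init();
print STDERR "Debugging mode ON.\n" if $opt{d};

# Undo the URL escaping Squid applies to each field of the request line.
# pack 'C' (unsigned byte) yields the same byte as the original 'c' but
# without the "wrapped" warning -w emits for values above 127.
sub _unescape {
    my ($field) = @_;
    $field =~ s/%([0-9a-fA-F]{2})/pack('C', hex($1))/eg;
    return $field;
}

#
# Main loop: one request per line from Squid, "user group [group ...]",
# every field URL-escaped. The answer is OK when the user belongs to any of
# the groups and ERR otherwise, one line per request.
#
REQUEST: while (my $line = <STDIN>) {
    chomp $line;    # chomp, not chop: never strips a real character
    print FILE "\n\ndatos leidos: $line";
    debug("Got $line from squid");

    my ($user, @groups) = split /\s+/, $line;
    $user = defined $user ? _unescape($user) : '';

    print FILE "\n\ngrupos: @groups";

    # Reset per request: a line with no groups must not reuse the previous
    # request's answer.
    my $ans = 'ERR';
    GROUP: foreach my $group (@groups) {
        $group = _unescape($group);
        $ans = check($user, $group);
        last GROUP if $ans eq 'OK';
    }

    debug("\n\nSending $ans to squid");
    print "$ans\n";
    print FILE "\n\nrespuesta: $ans";
}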


Muchas gracias por la ayuda.