Squid/Samba Domain Controller - Require authentication


Post by Maniaman » Sat Feb 24, 2007 11:29 am

I recently set up samba as a primary domain controller on my server. How can I set up squid to require authentication before allowing access? Basically I want it to use the same usernames/passwords that people use to log in to the domain. (Seamless auth would be a big plus).

Also, is it possible to make squid randomly redirect requests to a specified url on a per-user basis? I have a couple users I would love to randomly redirect certain requests to a different website.


Re: Squid/Samba Domain Controller - Require authentication

Post by Void Main » Sat Feb 24, 2007 12:59 pm

Maniaman wrote: I recently set up samba as a primary domain controller on my server. How can I set up squid to require authentication before allowing access? Basically I want it to use the same usernames/passwords that people use to log in to the domain. (Seamless auth would be a big plus).

I see you have already been involved in an old thread on using Squid so I take it you are already familiar with Squid and now just want help getting domain authentication working. By the way, I am also using Samba domain authentication and have been for a long time now. Basically on the PDC I have a local group (/etc/group) called "proxyusers". I add all the users I want to be able to authenticate in that group. I then have a section in my smb.conf that looks like this:

Code:

[proxyauth$]
  comment = Proxy Authentication
  path = /var/samba/proxyauth
  valid users = @proxyusers
  guest ok = no
  public = no
  writable = no
  share modes = no

I then have a directory /var/samba/proxyauth (755 permissions) with a file in it called proxyauth (644 permissions) that just contains the word "allow". Reload Samba after adding the share of course.

Now on your squid server look for the section with the auth_param examples. Add these lines:

Code:

auth_param basic program /usr/lib/squid/smb_auth -W YOURDOMAIN -U YOURPDC -S /proxyauth$/proxyauth
auth_param basic children 5
auth_param basic realm RestrictedProxy
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Obviously change "YOURDOMAIN" to whatever your domain name is and "YOURPDC" to your PDC's server name. You can replace "RestrictedProxy" with whatever text you want (not sure if it would allow multiple words).

Here are what my rules look like:

Code:

acl bannedsites dstdomain "/etc/squid/acl/banned.sites"
acl unrestricted_users proxy_auth "/etc/squid/acl/unrestricted.grp"
acl kidsgrp proxy_auth "/etc/squid/acl/kids.grp"

http_access allow unrestricted_users !bannedsites
http_access allow kidsgrp localhost !bannedsites

http_access allow localhost
http_access deny all

As you can see I keep banned web sites and user groups in external files but they don't have to be. "banned.sites" would contain a list of web sites nobody is allowed to go to. "unrestricted.grp" contains a list of domain users (one per line). I have a separate group for the kids called kids.grp that contains their domain username (one per line).

The last piece is getting the /usr/lib/squid/smb_auth.sh script working. I have found that every time Squid gets updated it updates the /usr/lib/squid/smb_auth.sh with a broken script. I always have to edit it and change the "SAMBAPREFIX" variable to "/usr":

Code:

SAMBAPREFIX="/usr"

You can test this script by running it on the command line and entering your auth credentials:

Code:

./smb_auth.sh
YOURDOMAIN

YOURPDC
YOURPDC
proxyauth$
proxyauth
YOURDOMAINUSERNAME
YOURDOMAINPASSWORD

If successful you should see a line something like this:

Code:

Contents of //YOURPDC/proxyauth$/proxyauth: allow

Maniaman wrote: Also, is it possible to make squid randomly redirect requests to a specified url on a per-user basis? I have a couple users I would love to randomly redirect certain requests to a different website.

Randomly? Not sure exactly what you mean here but it sounds like you want a content filter. Dansguardian is an excellent content filter:

http://dansguardian.org/

I've been using it for quite a while and it works well.
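
A consistency check for the setup described in the post above, as an added example that is not part of the original thread: smb_auth only accepts users who can read the share (valid users = @proxyusers), and Squid only matches users named in the proxy_auth list files, so the two lists have to agree. It assumes group membership is listed in the member field of the group file; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Names in make_sample are constructed.

# Members of group $2 in group file $1 (member field only), lowercased, sorted.
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print tolower(m[i]) }' "$1" |
        LC_ALL=C sort -u
}

# Usernames from Squid ACL list files: one per line, "#" lines and blanks
# skipped, lowercased because the thread sets "casesensitive off".
acl_users() {
    cat "$@" | awk '{ gsub(/^[ \t]+|[ \t\r]+$/, "") }
        $0 != "" && $0 !~ /^#/ { print tolower($0) }' | LC_ALL=C sort -u
}

# audit_proxy_users GROUPFILE GROUP ACLFILE...
#   no-auth USER  listed in an ACL file but not in GROUP: cannot read the share
#   no-acl  USER  in GROUP but in no ACL file: authenticates, matches no user ACL
audit_proxy_users() {
    gf=$1; gn=$2; shift 2
    tmp=$(mktemp -d) || return 2
    group_members "$gf" "$gn" > "$tmp/grp"
    acl_users "$@" > "$tmp/acl"
    LC_ALL=C comm -13 "$tmp/grp" "$tmp/acl" | sed 's/^/no-auth /'
    LC_ALL=C comm -23 "$tmp/grp" "$tmp/acl" | sed 's/^/no-acl /'
    rm -rf "$tmp"
}

# Constructed sample data standing in for /etc/group and /etc/squid/acl/*.grp.
make_sample() {
    printf '%s\n' 'root:x:0:' 'proxyusers:x:1001:alice,Bob,carol' > "$1/group"
    printf '%s\n' '# adults' 'alice' 'bob' 'dave' > "$1/unrestricted.grp"
    printf '%s\n' 'erin' '' > "$1/kids.grp"
}

d=$(mktemp -d) && make_sample "$d" &&
    audit_proxy_users "$d/group" proxyusers "$d/unrestricted.grp" "$d/kids.grp"
rm -rf "$d"
```

On a real system the call would be audit_proxy_users /etc/group proxyusers /etc/squid/acl/unrestricted.grp /etc/squid/acl/kids.grp, run after any change to the group or the list files.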


Post by Maniaman » Sat Feb 24, 2007 2:05 pm

It works! Thanks.

Void Main wrote: Randomly? Not sure exactly what you mean here but it sounds like you want a content filter. Dansguardian is an excellent content filter:

Not really looking for content filtering. Basically I am wanting to play a prank on a couple of my users who just waste time playing pogo games. I want to set something up so they are served a different website (that I could specify) than what they typed in and were planning on getting.


Post by Void Main » Sat Feb 24, 2007 2:36 pm

I don't know of a way to do it right in the squid.conf but you certainly can redirect using squid. That's what the adzapper script does. It redirects ad URLs to a URL of your choice. Here are some other redirect scripts for squid:

http://squirm.foote.com.au/
http://www.zippo.ch/thomas/asqredir/
http://adzapper.sourceforge.net/
