Hello suse-security,

I have installed the following version on SuSE 8.2:

# rpm -q squid
squid-2.5.STABLE1-63

Now, I don't see any updates to this package offered by YOU, but when I look at ftp.suse.de:/pub/suse/i386/8.2/i586/squid-2.5.STABLE1-73.i586.rpm there is a new package with version number -73? Does the ftp distribution use different version numbers than the CD distribution in general? Or am I missing something?

The reason I was searching for squid in the first place was that I wanted to use NT/Samba user groups for authentication, but didn't find a wb_group.sh or wb_group.pl or wbinfo_group.pl on my system. What is recommended to get this working on SuSE 8.2?

I found a perl script at http://www.squid-cache.org/cgi-bin/cvsweb.cgi/squid/helpers/external_acl/wbi... and added the following line to squid.conf:

external_acl_type nt_group %LOGIN /usr/local/libexec/wbinfo_group.pl

That does the job, but I am not sure if this is the best way?

-- 
Kind regards,
André Sänger mailto:Andre.Saenger@gmx.de
Landratsamt Coburg
> I have installed the following version on SuSE 8.2:
> # rpm -q squid
> squid-2.5.STABLE1-63
> Now, I don't see any updates to this package offered by YOU, but when I look at
> ftp.suse.de:/pub/suse/i386/8.2/i586/squid-2.5.STABLE1-73.i586.rpm
impossible, you mean ftp.suse.com.
> There is a new package with version number -73?
> Does the ftp distribution use different version numbers than the CD distribution in general? Or am I missing something?
It doesn't, the packages are built from the same sources. But: the package has been rebuilt between the making of the CD version and the ftp version, even though there was no change. This happens frequently with SUSE packages, because a new build (due to a change) of a package that the squid package depends on makes a recompilation of the depending package(s) useful.
> The reason I was searching for squid in the first place was that I wanted to use NT/Samba user groups for authentication, but didn't find a wb_group.sh or wb_group.pl or wbinfo_group.pl on my system.
> What is recommended to get this working on SuSE 8.2?
> I found a perl script at
> http://www.squid-cache.org/cgi-bin/cvsweb.cgi/squid/helpers/external_acl/wbi...
> and added the following line to squid.conf:
> external_acl_type nt_group %LOGIN /usr/local/libexec/wbinfo_group.pl
> That does the job, but I am not sure if this is the best way?
Please simply try it out.

Thanks,
Roman.

-- 
Roman Drahtmüller <draht@suse.de>
SUSE Linux AG - Security, Nürnberg, Germany
Phone: +49-911-740530
Hello Roman, Thursday, October 23, 2003, 4:16:01 PM, you wrote:
> impossible, you mean ftp.suse.com.

Sorry, you're right.

> Please simply try it out.

As I told I did that and it works. I just wondered if it was the proper way to do it.

Although I found two external helpers to do the job

wbinfo_group   matches users to NT groups using wbinfo
winbind_group  matches users to NT groups using winbind directly

neither of them is included in the squid binary rpm. Just wondered if there was a reason for that (they are available in squid-2.5.STABLE1-63.src.rpm). Or maybe some other way SuSE thought of for that functionality. So I just tried using wbinfo_group.pl manually.

-- 
Best regards,
André mailto:Andre.Saenger@gmx.de
On Thursday, 23 October 2003 17:04, André Sänger wrote:
> Hello Roman,
>
> Thursday, October 23, 2003, 4:16:01 PM, you wrote:
> > impossible, you mean ftp.suse.com.
> Sorry, you're right.
>
> > Please simply try it out.
> As I told I did that and it works. I just wondered if it was the proper way to do it.
>
> Although I found two external helpers to do the job
>
> wbinfo_group   matches users to NT groups using wbinfo
> winbind_group  matches users to NT groups using winbind directly
>
> neither of them is included in the squid binary rpm.
>
> Just wondered if there was a reason for that (they are available in squid-2.5.STABLE1-63.src.rpm). Or maybe some other way SuSE thought of for that functionality.
>
> So I just tried using wbinfo_group.pl manually.

We are using this together with several Active Directory servers for authentication, but I never found an rpm. You have to compile a new version of squid (--with-ntlm-auth and --with-wb_group or so...), install a recent samba version, start the winbind server and try it out!

By far the trickiest parts were:
- entering the AD domain, receiving and keeping (even after the ADS reboots!) a trusted position (Vertrauensstellung, i.e. a trust relationship; I don't know the English word)
  [off-topic] How did anybody else solve this? I'm not content with the script we have, because there's a password in it. The problem is that after the ADS server reboots, it forgets that the linux host is a trusted host and therefore no auth data is being sent anymore.
- finding the exact syntax for wb_group
- integrating the self-compiled squid into webmin for admin purposes.

However, it works, but it's not trivial. Enjoy!

markus

-- 
Kind regards,
Markus Feilner
-- 
Linux solutions, training, seminars and workshops - also in-house
Feilner IT Linux & GIS, Erlangerstr. 2, 93059 Regensburg
phone: +49 941 70 65 23 - mobile: +49 170 302 709 2
web: http://feilner-it.net mail: mfeilner@feilner-it.net
Hello Markus, Thursday, October 23, 2003, 9:59:03 PM, you wrote:
> > So I just tried using wbinfo_group.pl manually.
> We are using this together with several Active Directory servers for authentication, but I never found an rpm. You have to compile a new version of squid (--with-ntlm-auth and --with-wb_group or so...), install a recent samba version, start the winbind server and try it out!

Would it be enough to just compile the wb_group stuff and use the wb_group binary with the standard squid? So that I could avoid self-compiling the whole thing every time there is a security update?

Are there advantages to using the wb_group binary instead of wbinfo_group.pl (which doesn't need an additional compile)?

-- 
Best regards,
André mailto:Andre.Saenger@gmx.de
On Friday, 24 October 2003 09:48, André Sänger wrote:
> Hello Markus,
> Thursday, October 23, 2003, 9:59:03 PM, you wrote:
> > > So I just tried using wbinfo_group.pl manually.
> > We are using this together with several Active Directory servers for authentication, but I never found an rpm. You have to compile a new version of squid (--with-ntlm-auth and --with-wb_group or so...), install a recent samba version, start the winbind server and try it out!
> Would it be enough to just compile the wb_group stuff and use the wb_group binary with the standard squid?

No. AFAIK the support for this must be in the squid binary - (squid folks correct me if I'm wrong!). I did _not_ find an rpm for squid with this support. Even though parts of it seem to work with some stuff from the SuSE binary rpm of squid-beta, I cannot recommend this. It's too dirty a hack! The clean solution is: configure, make, install squid and then do some symlinks, some editing in start scripts and then it works.

> So that I could avoid self-compiling the whole thing every time there is a security update?

Again: AFAIK - there's no other way around.

> Are there advantages to using the wb_group binary instead of wbinfo_group.pl (which doesn't need an additional compile)?

Yes. The wbinfo_group.pl worked. The wb_group stuff never worked here. wbinfo_group is a simple (even I can grasp it) Perl script that just does several wbinfo -xxx checks and combines them in order to get info about group memberships. Have a look at it - it's really simple.

-- 
Kind regards,
Markus Feilner
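The external_acl_type line André quoted in the first message and the description just above (wbinfo_group.pl is a few wbinfo calls combined into an OK/ERR answer) can be seen end to end in one small helper. The following is an added example written for this page: it is not the wbinfo_group.pl from the Squid tree and not part of any SuSE package. It follows the same lookup sequence as that script (wbinfo -n to get the group's SID, wbinfo -Y to map the SID to a GID, wbinfo -r to list the user's GIDs) and speaks Squid's external ACL helper protocol. The install path, the acl and group names in the docstring, and the canned wbinfo output in FAKE_WBINFO are assumptions made so the code runs without a domain.

```python
"""Squid external ACL helper: is <user> a member of one of the NT/Samba groups?

Added example (not Squid's wbinfo_group.pl, not a SuSE package). Squid writes
one line per lookup to the helper's stdin, "<user> <group> [<group> ...]",
and reads "OK" or "ERR" back, one line per request. Assumed squid.conf wiring
(install path and group name are assumptions):

    external_acl_type nt_group %LOGIN /usr/local/libexec/wbinfo_group.py
    acl internet_users external nt_group InternetUsers
    http_access allow internet_users
    http_access deny all
"""
import subprocess
import sys
from typing import Callable, Dict, List, Sequence, Tuple
from urllib.parse import unquote

# A "runner" takes wbinfo's argument list and returns its stdout ("" on failure).
Runner = Callable[[Sequence[str]], str]


def run_wbinfo(args: Sequence[str]) -> str:
    """Call the real wbinfo. argv is passed as a list (no shell), so user and
    group names that originate from the browser are never shell-interpreted."""
    try:
        proc = subprocess.run(["wbinfo", *args], capture_output=True, text=True, check=False)
    except OSError:
        return ""            # wbinfo missing or not executable: treat as "no answer"
    return proc.stdout if proc.returncode == 0 else ""


def group_gid(group: str, run: Runner = run_wbinfo) -> str:
    """NT group name -> Unix GID, the way wbinfo_group.pl does it:
    'wbinfo -n GROUP' prints "<SID> <type>", 'wbinfo -Y SID' prints the GID."""
    sid_line = run(["-n", group]).strip()
    if not sid_line:
        return ""            # unknown group: winbind printed nothing
    sid = sid_line.split()[0]
    return run(["-Y", sid]).strip()


def user_gids(user: str, run: Runner = run_wbinfo) -> List[str]:
    """All GIDs the user belongs to ('wbinfo -r USER', one per line)."""
    return [g.strip() for g in run(["-r", user]).splitlines() if g.strip()]


def is_member(user: str, groups: Sequence[str], run: Runner = run_wbinfo) -> bool:
    """True if the user is in at least one of the groups. Squid sends every
    group listed on the acl line in one request, so a single match is enough."""
    gids = set(user_gids(user, run))
    if not gids:
        return False         # unknown user, or winbind unreachable: deny
    for group in groups:
        gid = group_gid(group, run)
        if gid and gid in gids:
            return True
    return False


def answer(line: str, run: Runner = run_wbinfo) -> str:
    """One request line from Squid -> "OK" or "ERR". Malformed input yields ERR
    instead of an exception: a helper that dies makes Squid stall."""
    fields = [unquote(f) for f in line.split()]   # %XX-decoding is harmless if Squid did not escape
    if len(fields) < 2:
        return "ERR"
    return "OK" if is_member(fields[0], fields[1:], run) else "ERR"


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(answer(line.rstrip("\n")) + "\n")
        sys.stdout.flush()   # Squid waits for each answer; buffered output would deadlock it


# Constructed wbinfo output so the helper can be exercised without a domain (not real data).
FAKE_WBINFO: Dict[Tuple[str, ...], str] = {
    ("-n", "InternetUsers"): "S-1-5-21-1-2-3-1105 2\n",
    ("-Y", "S-1-5-21-1-2-3-1105"): "10005\n",
    ("-n", "Admins"): "S-1-5-21-1-2-3-512 2\n",
    ("-Y", "S-1-5-21-1-2-3-512"): "10000\n",
    ("-r", "DOMAIN\\alice"): "10001\n10005\n",
    ("-r", "DOMAIN\\bob"): "10001\n",
}


def fake_wbinfo(args: Sequence[str]) -> str:
    """Runner that answers from FAKE_WBINFO; unknown queries fail like a real wbinfo would."""
    return FAKE_WBINFO.get(tuple(args), "")


if __name__ == "__main__":
    main()
```

Two points worth keeping from this even if you stay with the Perl script: pass names to wbinfo as an argument vector rather than through a shell, because the user field is attacker-controlled input from the browser, and never let the helper exit on bad input, because Squid blocks on a helper that has gone away.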
Hello Markus, Monday, October 27, 2003, 2:14:10 PM, you wrote:
> Yes. The wbinfo_group.pl worked. The wb_group stuff never worked here. wbinfo_group is a simple (even I can grasp it) Perl script that just does several wbinfo -xxx checks and combines them in order to get info about group memberships. Have a look at it - it's really simple.

Now I've run into a problem - I configured ntlm authentication and an allowed domain group. Works so far with http:// URLs, but as soon as it comes to https:// access is blocked when I use IE5.5SP2. Using IE6SP1 or Firebird it works.

Did you get this combination to work? IE5.5SP2, NTLM & HTTPS?

-- 
Best regards,
André mailto:Andre.Saenger@gmx.de
On Monday, 27 October 2003 17:18, André Sänger wrote:
> Hello Markus,
> Monday, October 27, 2003, 2:14:10 PM, you wrote:
> > Yes. The wbinfo_group.pl worked. The wb_group stuff never worked here. wbinfo_group is a simple (even I can grasp it) Perl script that just does several wbinfo -xxx checks and combines them in order to get info about group memberships. Have a look at it - it's really simple.
> Now I've run into a problem - I configured ntlm authentication and an allowed domain group.
> Works so far with http:// URLs, but as soon as it comes to https:// access is blocked when I use IE5.5SP2. Using IE6SP1 or Firebird it works.
> Did you get this combination to work? IE5.5SP2, NTLM & HTTPS?

Well, at least I was not informed about any problems with these clients... I guess these clients are used, but they seem to work. Perhaps it's not about ntlm, but the other rules in your squid.conf? Have a look at the "port" entries ...

BTW:
1) It's a great thing to combine the ntlm/wb... auth with other rules, so you can allow/deny urls (only) to group members, and much more!
2) The whole thing combined with sarg and dansguardian - wow!

-- 
Kind regards,
Markus Feilner
Hello Markus, Monday, October 27, 2003, 5:28:36 PM, you wrote:
> Well, at least I was not informed about any problems with these clients... I guess these clients are used, but they seem to work. Perhaps it's not about ntlm, but the other rules in your squid.conf? Have a look at the "port" entries ...

After further investigation I found the problem only to occur with ie5.5sp2 patch q828750, works fine with older patch (q818529) releases or other browsers (ie6sp1, mozilla firebird, konqueror), so I don't think it's another rule in squid.conf(?). But then again, on-the-fly authentication seems to work only with IE...

-- 
Best regards,
André mailto:Andre.Saenger@gmx.de
On Tuesday, 28 October 2003 10:36, André Sänger wrote:
> Hello Markus,
> Monday, October 27, 2003, 5:28:36 PM, you wrote:
> > Well, at least I was not informed about any problems with these clients... I guess these clients are used, but they seem to work. Perhaps it's not about ntlm, but the other rules in your squid.conf? Have a look at the "port" entries ...
> After further investigation I found the problem only to occur with ie5.5sp2 patch q828750, works fine with older patch (q818529) releases or other browsers (ie6sp1, mozilla firebird, konqueror), so I don't think it's another rule in squid.conf(?). But then again, on-the-fly authentication seems to work only with IE...

Right. Because only IE is able to send NTLM (or ADS) auth. What a pity, hm? Better is: Open LDAP Server - single sign-on solution, incl. firewall, mail and all that you can imagine.

-- 
Kind regards,
Markus Feilner
Markus Feilner wrote:
> Right. Because only IE is able to send NTLM (or ADS) auth. What a pity, hm?

Bull*.&!

Mozilla 1.4 on Win32 is also able to send NTLM. http://www.mozilla.org/releases/mozilla1.4/README.html#new

-- 
Have fun,
Peter
Hello Peter, Tuesday, October 28, 2003, 5:01:22 PM, you wrote:
> > Right. Because only IE is able to send NTLM (or ADS) auth. What a pity, hm?
> Bull*.&!
> Mozilla 1.4 on Win32 is also able to send NTLM. http://www.mozilla.org/releases/mozilla1.4/README.html#new

But both Mozilla 1.4 (didn't try 1.5 yet) and Mozilla Firebird 0.7 still pop up a password dialog. IE doesn't.

Versions tested:
Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.4) Gecko/20030624
Mozilla/5.0 (Windows; U; WinNT4.0; de-DE; rv:1.5) Gecko/20031007 Firebird/0.7

-- 
Best regards,
André mailto:Andre.Saenger@gmx.de
On Tuesday, 28 October 2003 17:18, André Sänger wrote:
> Hello Peter,
> Tuesday, October 28, 2003, 5:01:22 PM, you wrote:
> > > Right. Because only IE is able to send NTLM (or ADS) auth. What a pity, hm?
> > Bull*.&!

Thanx for that! ;-)

> > Mozilla 1.4 on Win32 is also able to send NTLM. http://www.mozilla.org/releases/mozilla1.4/README.html#new
> But both Mozilla 1.4 (didn't try 1.5 yet) and Mozilla Firebird 0.7 still pop up a password dialog. IE doesn't.

That's what I meant - sorry, my fault! AFAIK in this setup only IE can do single sign-on.

> Versions tested:
> Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.4) Gecko/20030624
> Mozilla/5.0 (Windows; U; WinNT4.0; de-DE; rv:1.5) Gecko/20031007 Firebird/0.7

-- 
Kind regards,
Markus Feilner
On Tue, 2003-10-28 at 12:08, Markus Feilner wrote:
> On Tuesday, 28 October 2003 17:18, André Sänger wrote:
> > Hello Peter,
> > Tuesday, October 28, 2003, 5:01:22 PM, you wrote:
> > > > Right. Because only IE is able to send NTLM (or ADS) auth. What a pity, hm?
> > > Bull*.&!
> Thanx for that! ;-)
> > > Mozilla 1.4 on Win32 is also able to send NTLM. http://www.mozilla.org/releases/mozilla1.4/README.html#new
> > But both Mozilla 1.4 (didn't try 1.5 yet) and Mozilla Firebird 0.7 still pop up a password dialog. IE doesn't.
> That's what I meant - sorry, my fault! AFAIK in this setup only IE can do single sign-on.

According to the squid web site this is correct, only IE can connect without the user name/password dialog box. (I was looking at this this morning).

> > Versions tested:
> > Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.4) Gecko/20030624
> > Mozilla/5.0 (Windows; U; WinNT4.0; de-DE; rv:1.5) Gecko/20031007 Firebird/0.7

-- 
Ken Schneider
unix user since 1989
linux user since 1994
SuSE user since 1998 (5.2)
Not sure if this is applicable here but: if you want to use LDAP authentication in a Windows environment, check out this link: http://pgina.xpasystems.com By changing a registry entry on the Windows machine you can make it use an LDAP server for authentication.

On Tuesday 28 October 2003 12:20, Ken Schneider wrote:
> On Tue, 2003-10-28 at 12:08, Markus Feilner wrote:
> > That's what I meant - sorry, my fault! AFAIK in this setup only IE can do single sign-on.
>
> According to the squid web site this is correct, only IE can connect without the user name/password dialog box. (I was looking at this this morning).
>
> -- 
> Ken Schneider
André Sänger wrote:
> Tuesday, October 28, 2003, 5:01:22 PM, you wrote:
> > Mozilla 1.4 on Win32 is also able to send NTLM. http://www.mozilla.org/releases/mozilla1.4/README.html#new
> But both Mozilla 1.4 (didn't try 1.5 yet) and Mozilla Firebird 0.7 still pop up a password dialog. IE doesn't.

Open an IE window and display the status bar. The right-most entry in the bar displays the current zone. Double-click this zone. Your computer now displays a property sheet for "Internet Security Options". In the last group of elements is a button labeled "Configure"/"Stufe anpassen". Hit it and scroll down the list. The second top-level group should be labeled "User authentication" / "Benutzerauthentifizierung". Your setting for this zone is probably "automatic login only in the intranet zone".

IE sends the password prematurely. You should send a "WWW-Authenticate: NTLM" (or similar) whenever a browser sends a proxy request not accompanied by NTLM auth information.

-- 
Have fun,
Peter
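The exchange Peter describes, seen from the proxy side, is worth writing down once: a request that carries no NTLM token must be answered with a challenge, the browser's Type 1 (negotiate) token is turned into a Type 2 challenge by the winbind helper, and only the Type 3 (authenticate) token decides whether the connection is authenticated. The code below is an added example written for this page; it is neither Squid's nor Samba's code. It uses the helper protocol Squid 2.5 speaks with the winbind NTLM helper ("YR <token>" answered by "TT <challenge>", "KK <token>" answered by "AF <user>" or "NA <reason>"), but the helper here is a constructed stand-in that knows one made-up account, and the tokens it handles carry only the NTLMSSP signature and message type, not real negotiate, challenge or authenticate bodies. The 407 status and the Proxy-Authenticate header are plain HTTP; "ProxyConnection" and "fake_winbind_helper" are names chosen for the example.

```python
"""Proxy side of the NTLM handshake against a Squid-2.5-style winbind helper.

Added example, not Squid's or Samba's code. The helper below stands in for
'ntlm_auth --helper-protocol=squid-2.5-ntlmssp' and the tokens are
constructed: NTLMSSP signature + message type + an arbitrary payload.
"""
import base64
import binascii
import struct
from typing import Callable, Dict, Tuple

NTLMSSP = b"NTLMSSP\x00"          # every NTLM message starts with this signature
Helper = Callable[[str], str]       # one request line in, one reply line out


def ntlm_message_type(token_b64: str) -> int:
    """1 = negotiate, 2 = challenge, 3 = authenticate; 0 if not an NTLMSSP token.
    The type is the little-endian uint32 right after the 8-byte signature."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except (binascii.Error, ValueError):
        return 0
    if len(raw) < 12 or not raw.startswith(NTLMSSP):
        return 0
    return struct.unpack_from("<I", raw, 8)[0]


def make_token(msg_type: int, payload: bytes = b"") -> str:
    """Constructed NTLMSSP-framed token for the demo (signature + type + payload)."""
    return base64.b64encode(NTLMSSP + struct.pack("<I", msg_type) + payload).decode()


def fake_winbind_helper(request: str) -> str:
    """Stand-in for the winbind NTLM helper. Knows one constructed account,
    DOMAIN\\alice, whose "authenticate" payload is just the account name."""
    cmd, _, token = request.partition(" ")
    if cmd == "YR" and ntlm_message_type(token) == 1:
        return "TT " + make_token(2, b"\x01\x23\x45\x67\x89\xab\xcd\xef")   # server challenge
    if cmd == "KK" and ntlm_message_type(token) == 3:
        who = base64.b64decode(token)[12:].decode("utf-8", errors="replace")
        return "AF " + who if who == "DOMAIN\\alice" else "NA Logon failure"
    return "BH unexpected request"


class ProxyConnection:
    """NTLM authenticates the TCP connection, not each request, so the proxy
    keeps state per connection: once 'AF' arrived, later requests pass."""

    def __init__(self, helper: Helper) -> None:
        self.helper = helper
        self.user = ""

    def handle(self, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        """Return (status, response headers) for one request on this connection."""
        challenge = (407, {"Proxy-Authenticate": "NTLM"})
        if self.user:
            return 200, {}
        scheme, _, token = headers.get("Proxy-Authorization", "").partition(" ")
        if scheme.upper() != "NTLM" or not token:
            return challenge            # no NTLM credentials yet: challenge, never silently pass
        mtype = ntlm_message_type(token)
        if mtype == 1:
            code, _, payload = self.helper("YR " + token).partition(" ")
            if code == "TT":
                return 407, {"Proxy-Authenticate": "NTLM " + payload}
        elif mtype == 3:
            code, _, payload = self.helper("KK " + token).partition(" ")
            if code == "AF":
                self.user = payload
                return 200, {}
        return challenge                # NA, BH, or a token out of sequence: start over


def demo(account: bytes) -> Tuple[int, int, int, int]:
    """Walk one connection through the four requests a browser would send."""
    conn = ProxyConnection(fake_winbind_helper)
    s1, _ = conn.handle({})                                                      # 407, NTLM
    s2, _ = conn.handle({"Proxy-Authorization": "NTLM " + make_token(1)})         # 407, NTLM <type 2>
    s3, _ = conn.handle({"Proxy-Authorization": "NTLM " + make_token(3, account)})  # 200 or 407
    s4, _ = conn.handle({})                                                      # same connection
    return s1, s2, s3, s4


if __name__ == "__main__":
    print(demo(b"DOMAIN\\alice"), demo(b"DOMAIN\\bob"))
```

The fourth request shows the connection-level nature of NTLM: a bare request on an already authenticated connection is served, while the same bare request on a fresh connection gets the challenge again. That is also why the browser's zone setting matters: the proxy can only challenge, and whether the browser answers the challenge with the logged-on user's credentials or with a dialog is decided on the client.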
Hello Markus, Tuesday, October 28, 2003, 4:56:27 PM, you wrote:
> Right. Because only IE is able to send NTLM (or ADS) auth. What a pity, hm? Better is: Open LDAP Server - single sign-on solution, incl. firewall, mail and all that you can imagine.

But how do I get a single sign-on to the squid proxy then (taken that the clients stay NT4 workstations)? Wouldn't I still have to use NTLM?

Is it possible to migrate an NT domain to a Samba/LDAP SuSE Linux server yet - without having to touch the clients? Can I replicate the accounts like NT PDC/BDCs do for the case the main Samba/LDAP server goes down?

-- 
Best regards,
André mailto:Andre.Saenger@gmx.de
On Oct 28, André Sänger <Andre.Saenger@gmx.de> wrote:
> Is it possible to migrate an NT domain to a Samba/LDAP SuSE Linux server yet - without having to touch the clients? Can I replicate the accounts like NT PDC/BDCs do for the case the main Samba/LDAP server goes down?

You can use the BDC feature of samba 3.0 to copy the accounts from a Windows PDC to a samba machine (warning: samba doesn't work as PDC for windows, it can only suck the account data). Then you can use the samba machine as PDC. You can also put up a second samba machine as BDC, as soon as the master is also running samba.

Markus

-- 
Markus Gaugusch <markus@gaugusch.at>
ASCII Ribbon Campaign Against HTML Mail
On Tuesday, 28 October 2003 17:13, André Sänger wrote:
> Hello Markus,
> Tuesday, October 28, 2003, 4:56:27 PM, you wrote:
> > Right. Because only IE is able to send NTLM (or ADS) auth. What a pity, hm? Better is: Open LDAP Server - single sign-on solution, incl. firewall, mail and all that you can imagine.
> But how do I get a single sign-on to the squid proxy then (taken that the clients stay NT4 workstations)? Wouldn't I still have to use NTLM?

Not necessarily. LDAP helps. In a different solution we do that by activating (per-user, per-client, per-client-ip) specific iptables rules (also stored in the LDAP directory) after a successful login to our LDAP server. So we can exactly control what Mr A is allowed to do on machine B with operating system C under circumstances D and so on... (and not only squid... ;-) That's probably the best way I know, but I'm always open for suggestions! Other possible solutions are e.g. pam or samba auth for squid... I guess.

> Is it possible to migrate an NT domain to a Samba/LDAP SuSE Linux server yet - without having to touch the clients? Can I replicate the accounts like NT PDC/BDCs do for the case the main Samba/LDAP server goes down?

-- 
Kind regards,
Markus Feilner
Participants (7): André Sänger, Ken Schneider, Markus Feilner, Markus Gaugusch, Paul Kozlenko, Peter Wiersig, Roman Drahtmueller