Our network situation requires multiple users to access the Internet through a limited number of IP addresses. This in itself makes an internal proxy server a necessity. Add to this the fact that we also attempt multiple video calls and have to monitor and filter Internet usage, and this is a practical device.
I am using Squid 2.6.9, Samba 3.0.24 on FreeBSD 6.1. I followed the instructions for setting up Samba as noted in Samba Unix Authentication. There have been a few minor changes to the port menu; however, the main parts are still there.
The ports were upgraded using cvsup prior to installation. There was no check box for using Winbind as an authenticator and I wanted to make certain that it was configured. I ran the following:
To check the authentication settings, run /usr/local/bin/ntlm_auth --username=%username% --domain=%domainname% --password=%password%. If the reply is OK, all is well so far.
Apply the configuration file and restart.
On a side note, in previous versions Webmin required the location for the squid.conf file in order to run and did not show that squid was running until I gave squid RW permissions to /usr/local/squid/logs/squid.pid. This has been fixed with this version of squid.
Adding SARG generates web pages of user activity on a nightly basis. Ours is posted on the website (the location most likely will change and I will probably forget to change the link).
I have configured SARG for the report. The documentation is not bad, but you will want to experiment with the configuration file (/usr/local/etc/sarg/sarg.conf) to get the best results.
To allow SARG to write directly to my web server, I have set up an SMBFS automount to our web server. This requires obtaining an encrypted password for a user and editing /etc/nsmb.conf and /etc/fstab.
mkdir /mnt/www
References:
installing-squid-with-active-directory-authentication
Good Luck
cd /usr/ports/www/squid
make SQUID_CONFIGURE_ARGS="--enable-icmp \
--enable-delay-pools \
--enable-snmp \
--enable-arp-acl \
--enable-ntlm-fail-open \
--enable-auth=ntlm,basic \
--enable-basic-auth-helpers=PAM,winbind,smb \
--enable-ntlm-auth-helpers=winbind \
--enable-external-acl-helpers=wbinfo_group \
--with-samba-sources=/usr/ports/net/samba3/work/samba-3.0.24 \
--with-large-files \
--enable-kqueue \
--with-winbind-auth-challenge" install clean
Add the line squid_enable="YES" to /etc/rc.conf.
Initialize the cache and take it for a quick test drive:
/usr/local/sbin/squid -z
/usr/local/etc/rc.d/squid start
The file /var/db/samba/winbindd_privileged requires full access for the squid group:
chgrp squid /var/db/samba/winbindd_privileged
Copy the file /etc/pam.d/system to /etc/pam.d/squid. Restart squid.
cd /usr/ports/www/sarg
make install clean
smbutil crypt %password%
echo "[default]"> /etc/nsmb.conf
echo "workgroup=%domainname%" >> /etc/nsmb.conf
echo "[%SERVERNAME%]" >>/etc/nsmb.conf
echo "addr=%serveripaddress%" >>/etc/nsmb.conf
echo "[%SERVERNAME%:%USERNAME%]" >>/etc/nsmb.conf
echo "password=%encryptedpassword%" >>/etc/nsmb.conf
echo "//%servername%/%share% /mnt/www smbfs rw 0 0" >>/etc/fstab
Note:
the case in each command is important
the %password% is for the %USERNAME% and should be a local user on the server
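The echo sequence above creates /etc/nsmb.conf under the current umask (typically world-readable), and the smbutil crypt output is only weakly obfuscated, so the file should be readable by its owner alone. The following is an added example, not part of the original page: write_nsmb_conf, file_mode and is_private are hypothetical helper names, and the values in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the original page):
# write nsmb.conf in one step with owner-only permissions, then verify it.

# usage: write_nsmb_conf TARGET WORKGROUP SERVER ADDR USER ENCRYPTED_PASSWORD
write_nsmb_conf() {
    [ $# -eq 6 ] || { echo "usage: write_nsmb_conf target workgroup server addr user secret" >&2; return 2; }
    target=$1; workgroup=$2; addr=$4; secret=$6
    # The page writes the server and user section names in upper case
    # and notes that case matters, so normalise them here.
    server=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    user=$(printf '%s' "$5" | tr '[:lower:]' '[:upper:]')
    # Build the file under a temporary name so a half-written or
    # loosely-permissioned copy never sits at the real path.
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    chmod 600 "$tmp" || { rm -f "$tmp"; return 1; }
    cat > "$tmp" <<EOF
[default]
workgroup=$workgroup
[$server]
addr=$addr
[$server:$user]
password=$secret
EOF
    mv -f "$tmp" "$target"
}

# Print the permission string of a file, e.g. "-rw-------".
file_mode() { ls -ld "$1" | cut -c1-10; }

# Succeed only if group and other have no permission bits on the file.
is_private() {
    case $(file_mode "$1") in
        -???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed usage (placeholder values):
#   write_nsmb_conf /etc/nsmb.conf EXAMPLEDOM webserver 192.0.2.10 sarguser 'ENCRYPTED-PLACEHOLDER'
#   is_private /etc/nsmb.conf || echo "nsmb.conf is readable by other users" >&2
```

Running is_private against an nsmb.conf that was already built with the echo commands shows whether it needs a chmod 600.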