[squid-users] Winbind group membership authentication

From: Neil Gaskell <neil@dont-contact.us>
Date: Mon, 25 Jul 2005 11:53:55 +0100

Hi,

I'm new to the list so I hope I'm not asking one of those questions that
gets asked ten times a week :)

I'm running Squid 2.5 Stable with Samba 3.03 on Fedora core 2.

I set it up by reading the NTLM/winbind sections in the FAQ, which also
roughly corresponds with some other people's squid.conf's I googled.

Winbind is working, ntlm_auth tests OK and NTLM authentication via IE
works fine for domain users (2K AD). But of course, I want to
authenticate based on group membership not just plain domain membership.
wbinfo_group.pl seems to be working - I can manually feed it usernames
or 'domain+username' and groupnames and get the correct responses.

Fine so far.... but when squid speaks to wbinfo_group.pl the script only
sees the domain name and the group to be queried, not the username
(according to its debug output). Hence it always returns ERR.

I've tried setting the winbind separator to '+' but this doesn't seem to
have made a difference. To be honest I've only been using linux for a
few months so this has all taken me quite a while and I'm running out of
time I can spend on this - I'm hoping someone out there can suggest
something.

Relevant squid.conf lines:

auth_param ntlm program /usr/lib/squid/ntlm_auth ssl\\server
auth_param ntlm children 2
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/lib/squid/ntlm_auth ssl\\server
auth_param basic children 2
auth_param basic realm Workbench testbox
auth_param basic credentialsttl 2 hours

<....>

external_acl_type nt_group ttl=60 concurrency=2 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl all src 0.0.0.0/0.0.0.0
acl benches src 10.1.1.0/24
acl lan src 192.17.90.0/24

<...>

acl domainusers proxy_auth REQUIRED
acl groupmembers external nt_group ProxyAccess
# TAG: http_access

#http_access allow ncsa_users
http_access allow benches
#http_access allow lan
#http_access allow localhost
#http_access allow authenticated
http_access allow domainusers groupmembers
http_access deny all

Cache.log debug output from wbinfo_group.pl:
(ssl is the domain name, not the user name - hence the ERR)

Got ssl ProxyAccess from squid
User: -ssl-
Group: -ProxyAccess-
SID: -S-1-5-21-1343024091-2111687655-854245398-1124 Domain Group (2)-
GID: -10002-
Sending ERR to squid

Thanks for reading,

Neil
Received on Mon Jul 25 2005 - 04:53:48 MDT
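The post above hinges on what the external ACL helper actually receives from Squid on each request line (`%LOGIN` followed by the group names from the `acl ... external nt_group ...` line) and how it splits the login into domain and user. The following is an added example of such a helper written for this page; it is not Squid's wbinfo_group.pl and not code from the original post. It assumes the helper protocol as used by Squid's external_acl_type (one request per line, one `OK`/`ERR` reply per line, an integer channel ID prefixed to both when `concurrency=` is set, and fields URL-encoded by newer Squid releases, which the decoding below tolerates for plain tokens). The group table is constructed in-memory data standing in for `wbinfo`, so the script runs offline; a real deployment would replace `SAMPLE_GROUPS` with a winbind lookup.

```python
"""Minimal Squid external_acl_type helper for NT group membership checks.

Added example for this page, not Squid's wbinfo_group.pl. The group
lookup is a constructed in-memory table standing in for `wbinfo`, so
the script runs offline. Protocol assumptions are noted inline.
"""
import sys
import urllib.parse

# Constructed sample data standing in for winbind's view of the domain.
# Keys are (domain, user) in lower case; AD names are case-insensitive.
SAMPLE_GROUPS = {
    ("ssl", "neil"): {"Domain Users", "ProxyAccess"},
    ("ssl", "guest"): {"Domain Users"},
}


def split_login(login):
    """Split 'DOMAIN\\user' or 'DOMAIN+user' into (domain, user).

    Either winbind separator is accepted. A bare token with no separator
    comes back with an empty domain, which handle_line() refuses: that is
    exactly the shape of the request line quoted in the post above
    ("Got ssl ProxyAccess from squid"), where no user name was present.
    """
    for sep in ("\\", "+"):
        if sep in login:
            domain, _, user = login.partition(sep)
            return domain, user
    return "", login


def parse_request(line):
    """Parse one request line: '[channel] login group [group ...]'.

    The leading channel ID is only present when Squid was configured
    with concurrency=N (assumption: protocol as documented for Squid's
    external_acl_type). Fields are URL-decoded; plain tokens are unchanged.
    """
    fields = line.rstrip("\n").split(" ")
    channel = None
    if fields and fields[0].isdigit():
        channel = fields.pop(0)
    fields = [urllib.parse.unquote(f) for f in fields if f]
    if len(fields) < 2:
        raise ValueError("expected '[channel] login group...', got %r" % line)
    return channel, fields[0], fields[1:]


def is_member(domain, user, group, lookup=SAMPLE_GROUPS):
    """Case-insensitive membership test against the lookup table."""
    groups = lookup.get((domain.lower(), user.lower()), set())
    return group.lower() in {g.lower() for g in groups}


def handle_line(line, lookup=SAMPLE_GROUPS):
    """Return the reply Squid expects for one request line.

    OK if the user is in any of the listed groups (the semantics of
    wbinfo_group.pl's multi-group form), ERR otherwise, including for
    malformed lines and logins that carry no domain separator.
    """
    try:
        channel, login, groups = parse_request(line)
    except ValueError:
        return "ERR"
    domain, user = split_login(login)
    verdict = "ERR"
    if domain and user and any(is_member(domain, user, g, lookup) for g in groups):
        verdict = "OK"
    return verdict if channel is None else f"{channel} {verdict}"


def main():
    # Squid writes one request per line and blocks until it reads the
    # reply; flushing after every line avoids a helper that appears hung.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Feeding the helper the literal line from the cache.log excerpt (`ssl ProxyAccess`) yields ERR because the login field has no domain separator and therefore no user name, whereas `ssl+neil ProxyAccess` or `ssl\neil ProxyAccess` yields OK for the constructed table. Printing the raw request line from a helper in this way is the quickest check of which form `%LOGIN` is actually delivering.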
