Re: [squid-users] acl proxy_auth problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 04 Dec 2009 12:20:34 +1300

Georg Roelli wrote:
> ----------------------------------------
>> Date: Thu, 3 Dec 2009 10:36:10 +1300
>> From: squid3_at_treenet.co.nz
>> To: squid-users_at_squid-cache.org
>> Subject: Re: [squid-users] acl proxy_auth problem
>>
>> On Wed, 2 Dec 2009 15:15:15 +0100, Georg Roelli
>> wrote:
>>> Hello
>>>
>>> My environment: Ubuntu 8.04 LTS, Squid 2.6.18, Samba 3.0.28a
>>>
>>> I am looking to find a way to check with an acl if a user is member of a
>>> specific ad-group. On my Squid Proxy Server, I have successfully set up
>> an
>>> SSO authentication with the active directory.
>>> This works fine. Among other things:
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-ntlmssp
>>> --require-membership-of="Domäne\\AD-GroupeA"
>>>
>>> Now I start with the definition of the acl's. At first I would like to
>>> make a badUrls list which is valid for all users to block some sites.
>> This
>>> list should not be applied to a group of personal computers (host)
>> and/or a
>>> specific AD group.
>>> Here is my approach:
>>>
>>> acl auth proxy_auth REQUIRED
>>> acl badurls url_regex "/data/squid/badurls.txt"
>>> acl AllowedClients srcdom_regex -i "/data/squid/allowed_clients.txt"
>>> acl AllowedGroups proxy_auth -i Domäne/AD-GroupeB
>>>
>>> http_access allow auth AllowedClients
>>> http_access allow auth AllowedGroups
>>> http_access deny badurls
>>> http_access allow auth
>>> http_access deny all
>>>
>>> The acl with the badurls list and the acl for the AllowedClients are
>>> working fine. But with the acl acl AllowedGroups proxy_auth -i
>>> Domäne/AD-GruppeB I have great problems. I don't know how I can make an
>> acl
>>> that checks the membership of an AD-Groupe.
>>> I tested many different types of spelling. Unfortunately without
>> success.
>>> How can I make an acl using ntlm_auth authentication? Is there a better
>> and
>>> easier way to do this?
>>>
>>> Thank you for your suggestions.
>>>
>>> Kind regards.
>>>
>>
>>
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmWithGroups
>>
>> Amos
>
> Hello Amos
>
> Thank you for your note.
>
> I have tried it, and after I have modified the lines in
>
> external_acl_type testForNTGroup %LOGIN /usr/lib/squid/wbinfo_group.pl -d
> acl inGroupX external testForNTGroup obmg
> http_access allow inGroupX
>
> I can restart the squid service without problems. Unfortunately the acl does not work.
> In the documentation I have found the -d option for wbinfo_group.pl, and now I find these messages in the access.log:

You mean cache.log, surely?

>
> [2009/12/03 13:18:16, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
> Got NTLMSSP neg_flags=0xa2088205
> Got wag obmg from squid
> Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid
> User: -rog-
> Group: -obmg-
> SID: -S-1-5-21-986273330-1409306274-1541874228-6339-
> GID: --
> Sending ERR to squid
>
> Do you have any other ideas what this message means exactly?

That means the user "rog" exists but was not a registered member of
group "obmg".

Look in the registry (I think on the domain controller) for
"S-1-5-21-986273330-1409306274-1541874228-6339" and see what groups it's
a member of.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
   Current Beta Squid 3.1.0.15
Received on Thu Dec 03 2009 - 23:20:42 MST

This archive was generated by hypermail 2.2.0 : Fri Dec 04 2009 - 12:00:01 MST
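As an added illustration (not configuration posted by Georg or Amos, and not taken from the wiki page linked above), here is how the external group ACL from the thread fits together with the `badurls`, `AllowedClients` and `auth` ACLs Georg already had. The file names, the helper path and the group name `obmg` are the ones from the thread; the `children`, `ttl` and `negative_ttl` values are assumed tuning values, not something the thread states.

```conf
# squid.conf fragment for Squid 2.6 (added example, not from the thread)

# NTLM single sign-on against the domain, as in the original post.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

# Group-membership helper. Squid hands it the authenticated login (%LOGIN)
# followed by the group names listed on the acl line, one request per line,
# and the helper answers "OK" or "ERR". With -d the helper prints its debug
# trace to stderr, which Squid collects in cache.log, not access.log.
# ttl/negative_ttl (assumed values) cache the answer so winbind is not asked
# on every request.
external_acl_type testForNTGroup ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/wbinfo_group.pl -d

acl auth proxy_auth REQUIRED
acl badurls url_regex "/data/squid/badurls.txt"
acl AllowedClients srcdom_regex -i "/data/squid/allowed_clients.txt"
acl inGroupX external testForNTGroup obmg

# Order matters. Listing "auth" before "inGroupX" forces the NTLM login first,
# so %LOGIN is populated when the external helper is consulted.
http_access allow auth AllowedClients
http_access allow auth inGroupX
http_access deny badurls
http_access allow auth
http_access deny all
```

The helper can be exercised by hand before Squid is involved: `echo "rog obmg" | /usr/lib/squid/wbinfo_group.pl -d` should print `OK` or `ERR` on stdout with the same debug trace Georg saw on stderr. The trace in the thread ("Could not convert sid ... to gid", "GID: --") is the helper's SID-to-GID step failing for the group before any membership comparison is made, so checking that `wbinfo -n obmg` resolves the group to a SID and that `wbinfo -Y <that SID>` returns a gid (assumed to be the winbind calls behind that step) narrows down whether the problem is the user's membership or the winbind idmap on the proxy.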