Hi there! I set up SquidNT on a Windows 2000 Server, works fine though. I just got a little problem regarding authentication of domain groups via Squid. The scenery: We got four domains: STADT-NW (where the proxy is in, Windows NT4 Domain) VHS-NW (trusted domain, bidirectional, Windows 2003 Server, ADS) TKS-NW (trusted domain, bidirectional, Windows 2003 Server, ADS) WBGDOM01 (trusted domain, bidirectional, Windows 2000 Server SP3, ADS) I check groups via the win23_check_group helper delivered with Squid using the following config: external_acl_type NT_global_group %LOGIN c:/squid/libexec/win32_check_group.exe -G auth_param ntlm program c:/squid/libexec/win32_ntlm_auth.exe auth_param ntlm children 30 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes auth_param ntlm use_ntlm_negotiate off acl WWW external NT_global_group WWW acl admins external NT_global_group Domänen-Admins acl password proxy_auth REQUIRED http_access allow password WWW http_access allow password admins http_access deny password !WWW !admins So two groups got access to the Internet: Domänen-Admins (domain admins) and the WWW group. That works so far... for three of the four domains. If I try internet access via proxy with a user from STADT-NW, TKS-NW or VHS-NW, it works perfectly. But when trying a user from WBGDOM01, it won't work, Squid returns an Access Denied Page. I tried using the helper from the command line, using domain\\user and group as parameters, and it works. The helper returns an OK in that case. But when looking at the cache.log file when trying to access Squid via browser with that user, I see the following error message: /win32_check_group.exe NetUserGetGroups() failed.' Anyone can help me with that? I don't think it's a problem with the helper, for he works in command line mode though. Regards, Jens Altrock Diplom-Ingenieur (BA) Stadtverwaltung Neustadt an der Weinstraße EDV und Organisation Marktplatz 1 67433 Neustadt an der Weinstraße Tel. +49 6321 855 330 Fax +49 6321 855 7330 mailto:jens.altrock@xxxxxxxxxxx http://www.neustadt-weinstrasse.de ########################################### Diese Nachricht wurde von F-Secure Anti-Virus gescannt. This message has been scanned by F-Secure Anti-Virus.
