One more thing: I tried again with the helper in command line, and now even there the authentication doesn't work. Debug mode returns:

/win32_check_group.exe[1292]: Got 'wbgdom01\\testedv WWW' from Squid (length: 21).
/win32_check_group.exe[1292]: Valid_Global_Groups: checking group membership of 'wbgdom01\testedv'.
/win32_check_group.exe[1292]: Using '\\NWSH1-PDC' as DC for 'stadt-nw' local domain.
/win32_check_group.exe[1292]: Using '\\WBGSRV1' as DC for 'wbgdom01' user's domain.
/win32_check_group.exe NetUserGetGroups() failed.'
/win32_check_group.exe[1292]: Got 'wbgdom01\\testedv Domänen-Admins' from Squid (length: 32).
/win32_check_group.exe[1292]: Valid_Global_Groups: checking group membership of 'wbgdom01\testedv'.
/win32_check_group.exe[1292]: Using '\\NWSH1-PDC' as DC for 'stadt-nw' local domain.
/win32_check_group.exe[1292]: Using '\\WBGSRV1' as DC for 'wbgdom01' user's domain.
/win32_check_group.exe NetUserGetGroups() failed.'

> -----Original Message-----
> From: Altrock, Jens [mailto:Jens.Altrock@xxxxxxxxxxx]
> Sent: Thursday, 24 March 2005 14:04
> To: 'squid-users@xxxxxxxxxxxxxxx'
> Subject: AW: [squid-users] SquidNT - Authentication of groups only works partly
>
> Domain is in mixed mode though.
> I added the domain users to the Pre-Windows 2000 compatible access group,
> but that helped nothing though...
>
> -----Original Message-----
> From: Guido Serassio [mailto:guido.serassio@xxxxxxxxxxxxxxxxx]
> Sent: Thursday, 24 March 2005 13:25
> To: Altrock, Jens; squid-users@xxxxxxxxxxxxxxx
> Subject: RE: [squid-users] SquidNT - Authentication of groups only works partly
>
> Hi,
>
> Look if on the WBGDOM01 domain the "Pre-Windows 2000 compatible access" is
> enabled.
>
> The configuration should be fine.
>
> Regards
>
> Guido
>
> -
> ========================================================
> Guido Serassio
> Acme Consulting S.r.l. - Microsoft Certified Partner
> Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135 Fax. : +39.011.9781115
> Email: guido.serassio@xxxxxxxxxxxxxxxxx
> WWW: http://www.acmeconsulting.it/
>
> -----Original Message-----
> From: Altrock, Jens [mailto:Jens.Altrock@xxxxxxxxxxx]
> Sent: Thu 3/24/2005 11:07 AM
> To: 'squid-users@xxxxxxxxxxxxxxx'
> Subject: [squid-users] SquidNT - Authentication of groups only works partly
>
> Hi there!
>
> I set up SquidNT on a Windows 2000 Server, works fine though. I just got a
> little problem regarding authentication of domain groups via Squid.
>
> The scenery:
> We got four domains:
> STADT-NW (where the proxy is in, Windows NT4 Domain)
> VHS-NW (trusted domain, bidirectional, Windows 2003 Server, ADS)
> TKS-NW (trusted domain, bidirectional, Windows 2003 Server, ADS)
> WBGDOM01 (trusted domain, bidirectional, Windows 2000 Server SP3, ADS)
>
> I check groups via the win32_check_group helper delivered with Squid using
> the following config:
>
> external_acl_type NT_global_group %LOGIN c:/squid/libexec/win32_check_group.exe -G
> auth_param ntlm program c:/squid/libexec/win32_ntlm_auth.exe
> auth_param ntlm children 30
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm use_ntlm_negotiate off
>
> acl WWW external NT_global_group WWW
> acl admins external NT_global_group Domänen-Admins
> acl password proxy_auth REQUIRED
>
> http_access allow password WWW
> http_access allow password admins
> http_access deny password !WWW !admins
>
> So two groups got access to the Internet: Domänen-Admins (domain admins) and
> the WWW group.
> That works so far... for three of the four domains. If I try internet access
> via proxy with a user from STADT-NW, TKS-NW or VHS-NW, it works perfectly.
> But when trying a user from WBGDOM01, it won't work, Squid returns an Access
> Denied Page.
>
> I tried using the helper from the command line, using domain\\user and group
> as parameters, and it works. The helper returns an OK in that case.
> But when looking at the cache.log file when trying to access Squid via
> browser with that user, I see the following error message:
>
> /win32_check_group.exe NetUserGetGroups() failed.'
>
> Anyone can help me with that? I don't think it's a problem with the helper,
> for he works in command line mode though.
>
> Regards,
>
> Jens Altrock
> Diplom-Ingenieur (BA)
> Stadtverwaltung Neustadt an der Weinstraße
> EDV und Organisation
> Marktplatz 1
> 67433 Neustadt an der Weinstraße
>
> Tel. +49 6321 855 330
> Fax +49 6321 855 7330
> mailto:jens.altrock@xxxxxxxxxxx
> http://www.neustadt-weinstrasse.de
>
> ###########################################
> This message has been scanned by F-Secure Anti-Virus.
> ###########################################
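
A triage sketch for the helper debug output quoted in this thread, added here as an example (it is not part of the original messages and not Squid's or the helper's own code): it groups the log lines per request and counts failed group lookups per user domain and DC. The regular expressions assume the line formats shown in the message above; other helper versions may log differently.

```python
import re
from collections import Counter

# Debug lines copied from the message above (one request per "Got ..." line).
SAMPLE_LOG = r"""
/win32_check_group.exe[1292]: Got 'wbgdom01\\testedv WWW' from Squid (length: 21).
/win32_check_group.exe[1292]: Valid_Global_Groups: checking group membership of 'wbgdom01\testedv'.
/win32_check_group.exe[1292]: Using '\\NWSH1-PDC' as DC for 'stadt-nw' local domain.
/win32_check_group.exe[1292]: Using '\\WBGSRV1' as DC for 'wbgdom01' user's domain.
/win32_check_group.exe NetUserGetGroups() failed.'
/win32_check_group.exe[1292]: Got 'wbgdom01\\testedv Domänen-Admins' from Squid (length: 32).
/win32_check_group.exe[1292]: Valid_Global_Groups: checking group membership of 'wbgdom01\testedv'.
/win32_check_group.exe[1292]: Using '\\NWSH1-PDC' as DC for 'stadt-nw' local domain.
/win32_check_group.exe[1292]: Using '\\WBGSRV1' as DC for 'wbgdom01' user's domain.
/win32_check_group.exe NetUserGetGroups() failed.'
"""

# Assumed line formats, taken from the sample above.
GOT = re.compile(r"Got '(?P<dom>[^\\']+)\\+(?P<user>\S+) (?P<group>.+)' from Squid")
DC = re.compile(r"Using '(?P<dc>[^']+)' as DC for '(?P<dom>[^']+)' user's domain")
FAIL = re.compile(r"(?P<api>\w+)\(\) failed")

def parse_requests(log):
    """Return one dict per helper request, in log order."""
    requests = []
    for line in log.splitlines():
        if m := GOT.search(line):
            requests.append({"domain": m["dom"].upper(), "user": m["user"],
                             "group": m["group"], "dc": None, "failed_call": None})
        elif not requests:
            continue  # ignore anything logged before the first request
        elif m := DC.search(line):
            requests[-1]["dc"] = m["dc"]  # DC queried for the user's domain
        elif m := FAIL.search(line):
            requests[-1]["failed_call"] = m["api"]  # failure belongs to last request
    return requests

def failures_by_domain(requests):
    """Count failed lookups per (user domain, DC, failing API call)."""
    return Counter((r["domain"], r["dc"], r["failed_call"])
                   for r in requests if r["failed_call"])

if __name__ == "__main__":
    for key, count in failures_by_domain(parse_requests(SAMPLE_LOG)).items():
        print(count, *key)
```

Run over a full cache.log, the per-domain counts show whether the failures are confined to one trusted domain and its DC, as the thread describes for WBGDOM01.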