Winbind group membership authentication

Hi,

I'm new to the list so I hope I'm not asking one of those questions that gets asked ten times a week :)

I'm running Squid 2.5 Stable with Samba 3.03 on Fedora core 2.

I set it up by reading the NTLM/winbind sections in the FAQ, which also roughly corresponds with some other people's squid.conf files I googled.

Winbind is working, ntlm_auth tests OK and NTLM authentication via IE works fine for domain users (2K AD). But of course, I want to authenticate based on group membership not just plain domain membership. wbinfo_group.pl seems to be working - I can manually feed it usernames or 'domain+username' and groupnames and get the correct responses.

Fine so far.... but when squid speaks to wbinfo_group.pl the script only sees the domain name and the group to be queried, not the username (according to its debug output). Hence it always returns ERR.

I've tried setting the winbind separator to '+' but this doesn't seem to have made a difference. To be honest I've only been using Linux for a few months so this has all taken me quite a while and I'm running out of time I can spend on this - I'm hoping someone out there can suggest something.

Relevant squid.conf lines:

auth_param ntlm program /usr/lib/squid/ntlm_auth ssl\\server
auth_param ntlm children 2
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/lib/squid/ntlm_auth ssl\\server
auth_param basic children 2
auth_param basic realm Workbench testbox
auth_param basic credentialsttl 2 hours

<....>

external_acl_type nt_group ttl=60 concurrency=2 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl all src 0.0.0.0/0.0.0.0
acl benches src 10.1.1.0/24
acl lan src 192.17.90.0/24

<...>

acl domainusers proxy_auth REQUIRED
acl groupmembers external nt_group ProxyAccess
#  TAG: http_access

#http_access allow ncsa_users
http_access allow benches
#http_access allow lan
#http_access allow localhost
#http_access allow authenticated
http_access allow domainusers groupmembers
http_access deny all


Cache.log debug output from wbinfo_group.pl:
(ssl is the domain name, not the user name - hence the ERR)

Got ssl ProxyAccess from squid
User:  -ssl-
Group: -ProxyAccess-
SID:   -S-1-5-21-1343024091-2111687655-854245398-1124 Domain Group (2)-
GID:   -10002-
Sending ERR to squid


Thanks for reading,

Neil
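Added illustration (not code from the post, from Squid or from Samba) of what a helper defined as nt_group above receives on stdin and must answer: one request line per lookup carrying the %LOGIN value and the group names from the acl line, prefixed by a channel id when concurrency= is set, and a reply of OK or ERR. The winbind lookup is replaced by a constructed in-memory table (FAKE_WINBIND), and the domain/user separators tried are assumed to be the usual winbind separator characters.

```python
import sys
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for winbind, lower-cased: domain -> user -> groups.
# A real helper (wbinfo_group.pl) asks wbinfo for the user's groups instead.
FAKE_WINBIND: Dict[str, Dict[str, Set[str]]] = {
    "ssl": {"neil": {"domain users", "proxyaccess"},
            "guest": {"domain users"}},
}

def split_login(login: str, separators: str = "\\+/") -> Tuple[Optional[str], str]:
    """Split 'DOMAIN<sep>user' on the winbind separator; no separator -> no domain."""
    for sep in separators:
        if sep in login:
            domain, user = login.split(sep, 1)
            return domain.lower(), user.lower()
    return None, login.lower()

def is_member(login: str, group: str) -> bool:
    """True if the login belongs to group (searching every domain when none was given)."""
    domain, user = split_login(login)
    domains = [domain] if domain is not None else list(FAKE_WINBIND)
    for d in domains:
        groups = FAKE_WINBIND.get(d, {}).get(user)
        if groups is not None:
            return group.lower() in groups
    return False  # unknown user; a bare domain name such as 'ssl' lands here too

def handle_request(line: str, concurrent: bool) -> str:
    """Turn one request line from Squid into the reply line Squid expects."""
    fields = line.split()
    channel: Optional[str] = None
    if concurrent and fields:          # concurrency=N: leading channel id to echo back
        channel, fields = fields[0], fields[1:]
    if len(fields) < 2:                # need %LOGIN plus at least one group name
        answer = "ERR"
    else:
        login, groups = fields[0], fields[1:]
        answer = "OK" if any(is_member(login, g) for g in groups) else "ERR"
    return answer if channel is None else f"{channel} {answer}"

def serve(concurrent: bool = False) -> None:
    """Helper main loop: one reply per line, flushed so Squid is never left waiting."""
    for line in sys.stdin:
        sys.stdout.write(handle_request(line, concurrent) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    serve(concurrent="--concurrent" in sys.argv[1:])
```

Feeding it the line from the cache.log above ("ssl ProxyAccess") yields ERR for the same reason the real helper gave it: the only token before the group name is the domain, which winbind does not know as a user.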