On Fri, Feb 23, 2007, David Whitehead wrote:

> Sort of new to mailing lists but here goes...
>
> Been using Squid for two years to regulate corporate web access based on
> Active Directory group membership.
> Up until Monday (after a portupgrade on FreeBSD 6.1) it's been working
> PERFECTLY. Samba and winbindd have been working flawlessly. The current
> squid.conf is as follows (Any clues as to what's wrong would be MOST
> helpful as I've been pulling my hair out over this for five days now):

Ignoring the fact it could be your config, you haven't given enough
information as to how it does/doesn't work.

The first thing to try is 'wbinfo -t' and see if your Winbind is able to
successfully communicate to the AD.

The next thing to try is 'wbinfo -u' and 'wbinfo -g' to see whether your
Winbind has access to the user/group lists.

The next thing is to check for permissions. I know the latest
Winbind/Samba combo is even more anal about the permissions of the
winbindd_privileged directory (holding the UNIX socket which winbindd
listens on) and this might interfere with stuff. Make sure Squid runs in
the right group too. You're running Squid as squid:squid which I know
won't work out of the box with Ubuntu and its samba/winbind - Winbind
really wants that pipe directory to be chown root:root, chmod 750 and woe
be if you change it. I have to run squid as squid:root to get it to work
right.

Next would be the contents of your cache.log - what are the ntlm_auth
helpers logging?

Adrian

> # MONITOR Squid
>
> hierarchy_stoplist cgi-bin ?
>
> http_port 3128
>
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> cache_dir ufs /usr/local/etc/squid/cache 10000 10 10
>
> cache_access_log /usr/local/etc/squid/log/access.log
>
> cache_store_log /usr/local/etc/squid/log/store.log
>
> pid_filename /usr/local/etc/squid/log/squid.pid
>
> debug_options ALL,1
>
> redirect_children 5
>
> auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> # auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> # auth_param ntlm max_challenge_reuses 0
> # auth_param ntlm max_challenge_lifetime 2 minute
> # external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/local/libexec/squid/wbinfo_group.pl
>
> # TEST
> external_acl_type nt_group ttl=0 children=20 %LOGIN /usr/local/libexec/squid/wbinfo_group.pl
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl AuthorizedUsers proxy_auth REQUIRED
> acl regularusers external nt_group Browser-Users
> acl allowedurls dstdomain "/usr/local/etc/squid/restrictedusers_allowedurls"
> acl restrictedusers external nt_group Restricted-Browser-Use
> acl ALWIZARD dst 65.163.6.109-65.163.6.109/255.255.255.255 65.163.6.110-65.163.6.110/255.255.255.255
> acl blockurls dstdomain "/usr/local/etc/squid/blockurls"
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow regularusers
> http_access deny !SSL_ports !Safe_ports !CONNECT !ALWIZARD
> http_access deny all
>
> http_reply_access allow all
>
> icp_access allow manager localhost AuthorizedUsers regularusers restrictedusers
>
> cache_effective_user squid
>
> cache_effective_group squid
>
> coredump_dir /usr/local/etc/squid/cache
>
> # redirect_program /usr/local/libexec/squid_redirect

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
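The checklist in the reply above (wbinfo probes, then the winbindd_privileged permissions against the account Squid runs as) as a script. This is an added example, not code from the thread; the winbindd_privileged path and the Squid account name are assumptions passed in as arguments, and the permission decision is kept in a pure helper so the root:root 750 case can be reasoned about without touching a live host.

```sh
#!/bin/sh
# Added example, not from the thread: Adrian's checklist as a script.
# 1. wbinfo -t / -u / -g: does winbindd reach the AD and see users/groups?
# 2. Can the account Squid runs as (cache_effective_user/group) traverse the
#    winbindd_privileged directory? It must stay root:root 750, so the fix is
#    to put the Squid account in that group, not to chmod the directory.

# Pure helper: can USER, a member of GROUPS (space separated), traverse a
# directory owned by OWNER:OGROUP with octal MODE (750 or 0750)?
# Returns 0 when the search (x) bit that applies to USER is set, else 1.
can_traverse_dir() {
  user=$1 groups=$2 owner=$3 ogroup=$4 mode=$5
  m3=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')   # last three digits
  o=${m3%??}; g=${m3#?}; g=${g%?}; w=${m3#??}          # owner/group/other
  case " $groups " in
    *" $ogroup "*) in_group=1 ;;
    *) in_group=0 ;;
  esac
  if [ "$user" = "$owner" ]; then d=$o       # owner bits win, as in the kernel
  elif [ "$in_group" = 1 ]; then d=$g
  else d=$w
  fi
  [ $((d & 1)) -eq 1 ]
}

# Live check on a real host. DIR is the winbindd_privileged directory
# (assumed path, it varies by Samba build) and SQUID_USER the
# cache_effective_user. Tries FreeBSD stat first, then GNU stat.
check_winbind_pipe() {
  dir=$1 squid_user=$2
  for probe in -t -u -g; do
    if wbinfo "$probe" >/dev/null 2>&1; then echo "wbinfo $probe: ok"
    else echo "wbinfo $probe: FAILED (winbindd or AD trust problem)"
    fi
  done
  if stat -f '%Su %Sg %OLp' "$dir" >/dev/null 2>&1; then
    set -- $(stat -f '%Su %Sg %OLp' "$dir")
  else
    set -- $(stat -c '%U %G %a' "$dir")
  fi
  if can_traverse_dir "$squid_user" "$(id -Gn "$squid_user")" "$1" "$2" "$3"; then
    echo "$squid_user can reach $dir ($1:$2 $3)"
  else
    echo "$squid_user cannot reach $dir ($1:$2 $3): set cache_effective_group $2"
  fi
}
```

On the poster's box this would be invoked as `check_winbind_pipe <winbindd_privileged dir> squid`; with the directory at root:root 750 and cache_effective_group squid, the helper reports that squid cannot reach it, which is the squid:root change the reply describes.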