Yeah, I'm quite sure that it's in my config... I just can't seem to figure out what needs to be changed. The config I listed has been in use for quite some time and had been working perfectly.

The first thing that had to be changed after the "upgrade" of course were the two lines:

# auth_param ntlm max_challenge_reuses 0
# auth_param ntlm max_challenge_lifetime 2 minute

Which of course had to be 'banged out' according to the release notes. Failure to do so prevented Squid from starting altogether.

Sorry about that... When I say "not working" I mean that it was set up to only allow members of the (Active Directory) domain group "Browser-Users" access to the web outside the corporate network. Members of the (Active Directory) domain group "Restricted-Browser-Use" could only get to web sites specified within an "acceptable sites" file on the proxy server. All was well for two years.

wbinfo -t comes back with "checking the trust secret via RPC calls succeeded"
wbinfo -u comes back with all users on the Windows domain
wbinfo -g comes back with all groups on the Windows domain.

/usr/local/squid/logs/cache.log is now showing this error:

Could not convert sid S-1-5-21-466765145-1792897056-1845911597-1995 to gid

for every user that opens a browser (the SID of course is different for each user).

(And forgive me for not being familiar with mailing list etiquette... This is sort of a last-ditch effort on my part to get this thing figured out. I normally use forums rather than mailing lists. :) )

-----Original Message-----
From: Adrian Chadd [mailto:adrian@xxxxxxxxxxxxxxx]
Sent: Friday, February 23, 2007 1:45 PM
To: David Whitehead
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Squid 2.6.9 ntlm_auth AD Group checking no longer works.

On Fri, Feb 23, 2007, David Whitehead wrote:
>
> Sort of new to mailing lists but here goes...
>
> Been using Squid for two years to regulate corporate web access based
> on Active Directory group membership. Up until Monday (after a
> portupgrade on FreeBSD 6.1) it's been working PERFECTLY. Samba and
> winbindd have been working flawlessly. The current squid.conf is as
> follows (Any clues as to what's wrong would be MOST helpful as I've
> been pulling my hair out over this for five days now):

Ignoring the fact it could be your config, you haven't given enough information as to how it does/doesn't work.

The first thing to try is 'wbinfo -t' and see if your Winbind is able to successfully communicate to the AD.

The next thing to try is 'wbinfo -u' and 'wbinfo -g' to see whether your Winbind has access to the user/group lists.

The next thing is to check for permissions. I know the latest Winbind/Samba combo is even more anal about the permissions of the winbindd_privileged directory (holding the UNIX socket which winbindd listens on) and this might interfere with stuff. Make sure Squid runs in the right group too. You're running Squid as squid:squid which I know won't work out of the box with Ubuntu and its samba/winbind - Winbind really wants that pipe directory to be chown root:root, chmod 750 and woe be if you change it. I have to run squid as squid:root to get it to work right.

Next would be the contents of your cache.log - what are the ntlm_auth helpers logging?

Adrian

> # MONITOR Squid
>
> hierarchy_stoplist cgi-bin ?
>
> http_port 3128
>
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> cache_dir ufs /usr/local/etc/squid/cache 10000 10 10
>
> cache_access_log /usr/local/etc/squid/log/access.log
>
> cache_store_log /usr/local/etc/squid/log/store.log
>
> pid_filename /usr/local/etc/squid/log/squid.pid
>
> debug_options ALL,1
>
> redirect_children 5
>
> auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> # auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> # auth_param ntlm max_challenge_reuses 0
> # auth_param ntlm max_challenge_lifetime 2 minute
> # external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/local/libexec/squid/wbinfo_group.pl
>
> # TEST
> external_acl_type nt_group ttl=0 children=20 %LOGIN /usr/local/libexec/squid/wbinfo_group.pl
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl AuthorizedUsers proxy_auth REQUIRED
> acl regularusers external nt_group Browser-Users
> acl allowedurls dstdomain "/usr/local/etc/squid/restrictedusers_allowedurls"
> acl restrictedusers external nt_group Restricted-Browser-Use
> acl ALWIZARD dst 65.163.6.109-65.163.6.109/255.255.255.255 65.163.6.110-65.163.6.110/255.255.255.255
> acl blockurls dstdomain "/usr/local/etc/squid/blockurls"
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow regularusers
> http_access deny !SSL_ports !Safe_ports !CONNECT !ALWIZARD
> http_access deny all
>
> http_reply_access allow all
>
> icp_access allow manager localhost AuthorizedUsers regularusers restrictedusers
>
> cache_effective_user squid
>
> cache_effective_group squid
>
> coredump_dir /usr/local/etc/squid/cache
>
> # redirect_program /usr/local/libexec/squid_redirect

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
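The checks Adrian lists (wbinfo -t/-u/-g, the permissions on the winbindd_privileged pipe directory versus Squid's effective group, and what the helpers are writing to cache.log) are a procedure, so here they are as one script. This is an added example, not code from the thread, from Squid or from Samba. It uses the cache.log path and the squid:squid user/group from the thread; the PRIV_DIR default is an assumption (the FreeBSD Samba port's location in 2007) and should be set to wherever your winbindd actually creates winbindd_privileged. The last step repeats by hand the three wbinfo calls that the wbinfo_group.pl helper shipped with Squid makes for a "user group" lookup (group name to SID with -n, SID to gid with -Y, user's gid list with -r); wbinfo -Y is the call that prints "Could not convert sid ... to gid" when the SID-to-gid mapping fails, and since the helper runs as a Squid child its stderr ends up in cache.log. The sample cache.log lines in sample_cache_log are constructed for testing, not taken from the poster's server.

```sh
#!/bin/sh
# Added diagnostic script (not from the thread): walks the chain
# Squid -> wbinfo_group.pl -> wbinfo -> winbindd that the nt_group ACL
# depends on.  Run it on the proxy host as root: sh check_ntgroup.sh run [user [group]]

CACHE_LOG="${CACHE_LOG:-/usr/local/squid/logs/cache.log}"        # from the thread
PRIV_DIR="${PRIV_DIR:-/var/db/samba/winbindd_privileged}"        # ASSUMED path; adjust
SQUID_GROUP="${SQUID_GROUP:-squid}"                               # cache_effective_group

# Step 1: can winbindd reach the DC and enumerate users and groups?
winbind_checks() {
    wbinfo -t >/dev/null 2>&1 || { echo "FAIL: wbinfo -t (trust secret)"; return 1; }
    [ $(wbinfo -u 2>/dev/null | wc -l) -gt 0 ] || { echo "FAIL: wbinfo -u lists no users"; return 1; }
    [ $(wbinfo -g 2>/dev/null | wc -l) -gt 0 ] || { echo "FAIL: wbinfo -g lists no groups"; return 1; }
    echo "OK: winbindd trust, user and group enumeration"
}

# Step 2: the winbindd_privileged directory must be traversable by Squid's
# effective group.  Arguments: directory, group name.  Parses `ls -ld`
# (portable across FreeBSD and Linux).  Returns 0 only when the directory's
# group equals the wanted group and that group has r+x on it.
priv_dir_check() {
    dir=$1; want_group=$2
    out=$(ls -ld "$dir" 2>/dev/null) || { echo "FAIL: cannot stat $dir"; return 1; }
    set -- $out                      # mode links owner group size ...
    mode=$1; have_group=$4
    case "$mode" in
        d???r?[xs]*) ;;              # group triple is chars 5-7 of the mode string
        *) echo "FAIL: $dir mode $mode gives its group no r+x"; return 1 ;;
    esac
    if [ "$have_group" != "$want_group" ]; then
        echo "FAIL: $dir is group '$have_group' but Squid runs as group '$want_group'"
        return 1
    fi
    echo "OK: $dir is group '$have_group', mode $mode"
}

# Step 3: what the helpers logged.  Count the SID-to-gid failures and list
# the distinct SIDs, so you can see whether it is every user or only some.
sid_to_gid_failures() {
    grep -c 'Could not convert sid S-[0-9-]* to gid' "$1"
}
failing_sids() {
    sed -n 's/.*Could not convert sid \(S-[0-9-]*\) to gid.*/\1/p' "$1" | sort -u
}

# Constructed sample log (not the poster's real cache.log) written to $1,
# so steps 3's functions can be exercised offline.
sample_cache_log() {
    printf '%s\n' \
      '2007/02/26 09:12:01| Could not convert sid S-1-5-21-466765145-1792897056-1845911597-1995 to gid' \
      '2007/02/26 09:12:03| Could not convert sid S-1-5-21-466765145-1792897056-1845911597-2210 to gid' \
      '2007/02/26 09:12:03| Could not convert sid S-1-5-21-466765145-1792897056-1845911597-1995 to gid' \
      '2007/02/26 09:12:04| helperOpenServers: Starting 20 nt_group processes' > "$1"
}

# Step 4: the helper's lookup by hand.  Run this as Squid's effective user
# (su -m squid -c '...') so it hits the same winbindd pipe permissions the
# helper does.  Arguments: user, group.
group_check() {
    user=$1; group=$2
    sid=$(wbinfo -n "$group" | cut -d' ' -f1) || { echo "ERR: no SID for group $group"; return 1; }
    gid=$(wbinfo -Y "$sid") || { echo "ERR: SID->gid failed for $group ($sid)"; return 1; }
    if wbinfo -r "$user" | grep -qx "$gid"; then
        echo "OK: $user is in $group (gid $gid)"
    else
        echo "ERR: $user is not in $group (gid $gid)"; return 1
    fi
}

if [ "${1:-}" = "run" ]; then
    winbind_checks
    priv_dir_check "$PRIV_DIR" "$SQUID_GROUP"
    echo "SID->gid failures in $CACHE_LOG: $(sid_to_gid_failures "$CACHE_LOG")"
    failing_sids "$CACHE_LOG"
    if [ -n "${2:-}" ]; then group_check "$2" "${3:-Browser-Users}"; fi
fi
```

If step 2 fails, the fix Adrian describes is to leave the directory root:root 750 and instead run Squid with an effective group that can traverse it (he uses squid:root); if steps 1 and 2 pass but step 4 fails at wbinfo -Y, the problem is on the winbind side of the SID-to-gid mapping rather than in squid.conf, which is consistent with the cache.log line quoted above.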