Ralf,

I've never used squid_ldap_group. No good reason though, I just started out using wbinfo_group and it worked fine, so I keep on using it to this day. Never configured Kerberos either, so...

Here are the acls and rules I use (sure there are the auth_param before those):

external_acl_type NT_global_group children=10 %LOGIN /usr/local/libexec/squid/wbinfo_group.pl
acl autentica_user-proxyauth proxy_auth REQUIRED
acl autentica_grupo-external external NT_global_group internet
http_access allow autentica_user-proxyauth autentica_grupo-external

Try this and tell me if you have difficulties with Samba configuration and we'll work something out if necessary (although there's plenty of howtos about it).

Regards,

Isnard

On Tue, 2007-11-27 at 15:09 +0100, Lutz, Ralf wrote:
> Isnard, Thank you for your tip.
>
> I changed the entry in squid.conf and the cache worked, but there are similar entries in the cache.log.
>
> But maybe I'm on the wrong way. Let me explain:
>
> We want to give Internet Access to users that are member of a Windows AD group. Isn't it easier to use squid_ldap_group?
>
> Regards, Ralf
>
>
> -----Original Message-----
> From: Isnard Jaquet [mailto:isnardjunior@xxxxxxxxx]
> Sent: Tuesday, 27 November 2007 14:05
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: AW: Authentication on Active Directory
>
> Ralf,
>
> Squid 2.6 has changed external_acl_type parameter from concurrency to
> children, so try changing it to:
>
> external_acl_type www_group ttl=0 children=5 %LOGIN /usr/lib/squid/squid_unix_group -g www
> external_acl_type ebay_group ttl=0 children=5 %LOGIN /usr/lib/squid/squid_unix_group -g Ebay
>
> Regards,
>
> Isnard
>
> On Tue, 2007-11-27 at 12:31 +0100, Ralf.Lutz@xxxxxxxxxxxxx wrote:
> > @Adrian: Thank you for your fast answer. Maybe you can help me a bit with the configuration with Kerberos?
> >
> > Most steps are working on my system:
> >
> > - I have a Kerberos ticket
> > - wbinfo -g shows the groups in the AD
> > - getent -g shows the groups in the AD, too
> >
> > But there's a problem with the squid configuration:
> >
> > I have the following entry in the squid.conf:
> >
> > external_acl_type www_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/squid_unix_group -g www
> > external_acl_type ebay_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/squid_unix_group -g Ebay
> >
> > Users in the two groups www and Ebay should go to the internet. This worked on our "old" proxy with squid 2.5 without Kerberos.
> >
> > If I now start squid and use it as proxy, I get a TCP_DENIED in the access.log and in the cache.log the following entries:
> >
> > helper: Group does not exist 'Lutz'
> > helper: Group does not exist 'X<AB>^D^H<F2><87>^D^H'
> > helper: Group does not exist '<88>^Wοy<97>^D^Hu<B8>v'
> > helper: Group does not exist '<C9><C3>'
> > helper: Group does not exist '<9C><8D><87>'
> > helper: Group does not exist '<A0>6z'
> > helper: Group does not exist '<E8>^Wο<EC>]u'
> > helper: Group does not exist '<8D><83><E8><FE><FF><FF><89>E<F0><8D><83><E8><FE><FF><FF>)E<F0><C1>}<F0>^B<8B>U
> > <B6>'
> > helper: Group does not exist '<81><C3>^?<D7>^P'
> > helper: Group does not exist '_^\ο<8A>^\ο<9A>^\ο<A5>^\ο<B3>^\ο<D3>^\ο<E6>^\ο<F0>^\ο<B3>^^ο<D6>^^ο<F0>^^ο<FF>
> > ^^ο^T^_ο%^_ο;^_οC^_οP^_ο<81>^_ο<A3>^_ο<B8>^_ο<CA>^_ο'
> > helper: Group does not exist '^C'
> > helper: Group does not exist '<9C><8D><87>'
> > helper: Group does not exist ''
> > helper: Group does not exist 'Lutz'
> > helper: Group does not exist 'X<AB>^D^H<F2><87>^D^H'
> > helper: Group does not exist 'x6<97><BF>y<97>^D^Hu<B8>v'
> > helper: Group does not exist '<C9><C3>'
> > helper: Group does not exist '<9C><8D><87>'
> > helper: Group does not exist '<A0>6z'
> > helper: Group does not exist '<D8>6<97><BF><EC>]u'
> > helper: Group does not
> > e<B6>''<8D><83><E8><FE><FF><FF><89>E<F0><8D><83><E8><FE><FF><FF>)E<F0><C1>}<F0>^B<8B>U
> > helper: Group does not exist '<81><C3>^?<D7>^P'
> > helper: Group does not exist '_L<97><BF><8A>L<97><BF><9A>L<97><BF><A5>L<97><BF><B3>L<97><BF><D3>L<97><BF><E6>
> > L<97><BF><F0>L<97><BF><B3>N<97><BF><D6>N<97><BF><F0>N<97><BF><FF>N<97><BF>^TO<97><BF>%O<97><BF>;O<97><BF>CO
> > <97><BF>PO<97><BF><81>O<97><BF><A3>O<97><BF><B8>O<97><BF><CA>O<97><BF>'
> > helper: Group does not exist '^C'
> > helper: Group does not exist '<9C><8D><87>'
> > helper: Group does not exist ''
> >
> > Have you an idea?
>
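
Added example, not part of the thread and not Squid's or the helper's own code: a simplified Python model of why the concurrency= to children= change discussed above matters for a group helper that handles one request at a time. It assumes the helper takes the first token of each request line as the user and every further token as a group to test; the directory contents and the function names are constructed for illustration.

```python
# Added illustration (not from the thread): a simplified model of how a
# single-request group helper reads Squid's external ACL request lines.

# Constructed sample directory: group name -> members.
DIRECTORY = {"www": {"Lutz"}, "Ebay": set()}


def squid_request(login, concurrency):
    """Build the request line for format '%LOGIN'.

    With concurrency > 0, Squid 2.6 prefixes a channel ID to each request
    and expects the helper to echo it back; 0 means the old protocol.
    """
    return f"0 {login}" if concurrency > 0 else login


def legacy_group_helper(line, cli_groups, directory=DIRECTORY):
    """Hypothetical stand-in for a helper without channel-ID support.

    Assumption: first token is the user, every further token is a group
    to test in addition to the groups given with -g on the command line.
    """
    user, *extra_groups = line.split()
    log = []
    for group in list(cli_groups) + extra_groups:
        if group not in directory:
            log.append(f"helper: Group does not exist '{group}'")
        elif user in directory[group]:
            return "OK", log
    return "ERR", log


if __name__ == "__main__":
    for label, level in (("children=5 (concurrency off)", 0), ("concurrency=5", 5)):
        verdict, log = legacy_group_helper(squid_request("Lutz", level), ["www"])
        print(label, "->", verdict, log)
```

In this model the channel ID is read as the user name and the real login is then looked up as a group, which gives a denial plus a "Group does not exist" line naming the login.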