Hi all,

(Sorry for my bad English.)

I'm setting up SQUID for my work, and I'm having problems with ACLs and LDAP.

We have 3 domains with trust relationships up and working. I have set up SQUID to work as a transparent proxy with NTLM authentication. It's working well with my domain1.local: all users are logged in without being prompted for a login / password.

We have 2 types of users:

- Users who can access everything on the internet
- Users who are restricted to specific websites, based on a whitelist.

This is done with Active Directory groups: if a user belongs to the group Internet_full, he has no restrictions. But if he belongs to Internet_Limited, then he can only access the websites which have been specified in my whitelist file. Squid checks the groups with wbinfo_group.pl.

It's working great with my domain1.local.

The problem I have: the users are authenticated fine on my domain2.local and domain3.local, but the group filter doesn't work: all my users from domain2.local and domain3.local are able to access any website, even if they are members of the Internet_Limited group.

If I do a

    wbinfo -u

I get only my users from domain1.local.

So I have attempted to do a:

    wbinfo -a domain2\\administrator%password

and I get:

    plaintext password authentication succeeded
    challenge/response password authentication succeeded

After that, I tried wbinfo --sequence and it gives me:

    Domain2: DISCONNECTED
    domain3 : DISCONNECTED
    BUILTIN : 1220623949
    SRVPROXY-SQUID : 1220623949
    domaine1 : 817325

I think the problem is here, but I'm not sure, because a user of domain2.local is authenticated fine on my SQUID server, but can't retrieve his groups.

If I run ./wbinfo_group.pl and then type domain1\\Administrator Internet_full, it returns OK (because Administrator is a member of the group Internet_full). If I test the same command with Internet_Limited, it returns ERR (because Administrator isn't a member of Internet_Limited). So it seems to work with my domain1.

But when I try the same command with domain2 or domain3, here is what I get:

    Could not get groups for user domain2\administrator

Here is a sample of my Squid.conf:

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 30
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Squid AD
    auth_param basic credentialsttl 2 hours
    external_acl_type NT_global_group %LOGIN /usr/lib/squid/wbinfo_group.pl
    #Recommended minimum configuration:
    [...]
    acl CONNECT method CONNECT
    acl ntlm proxy_auth REQUIRED
    acl Full_Access external NT_global_group internet_full
    acl Limited_Access external NT_global_group internet_limited
    acl whitelist dstdomain "/whitelist"
    acl localnet proxy_auth REQUIRED src 10.0.0.0/8
    http_access allow Full_Access
    http_access allow whitelist Limited_Access
    # And finally deny all other access to this proxy
    http_access deny all

I repeat that although the group filters do not work for the other 2 domains, authentication works great on all 3 domains!

Hope you can help me :)

Thanks in advance!
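
A check for the symptom shown in the post above, as an added example that is not part of the original message: it reads `wbinfo --sequence` output and reports whether a login's domain is listed as DISCONNECTED, the state the post shows for the two domains whose group lookups fail. The function names, return codes and sample logins are assumptions of this example; the sample output is copied from the post.

```shell
#!/bin/sh
# Constructed sample: the `wbinfo --sequence` output quoted in the post.
SAMPLE_SEQUENCE='Domain2: DISCONNECTED
domain3 : DISCONNECTED
BUILTIN : 1220623949
SRVPROXY-SQUID : 1220623949
domaine1 : 817325'

# Read `wbinfo --sequence` output on stdin and print, lowercased and one per
# line, every domain reported as DISCONNECTED. Accepts "name:" and "name :".
disconnected_domains() {
    awk -F':' '
        {
            name = $1; state = $2
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", state)
            if (state == "DISCONNECTED") print tolower(name)
        }'
}

# group_lookup_possible LOGIN SEQUENCE_OUTPUT   (hypothetical helper)
# Returns 0 if the login's domain is listed with a sequence number,
#         1 if it is listed as DISCONNECTED,
#         2 if the domain is not listed or LOGIN has no DOMAIN\ prefix.
group_lookup_possible() {
    who=$1; seq_out=$2
    case $who in
        *\\*) ;;              # login contains a backslash: DOMAIN\user
        *) return 2 ;;
    esac
    # Keep the part before the first backslash, compare case-insensitively.
    domain=$(printf '%s\n' "$who" | sed 's/\\.*//' | tr '[:upper:]' '[:lower:]')
    if printf '%s\n' "$seq_out" | disconnected_domains | grep -qxF -- "$domain"; then
        return 1
    fi
    printf '%s\n' "$seq_out" | awk -F':' -v d="$domain" '
        { n = $1; gsub(/^[ \t]+|[ \t]+$/, "", n); if (tolower(n) == d) found = 1 }
        END { exit (found ? 0 : 2) }'
}

# Demo with constructed logins (domain names spelled as in the sample output).
for login in 'domaine1\Administrator' 'domain2\administrator' 'domain3\user1'; do
    rc=0
    group_lookup_possible "$login" "$SAMPLE_SEQUENCE" || rc=$?
    printf '%s -> %s\n' "$login" "$rc"
done
```

On a live proxy, pass `"$(wbinfo --sequence)"` as the second argument instead of the embedded sample.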