Hi,
when trying to set up NTLM authentication against an AD controller I ran
into an issue with testing against Windows group membership.
Here's what works:
- authorizing against the AD controller via winbindd and the ntlm_auth helper
from the samba package, i.e. without group restrictions the authorization works
- testing group membership with wbinfo_group.pl via the command line:
[root@fw libexec]# ./wbinfo_group.pl
DOMAIN+guest DOMAIN+WebEnabled
ERR
DOMAIN+service DOMAIN+WebEnabled
OK
What does not work is letting squid check the group membership.
Here are the relevant conf settings:
external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl -d
acl WebEnabled external nt_group WebEnabled
acl allowed_users proxy_auth REQUIRED
(...)
http_access allow WebEnabled
http_access allow allowed_users
http_access deny all
What happens in cache.log is (wbinfo_group.pl debug is on):
[2008/10/07 18:30:57, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa208b207
[2008/10/07 18:30:57, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
Got user=[guest] domain=[DOMAIN] workstation=[WS1] len1=24 len2=24
[2008/10/07 18:30:57, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
NTLMSSP Sign/Seal - Initialising with flags:
[2008/10/07 18:30:57, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088205
Got 0 guest2 WebEnabled from squid
Could not convert sid S-xxxx to gid
User: -0-
Group: -guest-
SID: -xxxx
GID: --
Could not get groups for user 0
Sending OK to squid
2008/10/07 18:30:58| helperHandleRead: unexpected reply on channel -1 from nt_group #1 'OK'
Why is squid not able to look up the groups if wbinfo on the command line
can? I changed the permissions of the winbindd_privileged directory to
match the squid_effective group.
Any ideas?
Regards,
Jakob
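Added example, not part of the original message: a small model of the external_acl_type request/reply framing with and without the concurrency= option, to make the exchange in the cache.log excerpt above reproducible offline. It assumes squid's concurrent helper protocol (each request line carries a leading channel id that the helper must echo in its reply) and uses a constructed group table in place of winbind; the membership logic is simplified and is not wbinfo_group.pl's own.

```python
"""Model of squid's external_acl_type request/reply framing, with and
without concurrency= (constructed example, not wbinfo_group.pl)."""
import re

# Constructed stand-in for winbind group lookups; not a real domain.
GROUPS = {
    "guest": {"DOMAIN+Domain Users"},
    "service": {"DOMAIN+Domain Users", "DOMAIN+WebEnabled"},
}

def lookup_groups(user):
    return GROUPS.get(user, set())

def is_member(user, wanted):
    member = lookup_groups(user)
    return any(g in member or f"DOMAIN+{g}" in member for g in wanted)

def squid_request(channel, user, groups, concurrency):
    """Build the line squid writes to the helper for one %LOGIN lookup.
    With concurrency > 1 squid prepends a channel id to every request."""
    fields = [user, *groups]
    if concurrency > 1:
        fields.insert(0, str(channel))
    return " ".join(fields)

def legacy_helper(line):
    """Helper written for the non-concurrent protocol: it takes the first
    field as the user, so with concurrency on it sees user '0' and treats
    the real user name as one of the groups to test."""
    user, *groups = line.split()
    return "OK" if is_member(user, groups) else "ERR"

def concurrent_helper(line):
    """Concurrency-aware helper: strips the channel id and echoes it back."""
    channel, user, *groups = line.split()
    verdict = "OK" if is_member(user, groups) else "ERR"
    return f"{channel} {verdict}"

def squid_parse_reply(reply, concurrency):
    """Return (channel, verdict) as squid would route the reply. With
    concurrency on, a reply without a leading channel id cannot be matched
    to a pending request; modelled here as channel -1, mirroring the
    'unexpected reply on channel -1' message in cache.log."""
    if concurrency <= 1:
        return 0, reply.strip()
    m = re.match(r"^(\d+)\s+(OK|ERR)\b", reply)
    if not m:
        return -1, reply.strip()
    return int(m.group(1)), m.group(2)
```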