I have everything set up as documented, but it's not working. The proxy is joined to the domain, and wbinfo -g/-u gives results. Without the --require-membership-of switch, if I supply a valid domain user's credentials it works. This is running the latest build of 2.7.

The scenario is this:

Reverse proxy sitting on the DMZ
It's a reverse proxy for Microsoft Outlook Web Access
We only want certain users in AD group(s) to access it.

Current config looks like this:

# NTLM Authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="domain\somegroup"
auth_param ntlm children 30

# Basic authentication
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="domain\somegroup "
auth_param basic children 5
auth_param basic realm Outlook Web Access
auth_param basic credentialsttl 2 hours

http_port 80 accel vhost
https_port 443 accel vhost cert=/usr/local/squid/etc/owa/cert.pem key=/usr/local/squid/etc/owa/server.key

acl http_site dstdomain owa.domain.com
acl ssl_site dstdomain owa.domain.com
acl https_site proto HTTPS

cache_peer owa.domain.com parent 443 0 no-query originserver ssl name=owa_ssl sslflags=DONT_VERIFY_PEER
cache_peer_access owa_ssl allow ssl_site https_site

cache_peer 192.168.1.1 parent 80 0 no-query originserver name=owa_http
cache_peer_access owa_http allow http_site

acl all src 0.0.0.0/0.0.0.0
acl OWA_Allowed proxy_auth REQUIRED

http_access allow OWA_Allowed
http_access deny all

-----Original Message-----
From: Joseph L. Casale [mailto:JCasale@xxxxxxxxxxxxxxxxx]
Sent: Tuesday, July 28, 2009 2:05 PM
To: Nick Duda; squid-users@xxxxxxxxxxxxxxx
Subject: RE: proxyauth for certain active directory users

>Sorry for the silly question, I've been using squid to allow access to users
>on a domain, but how can I limit access to users only in a certain security
>group on the domain.

Check the wiki out.
Once they are in a group, you specify group access in the ntlm_auth helper something like this:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE+ADGROUP

The group syntax should correlate to your winbind separator defined in your smb.conf.
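The advice at the end of the thread, that the group name given to --require-membership-of must use the winbind separator from smb.conf, can be checked mechanically before the proxy goes live. The following is an added example, not part of the original messages and not code from Squid or Samba; the function names and both sample files are constructed for illustration, and the whitespace check is an extra assumption about what is worth flagging.

```python
import re

# Constructed sample inputs (not the poster's real files).
SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = ads
   winbind separator = +
"""

SQUID_CONF = r"""
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="EXAMPLE\somegroup"
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=EXAMPLE+somegroup
auth_param basic children 5
"""

def winbind_separator(smb_conf):
    """Return the configured separator; Samba's default is a backslash."""
    m = re.search(r"^\s*winbind\s*separator\s*=\s*(\S)", smb_conf, re.M | re.I)
    return m.group(1) if m else "\\"

def membership_groups(squid_conf):
    """Yield (scheme, group) for each helper line that restricts by group."""
    pat = re.compile(r'--require-membership-of=(?:"([^"]*)"|(\S+))')
    for line in squid_conf.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "auth_param" or parts[2] != "program":
            continue
        m = pat.search(line)
        if m:
            yield parts[1], m.group(1) if m.group(1) is not None else m.group(2)

def lint(squid_conf, smb_conf):
    """Return (scheme, message) findings for group values that look wrong."""
    sep = winbind_separator(smb_conf)
    findings = []
    for scheme, group in membership_groups(squid_conf):
        if group.startswith("S-1-"):
            continue  # a SID does not depend on the separator
        if group != group.strip():
            findings.append((scheme, "whitespace inside group value"))
        if group.count(sep) != 1:
            findings.append((scheme, f"expected DOMAIN{sep}GROUP, got {group!r}"))
    return findings

if __name__ == "__main__":
    for scheme, msg in lint(SQUID_CONF, SMB_CONF):
        print(f"{scheme}: {msg}")
```

On a real host, read the two files from disk and compare the result with what `wbinfo -g` prints, since that output shows group names in the form winbind actually uses.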