Here is some more information:

If I call wbinfo_group (debug) from command line and supply my username (nduda) and a group I am part of (infosec) I get:

# /usr/local/squid/libexec/wbinfo_group.pl -d
Debugging mode ON.
nduda infosec
Got nduda infosec from squid
User: -nduda-
Group: -infosec-
SID: -S-1-5-21-1735149609-2005929907-911163043-7230-
GID: -10000-
Sending ERR to squid
ERR

If I call my username and a group I am not part of (marketing):

nduda marketing
Got nduda marketing from squid
Could not lookup name marketing
Could not convert sid to gid
User: -nduda-
Group: -marketing-
SID: --
GID: --
Sending ERR to squid
ERR

Here is what squid.conf looks like. "noproxyuse" is a group in AD that people are added to so they can't use the proxy.

# Basic authentication
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Outlook Web Access
auth_param basic credentialsttl 2 hours
external_acl_type nt_group ttl=5 children=5 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl -d
acl restrictedusers external nt_group noproxyuse
acl Auth proxy_auth REQUIRED
http_access deny Auth restrictedusers
http_access allow Auth
http_access deny all

Here is a cache.log when I, "nduda", try to use the proxy. I put myself in the "noproxyuse" group, and get:

[2009/09/14 10:40:51, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
  NT_STATUS_OK: Success (0x0)
Got nduda noproxyuse from squid
User: -nduda-
Group: -noproxyuse-
SID: -S-1-5-21-1735149609-2005929907-911163043-7230-
GID: -10000-
Sending ERR to squid

I get the info page (which is good), but why am I getting "Sending ERR to squid":

Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

If I remove myself from that group, and try again, I get:

[2009/09/14 10:47:54, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
  NT_STATUS_OK: Success (0x0)
Got nduda noproxyuse from squid
Could not lookup name noproxyuse
Could not convert sid to gid
User: -nduda-
Group: -noproxyuse-
SID: --
GID: --
Sending ERR to squid

And I still get the "Access Denied" page.

-----Original Message-----
From: Nick Duda
Sent: Monday, September 14, 2009 10:16 AM
To: 'Henrik Nordstrom'
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: RE: Deny access to particular AD group on reverse setup

Do I need to compile something into squid for this? Here is what I get when I use debug on wbinfo_group:

[2009/09/14 09:54:17, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
  NT_STATUS_OK: Success (0x0)
Got jdoe noproxyuse from squid
Could not lookup name noproxyuse
Could not convert sid to gid
User: -jdoe-
Group: -noproxyuse-
SID: --
GID: --
Sending ERR to squid

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@xxxxxxxxxxxxxxxxxxx]
Sent: Friday, September 11, 2009 4:39 PM
To: Nick Duda
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Deny access to particular AD group on reverse setup

On Fri 2009-09-11 at 12:51 -0400, Nick Duda wrote:

> How can I configure squid to allow access to all users and block users in a certain AD group?

See the wbinfo_group helper. (external_acl_type)

Regards
Henrik
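
Added example, not part of the thread and not code from Squid or the wbinfo_group helper: a small parser for the helper's debug output as quoted above, which separates requests where the group name could not be resolved (empty SID/GID) from requests where it resolved but the helper still answered ERR. The function names and the three classification labels are assumptions made for this illustration.

```python
import re

# Debug lines copied from the cache.log excerpts quoted in this thread.
SAMPLE = """\
Got nduda noproxyuse from squid
User: -nduda-
Group: -noproxyuse-
SID: -S-1-5-21-1735149609-2005929907-911163043-7230-
GID: -10000-
Sending ERR to squid
Got jdoe noproxyuse from squid
Could not lookup name noproxyuse
Could not convert sid to gid
User: -jdoe-
Group: -noproxyuse-
SID: --
GID: --
Sending ERR to squid
"""

FIELD = re.compile(r"^(User|Group|SID|GID):\s*-(.*)-$")
VERDICT = re.compile(r"^Sending (OK|ERR) to squid$")

def parse_helper_debug(text):
    """Group helper debug lines into one record per 'Got ... from squid' request."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Got ") and line.endswith(" from squid"):
            cur = {"errors": []}
            records.append(cur)
        elif cur is None:
            continue  # unrelated cache.log line, e.g. ntlm_auth output
        elif line.startswith("Could not "):
            cur["errors"].append(line)
        elif (m := FIELD.match(line)):
            cur[m.group(1).lower()] = m.group(2)
        elif (m := VERDICT.match(line)):
            cur["verdict"] = m.group(1)
            cur = None  # request finished
    return records

def classify(rec):
    """Label a record: name lookup failed, resolved but ERR, or OK."""
    if not rec.get("sid") or not rec.get("gid"):
        return "lookup-failed"
    return "member" if rec.get("verdict") == "OK" else "resolved-not-matched"
```

Feeding it a full cache.log works as well, since lines outside a request block are skipped.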