What do the following commands return?

wbinfo --user-domgroups S-1-5-21-1735149609-2005929907-911163043-2553
wbinfo --user-sids S-1-5-21-1735149609-2005929907-911163043-2553

Is there anything special about your membership in group3 which is different from the other groups?

Tue 2009-09-15 at 10:05 -0400, Nick Duda wrote:
> I'll try this with Squid, but calling it directly and supplying "username group" gives mixed results. The following is my username, including groups that I am part of. I am part of them all. Some give error, some say ok.
>
> nduda group1
> Got nduda group2 from squid
> User: -nduda- (S-1-5-21-1735149609-2005929907-911163043-2553)
> Group: -group1-(S-1-5-21-1735149609-2005929907-911163043-3628)
> Sending OK to squid
> OK
>
> nduda group2
> Got nduda group2 from squid
> User: -nduda- (S-1-5-21-1735149609-2005929907-911163043-2553)
> Group: -group2-(S-1-5-21-1735149609-2005929907-911163043-2614)
> Sending OK to squid
> OK
>
> nduda group3
> Got nduda group3 from squid
> User: -nduda- (S-1-5-21-1735149609-2005929907-911163043-2553)
> Group: -group3-(S-1-5-21-1735149609-2005929907-911163043-7230)
> Sending ERR to squid
> ERR
>
> nduda group4
> Got nduda group4 from squid
> User: -nduda- (S-1-5-21-1735149609-2005929907-911163043-2553)
> Group: -group4-(S-1-5-21-1735149609-2005929907-911163043-14421)
> Sending OK to squid
> OK
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:henrik@xxxxxxxxxxxxxxxxxxx]
> Sent: Monday, September 14, 2009 4:55 PM
> To: Nick Duda
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: RE: Deny access to particular AD group on reverse setup
>
> Odd..
>
> Can you try the attached script? It uses an alternative and more direct way of verifying group memberships.
>
> Regards
> Henrik
>
> Mon 2009-09-14 at 11:01 -0400, Nick Duda wrote:
> > Here is some more information:
> >
> > If I call wbinfo_group (debug) from the command line and supply my username (nduda) and a group I am part of (infosec) I get:
> >
> > # /usr/local/squid/libexec/wbinfo_group.pl -d
> > Debugging mode ON.
> > nduda infosec
> > Got nduda infosec from squid
> > User: -nduda-
> > Group: -infosec-
> > SID: -S-1-5-21-1735149609-2005929907-911163043-7230-
> > GID: -10000-
> > Sending ERR to squid
> > ERR
> >
> > If I call my username and a group I am not part of (marketing):
> >
> > nduda marketing
> > Got nduda marketing from squid
> > Could not lookup name marketing
> > Could not convert sid to gid
> > User: -nduda-
> > Group: -marketing-
> > SID: --
> > GID: --
> > Sending ERR to squid
> > ERR
> >
> > Here is what squid.conf looks like. "noproxyuse" is a group in AD that people are added to so they can't use the proxy.
> >
> > # Basic authentication
> > auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> > auth_param basic children 5
> > auth_param basic realm Outlook Web Access
> > auth_param basic credentialsttl 2 hours
> >
> > external_acl_type nt_group ttl=5 children=5 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl -d
> >
> > acl restrictedusers external nt_group noproxyuse
> > acl Auth proxy_auth REQUIRED
> >
> > http_access deny Auth restrictedusers
> > http_access allow Auth
> > http_access deny all
> >
> > Here is a cache.log when I, "nduda", try to use the proxy. I put myself in the "noproxyuse" group, and get:
> >
> > [2009/09/14 10:40:51, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
> > NT_STATUS_OK: Success (0x0)
> > Got nduda noproxyuse from squid
> > User: -nduda-
> > Group: -noproxyuse-
> > SID: -S-1-5-21-1735149609-2005929907-911163043-7230-
> > GID: -10000-
> > Sending ERR to squid
> >
> > I get the info page (which is good), but why am I getting "Sending ERR to squid":
> >
> > Access Denied.
> >
> > Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
> >
> > If I remove myself from that group, and try again, I get:
> >
> > [2009/09/14 10:47:54, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
> > NT_STATUS_OK: Success (0x0)
> > Got nduda noproxyuse from squid
> > Could not lookup name noproxyuse
> > Could not convert sid to gid
> > User: -nduda-
> > Group: -noproxyuse-
> > SID: --
> > GID: --
> > Sending ERR to squid
> >
> > And I still get the "Access Denied" page.
> >
> > -----Original Message-----
> > From: Nick Duda
> > Sent: Monday, September 14, 2009 10:16 AM
> > To: 'Henrik Nordstrom'
> > Cc: squid-users@xxxxxxxxxxxxxxx
> > Subject: RE: Deny access to particular AD group on reverse setup
> >
> > Do I need to compile something into squid for this? Here is what I get when I use debug on wbinfo_group:
> >
> > [2009/09/14 09:54:17, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
> > NT_STATUS_OK: Success (0x0)
> > Got jdoe noproxyuse from squid
> > Could not lookup name noproxyuse
> > Could not convert sid to gid
> > User: -jdoe-
> > Group: -noproxyuse-
> > SID: --
> > GID: --
> > Sending ERR to squid
> >
> > -----Original Message-----
> > From: Henrik Nordstrom [mailto:henrik@xxxxxxxxxxxxxxxxxxx]
> > Sent: Friday, September 11, 2009 4:39 PM
> > To: Nick Duda
> > Cc: squid-users@xxxxxxxxxxxxxxx
> > Subject: Re: Deny access to particular AD group on reverse setup
> >
> > Fri 2009-09-11 at 12:51 -0400, Nick Duda wrote:
> > > How can I configure squid to allow access to all users and block users in a certain AD group?
> >
> > See the wbinfo_group helper. (external_acl_type)
> >
> > Regards
> > Henrik
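The whole thread turns on the contract between Squid and an external ACL helper: for the `external_acl_type nt_group ... %LOGIN` line quoted above, Squid writes one request line, `<login> <group>`, and the helper must answer exactly one line, `OK` or `ERR`. The following is an added illustration of that protocol, written for this page; it is not wbinfo_group.pl, not Henrik's attached script, and not part of the thread. The group-name-to-SID table and the user-to-group-SID table are constructed stand-ins for the two wbinfo lookups Henrik asks about (`wbinfo -n GROUP` and `wbinfo --user-domgroups <user SID>`), and every SID in them is a placeholder.

```python
"""Minimal Squid external ACL helper (hypothetical, added for illustration).

Squid sends one request per line, "<login> <group>", and expects exactly
one reply line per request: "OK" when the ACL matches, "ERR" when it does
not. Memberships are compared by group SID, resolved from the name once.
"""
import io
import sys
from typing import Dict, Optional, Set, TextIO, Tuple

# Constructed stand-ins for the directory lookups a real helper would do
# with wbinfo: group name -> group SID, and user -> SIDs of the groups the
# user belongs to. All SIDs below are placeholders, not real domain values.
GROUP_SIDS: Dict[str, str] = {
    "group1": "S-1-5-21-0-0-0-3628",
    "group2": "S-1-5-21-0-0-0-2614",
    "noproxyuse": "S-1-5-21-0-0-0-7230",
}
USER_GROUP_SIDS: Dict[str, Set[str]] = {
    "nduda": {"S-1-5-21-0-0-0-3628", "S-1-5-21-0-0-0-7230"},
    "jdoe": {"S-1-5-21-0-0-0-2614"},
}


def parse_request(line: str) -> Optional[Tuple[str, str]]:
    """Split a request line into (login, group); None if malformed."""
    fields = line.strip().split()
    if len(fields) != 2:
        return None
    return fields[0], fields[1]


def is_member(user: str, group: str) -> bool:
    """Resolve the group name to a SID, then search the user's group SIDs.
    AD names are case-insensitive, so both lookups are lower-cased."""
    sid = GROUP_SIDS.get(group.lower())
    if sid is None:
        # Same failure mode as the "Could not lookup name" lines in the thread:
        # an unresolvable group can never match, so the reply will be ERR.
        sys.stderr.write(f"Could not lookup name {group}\n")
        return False
    return sid in USER_GROUP_SIDS.get(user.lower(), set())


def decide(line: str) -> str:
    """Reply for one request line: 'OK' on membership, otherwise 'ERR'."""
    req = parse_request(line)
    if req is None:
        return "ERR"
    user, group = req
    return "OK" if is_member(user, group) else "ERR"


def serve(inp: TextIO, out: TextIO) -> int:
    """Answer requests until EOF and return how many were handled.
    Flushing after every reply matters: Squid blocks until the line arrives."""
    handled = 0
    for line in inp:
        out.write(decide(line) + "\n")
        out.flush()
        handled += 1
    return handled


def run_batch(requests: str) -> str:
    """Run several request lines through serve() and return the reply text."""
    out = io.StringIO()
    serve(io.StringIO(requests), out)
    return out.getvalue()


if __name__ == "__main__":
    # Invoked by Squid: requests arrive on stdin, replies go to stdout.
    serve(sys.stdin, sys.stdout)
```

Read the replies against the quoted squid.conf: `http_access deny Auth restrictedusers` only denies when the helper answers `OK` for `noproxyuse`. An `ERR` reply, including the one produced when the group name cannot be resolved at all, means the ACL does not match, the deny line is skipped, and `http_access allow Auth` admits the user. A deny-style external ACL therefore fails open on lookup errors, which is why the helper's "Could not lookup name" messages in cache.log deserve attention rather than being treated as noise.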