----------------------------------------
> Date: Thu, 3 Dec 2009 10:36:10 +1300
> From: squid3@xxxxxxxxxxxxx
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: acl proxy_auth problem
>
> On Wed, 2 Dec 2009 15:15:15 +0100, Georg Roelli wrote:
>> Hello
>>
>> My environment: Ubuntu 8.04 LTS, Squid 2.6.18, Samba 3.0.28a
>>
>> I am looking to find a way to check with an acl if a user is a member of a
>> specific AD group. On my Squid Proxy Server, I have successfully set up an
>> SSO authentication with the Active Directory.
>> This works fine. Among other things:
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="Domäne\\AD-GroupeA"
>>
>> Now I start with the definition of the acls. At first I would like to
>> make a badUrls list which is valid for all users to block some sites. This
>> list should not be applied to a group of personal computers (host) and/or a
>> specific AD group.
>> Here is my approach:
>>
>> acl auth proxy_auth REQUIRED
>> acl badurls url_regex "/data/squid/badurls.txt"
>> acl AllowedClients srcdom_regex -i "/data/squid/allowed_clients.txt"
>> acl AllowedGroups proxy_auth -i Domäne/AD-GroupeB
>>
>> http_access allow auth AllowedClients
>> http_access allow auth AllowedGroups
>> http_access deny badurls
>> http_access allow auth
>> http_access deny all
>>
>> The acl with the badurls list and the acl for the AllowedClients are
>> working fine. But with the acl
>> acl AllowedGroups proxy_auth -i Domäne/AD-GruppeB
>> I have great problems. I don't know how I can make an acl
>> that checks the membership of an AD group.
>> I tested many different types of spelling. Unfortunately without success.
>> How can I make an acl using ntlm_auth authentication? Is there a better and
>> easier way to do this?
>>
>> Thank you for your suggestions.
>>
>> Kind regards.
>>
>
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmWithGroups
>
> Amos

Hello Amos

Thank you for your note.
I have tried it, and after I have modified the lines in

external_acl_type testForNTGroup %LOGIN /usr/lib/squid/wbinfo_group.pl -d
acl inGroupX external testForNTGroup obmg
http_access allow inGroupX

I can restart the squid service without problems. Unfortunately the acl does not work. In a documentation I have found the -d option for wbinfo_group.pl and now I find these messages in the access.log:

[2009/12/03 13:18:16, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa2088205
Got wag obmg from squid
Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid
User: -rog-
Group: -obmg-
SID: -S-1-5-21-986273330-1409306274-1541874228-6339-
GID: --
Sending ERR to squid

Do you have any other ideas what this message exactly means?

Thanks in advance
G.
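
An added example, not part of the original post and not code from Squid or Samba: a Python triage of the helper's -d debug output quoted above, naming the lookup stage that led to the ERR. The function name, the stage labels and the mapping to wbinfo queries are assumptions based on the helper's usual sequence (group name to SID, SID to GID, membership test); the second and third sample records are constructed.

```python
import re

# First record: the debug output quoted in the post. The other two are constructed.
SAMPLE = """\
Got wag obmg from squid
Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid
User: -rog-
Group: -obmg-
SID: -S-1-5-21-986273330-1409306274-1541874228-6339-
GID: --
Sending ERR to squid
User: -alice- Group: -staff- SID: -S-1-5-21-1-2-3-1001- GID: -10001-
Sending ERR to squid
User: -bob- Group: -staff- SID: -S-1-5-21-1-2-3-1001- GID: -10001-
Sending OK to squid
"""

# Values are wrapped in dashes ("-value-"); SIDs contain dashes themselves, so the
# closing dash is the one followed by whitespace or end of line.
FIELD = re.compile(r"(User|Group|SID|GID):\s*-(.*?)-(?=\s|$)")
VERDICT = re.compile(r"Sending (OK|ERR) to squid")


def triage(debug_text):
    """Return one record per helper answer, with the lookup stage that decided it."""
    records, cur = [], {}
    for line in debug_text.splitlines():
        line = line.strip()
        cur.update(FIELD.findall(line))      # fields may share a line or be split
        verdict = VERDICT.match(line)
        if not verdict:
            continue
        if verdict.group(1) == "OK":
            stage = "member"
        elif not cur.get("SID"):
            stage = "name-to-sid failed"     # group name not resolved (wbinfo -n)
        elif not cur.get("GID"):
            stage = "sid-to-gid failed"      # SID has no Unix GID mapping (wbinfo -Y)
        else:
            stage = "user not in group"      # GID not in the user's groups (wbinfo -r)
        records.append({**cur, "verdict": verdict.group(1), "stage": stage})
        cur = {}
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec.get("User"), rec.get("Group"), rec["verdict"], rec["stage"])
```

For the log in the post this reports "sid-to-gid failed": the group name was resolved to a SID, but no Unix GID was returned for that SID, so the membership test never had a GID to compare against.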