Re: acl proxy_auth problem

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Georg Roelli wrote:
> ----------------------------------------
> > Date: Thu, 3 Dec 2009 10:36:10 +1300
> > From: squid3@xxxxxxxxxxxxx
> > To: squid-users@xxxxxxxxxxxxxxx
> > Subject: Re:  acl proxy_auth problem
> >
> > On Wed, 2 Dec 2009 15:15:15 +0100, Georg Roelli 
> > wrote:
> > > Hello
> > >
> > > My environment: Ubuntu 8.04 LTS, Squid 2.6.18, Samba 3.0.28a
> > >
> > > I am looking to find a way to check with an acl if a user is member of a
> > > specific ad-group. On my Squid Proxy Server, I have successfully set up
> > an
> > > SSO authentication with the active directory.
> > > This works fine. Among other things:
> > >
> > > auth_param ntlm program /usr/bin/ntlm_auth
> > > --helper-protocol=squid-2.5-ntlmssp
> > > --require-membership-of="Domäne\\AD-GroupeA"
> > >
> > > Now I start with the definition of the acl's. At first I would like to
> > > make a badUrls list which is valid for all users to block some sites.
> > This
> > > list should not be applied to a group of personal computers (host)
> > and/or a
> > > specific AD group.
> > > Here is my approach:
> > >
> > > acl auth proxy_auth REQUIRED
> > > acl badurls url_regex "/data/squid/badurls.txt"
> > > acl AllowedClients srcdom_regex -i "/data/squid/allowed_clients.txt"
> > > acl AllowedGroups proxy_auth -i Domäne/AD-GroupeB
> > >
> > > http_access allow auth AllowedClients
> > > http_access allow auth AllowedGroups
> > > http_access deny badurls
> > > http_access allow auth
> > > http_access deny all
> > >
> > > The acl with the badurls list and the acl for the AllowedClients are
> > > working fine. But with the acl acl AllowedGroups proxy_auth -i
> > > Domäne/AD-GruppeB I have great problems. I don't know how I can make an
> > acl
> > > who check the membership from an AD-Groupe.
> > > I tested many different types of spelling. Unfortunately without
> > success.
> > > How can I make an acl using ntlm_auth authentication? Is there a better
> > and
> > > easier way to do this?
> > >
> > > Thank you for your suggestions.
> > >
> > > Kind regards.
> >
> >
> > http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmWithGroups
> >
> > Amos
>
> Hello Amos
>  
> Thank you for your note.
>  
> I have try it and after a have modified the lines in
>  
> external_acl_type testForNTGroup %LOGIN /usr/lib/squid/wbinfo_group.pl -d
> acl inGroupX external testForNTGroup obmg
> http_access allow inGroupX
>  
> I can restart the squid service without problems. Unfortunately the alc does not work.
> In a documentation I have found the -d option for wbinfo_group.pl and now I find these messages in the access.log:

You means cache.log surely?

>  
> [2009/12/03 13:18:16, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
>   Got NTLMSSP neg_flags=0xa2088205
> Got wag obmg from squid
> Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid
> User:  -rog-
> Group: -obmg-
> SID:   -S-1-5-21-986273330-1409306274-1541874228-6339-
> GID:   --
> Sending ERR to squid
>  
> Do you have any other ideas what dies message exactly means?

They means the user "rog" exists but was not a registered member of 
group "obmg".

Look in the registry (I think on the domain controller) for 
"S-1-5-21-986273330-1409306274-1541874228-6339" and see what groups it's 
a member of.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.15