----------------------------------------
> Date: Fri, 4 Dec 2009 12:20:34 +1300
> From: squid3@xxxxxxxxxxxxx
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: acl proxy_auth problem
>
> Georg Roelli wrote:
>> ----------------------------------------
>>> Date: Thu, 3 Dec 2009 10:36:10 +1300
>>> From: squid3@xxxxxxxxxxxxx
>>> To: squid-users@xxxxxxxxxxxxxxx
>>> Subject: Re: acl proxy_auth problem
>>>
>>> On Wed, 2 Dec 2009 15:15:15 +0100, Georg Roelli wrote:
>>>> Hello
>>>>
>>>> My environment: Ubuntu 8.04 LTS, Squid 2.6.18, Samba 3.0.28a
>>>>
>>>> I am looking to find a way to check with an acl if a user is a member of a
>>>> specific AD group. On my Squid proxy server, I have successfully set up an
>>>> SSO authentication with the Active Directory. This works fine. Among other things:
>>>>
>>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="Domäne\\AD-GroupeA"
>>>>
>>>> Now I start with the definition of the acls. At first I would like to
>>>> make a badurls list which is valid for all users to block some sites. This
>>>> list should not be applied to a group of personal computers (hosts) and/or a
>>>> specific AD group.
>>>> Here is my approach:
>>>>
>>>> acl auth proxy_auth REQUIRED
>>>> acl badurls url_regex "/data/squid/badurls.txt"
>>>> acl AllowedClients srcdom_regex -i "/data/squid/allowed_clients.txt"
>>>> acl AllowedGroups proxy_auth -i Domäne/AD-GroupeB
>>>>
>>>> http_access allow auth AllowedClients
>>>> http_access allow auth AllowedGroups
>>>> http_access deny badurls
>>>> http_access allow auth
>>>> http_access deny all
>>>>
>>>> The acl with the badurls list and the acl for the AllowedClients are
>>>> working fine. But with the acl "acl AllowedGroups proxy_auth -i
>>>> Domäne/AD-GruppeB" I have great problems. I don't know how I can make an acl
>>>> which checks the membership of an AD group.
>>>> I tested many different types of spelling. Unfortunately without success.
>>>> How can I make an acl using ntlm_auth authentication? Is there a better and
>>>> easier way to do this?
>>>>
>>>> Thank you for your suggestions.
>>>>
>>>> Kind regards.
>>>>
>>>
>>>
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmWithGroups
>>>
>>> Amos
>>
>> Hello Amos
>>
>> Thank you for your note.
>>
>> I have tried it, and after I modified the lines to
>>
>> external_acl_type testForNTGroup %LOGIN /usr/lib/squid/wbinfo_group.pl -d
>> acl inGroupX external testForNTGroup obmg
>> http_access allow inGroupX
>>
>> I can restart the squid service without problems. Unfortunately the acl does not work.
>> In a documentation I found the -d option for wbinfo_group.pl and now I find these messages in the access.log:
>
> You mean cache.log surely?
>
>>
>> [2009/12/03 13:18:16, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
>> Got NTLMSSP neg_flags=0xa2088205
>> Got wag obmg from squid
>> Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid
>> User: -rog-
>> Group: -obmg-
>> SID: -S-1-5-21-986273330-1409306274-1541874228-6339-
>> GID: --
>> Sending ERR to squid
>>
>> Do you have any other ideas what this message exactly means?
>
> That means the user "rog" exists but was not a registered member of
> group "obmg".
>
> Look in the registry (I think on the domain controller) for
> "S-1-5-21-986273330-1409306274-1541874228-6339" and see what groups it's
> a member of.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
> Current Beta Squid 3.1.0.15

I'm a little bit confused. I checked in the Active Directory which object has the SID S-1-5-21-986273330-1409306274-1541874228-6339. It's the group obmg in my domain. Also, the user rog is a member of the group obmg. When I repeat the test with another domain user who is a member of obmg, I get the same error.

I think the problem isn't the membership of the user rog, it's the fact that wbinfo_group.pl can't generate a UID from the SID of the group. The error was:

Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid

I made a few tests:

# wbinfo -n obmg
S-1-5-21-986273330-1409306274-1541874228-6339 Domain Group (2)
# wbinfo -Y S-1-5-21-986273330-1409306274-1541874228-6339
Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid

With another group I get these results:

# wbinfo -n inor
S-1-5-21-986273330-1409306274-1541874228-1059 Domain Group (2)
# wbinfo -Y S-1-5-21-986273330-1409306274-1541874228-1059
10029

When I take the group inor for the acl I get these entries in the cache.log and the access to the internet works.

[2009/12/04 13:07:34, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088205
Got rog inor from squid
User: -rog-
Group: -inor-
SID: -S-1-5-21-986273330-1409306274-1541874228-1059-
GID: -10029-
Sending OK to squid

So my next question is, why do I get a UID from one group and not from the other? Any ideas?

G.
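The following is an added example that is not part of the thread and is not the Squid project's wbinfo_group.pl. It models the helper pattern the thread is debugging: Squid hands an external_acl_type helper one "user group [group ...]" line per request, the helper resolves the group name to a SID, the SID to a Unix gid, and then looks for that gid among the user's groups, answering OK or ERR. Here the three winbind lookups (wbinfo -n, wbinfo -Y and, as far as I recall the real script, wbinfo -r for the user's gids) are replaced by an in-memory FakeWinbind so it runs offline. The group names, SIDs and gid 10029 come from the thread; gid 10030 and the rest of the resolver contents are constructed. The point it makes concrete is Georg's diagnosis: when the SID-to-gid step fails, the helper answers ERR before membership is ever examined, so a user who really is in the group is still denied.

```python
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class FakeWinbind:
    """Offline stand-in for the winbind lookups the helper pattern relies on.

    All contents are constructed; nothing here talks to winbindd.
    """
    group_sids: Dict[str, str]       # group name -> SID      (what `wbinfo -n` answers)
    sid_gids: Dict[str, int]         # SID -> unix gid        (what `wbinfo -Y` answers)
    user_gids: Dict[str, List[int]]  # user -> gids of groups (the user's group list)

    def name_to_sid(self, group: str) -> Optional[str]:
        return self.group_sids.get(group)

    def sid_to_gid(self, sid: str) -> Optional[int]:
        # The thread's failure point: the SID is known but no gid is mapped for it.
        return self.sid_gids.get(sid)

    def user_groups(self, user: str) -> List[int]:
        return self.user_gids.get(user, [])


# Constructed to mirror the thread: obmg's SID has no gid mapping, inor's maps to 10029.
# gid 10030 is a made-up extra membership for user rog.
SAMPLE_WINBIND = FakeWinbind(
    group_sids={
        "obmg": "S-1-5-21-986273330-1409306274-1541874228-6339",
        "inor": "S-1-5-21-986273330-1409306274-1541874228-1059",
    },
    sid_gids={
        "S-1-5-21-986273330-1409306274-1541874228-1059": 10029,
    },
    user_gids={"rog": [10029, 10030]},
)


def check_membership(wb: FakeWinbind, user: str, group: str) -> Tuple[str, List[str]]:
    """One group check: name -> SID -> gid, then look for that gid among the user's groups.

    Returns (verdict, debug_lines); the debug lines follow the -d output format seen
    in the thread. A gid that cannot be resolved yields ERR before membership is
    consulted, which is exactly the symptom for obmg.
    """
    debug: List[str] = []
    sid = wb.name_to_sid(group)
    if sid is None:
        debug.append(f"Could not lookup name {group}")
    gid = wb.sid_to_gid(sid) if sid is not None else None
    if sid is not None and gid is None:
        debug.append(f"Could not convert sid {sid} to gid")
    debug += [
        f"User: -{user}-",
        f"Group: -{group}-",
        f"SID: -{sid or ''}-",
        f"GID: -{'' if gid is None else gid}-",
    ]
    member = gid is not None and gid in wb.user_groups(user)
    return ("OK" if member else "ERR"), debug


def handle_request_line(wb: FakeWinbind, line: str) -> Tuple[str, List[str]]:
    """One helper request '<user> <group> [<group> ...]'; OK when any listed group matches."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR", ["malformed request line"]
    user, groups = fields[0], fields[1:]
    debug = [f"Got {' '.join(fields)} from squid"]
    for group in groups:
        verdict, lines = check_membership(wb, user, group)
        debug += lines
        if verdict == "OK":
            debug.append("Sending OK to squid")
            return "OK", debug
    debug.append("Sending ERR to squid")
    return "ERR", debug


def serve(wb: FakeWinbind, stream_in, stream_out, stream_err) -> None:
    """The external_acl_type loop: one request line in, one OK/ERR line out, flushed."""
    for line in stream_in:
        verdict, debug = handle_request_line(wb, line)
        for entry in debug:
            print(entry, file=stream_err)  # what -d sends to cache.log in the real helper
        stream_out.write(verdict + "\n")
        stream_out.flush()


if __name__ == "__main__":
    serve(SAMPLE_WINBIND, sys.stdin, sys.stdout, sys.stderr)
```

Feeding it "rog obmg" on stdin reproduces the thread's ERR with the "Could not convert sid ... to gid" line, while "rog inor" answers OK with GID 10029; why the first SID has no gid mapping on the real system is outside what this model can show, but the model does show that the acl line and the user's membership are not where the failure sits.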