----------------------------------------
> From: roellig@xxxxxxxxxxx
> To: squid-users@xxxxxxxxxxxxxxx
> Date: Fri, 4 Dec 2009 13:34:12 +0100
> Subject: RE: acl proxy_auth problem
>
>
>
>
> ----------------------------------------
>> Date: Fri, 4 Dec 2009 12:20:34 +1300
>> From: squid3@xxxxxxxxxxxxx
>> To: squid-users@xxxxxxxxxxxxxxx
>> Subject: Re: acl proxy_auth problem
>>
>> Georg Roelli wrote:
>>> ----------------------------------------
>>>> Date: Thu, 3 Dec 2009 10:36:10 +1300
>>>> From: squid3@xxxxxxxxxxxxx
>>>> To: squid-users@xxxxxxxxxxxxxxx
>>>> Subject: Re: acl proxy_auth problem
>>>>
>>>> On Wed, 2 Dec 2009 15:15:15 +0100, Georg Roelli
>>>> wrote:
>>>>> Hello
>>>>>
>>>>> My environment: Ubuntu 8.04 LTS, Squid 2.6.18, Samba 3.0.28a
>>>>>
>>>>> I am looking to find a way to check with an acl if a user is member of a
>>>>> specific ad-group. On my Squid Proxy Server, I have successfully set up an
>>>>> SSO authentication with the active directory.
>>>>> This works fine. Among other things:
>>>>>
>>>>> auth_param ntlm program /usr/bin/ntlm_auth
>>>>> --helper-protocol=squid-2.5-ntlmssp
>>>>> --require-membership-of="Domäne\\AD-GroupeA"
>>>>>
>>>>> Now I start with the definition of the acl's. At first I would like to
>>>>> make a badUrls list which is valid for all users to block some sites. This
>>>>> list should not be applied to a group of personal computers (host) and/or a
>>>>> specific AD group.
>>>>> Here is my approach:
>>>>>
>>>>> acl auth proxy_auth REQUIRED
>>>>> acl badurls url_regex "/data/squid/badurls.txt"
>>>>> acl AllowedClients srcdom_regex -i "/data/squid/allowed_clients.txt"
>>>>> acl AllowedGroups proxy_auth -i Domäne/AD-GroupeB
>>>>>
>>>>> http_access allow auth AllowedClients
>>>>> http_access allow auth AllowedGroups
>>>>> http_access deny badurls
>>>>> http_access allow auth
>>>>> http_access deny all
>>>>>
>>>>> The acl with the badurls list and the acl for the AllowedClients are
>>>>> working fine. But with the acl acl AllowedGroups proxy_auth -i
>>>>> Domäne/AD-GruppeB I have great problems. I don't know how I can make an acl
>>>>> which checks the membership of an AD-Groupe.
>>>>> I tested many different types of spelling. Unfortunately without success.
>>>>> How can I make an acl using ntlm_auth authentication? Is there a better and
>>>>> easier way to do this?
>>>>>
>>>>> Thank you for your suggestions.
>>>>>
>>>>> Kind regards.
>>>>>
>>>>
>>>>
>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmWithGroups
>>>>
>>>> Amos
>>>
>>> Hello Amos
>>>
>>> Thank you for your note.
>>>
>>> I have tried it and after I have modified the lines in
>>>
>>> external_acl_type testForNTGroup %LOGIN /usr/lib/squid/wbinfo_group.pl -d
>>> acl inGroupX external testForNTGroup obmg
>>> http_access allow inGroupX
>>>
>>> I can restart the squid service without problems. Unfortunately the acl does not work.
>>> In a documentation I have found the -d option for wbinfo_group.pl and now I find these messages in the access.log:
>>
>> You mean cache.log surely?
>>
>>>
>>> [2009/12/03 13:18:16, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
>>> Got NTLMSSP neg_flags=0xa2088205
>>> Got wag obmg from squid
>>> Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid
>>> User: -rog-
>>> Group: -obmg-
>>> SID: -S-1-5-21-986273330-1409306274-1541874228-6339-
>>> GID: --
>>> Sending ERR to squid
>>>
>>> Do you have any other ideas what this message exactly means?
>>
>> They mean the user "rog" exists but was not a registered member of
>> group "obmg".
>>
>> Look in the registry (I think on the domain controller) for
>> "S-1-5-21-986273330-1409306274-1541874228-6339" and see what groups it's
>> a member of.
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
>> Current Beta Squid 3.1.0.15
>
> I'm a little bit confused.
>
> I checked in the active directory which object has the SID S-1-5-21-986273330-1409306274-1541874228-6339. It's the group obmg in my domain. Also, the user rog is a member of the group obmg. When I repeat the test with another domain user, who is a member of obmg, I get the same error.
>
> I think the problem isn't the membership of the user rog, it's the fact that wbinfo_group.pl can't generate a UID from the SID of the group.
>
> The error was:
> Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid
>
> I made a few tests:
>
> # wbinfo -n obmg
> S-1-5-21-986273330-1409306274-1541874228-6339 Domain Group (2)
>
> # wbinfo -Y S-1-5-21-986273330-1409306274-1541874228-6339
> Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid
>
> With another group I get the results:
>
> # wbinfo -n inor
> S-1-5-21-986273330-1409306274-1541874228-1059 Domain Group (2)
>
> # wbinfo -Y S-1-5-21-986273330-1409306274-1541874228-1059
> 10029
>
> When I take the group inor for the acl I get those entries in the cache.log and the access to internet works.
>
> [2009/12/04 13:07:34, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
> Got NTLMSSP neg_flags=0xa2088205
> Got rog inor from squid
> User: -rog-
> Group: -inor-
> SID: -S-1-5-21-986273330-1409306274-1541874228-1059-
> GID: -10029-
> Sending OK to squid
>
> So my next question is, why do I get from one group a UID and from the other not? Any ideas?
>
> G.

Good morning

Has anyone a good idea or a hint for me?

G.
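The lookup chain that the thread's cache.log lines show (group name -> SID via wbinfo -n, SID -> GID via wbinfo -Y, then a check against the user's GIDs, answering OK or ERR on the Squid external_acl line) is written out below as an added example. It is not the code of wbinfo_group.pl or of Squid; it assumes that is the helper's logic, and fake_wbinfo is a constructed stand-in that reproduces the two groups from the thread so the failure mode (a group whose SID has no idmap entry is always ERR, regardless of membership) can be seen offline.

```python
import subprocess
import sys


def run_wbinfo(flag, arg):
    """Call the real wbinfo; None means the lookup failed (non-zero exit status)."""
    proc = subprocess.run(["wbinfo", flag, arg], capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def check_membership(user, group, wbinfo=run_wbinfo):
    """Resolve group -> SID -> GID, compare with the user's GIDs; returns (verdict, reason)."""
    sid_line = wbinfo("-n", group)
    if not sid_line:
        return "ERR", f"group {group!r} not found in the domain"
    sid = sid_line.split()[0]          # "S-1-5-... Domain Group (2)" -> SID only
    gid = wbinfo("-Y", sid)
    if gid is None:
        # The thread's failure mode: the group exists but winbind has no idmap
        # entry for its SID, so no user can ever match this ACL (always ERR).
        return "ERR", f"could not convert sid {sid} to gid (no idmap entry)"
    user_gids = wbinfo("-r", user)
    if user_gids is None:
        return "ERR", f"no group list for user {user!r}"
    if gid in user_gids.split():
        return "OK", f"{user} is in {group} (gid {gid})"
    return "ERR", f"{user} is not a member of {group}"


def helper_loop(wbinfo=run_wbinfo):
    """Squid external_acl helper: reads 'user group...' per line, answers OK/ERR."""
    for line in sys.stdin:
        parts = line.split()
        if len(parts) < 2:
            print("ERR", flush=True)
            continue
        results = [check_membership(parts[0], g, wbinfo)[0] for g in parts[1:]]
        print("OK" if "OK" in results else "ERR", flush=True)


# Constructed stand-in for wbinfo (not live domain data): as in the thread, the SID
# of "obmg" has no idmap entry (lookup fails) while "inor" maps to gid 10029.
_FAKE = {
    ("-n", "obmg"): "S-1-5-21-986273330-1409306274-1541874228-6339 Domain Group (2)",
    ("-n", "inor"): "S-1-5-21-986273330-1409306274-1541874228-1059 Domain Group (2)",
    ("-Y", "S-1-5-21-986273330-1409306274-1541874228-1059"): "10029",
    ("-r", "rog"): "10029 10001",      # 10001 is a constructed extra gid
}


def fake_wbinfo(flag, arg):
    return _FAKE.get((flag, arg))
```

Running `check_membership("rog", "obmg", fake_wbinfo)` reproduces the thread's ERR with the "could not convert sid ... to gid" reason, while the same call for "inor" returns OK; with the real wbinfo the second reason string is the one to look for when an ACL denies every user of a group that exists.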