Hi,

When using mswin_check_ad_group.exe 1.x in global mode (-G option), the check is always done against a global group placed in the user's domain.

Starting from 2.7 STABLE 8, mswin_check_ad_group.exe 2.x is now a full AD group helper supporting full forest-wide group recursion. Take a look at the included docs for details.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 1    10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.serassio@xxxxxxxxxxxxxxxxx
WWW: http://www.acmeconsulting.it

> -----Original message-----
> From: Milan [mailto:compguy030471@xxxxxxxxx]
> Sent: Thursday, 15 April 2010 17:17
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: External users from Child AD domain unable to use
> local Squid proxy
>
> We are using Squid on Windows as a proxy and we are having an issue
> when users that come from a child domain to our office do not
> authenticate properly.
>
> Example: our domain is na.myworld.com and users from eu.myworld.com
> come to our office and do not authenticate correctly.
> The log of the connection is below.
>
> 1271280071.727 47 172.23.5.54 TCP_DENIED/407 1766 GET
> http://www.yahoo.com/ - NONE/- text/html
> 1271280071.774 31 172.23.5.54 TCP_DENIED/407 2082 GET
> http://www.yahoo.com/ - NONE/- text/html
> 1271280099.086 27312 172.23.5.54 TCP_DENIED/403 1449 GET
> http://www.yahoo.com/ eu\vbonafe NONE/- text/html
> 1271280104.258 47 172.23.5.54 TCP_DENIED/407 1763 GET
> http://www.yahoo.es/ - NONE/- text/html
> 1271280104.289 31 172.23.5.54 TCP_DENIED/407 2079 GET
> http://www.yahoo.es/ - NONE/- text/html
> 1271280104.524 235 172.23.5.54 TCP_DENIED/403 1447 GET
> http://www.yahoo.es/ eu\vbonafe NONE/- text/html
> 1271280110.274 391 172.23.5.54 TCP_MISS/200 5128 GET
> http://www.google.com/ -
> DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
> 1271280110.524 63 172.23.5.54 TCP_MISS/204 494 GET
> http://clients1.google.com/generate_204 -
> DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
> 1271280110.649 157 172.23.5.54 TCP_MISS/204 434 GET
> http://www.google.com/csi? - DIRECT/72.14.204.103 text/html
>
> We have the below acl for users in the AD global group
>
> external_acl_type AD_global_group ttl=120 %LOGIN
> c:/squid/libexec/mswin_check_ad_group.exe -G
>
> and another acl below that allows full access thru the squid proxy
> using an AD group
>
> acl InetAllow external AD_global_group CLW.Squid.Full
>
> any ideas????
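
An added example, not part of the original thread or of Squid itself: a short Python script that reads native-format access.log lines like those quoted above and separates authentication challenges (407 with no user logged) from authorization denials (403 with a user logged, meaning the login succeeded and an ACL such as the group check refused the request), counting the denials per user domain. The function names are illustrative, and the sample lines are taken from the log in the post with the mail wrapping removed.

```python
import re
from collections import Counter

# Native Squid access.log: time elapsed client code/status bytes method URL user peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

def classify(line):
    """Return (category, user) for one access.log line, or None if unparsable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    status, user = m["status"], m["user"]
    if status == "407" and user == "-":
        return ("auth_challenge", None)   # proxy asked the client for credentials
    if status == "403" and user != "-":
        return ("authz_denied", user)     # user authenticated, then an ACL refused
    if status == "403":
        return ("denied_anonymous", None)
    return ("other", None if user == "-" else user)

def denied_by_domain(lines):
    """Count authenticated-but-denied requests per DOMAIN prefix of DOMAIN\\user."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result and result[0] == "authz_denied":
            user = result[1]
            domain = user.split("\\", 1)[0] if "\\" in user else "(no domain)"
            counts[domain.lower()] += 1
    return counts

# Sample lines from the log in the post, unwrapped (raw string keeps the backslash).
SAMPLE = r"""
1271280071.727 47 172.23.5.54 TCP_DENIED/407 1766 GET http://www.yahoo.com/ - NONE/- text/html
1271280099.086 27312 172.23.5.54 TCP_DENIED/403 1449 GET http://www.yahoo.com/ eu\vbonafe NONE/- text/html
1271280104.524 235 172.23.5.54 TCP_DENIED/403 1447 GET http://www.yahoo.es/ eu\vbonafe NONE/- text/html
1271280110.274 391 172.23.5.54 TCP_MISS/200 5128 GET http://www.google.com/ - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
""".strip().splitlines()

if __name__ == "__main__":
    for domain, n in denied_by_domain(SAMPLE).items():
        print(f"{domain}: {n} authenticated request(s) denied by ACL")
```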