Below is our Squid.conf. We still cannot get external ad users to work on our proxy. cache_peer proxy2.us.xxxxxxxxxx.com parent 3128 0000 default no-query no-digest auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe auth_param ntlm children 40 auth_param ntlm keep_alive on auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours auth_param basic casesensitive off external_acl_type AD_global_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G ftp_user squid@xxxxxxxxxxxx acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl WindowsUpdate dstdomain -i "c:/squid/etc/windowsupdate.txt" acl bypass_auth src "C:\squid\etc\ByPass_Auth_SRC_IP.txt" acl bypass_auth-external dstdomain "C:\squid\etc\ByPass_Auth_DST_DOMAIN.txt" acl DIRECT src "C:\squid\etc\Direct_SRC_IP.txt" acl DIRECT-external dstdomain "C:\squid\etc\Direct_DST_DOMAIN.txt" acl Java browser Java/[0-9] acl Approved_IP dstdomain "C:\squid\etc\Approved_IP.txt" # Domains accessible to all PC's acl Approved_Domains dstdomain "C:\squid\etc\Approved.txt" acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT acl ftp proto FTP acl authproxy proxy_auth REQUIRED acl our_networks src 172.xx.xx.xx/12 acl HEAD method HEAD acl InetAllow external AD_global_group CLW.Squid.Full http_access allow manager localhost http_access allow HEAD http_access allow ftp http_access allow WindowsUpdate http_access allow bypass_auth http_access allow bypass_auth-external http_access allow Approved_Domains http_access allow Java http_access allow Approved_IP http_access allow InetAllow http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access deny !our_networks On Sun, Apr 18, 2010 at 06:26, Guido Serassio <guido.serassio@xxxxxxxxxxxxxxxxx> wrote: > Hi, > > When using mswin_check_ad_group.exe 1.x in global mode (-G options), the check is done always against a global group placed in the user's domain. > > Starting from 2.7 STABLE 8, mswin_check_ad_group.exe 2.x is now a full AD group helper supporting full forest wide group recursion. > Take a look to the included docs for details. > > Regards > > Guido Serassio > Acme Consulting S.r.l. > Microsoft Gold Certified Partner > Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY > Tel. : +39.011.9530135 Fax. : +39.011.9781115 > Email: guido.serassio@xxxxxxxxxxxxxxxxx > WWW: http://www.acmeconsulting.it > > >> -----Messaggio originale----- >> Da: Milan [mailto:compguy030471@xxxxxxxxx] >> Inviato: giovedì 15 aprile 2010 17.17 >> A: squid-users@xxxxxxxxxxxxxxx >> Oggetto: External users from Child AD domain unable to use >> local Squid proxy >> >> We are using Squid on windpow as a proxy and we are having an issue >> when users that come from a child domain to our office do not >> authenticate properly. >> >> Example: our domain is na.myworld.com and users from eu.myworld.com >> come to our office and do not authenticate correctly >> The log of the connection is below. >> >> 1271280071.727 47 172.23.5.54 TCP_DENIED/407 1766 GET >> http://www.yahoo.com/ - NONE/- text/html >> 1271280071.774 31 172.23.5.54 TCP_DENIED/407 2082 GET >> http://www.yahoo.com/ - NONE/- text/html >> 1271280099.086 27312 172.23.5.54 TCP_DENIED/403 1449 GET >> http://www.yahoo.com/ eu\vbonafe NONE/- text/html >> 1271280104.258 47 172.23.5.54 TCP_DENIED/407 1763 GET >> http://www.yahoo.es/ - NONE/- text/html >> 1271280104.289 31 172.23.5.54 TCP_DENIED/407 2079 GET >> http://www.yahoo.es/ - NONE/- text/html >> 1271280104.524 235 172.23.5.54 TCP_DENIED/403 1447 GET >> http://www.yahoo.es/ eu\vbonafe NONE/- text/html >> 1271280110.274 391 172.23.5.54 TCP_MISS/200 5128 GET >> http://www.google.com/ - >> DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html >> 1271280110.524 63 172.23.5.54 TCP_MISS/204 494 GET >> http://clients1.google.com/generate_204 - >> DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html >> 1271280110.649 157 172.23.5.54 TCP_MISS/204 434 GET >> http://www.google.com/csi? - DIRECT/72.14.204.103 text/html >> >> We have the below acl for users in the Ad global group >> >> >> external_acl_type AD_global_group ttl=120 %LOGIN >> c:/squid/libexec/mswin_check_ad_group.exe -G >> >> and another acl below that allows full access thru the squid proxy >> using an ad group >> >> acl InetAllow external AD_global_group CLW.Squid.Full >> >> >> any ideas???? >
