On Mon, 19 Apr 2010 15:33:09 -0400, Milan <compguy030471@xxxxxxxxx> wrote:
> Below is our Squid.conf. We still cannot get external AD users to work
> on our proxy.
>
> cache_peer proxy2.us.xxxxxxxxxx.com parent 3128 0000 default no-query no-digest
>
> auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
> auth_param ntlm children 40
> auth_param ntlm keep_alive on
>
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> external_acl_type AD_global_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G
>
> ftp_user squid@xxxxxxxxxxxx
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
>
> acl WindowsUpdate dstdomain -i "c:/squid/etc/windowsupdate.txt"
>
> acl bypass_auth src "C:\squid\etc\ByPass_Auth_SRC_IP.txt"
> acl bypass_auth-external dstdomain "C:\squid\etc\ByPass_Auth_DST_DOMAIN.txt"
>
> acl DIRECT src "C:\squid\etc\Direct_SRC_IP.txt"
> acl DIRECT-external dstdomain "C:\squid\etc\Direct_DST_DOMAIN.txt"
>
> acl Java browser Java/[0-9]
>
> acl Approved_IP dstdomain "C:\squid\etc\Approved_IP.txt"
>
> # Domains accessible to all PC's
> acl Approved_Domains dstdomain "C:\squid\etc\Approved.txt"
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> acl CONNECT method CONNECT
> acl ftp proto FTP
>
> acl authproxy proxy_auth REQUIRED
> acl our_networks src 172.xx.xx.xx/12
> acl HEAD method HEAD
>
> acl InetAllow external AD_global_group CLW.Squid.Full
>
> http_access allow manager localhost
> http_access allow HEAD
> http_access allow ftp
> http_access allow WindowsUpdate
> http_access allow bypass_auth
> http_access allow bypass_auth-external
> http_access allow Approved_Domains
> http_access allow Java
> http_access allow Approved_IP
> http_access allow InetAllow
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny !our_networks

Eeek! Order is important!

Before you do anything else, put those deny lines back FIRST in your order of http_access.

Next, the rules for Internet machines to connect to your LAN need to go above the !our_networks rule (and remain below the CONNECT one).

That may not solve your auth problems, but it will stop your machine being an open relay proxy.

Amos

>
> On Sun, Apr 18, 2010 at 06:26, Guido Serassio <guido.serassio@xxxxxxxxxxxxxxxxx> wrote:
>> Hi,
>>
>> When using mswin_check_ad_group.exe 1.x in global mode (-G option), the
>> check is always done against a global group placed in the user's domain.
>>
>> Starting from 2.7 STABLE 8, mswin_check_ad_group.exe 2.x is now a full
>> AD group helper supporting full forest-wide group recursion.
>> Take a look at the included docs for details.
>>
>> Regards
>>
>> Guido Serassio
>> Acme Consulting S.r.l.
>> Microsoft Gold Certified Partner
>> Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
>> Tel. : +39.011.9530135 Fax. : +39.011.9781115
>> Email: guido.serassio@xxxxxxxxxxxxxxxxx
>> WWW: http://www.acmeconsulting.it
>>
>>
>>> -----Original Message-----
>>> From: Milan [mailto:compguy030471@xxxxxxxxx]
>>> Sent: Thursday 15 April 2010 17:17
>>> To: squid-users@xxxxxxxxxxxxxxx
>>> Subject: External users from Child AD domain unable to use
>>> local Squid proxy
>>>
>>> We are using Squid on Windows as a proxy and we are having an issue
>>> when users that come from a child domain to our office do not
>>> authenticate properly.
>>>
>>> Example: our domain is na.myworld.com and users from eu.myworld.com
>>> come to our office and do not authenticate correctly.
>>> The log of the connection is below.
>>>
>>> 1271280071.727 47 172.23.5.54 TCP_DENIED/407 1766 GET http://www.yahoo.com/ - NONE/- text/html
>>> 1271280071.774 31 172.23.5.54 TCP_DENIED/407 2082 GET http://www.yahoo.com/ - NONE/- text/html
>>> 1271280099.086 27312 172.23.5.54 TCP_DENIED/403 1449 GET http://www.yahoo.com/ eu\vbonafe NONE/- text/html
>>> 1271280104.258 47 172.23.5.54 TCP_DENIED/407 1763 GET http://www.yahoo.es/ - NONE/- text/html
>>> 1271280104.289 31 172.23.5.54 TCP_DENIED/407 2079 GET http://www.yahoo.es/ - NONE/- text/html
>>> 1271280104.524 235 172.23.5.54 TCP_DENIED/403 1447 GET http://www.yahoo.es/ eu\vbonafe NONE/- text/html
>>> 1271280110.274 391 172.23.5.54 TCP_MISS/200 5128 GET http://www.google.com/ - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
>>> 1271280110.524 63 172.23.5.54 TCP_MISS/204 494 GET http://clients1.google.com/generate_204 - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
>>> 1271280110.649 157 172.23.5.54 TCP_MISS/204 434 GET http://www.google.com/csi? - DIRECT/72.14.204.103 text/html
>>>
>>> We have the below acl for users in the AD global group
>>>
>>> external_acl_type AD_global_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G
>>>
>>> and another acl below that allows full access through the squid proxy
>>> using an AD group
>>>
>>> acl InetAllow external AD_global_group CLW.Squid.Full
>>>
>>> Any ideas?
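To make Amos's point about http_access order concrete, here is an added example that is not part of the thread and not Squid code: a small Python model of Squid's first-match rule evaluation, run over the posted rule order and over a reordering that puts the deny lines first. Everything the post does not show is constructed: the contents of the ACL list files (treated as empty apart from two inline domain sets), 172.16.0.0/12 standing in for the redacted 172.xx.xx.xx/12, the CLW.Squid.Full membership, the client addresses, and the trailing `deny all` in the reordered list.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code).

Modelled semantics: lines are tested top to bottom, every ACL on a line must
match (AND), a leading '!' negates an ACL, the first matching line decides,
and when no line matches the result is the opposite of the last line's action.
"""
from ipaddress import ip_address, ip_network

# Constructed stand-ins for values the post does not show.
OUR_NETWORKS = ip_network("172.16.0.0/12")      # assumed for "172.xx.xx.xx/12"
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}
WINDOWS_UPDATE = {"windowsupdate.microsoft.com"}  # constructed windowsupdate.txt
APPROVED_DOMAINS = {"www.google.com"}             # constructed Approved.txt
FULL_GROUP_MEMBERS = {"na\\alice"}                # constructed CLW.Squid.Full membership

ACLS = {
    "all":              lambda r: True,
    "manager":          lambda r: r["proto"] == "cache_object",
    "localhost":        lambda r: r["src"] == "127.0.0.1",
    "HEAD":             lambda r: r["method"] == "HEAD",
    "ftp":              lambda r: r["proto"] == "FTP",
    "CONNECT":          lambda r: r["method"] == "CONNECT",
    "SSL_ports":        lambda r: r["port"] == 443,
    "Safe_ports":       lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
    "our_networks":     lambda r: ip_address(r["src"]) in OUR_NETWORKS,
    "WindowsUpdate":    lambda r: r["host"].lower() in WINDOWS_UPDATE,
    "Approved_Domains": lambda r: r["host"] in APPROVED_DOMAINS,
    # external_acl_type with %LOGIN: real Squid challenges (407) when there are no
    # credentials; this model simply treats an unauthenticated request as no match.
    "InetAllow":        lambda r: r.get("user") in FULL_GROUP_MEMBERS,
}
# List files not on the page (bypass IPs, approved IPs) and the Java UA regex
# are treated as matching nothing.
for _name in ("bypass_auth", "bypass_auth-external", "Java", "Approved_IP"):
    ACLS[_name] = lambda r: False


def _match(term, request):
    negate = term.startswith("!")
    hit = ACLS[term.lstrip("!")](request)
    return not hit if negate else hit


def http_access(rules, request):
    """Return 'allow' or 'deny' for request under the ordered http_access lines."""
    last_action = None
    for line in rules:
        action, *terms = line.split()
        last_action = action
        if all(_match(t, request) for t in terms):
            return action
    # Squid's default when nothing matched: the opposite of the last line's action.
    return "deny" if last_action == "allow" else "allow"


# The order exactly as posted in the thread.
POSTED_ORDER = [
    "allow manager localhost", "allow HEAD", "allow ftp", "allow WindowsUpdate",
    "allow bypass_auth", "allow bypass_auth-external", "allow Approved_Domains",
    "allow Java", "allow Approved_IP", "allow InetAllow",
    "deny manager", "deny !Safe_ports", "deny CONNECT !SSL_ports", "deny !our_networks",
]

# Amos's advice applied: denies first, !our_networks right after the CONNECT rule
# (any rule meant for outside clients would sit between those two), explicit deny all.
REORDERED = [
    "allow manager localhost", "deny manager", "deny !Safe_ports",
    "deny CONNECT !SSL_ports", "deny !our_networks",
    "allow HEAD", "allow ftp", "allow WindowsUpdate", "allow bypass_auth",
    "allow bypass_auth-external", "allow Approved_Domains", "allow Java",
    "allow Approved_IP", "allow InetAllow", "deny all",
]

# Constructed requests: 203.0.113.9 is an outside address, 172.23.5.54 is from the log.
SCENARIOS = {
    "outside, no auth, HEAD": {"src": "203.0.113.9", "method": "HEAD", "proto": "HTTP",
                               "host": "www.example.com", "port": 80},
    "outside, no auth, GET approved domain": {"src": "203.0.113.9", "method": "GET",
                                              "proto": "HTTP", "host": "www.google.com", "port": 80},
    "inside, group member, CONNECT to port 8443": {"src": "172.23.5.54", "method": "CONNECT",
                                                   "proto": "HTTP", "host": "mail.example.com",
                                                   "port": 8443, "user": "na\\alice"},
    "inside, group member, GET": {"src": "172.23.5.54", "method": "GET", "proto": "HTTP",
                                  "host": "www.yahoo.com", "port": 80, "user": "na\\alice"},
}


def compare(scenarios=SCENARIOS):
    """Map each scenario to (decision under POSTED_ORDER, decision under REORDERED)."""
    return {name: (http_access(POSTED_ORDER, req), http_access(REORDERED, req))
            for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, (posted, fixed) in compare().items():
        print(f"{name:45s} posted={posted:5s} reordered={fixed}")
```

With the posted order, an outside client gets its HEAD requests and any approved-domain request relayed with no credentials at all, and an authenticated group member can CONNECT to a non-443 port, because each of those `allow` lines is reached before the `deny` lines. With the denies moved up, the same requests are refused while a normal authenticated GET from the LAN still passes. Real Squid differs from this model in one respect worth remembering: an unauthenticated request that reaches a %LOGIN external ACL or proxy_auth ACL triggers a 407 challenge (the TCP_DENIED/407 lines in the log) instead of just failing to match.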