Re: Domain Admins can't access

Scott Horsley wrote:


On 30/07/10 2:25 AM, "megs28" <mgrubb@xxxxxxxxxx> wrote:

Hello

This is my first post.  I've just set up Squid 2.7 STABLE on Ubuntu server
10.4 with NTLM authentication and Winbind.  At present, anyone who is a
member of the domain admins group is not able to access the proxy
server...they just get a normal "Page cannot be displayed" message in IE,
not even a squid error.  When they access a blocked site (login.live.com),
same thing.  A coworker previously set up 2.6STABLE on FreeBSD 7 and he had
the same problem.  I have a few accounts with domain admin privileges, but
they all have the same problem.  Config is below.

I have tried commenting out the ACL "http_access deny
ad_group_domain_users", which points to a file that just says Domain Users,
but that makes no difference.  When I do domain\administrator
domain\internet with wbinfo_group.pl, OK is returned... same with my username
(non domain admin).  There are no errors in the access.log or cache.log.  I
HAVE changed the wbinfo_group.pl as the default one wasn't working...but if

So, "megs28", how and why did you change it?
It's more likely that the authentication was failing on your specific setup than that the authentication helper in common use for most of a decade was broken.

If your group names are in fact "domain/internet" and "domain/Domain Users", as your manual test implies, then the group names specified in squid.conf for the bundled helper need to be "domain/internet" and "domain/Domain Users".

There are also permission issues with winbind that you need to look at. A manual test needs to be run on the helper with the same exact user account as squid uses for low-privilege operations. If that fails, there is your problem. The squid effective user must be a member of both the group having winbind access (read AND write) privileges and the group having proxy cache and operational privileges.
That means that cache_effective_group cannot be used in your squid.conf.


it's returning OK when I run a check, I don't understand the issue.  If
there's a better way to accomplish this let me know...would like for
Kerber <snip>

I think the biggest issue you have is actually highlighted in your config:
You have
#########BE VERY CAREFUL OF RULE ORDER, WILL STOP WHEN SOMETHING MATCHES AND
NOT CONTINUE###########

And that is the important part of all this.

Just observations but here is my outlook on your config.

====
http_access allow AD_group_internet
Would appear that you are trying to check for a user (external helper called
with %LOGIN) without checking the external authenticator "ntlm" anywhere
along the check (I have never used ntlm so this could be wrong).


The use of %LOGIN makes the external ACL challenge for credentials before passing/failing. No problem there unless the release is broken or it's used in a fast-access test.

====
http_access allow AD_group_internet
Is before your safe_port check which means safe_ports are never used, access
can be achieved to every port out there, including mail servers etc.

====
http_access deny ad_group_domain_users
Denies users using %LOGIN which isn't checked first (see my statement above
about ntlm... Never used it)

====
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
http_access allow localnet
Would allow every user on your network (guessing this subnet is your
network) to access the proxy. If a user isn't in your AD server (or your
helper returns the wrong result) and isn't a member of one of your ntdom
groups, they have access to the proxy and can browse without restriction.


Exactly. Also note that at this point the admins group and any other groups, including anonymous and guest, have been allowed or denied.

I'd expect anyone on the LAN to be able to enter some valid credentials and get allowed by this rule.


===
acl AD_group_internet external ntdom internet
AND
acl AD_group_domain_users external ntdom "/etc/squid/ad_group_domain_users"
seem to call your external helper quite differently, I don't know what your
helper does so I assume either will work.

Should do. It's an old workaround to squid.conf not dealing well with spaces inside entries.


===
I have included a basic ACL config that should match onto what you're trying
to achieve (from what I can see in your config). It's by no means complete
but might clear up some of your issues. It doesn't include your external
helper definitions or basic config entries like auth helpers, safe ports
etc.

Just a heads up. I am taking some wild guesses about what your actual setup
is meant to be doing but the below seems fairly logical.

acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

# Deny bad ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Deny site in the blocked_websites list
acl blocked_websites url_regex "/etc/squid/blocked_websites"
http_access deny blocked_websites

dstdomain, dstdomain :) your CPU will love it.


# Allow authenticated users in the INTERNET group on our network access
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl AD_group_internet external ntdom internet # Internet group members
http_access allow localnet ntlm AD_group_internet

# ?? anybody not in "INTERNET" group would be denied after this.
#acl AD_group_domain_users external ntdom "/etc/squid/ad_group_domain_users"
#http_access deny ntlm AD_group_domain_users

http_access deny all

Hopefully this wild bit of guessing will clear up some of the issues you are
seeing and give some feedback into what is actually going wrong. Of course,
if I am reading into what you are doing wrongly, then I am more than happy
to stand corrected on the sideline. :)


Pretty much exactly what I'd recommend for their config too.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.5
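Added example, not part of the thread and not Squid's own code: a small Python model of Squid's first-match walk over http_access lines, used to compare the rule ordering Scott quoted back (reconstructed here as an approximation, since the full squid.conf was never posted) with the ordering he proposed. The ACL semantics are deliberately simplified: in this model a %LOGIN external ACL simply fails to match when no credentials were sent, whereas real Squid would issue a 407 challenge first. The addresses, host names, user names and group memberships in the sample requests are constructed for the example.

```python
# Added example: model of Squid's http_access evaluation (first match wins).
# Not from the thread or from Squid; ACL behaviour is simplified as noted.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Squid's default Safe_ports and SSL_ports sets.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}


@dataclass(frozen=True)
class Request:
    src: str                               # client IP
    method: str                            # GET or CONNECT
    host: str                              # destination host
    port: int                              # destination port
    login: Optional[str] = None            # DOMAIN\user if credentials were sent
    groups: FrozenSet[str] = frozenset()   # groups the ntdom helper would say OK for


def acl_matches(name: str, req: Request) -> bool:
    """Evaluate one named ACL against a request (simplified semantics)."""
    if name == "all":
        return True
    if name == "localnet":                 # acl localnet src 192.168.0.0/16
        return req.src.startswith("192.168.")
    if name == "Safe_ports":
        return req.port in SAFE_PORTS
    if name == "SSL_ports":
        return req.port in SSL_PORTS
    if name == "CONNECT":
        return req.method == "CONNECT"
    if name == "ntlm":                     # proxy_auth REQUIRED; no challenge modelled
        return req.login is not None
    if name == "blocked_websites":         # url_regex "/etc/squid/blocked_websites"
        return req.host.endswith("login.live.com")
    if name == "AD_group_internet":        # external ntdom internet (%LOGIN)
        return req.login is not None and "internet" in req.groups
    if name == "AD_group_domain_users":    # external ntdom "Domain Users" (%LOGIN)
        return req.login is not None and "Domain Users" in req.groups
    raise KeyError(f"unknown acl {name}")


Rule = Tuple[str, List[str]]   # ("allow" | "deny", ["acl", "!acl", ...])


def http_access(rules: List[Rule], req: Request) -> str:
    """Walk the lines like Squid: the first line whose every term matches decides.
    If no line matches, Squid applies the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Hypothetical approximation of the order Scott criticised: the group allow
# sits above the Safe_ports deny, and a bare "allow localnet" sits near the end.
ORIGINAL_ORDER: List[Rule] = [
    ("allow", ["AD_group_internet"]),
    ("deny", ["AD_group_domain_users"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["blocked_websites"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]

# Scott's proposed order: port and block-list denies first, then a single
# allow that requires source network AND credentials AND group membership.
RECOMMENDED_ORDER: List[Rule] = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["blocked_websites"]),
    ("allow", ["localnet", "ntlm", "AD_group_internet"]),
    ("deny", ["all"]),
]

# Constructed requests (made-up hosts, users and groups) for the cases raised.
INTERNET_USER_TO_WEB = Request("192.168.1.10", "GET", "www.example.test", 80,
                               login="DOMAIN\\alice", groups=frozenset({"internet", "Domain Users"}))
INTERNET_USER_TO_SMTP = Request("192.168.1.10", "GET", "mail.example.test", 25,
                                login="DOMAIN\\alice", groups=frozenset({"internet", "Domain Users"}))
UNAUTH_LAN_HOST = Request("192.168.1.20", "GET", "www.example.test", 80)
DOMAIN_USER_NOT_INTERNET = Request("192.168.1.30", "GET", "www.example.test", 80,
                                   login="DOMAIN\\bob", groups=frozenset({"Domain Users"}))


def compare(req: Request) -> Tuple[str, str]:
    """(decision under ORIGINAL_ORDER, decision under RECOMMENDED_ORDER)."""
    return http_access(ORIGINAL_ORDER, req), http_access(RECOMMENDED_ORDER, req)


if __name__ == "__main__":
    for label, req in [("internet member -> web:80", INTERNET_USER_TO_WEB),
                       ("internet member -> smtp:25", INTERNET_USER_TO_SMTP),
                       ("unauthenticated LAN host", UNAUTH_LAN_HOST),
                       ("Domain User not in internet", DOMAIN_USER_NOT_INTERNET)]:
        orig, rec = compare(req)
        print(f"{label:30s} original={orig:5s} recommended={rec}")
```

The two orderings disagree on exactly the cases Scott raised: an internet-group member reaching port 25 is allowed by the first ordering because Safe_ports is never consulted, and a LAN host that never authenticated is let through by the bare allow localnet. A Domain Users member outside the internet group is denied either way, which is why the deny AD_group_domain_users line becomes redundant once deny all closes the list.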

