Hi Scott

Thanks for the response :)

I tried what you suggested, but with that in my squid.conf file I cannot get the service to start. Nothing shows up in /var/log/messages, or cache.log. Any ideas?

You are correct with what I'm trying to do. Only people who belong to the "internet" security group in AD should be permitted access to the internet, with the exception of the blacklisted URLs for regular expression matching. By default, everyone else should be denied access. Down the road I will likely start doing whitelists for specific departments so they can only access the sites they require.

Megan

-----Original Message-----
From: Scott Horsley [mailto:scott.horsley@xxxxxxxxxxxxxxxxxxxxx]
Sent: Thursday, July 29, 2010 8:59 PM
To: Megan Grubb; squid-users@xxxxxxxxxxxxxxx
Subject: Re: Domain Admins can't access

On 30/07/10 2:25 AM, "megs28" <mgrubb@xxxxxxxxxx> wrote:

> Hello
>
> This is my first post. I've just set up Squid 2.7 STABLE on Ubuntu server
> 10.4 with NTLM authentication and Winbind. At present, anyone who is a
> member of the domain admins group is not able to access the proxy
> server...they just get a normal "Page cannot be displayed" message in IE,
> not even a squid error. When they access a blocked site (login.live.com),
> same thing. A coworker previously set up 2.6STABLE on FreeBSD 7 and he had
> the same problem. I have a few accounts with domain admin privileges, but
> they all have the same problem. Config is below.
>
> I have tried commenting out the ACL "http_access deny
> ad_group_domain_users", which points to a file that just says Domain Users,
> but that makes no difference. When I do domain\administrator
> domain\internet with wbinfo_group.pl OK is returned....same with my username
> (non domain admin). There are no errors in the access.log or cache.log. I
> HAVE changed the wbinfo_group.pl as the default one wasn't working...but if
> it's returning OK when I run a check I don't understand the issue.
> If there's a better way to accomplish this let me know...would like for
> Kerber
<snip>

I think the biggest issue you have is actually highlighted in your config.. You have

> #########BE VERY CAREFUL OF RULE ORDER, WILL STOP WHEN SOMETHING MATCHES AND
> NOT CONTINUE###########

And that is the important part of all this. Just observations but here is my outlook on your config.

====
http_access allow AD_group_internet

Would appear that you are trying to check for a user (external helper called with %LOGIN) without checking the external authenticator "ntlm" anywhere along the check (I have never used ntlm so this could be wrong).

====
http_access allow AD_group_internet

Is before your safe_port check, which means safe_ports are never used; access can be achieved to every port out there, including mail servers etc.

====
http_access deny ad_group_domain_users

Denies users using %LOGIN which isn't checked first (see my statement above about ntlm... Never used it)

====
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
http_access allow localnet

Would allow every user on your network (guessing this subnet is your network) to access the proxy. If a user isn't in your AD server (or your helper returns the wrong result) and isn't a member of one of your ntdom groups, they have access to the proxy and can browse without restriction.

===
acl AD_group_internet external ntdom internet
AND
acl AD_group_domain_users external ntdom "/etc/squid/ad_group_domain_users"

seem to call your external helper quite differently. I don't know what your helper does so I assume either will work.

===
I have included a basic ACL config that should match onto what you're trying to achieve (from what I can see in your config). It's by no means complete but might clear up some of your issues. It doesn't include your external helper definitions or basic config entries like auth helpers, safe ports etc. Just a heads up.
I am taking some wild guesses about what your actual setup is meant to be doing but the below seems fairly logical.

acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

# Deny bad ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Deny sites in the blocked_websites list
acl blocked_websites url_regex "/etc/squid/blocked_websites"
http_access deny blocked_websites

# Allow authenticated users in the INTERNET group on our network access
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl AD_group_internet external ntdom internet # Internet group members
http_access allow localnet ntlm AD_group_internet

# ?? anybody not in "INTERNET" group would be denied after this.
#acl AD_group_domain_users external ntdom "/etc/squid/ad_group_domain_users"
#http_access deny ntlm AD_group_domain_users

http_access deny all

Hopefully this wild bit of guessing will clear up some of the issues you are seeing and give some feedback into what is actually going wrong. Of course, if I am reading into what you are doing wrongly, then I am more than happy to stand corrected on the sideline. :)

Scott
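Scott's snippet uses the names "ntlm" and "ntdom" without defining them, and Squid refuses to start on an http_access line that references an undefined ACL, which is one thing to check when the service will not come up. Added example, not from either mail: the same rule order with the auth and helper definitions filled in; helper paths, children counts and the AD group name "internet" are assumptions.

```conf
# Added example (not from the thread): the ACL section in the order Scott
# describes, plus the auth and helper definitions his snippet leaves out.
# ASSUMPTIONS: helper paths, children counts and the AD group name "internet"
# follow a typical Ubuntu/Samba layout, not Megan's actual config.

# NTLM authentication through Samba's ntlm_auth (winbind joined to the domain)
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Group lookup helper: receives the authenticated login (%LOGIN) plus the
# group name(s) from the acl line and answers OK or ERR. %LOGIN only exists
# once the request has authenticated, hence the proxy_auth check further down.
external_acl_type ntdom ttl=300 negative_ttl=60 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl ntlm proxy_auth REQUIRED           # any successfully authenticated domain user
acl AD_group_internet external ntdom internet   # member of the AD group "internet"
acl blocked_websites url_regex -i "/etc/squid/blocked_websites"

# http_access is first-match: the first line whose ACLs all match decides.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports           # before any allow, or mail ports etc. become reachable
http_access deny CONNECT !SSL_ports
http_access deny blocked_websites      # blacklist applies to everyone, even the internet group
http_access deny !ntlm                 # unauthenticated clients get the 407 challenge here;
                                       # the proxy_auth ACL must be last on this line for that
http_access allow localnet AD_group_internet   # authenticated, on the LAN, in the group
http_access deny all                   # everyone else, including plain "localnet" users

# Check the file before restarting; undefined ACL names are reported here:
#   squid -k parse
```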