RE: wbinfo_group.pl receives user and domain in wrong format?


Hi,

Update: If I change "winbind use default domain = no" the wbinfo_group.pl receives the correct username.

This is OK, just that the basic auth users now need to include the domain with their username.

I still would like to know why wbinfo_group.pl receives the username in the form of USER@MY.DOMAIN and not as DOMAIN\USER or just USER as I understand it should.

Regards,

Tuukka

-----Original Message-----
From: Laurikainen, Tuukka [mailto:t.laurikainen@xxxxxxxxxxxxxx] 
Sent: Thursday, January 03, 2013 6:50 PM
To: squid-users@xxxxxxxxxxxxxxx
Subject:  wbinfo_group.pl receives user and domain in wrong format?

Hi,

I have the following problem with an external acl: The Squid server is configured to authenticate users from AD (Negotiate and NTLM auth both work fine).
The problem I have is with an external acl to check group permissions:

external_acl_type AD-Groups ttl=10 children=60 %LOGIN /usr/lib/squid3/wbinfo_group.pl

Now, debugging the wbinfo_group.pl I can see that:

Got USER@MY.DOMAIN AD_GROUP from squid
Usuario: USER@MY.DOMAIN
User:  - USER@MY.DOMAIN-
Group: -AD_GROUP-
SID:   -S-1-5-21-1472344799-869232178-1847928074-74927-
GID:   -10081-
Could not get groups for user USER@MY.DOMAIN
Sending ERR to squid

It correctly gives OK if the user is just the USER, but why is Squid passing the user in this format USER@MY.DOMAIN? I understand it should strip the domain part off(?)... Wbinfo -t, wbinfo -u, wbinfo -g all work fine. wbinfo -r works too, if the user is given in a correct format (USER or DOMAIN\\USER).

smb.conf:

[global]
interfaces = 127.0.0.1/8 eth0
workgroup = DOMAIN
netbios name = squid
local master = no
realm = MY.DOMAIN
security = ads
encrypt passwords = yes

password server = dc1.my.domain, dc2.my.domain, *

load printers = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
client use spnego = yes
debug level = 2

squid.conf (just the auth lines):

auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MY.DOMAIN --kerberos /usr/lib/squid3/squid_kerb_auth -s GSS_C_NO_NAME
auth_param negotiate keep_alive off

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MY.DOMAIN

Squid version 3.1.6.

Regards,

Tuukka
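
Added example, not part of the thread and not the shipped wbinfo_group.pl: Python logic for an external ACL helper that accepts the three login forms mentioned above (USER, DOMAIN\USER, USER@MY.DOMAIN) and strips the domain part only when it matches the realm or workgroup from the quoted smb.conf, so a same-named account from another realm is refused rather than treated as local. The function names, the injected group lookup and the URL-decoding of request fields are assumptions.

```python
import re
from urllib.parse import unquote

REALM = "MY.DOMAIN"      # realm from the quoted smb.conf
WORKGROUP = "DOMAIN"     # workgroup from the quoted smb.conf
SAFE_USER = re.compile(r"[A-Za-z0-9._$-]+")

def normalize_login(login, realm=REALM, workgroup=WORKGROUP):
    """Map USER, DOMAIN\\USER or USER@REALM to the bare USER.

    Returns None when the domain part is not the configured one, so a
    same-named account from another realm is never treated as ours.
    """
    if "@" in login:
        user, _, dom = login.rpartition("@")
        if dom.upper() != realm.upper():
            return None
    elif "\\" in login:
        dom, _, user = login.partition("\\")
        if dom.upper() != workgroup.upper():
            return None
    else:
        user = login
    # Reject anything that is not a plain account name before it can
    # reach a command line or a directory lookup.
    return user if SAFE_USER.fullmatch(user) else None

def answer(line, groups_of):
    """Return 'OK' or 'ERR' for one request line: '<login> <group>...'.

    groups_of is a caller-supplied lookup (hypothetical; for instance a
    wrapper around `wbinfo -r`) returning the group names of a bare user.
    Fields are URL-decoded on the assumption that Squid escapes them.
    """
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return "ERR"
    user = normalize_login(fields[0])
    if user is None:
        return "ERR"
    member_of = {g.upper() for g in groups_of(user)}
    return "OK" if any(g.upper() in member_of for g in fields[1:]) else "ERR"

# Constructed sample data, not taken from the thread.
SAMPLE_GROUPS = {"USER": {"AD_GROUP", "Domain Users"}}

def sample_lookup(user):
    return SAMPLE_GROUPS.get(user, set())
```
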


