Hi Folks,

I've installed a new SQUID server for our holding company (same Active Directory forest, but another domain) and I have a little problem with it.

Here's the auth and external ACL config from both servers (running and newly installed).

Running Config (Part):
===================================================================================
### Kerberos
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<DOMAIN-NAME> --kerberos /usr/lib/squid3/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off
### NTLM
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<DOMAIN-NAME>
auth_param ntlm children 10
auth_param ntlm keep_alive off
### BASIC
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=<DOMAIN-FQDN>,dc=<DOMAIN-TLD>" -D squid@<DOMAIN-FQDN>.<DOMAIN-TLD> -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h <DC DNS Name>
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

################################
### Access rule definitions  ###
################################
acl auth proxy_auth REQUIRED
external_acl_type testForNTGroup %LOGIN /usr/lib/squid3/wbinfo_group.pl
external_acl_type urlblacklist_lookup ttl=60 %URI /usr/local/bin/url_lookup adult,aggressive,artnudes,chat,dating,desktopsillies,dialers,drugs,filehosting,gambling,games,hacking,instantmessaging,mail,mixed_adult,naturism,onlineauctions,onlinegames,phishing,porn,proxy,ringtones,sexuality,sexualityeducation,socialnetworking,spyware,violence,virusinfected,warez,webmail
external_acl_type urlblacklist_lookup_soc ttl=60 %URI /usr/local/bin/url_lookup adult,aggressive,artnudes,chat,dating,desktopsillies,dialers,drugs,filehosting,gambling,games,hacking,instantmessaging,mail,mixed_adult,naturism,onlineauctions,onlinegames,phishing,porn,proxy,ringtones,sexuality,sexualityeducation,spyware,violence,virusinfected,warez,webmail
acl Full external testForNTGroup RZ-PXY-Full
acl Standard external testForNTGroup RZ-PXY-Standard
acl Blocked external testForNTGroup RZ-PXY-Blocked
acl StandardSocial external testForNTGroup RZ-PXY-SocialMedia
acl StandardVideo external testForNTGroup RZ-PXY-Videoportale
acl StandardAdvanced external testForNTGroup RZ-PXY-StandardAdvanced
===================================================================================

Problem Config (same part):
===================================================================================
### Kerberos
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<DOMAIN-NAME> --kerberos /usr/lib/squid3/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off
### NTLM
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<DOMAIN-NAME>
auth_param ntlm children 10
auth_param ntlm keep_alive off
### BASIC
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=<DOMAIN-FQDN>,dc=<DOMAIN-TLD>" -D squid@<DOMAIN-FQDN>.<DOMAIN-TLD> -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h <DC DNS NAME>
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

################################
### Access rule definitions  ###
################################
acl auth proxy_auth REQUIRED
external_acl_type testForNTGroup %LOGIN /usr/lib/squid3/wbinfo_group.pl
external_acl_type urlblacklist_lookup ttl=60 %URI /usr/local/bin/url_lookup adult,aggressive,artnudes,blog,chat,dating,desktopsillies,dialers,drugs,filehosting,gambling,games,hacking,instantmessaging,mail,mixed_adult,naturism,onlineauctions,onlinegames,phishing,porn,proxy,ringtones,sexuality,sexualityeducation,socialnetworking,social_networks,spyware,violence,virusinfected,warez,webmail
external_acl_type urlblacklist_lookup_soc ttl=60 %URI /usr/local/bin/url_lookup adult,aggressive,artnudes,chat,dating,desktopsillies,dialers,drugs,filehosting,gambling,games,hacking,instantmessaging,mail,mixed_adult,naturism,onlineauctions,onlinegames,phishing,porn,proxy,ringtones,sexuality,sexualityeducation,socialnetworking,spyware,violence,virusinfected,warez,webmail
acl Full external testForNTGroup pxy-full
acl Standard external testForNTGroup pxy-standard
acl Blocked external testForNTGroup pxy-blocked
acl StandardSocial external testForNTGroup pxy-socialmedia
acl StandardVideo external testForNTGroup pxy-videoportale
acl StandardAdvanced external testForNTGroup pxy-standardadvanced
===================================================================================

The problem is: if the user connects to the proxy server via the hostname, he lands in the last "Deny All" ACL, because the proxy server cannot determine the user's group correctly. But if I set the proxy via the direct IP address, everything is okay.

On the running SQUID (first config snippet) there is no such problem.

Here are some debug outputs (same output on the running SQUID):
=================================================
wbinfo -t
checking the trust secret for domain <DOMAIN-NAME> via RPC calls succeeded

echo "<DOMAIN-NAME>\user.name pxy-standard" | /usr/lib/squid3/wbinfo_group.pl
OK

echo "user.name pxy-standard" | /usr/lib/squid3/wbinfo_group.pl
OK
=================================================

Does anybody have an idea what the problem might be? I'm really confused that it's okay via IP address and not okay via DNS name.

DNS resolution is working (from any client).

Greetings from Cologne

Sven Puschmann
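
The two helper checks above cover the `DOMAIN\user` and bare `user` forms; a Negotiate/Kerberos login normally reaches `%LOGIN` as `user@REALM`, and clients normally attempt Kerberos only when the proxy is addressed by name. The script below is an added example, not part of the original post: it sends all three forms to an external ACL group helper and reports each reply. The function names and the sample values in the usage line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: probe an external ACL group helper with each login form
# that the configured auth schemes can pass to Squid's %LOGIN.
# Function names and the sample values in the usage line are assumptions.

# login_for SCHEME USER DOMAIN REALM -> login string as the helper sees it
login_for() {
    case $1 in
        basic)    printf '%s' "$2" ;;            # bare sAMAccountName
        ntlm)     printf '%s\\%s' "$3" "$2" ;;   # DOMAIN\user
        kerberos) printf '%s@%s' "$2" "$4" ;;    # user@REALM
        *)        return 1 ;;
    esac
}

# probe_helper HELPER GROUP USER DOMAIN REALM
# Prints "scheme login reply" per form; returns 1 if any reply is not OK.
probe_helper() {
    helper=$1 group=$2 user=$3 domain=$4 realm=$5
    rc=0
    for scheme in basic ntlm kerberos; do
        login=$(login_for "$scheme" "$user" "$domain" "$realm")
        # printf, not echo: some shells' echo expands backslash escapes,
        # which would corrupt logins such as DOMAIN\name.
        reply=$(printf '%s %s\n' "$login" "$group" | "$helper" 2>/dev/null | head -n 1)
        printf '%-8s %-28s %s\n' "$scheme" "$login" "${reply:-<no reply>}"
        case $reply in
            OK*) ;;
            *)   rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage (constructed values):
#   sh probe.sh /usr/lib/squid3/wbinfo_group.pl pxy-standard user.name EXAMPLE EXAMPLE.TEST
if [ "$#" -ge 5 ]; then
    probe_helper "$@"
fi
```

A form that returns ERR here while the others return OK points at login-name handling in the helper rather than at the group membership itself.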