RE: [squid-users] NTLM authentication error when using wb_group

From: Jairo.Castañeda <Jairo.Castaneda@dont-contact.us>
Date: Thu, 16 Jan 2003 13:55:05 -0500

Hi,

That's already done. I followed section 23 of the FAQ to the letter. Right now
authenticated users are allowed to surf the web, unauthenticated users get
the popup window asking for the user/password/domain, and in my access.log I
get the username/domain, which means my traffic is really being authorized.

The problem is when I try to use wb_group. If I test the connection I should
get something like this (according to a FAQ I read):

/usr/local/squid/libexec/squid/wb_group -d
/wb_group[617](wb_check_group.c:250): External ACL winbindd group helper build Dec 17 2002, 14:27:05 starting up...
DOMAINNAME\\User GroupName
/wb_group[617](wb_check_group.c:269): Got 'DOMAINNAME\\User GroupName' from Squid (length: 8192).
/wb_group[617](wb_check_group.c:172): SID: S-1-5-21-1836190980-1428173729-311576647-513
/wb_group[617](wb_check_group.c:175): Windows group: Domain Users, Squid group: GroupName
/wb_group[617](wb_check_group.c:172): SID: S-1-5-21-1836190980-1428173729-311576647-1168
/wb_group[617](wb_check_group.c:175): Windows group: HelpDesk, Squid group: GroupName
/wb_group[617](wb_check_group.c:172): SID: S-1-5-21-1836190980-1428173729-311576647-512
/wb_group[617](wb_check_group.c:175): Windows group: Domain Admins, Squid group: GroupName
/wb_group[617](wb_check_group.c:172): SID: S-1-5-21-1836190980-1428173729-311576647-1510
/wb_group[617](wb_check_group.c:175): Windows group: HelpDesk, Squid group: GroupName
OK

Instead I get:

/wb_group[617](wb_check_group.c:265): External ACL winbindd group helper build Dec 17 2002, 14:27:05 starting up...
DOMAINNAME\\User GroupName
/wb_group[617](wb_check_group.c:285): Got 'DOMAINNAME\\User GroupName' from Squid (length: 8192).
ERR

It seems like there is no communication between my proxy and the PDC?
Then how is NTLM authentication working?

Any ideas?

Thanks,

-----Original Message-----
From: DUBOST Gaetan (DSIT-XA/I) [mailto:Gaetan.DUBOST@sncf.fr]
Sent: Thursday, January 16, 2003 11:37 a.m.
To: Jairo.Castañeda
Subject: RE: [squid-users] NTLM authentication error when using wb_group

Hi,

Remember that you need to use winbind and to register your server on your NT
domain; see the FAQ:

http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

-----Original Message-----
From: Jairo.Castañeda [mailto:Jairo.Castaneda@siemens.com]
Sent: Thursday, January 16, 2003 17:31
To: 'Mohsin Khan'
Cc: Squid List (E-mail)
Subject: RE: [squid-users] NTLM authentication error when using wb_group

That would be OK if my network were small. However, that's not the
case. There are 1400 users, so I need to use filters based on NT groups.

-----Original Message-----
From: Mohsin Khan [mailto:aaghaz00@yahoo.com]
Sent: Wednesday, January 15, 2003 11:04 p.m.
To: Jairo.Castañeda
Subject: Re: [squid-users] NTLM authentication error when using wb_group

A-o-a

Well, if you are using NTLM and you want specific users
to surf the internet, just put the users' names in a file
and make an ACL accordingly.

--- Jairo.Castañeda <Jairo.Castaneda@siemens.com> wrote:
> I've got a Linux RH 7.2 box running squid 2.5stable1 with NTLM
> authentication implemented as well which is working fine. So far so good...
>
> However, I want to allow web access only to users belonging to an NT group
> (called internet). In an earlier e-mail I was told to use the wb-group
> external_acl helper which I did so I added the following lines to the
> squid.conf file:
>
> -- external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wb_group
> -- acl ProxyUsers external NT_global_group internet
> -- acl AuthorizedUsers proxy_auth REQUIRED
>
> My rules look like this:
> http_access allow AuthorizedUsers ProxyUsers
> http_access deny all
>
> With this setup every time I tried to surf I get the following error:
> "Access Denied.
> Access control configuration prevents your request from being allowed at
> this time. Please contact your service provider if you feel this is
> incorrect."
>
> From the access.log
> "1042667330.327 10 xxx.xxx.148.xxx TCP_DENIED/407 1762 GET http://www.cromos.com.co/ - NONE/- text/html
> 1042667330.367 16 xxx.xxx.148.xxx TCP_DENIED/407 1770 GET http://www.cromos.com.co/ - NONE/- text/html
> 1042667330.394 25 xxx.xxx.148.xxx TCP_DENIED/403 1407 GET http://www.cromos.com.co/ vebogx101a\castanedaj NONE/- text/html"
>
> If I remove "ProxyUsers" from the http_access rule my NTLM scheme works
> again. (only authenticated users can surf the web)
>
> What could be missing? Any ideas?
>
> Jairo Castañeda

=====
Regards,
Mohsin Khan
CCNA ( Cisco Certified Network Associate 2.0 )

>>>Happy is the who can smile<<<

Received on Thu Jan 16 2003 - 11:53:47 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:42 MST
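
Added example, not part of the original thread: a small parser for the native-format access.log lines quoted above, separating proxy authentication challenges (TCP_DENIED/407) from denials logged with a username (TCP_DENIED/403), which is the pattern that points at the group ACL rather than at NTLM itself. The function names and category labels are this example's own; the sample lines are the ones posted in the thread, unwrapped.

```python
from collections import Counter, namedtuple

# Only the fields needed for the diagnosis are kept from each log line.
Entry = namedtuple("Entry", "ts client action status url user")

# Log lines as posted in the thread (client address masked by the poster).
SAMPLE = r"""
1042667330.327 10 xxx.xxx.148.xxx TCP_DENIED/407 1762 GET http://www.cromos.com.co/ - NONE/- text/html
1042667330.367 16 xxx.xxx.148.xxx TCP_DENIED/407 1770 GET http://www.cromos.com.co/ - NONE/- text/html
1042667330.394 25 xxx.xxx.148.xxx TCP_DENIED/403 1407 GET http://www.cromos.com.co/ vebogx101a\castanedaj NONE/- text/html
"""

def parse_line(line):
    """Parse one native-format access.log line; return None if malformed."""
    f = line.split()
    if len(f) != 10 or "/" not in f[3]:
        return None
    action, status = f[3].split("/", 1)
    try:
        return Entry(float(f[0]), f[2], action, int(status), f[6], f[7])
    except ValueError:
        return None

def classify(e):
    """Label an entry by what kind of denial it records."""
    if e.action != "TCP_DENIED":
        return "not-denied"
    if e.status == 407:
        return "auth-challenge"      # proxy asked the client for credentials
    if e.status == 403:
        # A username in the log means the user was identified, then refused.
        return "authz-denied" if e.user != "-" else "denied-no-user"
    return "denied-other"

def summarize(text):
    """Return (labels in log order, {user: count of post-auth denials})."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    kinds = [classify(e) for e in entries]
    denied = Counter(e.user for e, k in zip(entries, kinds) if k == "authz-denied")
    return kinds, dict(denied)

if __name__ == "__main__":
    kinds, denied = summarize(SAMPLE)
    print(kinds)
    for user, n in denied.items():
        print(f"{user}: authenticated but denied by ACL {n} time(s)")
```
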