[squid-users] Winbind problem

Hi, I know in advance that this question is more of a samba related one than
squid, but there are a lot of winbind users here, so I will throw it at you
anyway. I am still trying to get squid and winbind talking so I can control
access via groups. I found that I get a 'cannot enum groups' error if I
include the domain name. for example, here is 2 attempts using the wb_group
on command line;

I give 'mydomain\\administrator ProxyUsers'
and get.....
/wb_group[2860](wb_check_group.c:343): Got 'mydomain\\administrator
ProxyUsers' from Squid (length: 34).
/wb_group[2860](wb_check_group.c:231): Warning: Can't enum user groups.

I give administrator ProxyUsers
and get.....
/wb_group[2860](wb_check_group.c:343): Got 'administrator ProxyUsers' from
Squid (length: 24).
/wb_group[2860](wb_check_group.c:237): SID:
S-1-5-21-1232230414-721959228-1536833037-513
/wb_group[2860](wb_check_group.c:196): Stripping domain from group name
MYDOMAIN\Domain Users
/wb_group[2860](wb_check_group.c:201): Windows group: Domain Users, Squid
group: ProxyUsers
/wb_group[2860](wb_check_group.c:237): SID:
S-1-5-21-1232230414-721959228-1536833037-512
/wb_group[2860](wb_check_group.c:196): Stripping domain from group name
MYDOMAIN\Domain Admins
/wb_group[2860](wb_check_group.c:201): Windows group: Domain Admins, Squid
group: ProxyUsers

as you can see, leaving out the domain works, but I do need multi domains
working. I have this problem on 2 different boxs.

squid was built with....
./configure --prefix=/usr --enable-delay-pool --enable-snmp
--enable-auth=ntlm,basic --enable-basic-auth-helpers=winbind
--enable-ntlm-auth-helpers="winbind,fakeauth"
--enable-external-acl-helpers=winbind_group

samba built with...

./configure --prefix=/usr --with-winbind --with-winbind-auth-challenge
--with-smbmount --with-pam --with-acl-support

relevant snippit of smb.conf is;

[global]
        workgroup = mydomain
        server string = Samba Server
        log file = /var/log/samba/log.%m
        log level = 4
        max log size = 50
        security = domain
           password server = testserver
         encrypt passwords = yes
         winbind uid = 10000-65000
         winbind gid = 10000-65000
         winbind separator = +

relevant squid.conf bits are;

auth_param ntlm program /usr/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

acl all src 10.0.0.0/255.255.255.0
#http_access allow all

external_acl_type winbind-group %LOGIN /usr/libexec/wb_group -d

acl myProxyUsers external winbind-group ProxyUsers
acl password proxy_auth REQUIRED

http_access allow myProxyUsers
http_access deny all

_______________________________________
This is authenticating against NT4 at the moment, also have same issue
against win2k - the group I am using for testing is ProxyUsers.

Thanks in advance.

Downs MicroSystems Pty Ltd
145 Margaret Street
Toowoomba Qld 4350
Ph. (07) 4639 3344 Fax (07) 4639 3820

Important Disclaimer and Warning

Downs MicroSystems does not represent or warrant that any attached files are
free from computer viruses or other defects. The attached files are
provided, and may only be used, on the basis that the user assumes all
responsibility for any loss, damage or consequences resulting directly or
indirectly from use of the attached files. The liability of Downs
MicroSystems in any event is limited to either the resupply of the attached
files or the cost of having the attached files resupplied.

NOTE: The views expressed by the individual in this message do not
necessarily reflect those of the organisation.

Downs MicroSystems is committed to protecting the privacy of individuals,
and is bound by the principles of the Commonwealth Privacy Act (1988).
Should you wish to view our Privacy Policy, please visit
www.downsmicro.com.au.

The information contained in this message is confidential and may be legally
privileged. The message is intended solely for the addressee(s). If you are
not the intended recipient, you are hereby notified that any use,
dissemination, or reproduction is strictly prohibited and may be unlawful.
If you are not the intended recipient, please contact the sender by return
e-mail and destroy all copies of the original message.
Received on Mon Jul 21 2003 - 15:10:44 MDT