Re: [squid-users] Having trouble with win32_check_group (SquidNT) from Serassio Guido on 2004-12-23 (squid-users)

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Fri, 24 Dec 2004 00:23:47 +0100

Hi,

At 00.07 24/12/2004, Euan Holton wrote:

>Thank you very much for your reply!
>
>
>In their previous message, Serassio Guido wrote
>>Hi,
>>
>>At 22.51 23/12/2004, Euan Holton wrote:
>>>......
>>>
>>>Is there something I'm missing? I find it puzzling that the helper is
>>>failing given theoretically the same input as provided to it on a command line.
>>
>>Basically it seems all correct.
>
>Phew, I still can RTFM!
>
>>The only difference between your manual test and the squid environment is
>>that squid service runs as LocalSystem account (SYSTEM).
>
>Does it have to run as SYSTEM account, or will it be able to run happily
>as an Administrator? And do you think it'll make a difference?

It does. Scope of SYSTEM account is local to the machine, but the use of a
domain user can be dangerous on the security side.
Just for test, put the eholton in the local Administrators group and set
SquidNT service to logon as eholton and see what happens.

>>Do you are using Active Directory ? If so, there are some any special
>>permission on OU containing eholton user account ? And "Pre Windows 2000
>>compatibility" is enabled on your AD ?
>
>Yes, AD is in use. I did toy briefly with using LDAP based group helpers,
>but I have yet to learn a great deal about LDAP / AD and I was really
>unsure about to configure the search for our specific arrangement.
>
>As far as I know there are no unusual permissions for the OU the eholton
>account is in; I am not sure about that though, and can check when I'm in
>work tomorrow morning (I subscribe to the Squid mailing lists there too).
>
>I'll have to check that setting - and whether it's a per-person or more
>global setting.

Check this on your AD:

If the "Pre-Windows 2000 Compatible Access" is applied to the eholton user
account container with the same advanced ACL of the root of your AD domain.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Thu Dec 23 2004 - 16:24:23 MST

This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:03 MST