RE: [squid-users] SquidNT - Authentication of groups only works partly

From: Altrock, Jens <Jens.Altrock@dont-contact.us>
Date: Thu, 24 Mar 2005 14:32:53 +0100

One more thing:
I tried again with the helper in command line, and now even there
the authentication doesn't work.
Debug mode returns:

/win32_check_group.exe[1292]: Got 'wbgdom01\\testedv WWW' from Squid
(length: 21).

/win32_check_group.exe[1292]: Valid_Global_Groups: checking group membership
of 'wbgdom01\testedv'.

/win32_check_group.exe[1292]: Using '\\NWSH1-PDC' as DC for 'stadt-nw' local
domain.

/win32_check_group.exe[1292]: Using '\\WBGSRV1' as DC for 'wbgdom01' user's
domain.

/win32_check_group.exe NetUserGetGroups() failed.'
/win32_check_group.exe[1292]: Got 'wbgdom01\\testedv Domänen-Admins' from
Squid (length: 32).

/win32_check_group.exe[1292]: Valid_Global_Groups: checking group membership
of 'wbgdom01\testedv'.

/win32_check_group.exe[1292]: Using '\\NWSH1-PDC' as DC for 'stadt-nw' local
domain.

/win32_check_group.exe[1292]: Using '\\WBGSRV1' as DC for 'wbgdom01' user's
domain.

/win32_check_group.exe NetUserGetGroups() failed.'

> -----Original Message-----
> From: Altrock, Jens [mailto:Jens.Altrock@STADT-NW.DE]
> Sent: Thursday, 24 March 2005 14:04
> To: 'squid-users@squid-cache.org'
> Subject: RE: [squid-users] SquidNT - Authentication of groups only works partly
>
>
> Domain is in mixed mode though.
> I added the domain users to the Pre-Windows 2000 compatible access group,
> but that helped nothing though...
>
> -----Original Message-----
> From: Guido Serassio [mailto:guido.serassio@acmeconsulting.it]
> Sent: Thursday, 24 March 2005 13:25
> To: Altrock, Jens; squid-users@squid-cache.org
> Subject: RE: [squid-users] SquidNT - Authentication of groups only works partly
>
>
> Hi,
>
> Look if on the WBGDOM01 domain the "Pre-Windows 2000 compatible access" is
> enabled.
>
> The configuration should be fine.
>
> Regards
>
> Guido
>
> -
> ========================================================
> Guido Serassio
> Acme Consulting S.r.l. - Microsoft Certified Partner
> Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135 Fax. : +39.011.9781115
> Email: guido.serassio@acmeconsulting.it
> WWW: http://www.acmeconsulting.it/
>
>
>
> -----Original Message-----
> From: Altrock, Jens [mailto:Jens.Altrock@STADT-NW.DE]
> Sent: Thu 3/24/2005 11:07 AM
> To: 'squid-users@squid-cache.org'
> Subject: [squid-users] SquidNT - Authentication of groups only works partly
>
> Hi there!
>
> I set up SquidNT on a Windows 2000 Server, works fine though. I just got a
> little problem regarding authentication of domain groups via Squid.
>
> The scenery:
> We got four domains:
> STADT-NW (where the proxy is in, Windows NT4 Domain)
> VHS-NW (trusted domain, bidirectional, Windows 2003 Server, ADS)
> TKS-NW (trusted domain, bidirectional, Windows 2003 Server, ADS)
> WBGDOM01 (trusted domain, bidirectional, Windows 2000 Server SP3, ADS)
>
> I check groups via the win32_check_group helper delivered with Squid using
> the following config:
>
> external_acl_type NT_global_group %LOGIN c:/squid/libexec/win32_check_group.exe -G
> auth_param ntlm program c:/squid/libexec/win32_ntlm_auth.exe
> auth_param ntlm children 30
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm use_ntlm_negotiate off
>
> acl WWW external NT_global_group WWW
> acl admins external NT_global_group Domänen-Admins
> acl password proxy_auth REQUIRED
>
> http_access allow password WWW
> http_access allow password admins
> http_access deny password !WWW !admins
>
> So two groups got access to the Internet: Domänen-Admins (domain admins) and
> the WWW group.
> That works so far... for three of the four domains. If I try internet access
> via proxy with a user from STADT-NW, TKS-NW or VHS-NW, it works perfectly.
> But when trying a user from WBGDOM01, it won't work, Squid returns an Access
> Denied Page.
>
> I tried using the helper from the command line, using domain\\user and group
> as parameters, and it works. The helper returns an OK in that case.
> But when looking at the cache.log file when trying to access Squid via
> browser with that user, I see the following error message:
>
> /win32_check_group.exe NetUserGetGroups() failed.'
>
> Anyone can help me with that? I don't think it's a problem with the helper,
> for it works in command line mode though.
>
> Regards,
>
> Jens Altrock
> Diplom-Ingenieur (BA)
> Stadtverwaltung Neustadt an der Weinstraße
> EDV und Organisation
> Marktplatz 1
> 67433 Neustadt an der Weinstraße
>
> Tel. +49 6321 855 330
> Fax +49 6321 855 7330
> mailto:jens.altrock@stadt-nw.de
> http://www.neustadt-weinstrasse.de
>
> ###########################################
> This message has been scanned by F-Secure Anti-Virus.
Received on Thu Mar 24 2005 - 06:33:03 MST
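
Added example (not part of the original thread, and not code from Squid or from the helper's author): a small Python parser that pairs each "Got ... from Squid" request in the helper's debug output with the DC queried for the user's domain and with any "...() failed" line that follows, so failures can be counted per domain controller. It assumes a failure line belongs to the most recent request; the third request in the sample is constructed, and 'exampleuser' and 'EXAMPLE-DC' are placeholders.

```python
import re

# Requests 1-2: helper debug lines from the message above (abridged, wrapped as
# posted). Request 3 is constructed; 'exampleuser' and 'EXAMPLE-DC' are placeholders.
SAMPLE_LOG = r"""
/win32_check_group.exe[1292]: Got 'wbgdom01\\testedv WWW' from Squid
(length: 21).
/win32_check_group.exe[1292]: Using '\\WBGSRV1' as DC for 'wbgdom01' user's
domain.
/win32_check_group.exe NetUserGetGroups() failed.'
/win32_check_group.exe[1292]: Got 'wbgdom01\\testedv Domänen-Admins' from
Squid (length: 32).
/win32_check_group.exe[1292]: Using '\\WBGSRV1' as DC for 'wbgdom01' user's
domain.
/win32_check_group.exe NetUserGetGroups() failed.'
/win32_check_group.exe[1292]: Got 'vhs-nw\\exampleuser WWW' from Squid (length: 23).
/win32_check_group.exe[1292]: Using '\\EXAMPLE-DC' as DC for 'vhs-nw' user's domain.
"""

EVENT = re.compile(
    r"Got '(?P<user>\S+) (?P<group>[^']+)' from Squid"
    r"|Using '(?P<dc>[^']+)' as DC for '(?P<domain>[^']+)' user's domain"
    r"|(?P<api>\w+)\(\) failed"
)

def parse_lookups(log_text):
    """One dict per 'Got ...' request; a failure is attached to the latest request."""
    text = re.sub(r"\s+", " ", log_text)  # rejoin wrapped log lines
    lookups = []
    for m in EVENT.finditer(text):
        if m["user"]:
            lookups.append({"user": m["user"].replace("\\\\", "\\"), "group": m["group"],
                            "domain": None, "dc": None, "failed_api": None})
        elif lookups and m["dc"]:
            lookups[-1].update(domain=m["domain"], dc=m["dc"])
        elif lookups and m["api"]:
            lookups[-1]["failed_api"] = m["api"]
    return lookups

def failures_by_dc(lookups):
    """Map (user's domain, DC) -> (requests seen, requests with a failed call)."""
    stats = {}
    for item in lookups:
        seen, failed = stats.get((item["domain"], item["dc"]), (0, 0))
        stats[item["domain"], item["dc"]] = (seen + 1, failed + (item["failed_api"] is not None))
    return stats

if __name__ == "__main__":
    print(failures_by_dc(parse_lookups(SAMPLE_LOG)))
```

On the sample, both lookups against \\WBGSRV1 fail while the constructed request shows no failure, which is the per-domain pattern described in the thread.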
