[squid-users] Need help on group authentication on a multi-domain

From: <Arno.STREULI@dont-contact.us>
Date: Mon, 20 Jun 2005 11:15:33 +0200

Hi all,
I'm running squid 2.5Stable 9 on a solaris 8 and Samba 3.0.14a, and I'm
running into a multi-domain system, I have a trust from one server to the
3 other domains.

And I have some trouble with the group authentication with NTLM, the
authentication is working fine for any user but when I try to use the
external_helper NT_global_group, it only tests the first group on the line,
not all!!

here is my config:

# Authentication scheme
## basic auth
auth_param basic program /opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 64
auth_param basic credentialsttl 2 hours
auth_param basic realm CAI Internet access control Genève
## NTLM auth
auth_param ntlm program /opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 64
auth_param ntlm max_challenge_lifetime 30 minutes
auth_param ntlm max_challenge_reuses 0

authenticate_cache_garbage_interval 10 minute
authenticate_ttl 10 minute
external_acl_type NT_global_group %LOGIN /opt/squid/libexec/wbinfo_group.pl

acl techuser external NT_global_group D-CH-BI1\SurfeursWebCAICH-T
acl webuser external NT_global_group D-CH-BI1\SurfeursWebCAICH D-CH-BI1\SurfeursWebCAICH-T

acl cai-auth proxy_auth REQUIRED

http_access deny ftp !techuser
http_access allow cai-auth webuser
http_access deny all

and here is a debug of the wbinfo_group.pl
2005/06/16 15:54:42| storeLateRelease: released 0 objects
Got d-ch-bi1\\bi9yj D-CH-BI1\\SurfeursWebCAICH D-CH-BI1\\SurfeursWebCAICH-T from squid
User: -d-ch-bi1\bi9yj-
Group: -D-CH-BI1\SurfeursWebCAICH-
SID: -S-1-5-21-907243726-1387878072-1859928627-9560 Domain Group (2)-
GID: -10013-
Sending ERR to squid

I'm a member of the group SurfeursWebCAICH-T, not of the group
SurfeursWebCAICH, but it won't test it.

Anyone know how I can make this procedure work?

Thanks for your help if you can!

regards,
Arno Streuli
Crédit Agricole (Suisse) SA
Chemin de Bérée 46-48, ch-1010 Lausanne 10
Tél. +41 58 321.5215 - Fax +41 58 321.5251
http://www.ca-suisse.com

Received on Mon Jun 20 2005 - 03:15:40 MDT
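
An added example (not part of the original post and not the wbinfo_group.pl shipped with Squid): an external ACL helper that tests every group on the request line and answers OK when the user belongs to any of them. It assumes the backslash escaping visible in the debug output above and the `wbinfo -n`, `-Y` and `-r` lookups; `split_fields`, `winbind_member` and `check_line` are hypothetical names.

```python
import subprocess
import sys

def split_fields(line):
    """Split a helper request into fields; a backslash makes the next char literal."""
    fields, cur, esc = [], [], False
    for ch in line.rstrip("\r\n"):
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch.isspace():
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields

def wbinfo(*args):
    # argv list, no shell: user and group names are never interpreted by /bin/sh
    r = subprocess.run(["wbinfo", *args], capture_output=True, text=True)
    return r.stdout if r.returncode == 0 else ""

def winbind_member(user, group):
    """True if winbind reports the group's GID among the user's GIDs."""
    sid = wbinfo("-n", group).split()      # e.g. "S-1-5-... Domain Group (2)"
    if not sid:
        return False
    gid = wbinfo("-Y", sid[0]).strip()
    return bool(gid) and gid in wbinfo("-r", user).split()

def check_line(line, is_member=winbind_member):
    """Return OK if the user is in ANY listed group, ERR otherwise."""
    fields = split_fields(line)
    if len(fields) < 2:
        return "ERR"                        # no group to test: fail closed
    user, groups = fields[0], fields[1:]
    return "OK" if any(is_member(user, g) for g in groups) else "ERR"

if __name__ == "__main__":
    for request in sys.stdin:               # one request per line from Squid
        sys.stdout.write(check_line(request) + "\n")
        sys.stdout.flush()                  # Squid waits for each answer
```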