Re: [squid-users] SquidNT 2.6 mswin_check_lm_group.exe problem from Guido Serassio on 2006-07-04 (squid-users)

From: Guido Serassio <guido.serassio@dont-contact.us>
Date: Tue, 04 Jul 2006 19:16:32 +0200

Hi,

At 18.28 04/07/2006, Darren Worrall (Eclipse) wrote:

>Hi guys,
>
>I'm having trouble with the mswin_check_lm_group.exe helper program
>under SquidNT 2.6. The relevant portion of my config is below:
>
>=====================================================================
>auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
>auth_param ntlm children 5
>auth_param ntlm use_ntlm_negotiate on
>auth_param ntlm keep_alive on
>auth_param ntlm max_challenge_reuses 0
>auth_param ntlm max_challenge_lifetime 2 minutes
>
>external_acl_type win_domain_group %LOGIN
>c:/squid/libexec/mswin_check_lm_group.exe -G -d
>
>acl localnet proxy_auth REQUIRED src 172.30.0.0/16 172.29.0.0/16
>acl InetAllow external win_domain_group Internet_Users
>http_access allow InetAllow
>======================================================================
>
>
>The NTLM auth stuff is working fine, but whenever I try and make a
>connection now, I get the following in my logs:
>
>
>======================================================================
>/mswin_check_lm_group.exe[376]: Got 'domainname%5cdaz Internet_Users'
>from Squid (length: 29).
>
>/mswin_check_lm_group.exe[376]: Valid_Global_Groups: checking group
>membership of 'domainname\domainname%5cdaz'.
>
>/mswin_check_lm_group.exe[376]: Using '\\DCSERVER' as DC for
>'domainname' local domain.
>
>/mswin_check_lm_group.exe[376]: Using '\\DCSERVER' as DC for
>'domainname' user's domain.
>
>/mswin_check_lm_group.exe NetUserGetGroups() failed.'
>======================================================================
>
>
>It appears that the domain name is being passed twice (second line),
>though I don't know if that's relevant. Any tips?

This is correct, "local domain" is the machine domain, while " user's
domain" is user domain, not always the same ....

Try testing the helper from the command line.

And, "Pre-Windows 2000-compatible Access" is enabled in your domain ?

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Tue Jul 04 2006 - 11:16:40 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Aug 01 2006 - 12:00:01 MDT