[squid-users] AD groups / wbinfo_group.pl problem

From: Jakob Curdes <jc_at_info-systems.de>
Date: Tue, 07 Oct 2008 18:50:38 +0200

Hi,

when trying to set up NTLM authentication against an AD controller I ran
into an issue with testing against Windows group membership.

Here's what works:
- authorizing against AD controller via winbindd and ntlm_auth helper
from samba package
i.e. without group restrictions the authorization works

- testing group membership with wbinfo_group.pl via the command line:

[root@fw libexec]# ./wbinfo_group.pl
DOMAIN+guest DOMAIN+WebEnabled
ERR
DOMAIN+service DOMAIN+WebEnabled
OK

What does not work is letting squid check the group membership.
Here are the relevant conf settings:

external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl -d
acl WebEnabled external nt_group WebEnabled
acl allowed_users proxy_auth REQUIRED
(...)
http_access allow WebEnabled
http_access allow allowed_users
http_access deny all

What happens in cache.log is (wbinfo_group.pl debug is on):
[2008/10/07 18:30:57, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa208b207
[2008/10/07 18:30:57, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
  Got user=[guest] domain=[DOMAIN] workstation=[WS1] len1=24 len2=24
[2008/10/07 18:30:57, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2008/10/07 18:30:57, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa2088205
Got 0 guest2 WebEnabled from squid
Could not convert sid S-xxxx to gid
User: -0-
Group: -guest-
SID: -xxxx
GID: --
Could not get groups for user 0
Sending OK to squid
2008/10/07 18:30:58| helperHandleRead: unexpected reply on channel -1 from nt_group #1 'OK'

Why is squid not able to lookup the groups if wbinfo on the commandline
can? I changed the permissions of the winbindd_privileged directory to
match the squid_effective group.

Any ideas?

Regards,
Jakob
Received on Tue Oct 07 2008 - 16:50:54 MDT
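Added example, not part of the original post and not Squid's or Samba's code: a minimal external ACL group helper in Python (standing in for the Perl wbinfo_group.pl) that speaks the protocol Squid uses when `concurrency=N` is set on external_acl_type. In that mode Squid prefixes every request line with a channel ID and requires the reply to start with the same ID, which is what "unexpected reply on channel -1" refers to. Note how the debug output in the post shows the first field "0" landing in User: and the real user landing in Group:, and the reply is a bare "OK" with no channel ID. The group table, user names and the `--concurrent` switch below are constructed for the example; real deployments would call wbinfo or winbind here.

```python
#!/usr/bin/env python3
"""Squid external ACL group helper speaking the concurrent protocol.

Added illustration, not Squid's or Samba's code.  With concurrency=N in
external_acl_type, Squid sends each request as

    <channel-id> <%LOGIN> <group> [<group> ...]

and requires the reply to start with the same channel id:

    <channel-id> OK|ERR

A helper that does not know about the id swallows it as the user name and
answers a bare "OK", which Squid cannot route to any channel.
"""
import sys
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed stand-in for winbind/AD group membership (assumption, not real
# directory data).  Keys are group names as written in the acl line, values
# are users in winbind's DOMAIN+user form.
GROUP_MEMBERS = {
    "WebEnabled": {"DOMAIN+service", "DOMAIN+alice"},
}


def is_member(user: str, group: str) -> bool:
    """Return True if `user` is in `group` according to the constructed table."""
    # Accept DOMAIN\user as well as DOMAIN+user, mirroring the winbind
    # separator seen on the wbinfo_group.pl command line in the post.
    return user.replace("\\", "+") in GROUP_MEMBERS.get(group, set())


def parse_request(line: str, concurrent: bool) -> Tuple[Optional[str], str, List[str]]:
    """Split one request line into (channel_id, user, groups).

    concurrent=True models a helper started with concurrency=N (leading
    channel id); concurrent=False models the classic one-request-at-a-time
    format, where the first token is already the user.
    """
    tokens = [unquote(t) for t in line.split()]  # Squid URL-escapes fields
    if not tokens:
        raise ValueError("empty request line")
    if concurrent:
        if len(tokens) < 2:
            raise ValueError("concurrent request needs a channel id and a user")
        channel, user, groups = tokens[0], tokens[1], tokens[2:]
    else:
        channel, user, groups = None, tokens[0], tokens[1:]
    return channel, user, groups


def handle_request(line: str, concurrent: bool) -> str:
    """Produce the reply line Squid expects for one request line."""
    channel, user, groups = parse_request(line, concurrent)
    verdict = "OK" if any(is_member(user, g) for g in groups) else "ERR"
    return f"{channel} {verdict}" if channel is not None else verdict


def main() -> None:
    """Read requests from Squid on stdin, answer on stdout, one per line."""
    concurrent = "--concurrent" in sys.argv[1:]  # hypothetical switch
    for raw in sys.stdin:
        raw = raw.rstrip("\n")
        if not raw:
            continue
        try:
            reply = handle_request(raw, concurrent)
        except ValueError:
            # Without a parsable channel id there is nothing to echo back;
            # a bare ERR at least fails closed.
            reply = "ERR"
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()  # Squid waits for the newline-terminated reply


if __name__ == "__main__":
    main()
```

Run with `--concurrent` when the external_acl_type line carries `concurrency=N`, and without it otherwise; the two must match. Feeding the channel-prefixed line `0 DOMAIN+service WebEnabled` to the non-concurrent parser reproduces the misparse from the post: the user becomes the literal `0`, the real login is treated as a group name, and the reply carries no channel ID.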

This archive was generated by hypermail 2.2.0 : Tue Oct 07 2008 - 12:00:03 MDT