RE: [squid-users] Deny access to particular AD group on reverse setup

From: Nick Duda <nduda_at_VistaPrint.com>
Date: Mon, 14 Sep 2009 11:01:40 -0400

Here is some more information:

If I call wbinfo_group (debug) from command line and supply my username (nduda) and a group I am part of (infosec) I get:

# /usr/local/squid/libexec/wbinfo_group.pl -d
Debugging mode ON.
nduda infosec
Got nduda infosec from squid
User: -nduda-
Group: -infosec-
SID: -S-1-5-21-1735149609-2005929907-911163043-7230-
GID: -10000-
Sending ERR to squid
ERR

If I call my username and a group I am not part of (marketing):

nduda marketing
Got nduda marketing from squid
Could not lookup name marketing
Could not convert sid to gid
User: -nduda-
Group: -marketing-
SID: --
GID: --
Sending ERR to squid
ERR

Here is what squid.conf looks like. "noproxyuse" is a group in AD that people are added to so they can't use the proxy.

# Basic authentication
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Outlook Web Access
auth_param basic credentialsttl 2 hours

external_acl_type nt_group ttl=5 children=5 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl -d

acl restrictedusers external nt_group noproxyuse
acl Auth proxy_auth REQUIRED

http_access deny Auth restrictedusers
http_access allow Auth
http_access deny all

Here is a cache.log when I, "nduda", try to use the proxy. I put myself in the "noproxyuse" group, and get:

[2009/09/14 10:40:51, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
  NT_STATUS_OK: Success (0x0)
Got nduda noproxyuse from squid
User: -nduda-
Group: -noproxyuse-
SID: -S-1-5-21-1735149609-2005929907-911163043-7230-
GID: -10000-
Sending ERR to squid

I get the info page (which is good), but why am I getting "Sending ERR to squid":

Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

If I remove myself from that group, and try again, I get:

[2009/09/14 10:47:54, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
  NT_STATUS_OK: Success (0x0)
Got nduda noproxyuse from squid
Could not lookup name noproxyuse
Could not convert sid to gid
User: -nduda-
Group: -noproxyuse-
SID: --
GID: --
Sending ERR to squid

And I still get the "Access Denied" page.

-----Original Message-----
From: Nick Duda
Sent: Monday, September 14, 2009 10:16 AM
To: 'Henrik Nordstrom'
Cc: squid-users_at_squid-cache.org
Subject: RE: [squid-users] Deny access to particular AD group on reverse setup

Do I need to compile something into squid for this? Here is what I get when I use debug on wbinfo_group:

[2009/09/14 09:54:17, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
  NT_STATUS_OK: Success (0x0)
Got jdoe noproxyuse from squid
Could not lookup name noproxyuse
Could not convert sid to gid
User: -jdoe-
Group: -noproxyuse-
SID: --
GID: --
Sending ERR to squid

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik_at_henriknordstrom.net]
Sent: Friday, September 11, 2009 4:39 PM
To: Nick Duda
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Deny access to particular AD group on reverse setup

Fri 2009-09-11 at 12:51 -0400, Nick Duda wrote:

> How can I configure squid to allow access to all users and block users in a certain AD group?

See the wbinfo_group helper. (external_acl_type)

Regards
Henrik
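To make the OK/ERR contract that wbinfo_group and the three http_access lines in this thread rely on concrete, here is an added Python model of Squid's external_acl_type helper protocol and of the http_access evaluation. It is not code from this thread or from the Squid project. The group table, the user names, and the helper names (serve_requests, evaluate_access) are constructed for the example; winbind/wbinfo is replaced by a dictionary lookup, and the model implements the documented semantics (OK when the user is a member of any listed group, ERR otherwise) rather than reproducing the ERR responses shown in the logs above.

```python
"""Model of Squid's external_acl_type helper protocol plus http_access evaluation.

Added example, not the thread's or Squid's own code. The directory below is a
constructed stand-in for winbind: user -> set of AD group names.
"""
import io
import sys

DIRECTORY = {
    "nduda": {"infosec"},      # constructed: nduda is in infosec, not noproxyuse
    "jdoe": {"noproxyuse"},    # constructed: jdoe is a member of noproxyuse
}


def group_helper_line(line, directory=DIRECTORY):
    """Answer one request line in the external ACL helper protocol.

    With `external_acl_type nt_group ... %LOGIN`, squid writes one line per
    lookup: '<login> <group> [<group> ...]' (the groups come from the
    `acl ... external nt_group noproxyuse` arguments). The helper must reply
    with exactly one line, 'OK' (ACL matches) or 'ERR' (ACL does not match).
    """
    fields = line.split()
    if len(fields) < 2:
        return "ERR"            # malformed or empty request: fail closed
    user, groups = fields[0], fields[1:]
    member_of = directory.get(user, set())
    return "OK" if any(g in member_of for g in groups) else "ERR"


def serve_requests(lines, directory=DIRECTORY):
    """Answer a batch of request lines in order: one reply per line, no skipping."""
    return [group_helper_line(l.rstrip("\n"), directory) for l in lines]


def run_helper(stdin, stdout, directory=DIRECTORY):
    """Serve the protocol until EOF, the way squid drives a helper child."""
    for line in stdin:
        stdout.write(group_helper_line(line.rstrip("\n"), directory) + "\n")
        stdout.flush()          # squid blocks on the reply; never buffer it


# The http_access lines from the squid.conf in this thread, in order.
HTTP_ACCESS = [
    ("deny", ["Auth", "restrictedusers"]),
    ("allow", ["Auth"]),
    ("deny", ["all"]),
]


def evaluate_access(user, authenticated, directory=DIRECTORY, rules=HTTP_ACCESS):
    """Squid http_access semantics: the first line whose ACLs all match decides;
    if no line matches, the default is the opposite of the last line's action."""

    def acl_matches(name):
        if name == "all":
            return True
        if name == "Auth":
            # proxy_auth REQUIRED: a real squid would challenge (407) an
            # unauthenticated client; here it is simply 'no match'.
            return authenticated
        if name == "restrictedusers":
            # external ACL: squid asks the helper and treats OK as a match
            return group_helper_line(f"{user} noproxyuse", directory) == "OK"
        raise ValueError(f"unknown acl {name}")

    for action, acls in rules:
        if all(acl_matches(a) for a in acls):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    # Constructed helper session: the requests the thread tried by hand.
    requests = io.StringIO("nduda infosec\nnduda marketing\njdoe noproxyuse\n")
    run_helper(requests, sys.stdout)
    for name in ("nduda", "jdoe"):
        print(name, "->", evaluate_access(name, authenticated=True))
```

With these rules an ERR from the helper means the restrictedusers ACL does not match, so the first deny line is skipped and an authenticated user falls through to `http_access allow Auth`; only an OK reply for the noproxyuse lookup makes the deny line fire. The helper always answers exactly one line per request, including malformed ones, because squid waits for that reply before reusing the child.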
Received on Mon Sep 14 2009 - 15:01:45 MDT

This archive was generated by hypermail 2.2.0 : Tue Sep 15 2009 - 12:00:02 MDT