RE: [squid-users] Deny access to particular AD group on reverse setup

Odd..

can you try the attached script? It uses an alternative and more direct
way of verifying group memberships.

Regards
Henrik

mån 2009-09-14 klockan 11:01 -0400 skrev Nick Duda:
> Here is some more information:
>
> If I call wbinfo_group (debug) from command line and supply my username (nduda) and a group I am part of (infosec) I get:
>
> # /usr/local/squid/libexec/wbinfo_group.pl -d
> Debugging mode ON.
> nduda infosec
> Got nduda infosec from squid
> User: -nduda-
> Group: -infosec-
> SID: -S-1-5-21-1735149609-2005929907-911163043-7230-
> GID: -10000-
> Sending ERR to squid
> ERR
>
> If I call my username and a group I am not part of (marketing):
>
> nduda marketing
> Got nduda marketing from squid
> Could not lookup name marketing
> Could not convert sid to gid
> User: -nduda-
> Group: -marketing-
> SID: --
> GID: --
> Sending ERR to squid
> ERR
>
>
>
> Here is what squid.conf looks like. "noproxyuse" is a group in AD that people are added to so they cant use the proxy.
>
> # Basic authentication
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Outlook Web Access
> auth_param basic credentialsttl 2 hours
>
> external_acl_type nt_group ttl=5 children=5 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl -d
>
> acl restrictedusers external nt_group noproxyuse
> acl Auth proxy_auth REQUIRED
>
> http_access deny Auth restrictedusers
> http_access allow Auth
> http_access deny all
>
>
> Here is a cache.log when I, "nduda", try to use the proxy. I put myself in the "noproxyuse" group, and get :
>
> [2009/09/14 10:40:51, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
> NT_STATUS_OK: Success (0x0)
> Got nduda noproxyuse from squid
> User: -nduda-
> Group: -noproxyuse-
> SID: -S-1-5-21-1735149609-2005929907-911163043-7230-
> GID: -10000-
> Sending ERR to squid
>
> I get the info page (which is good), but why am I getting " Sending ERR to squid":
>
> Access Denied.
>
> Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
>
>
> If I remove myself from that group, and try again , I get:
>
> [2009/09/14 10:47:54, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
> NT_STATUS_OK: Success (0x0)
> Got nduda noproxyuse from squid
> Could not lookup name noproxyuse
> Could not convert sid to gid
> User: -nduda-
> Group: -noproxyuse-
> SID: --
> GID: --
> Sending ERR to squid
>
> And I still get the "Access Denied" page.
>
>
>
>
>
>
> -----Original Message-----
> From: Nick Duda
> Sent: Monday, September 14, 2009 10:16 AM
> To: 'Henrik Nordstrom'
> Cc: squid-users_at_squid-cache.org
> Subject: RE: [squid-users] Deny access to particular AD group on reverse setup
>
> Do I need to compile something into squid for this? Here is what I get with I use debug on wbinfo_group
>
>
> [2009/09/14 09:54:17, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
> NT_STATUS_OK: Success (0x0)
> Got jdoe noproxyuse from squid
> Could not lookup name noproxyuse
> Could not convert sid to gid
> User: -jdoe-
> Group: -noproxyuse-
> SID: --
> GID: --
> Sending ERR to squid
>
>
>
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:henrik_at_henriknordstrom.net]
> Sent: Friday, September 11, 2009 4:39 PM
> To: Nick Duda
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Deny access to particular AD group on reverse setup
>
> fre 2009-09-11 klockan 12:51 -0400 skrev Nick Duda:
>
> > How can I configure squid to allow access to all users and block users in a certain AD group?
>
> See the wbinfo_group helper. (external_acl_type)
>
> Regards
> Henrik
>