RE: [squid-users] Deny access to particular AD group on reverse setup

From: Nick Duda <nduda_at_VistaPrint.com>
Date: Tue, 15 Sep 2009 10:05:02 -0400

I'll try this with Squid, but calling it directly and supplying "username group" gives mixed results. The following is my username, including groups that I am part of. I am part of them all. Some give error, some say ok.


nduda group1
Got nduda group2 from squid
User: -nduda- (S-1-5-21-1735149609-2005929907-911163043-2553)
Group: -group1-(S-1-5-21-1735149609-2005929907-911163043-3628)
Sending OK to squid
OK

nduda group2
Got nduda group2 from squid
User: -nduda- (S-1-5-21-1735149609-2005929907-911163043-2553)
Group: -group2-(S-1-5-21-1735149609-2005929907-911163043-2614)
Sending OK to squid
OK

nduda group3
Got nduda group3 from squid
User: -nduda- (S-1-5-21-1735149609-2005929907-911163043-2553)
Group: -group3-(S-1-5-21-1735149609-2005929907-911163043-7230)
Sending ERR to squid
ERR

nduda group4
Got nduda group4 from squid
User: -nduda- (S-1-5-21-1735149609-2005929907-911163043-2553)
Group: -group4-(S-1-5-21-1735149609-2005929907-911163043-14421)
Sending OK to squid
OK




-----Original Message-----
From: Henrik Nordstrom [mailto:henrik_at_henriknordstrom.net]
Sent: Monday, September 14, 2009 4:55 PM
To: Nick Duda
Cc: squid-users_at_squid-cache.org
Subject: RE: [squid-users] Deny access to particular AD group on reverse setup

Odd..

can you try the attached script? It uses an alternative and more direct way of verifying group memberships.

Regards
Henrik


Mon 2009-09-14 at 11:01 -0400, Nick Duda wrote:
> Here is some more information:
>
> If I call wbinfo_group (debug) from command line and supply my username (nduda) and a group I am part of (infosec) I get:
>
> # /usr/local/squid/libexec/wbinfo_group.pl -d
> Debugging mode ON.
> nduda infosec
> Got nduda infosec from squid
> User: -nduda-
> Group: -infosec-
> SID: -S-1-5-21-1735149609-2005929907-911163043-7230-
> GID: -10000-
> Sending ERR to squid
> ERR
>
> If I call my username and a group I am not part of (marketing):
>
> nduda marketing
> Got nduda marketing from squid
> Could not lookup name marketing
> Could not convert sid to gid
> User: -nduda-
> Group: -marketing-
> SID: --
> GID: --
> Sending ERR to squid
> ERR
>
>
>
> Here is what squid.conf looks like. "noproxyuse" is a group in AD that people are added to so they cant use the proxy.
>
> # Basic authentication
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Outlook Web Access
> auth_param basic credentialsttl 2 hours
>
> external_acl_type nt_group ttl=5 children=5 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl -d
>
> acl restrictedusers external nt_group noproxyuse
> acl Auth proxy_auth REQUIRED
>
> http_access deny Auth restrictedusers
> http_access allow Auth
> http_access deny all
>
>
> Here is a cache.log when I, "nduda", try to use the proxy. I put myself in the "noproxyuse" group, and get :
>
> [2009/09/14 10:40:51, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
> NT_STATUS_OK: Success (0x0)
> Got nduda noproxyuse from squid
> User: -nduda-
> Group: -noproxyuse-
> SID: -S-1-5-21-1735149609-2005929907-911163043-7230-
> GID: -10000-
> Sending ERR to squid
>
> I get the info page (which is good), but why am I getting " Sending ERR to squid":
>
> Access Denied.
>
> Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
>
>
> If I remove myself from that group, and try again , I get:
>
> [2009/09/14 10:47:54, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
> NT_STATUS_OK: Success (0x0)
> Got nduda noproxyuse from squid
> Could not lookup name noproxyuse
> Could not convert sid to gid
> User: -nduda-
> Group: -noproxyuse-
> SID: --
> GID: --
> Sending ERR to squid
>
> And I still get the "Access Denied" page.
>
>
>
>
>
>
> -----Original Message-----
> From: Nick Duda
> Sent: Monday, September 14, 2009 10:16 AM
> To: 'Henrik Nordstrom'
> Cc: squid-users_at_squid-cache.org
> Subject: RE: [squid-users] Deny access to particular AD group on reverse setup
>
> Do I need to compile something into squid for this? Here is what I get
> with I use debug on wbinfo_group
>
>
> [2009/09/14 09:54:17, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
> NT_STATUS_OK: Success (0x0)
> Got jdoe noproxyuse from squid
> Could not lookup name noproxyuse
> Could not convert sid to gid
> User: -jdoe-
> Group: -noproxyuse-
> SID: --
> GID: --
> Sending ERR to squid
>
>
>
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:henrik_at_henriknordstrom.net]
> Sent: Friday, September 11, 2009 4:39 PM
> To: Nick Duda
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Deny access to particular AD group on reverse setup
>
> Fri 2009-09-11 at 12:51 -0400, Nick Duda wrote:
>
> > How can I configure squid to allow access to all users and block users in a certain AD group?
>
> See the wbinfo_group helper. (external_acl_type)
>
> Regards
> Henrik
>
Received on Tue Sep 15 2009 - 14:05:06 MDT
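The exchange the thread shows ("user group" in, "OK"/"ERR" out) and the posted http_access chain, as an added illustration that is not wbinfo_group.pl or any code from the thread. The user-to-group table is constructed sample data, and URL-decoding of the request fields is an assumption about the helper protocol.

```python
import sys
import urllib.parse

# Constructed sample directory (user -> AD groups); not real membership data.
DIRECTORY = {
    "nduda": {"group1", "group2", "noproxyuse"},
    "jdoe": {"group1"},
}


def lookup_groups(user):
    """Return the user's groups, or None when the lookup itself fails
    (unknown user, directory unreachable)."""
    return DIRECTORY.get(user)


def check_line(line):
    """Answer one helper request: '%LOGIN group [group ...]'.
    Squid treats OK as an ACL match and ERR as no match."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"
    # Assumption: squid URL-encodes each field before handing it to the helper.
    user = urllib.parse.unquote(fields[0])
    wanted = {urllib.parse.unquote(g) for g in fields[1:]}
    groups = lookup_groups(user)
    if groups is None:
        # A failed lookup also yields ERR, which squid cannot tell apart
        # from a genuine "not a member"; see http_access() for the effect.
        return "ERR"
    return "OK" if groups & wanted else "ERR"


def http_access(user, authenticated):
    """Mirror the posted chain:
    deny Auth restrictedusers / allow Auth / deny all."""
    if not authenticated:
        return "deny"
    if check_line(f"{user} noproxyuse") == "OK":
        return "deny"          # member of the restricted group
    # ERR (not a member OR lookup failure) falls through to 'allow Auth',
    # so a broken group lookup silently lets restricted users through.
    return "allow"


if __name__ == "__main__":
    for request in sys.stdin:        # helper loop as squid would drive it
        sys.stdout.write(check_line(request) + "\n")
        sys.stdout.flush()
```

Feeding it "nduda noproxyuse" answers OK and the chain denies; an unknown user answers ERR and is allowed, which is the fail-open case to watch for when a deny rule depends on an external lookup.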

This archive was generated by hypermail 2.2.0 : Tue Sep 15 2009 - 12:00:02 MDT