RE: [squid-users] Deny access to particular AD group on reverse setup

From: Nick Duda <nduda_at_VistaPrint.com>
Date: Wed, 16 Sep 2009 10:14:53 -0400

I figured it out, I should have noticed this (doh)...group3 was a Distribution group. I'm sure this was documented and I just didn’t see it, but this only works with AD Security groups.

-----Original Message-----
From: Nick Duda
Sent: Tuesday, September 15, 2009 1:32 PM
To: 'Henrik Nordstrom'
Cc: squid-users_at_squid-cache.org
Subject: RE: [squid-users] Deny access to particular AD group on reverse setup

Nothing is different. They are all distribution groups, nothing is different.

# wbinfo --user-domgroups S-1-5-21-1735149609-2005929907-911163043-2553
S-1-5-21-1735149609-2005929907-911163043-2553
S-1-5-21-1735149609-2005929907-911163043-6165
S-1-5-21-1735149609-2005929907-911163043-1419
S-1-5-21-1735149609-2005929907-911163043-6164
S-1-5-21-1735149609-2005929907-911163043-2833
S-1-5-21-1735149609-2005929907-911163043-18171
S-1-5-21-1735149609-2005929907-911163043-9143
S-1-5-21-1735149609-2005929907-911163043-513
S-1-5-21-1735149609-2005929907-911163043-3857
S-1-5-21-1735149609-2005929907-911163043-6366
S-1-5-21-1735149609-2005929907-911163043-14031
S-1-5-21-1735149609-2005929907-911163043-19327
S-1-5-21-1735149609-2005929907-911163043-22982
S-1-5-21-1735149609-2005929907-911163043-2523
S-1-5-21-1735149609-2005929907-911163043-19712
S-1-5-21-1735149609-2005929907-911163043-14757
S-1-5-21-1735149609-2005929907-911163043-2544
S-1-5-21-1735149609-2005929907-911163043-22702
S-1-5-21-1735149609-2005929907-911163043-23178
S-1-5-21-1735149609-2005929907-911163043-3628
S-1-5-21-1735149609-2005929907-911163043-14421
S-1-5-21-1735149609-2005929907-911163043-19524
S-1-5-21-1735149609-2005929907-911163043-6502
S-1-5-21-1735149609-2005929907-911163043-23048
S-1-5-21-1735149609-2005929907-911163043-2614
S-1-5-21-1735149609-2005929907-911163043-13047
S-1-5-21-1735149609-2005929907-911163043-22574
S-1-5-21-1735149609-2005929907-911163043-12971
S-1-5-21-1735149609-2005929907-911163043-20920
S-1-5-21-1735149609-2005929907-911163043-8874
S-1-5-21-1735149609-2005929907-911163043-14422
S-1-5-21-1735149609-2005929907-911163043-3605


# wbinfo --user-sids S-1-5-21-1735149609-2005929907-911163043-2553
S-1-5-21-1735149609-2005929907-911163043-2553
S-1-5-21-1735149609-2005929907-911163043-2553
S-1-5-21-1735149609-2005929907-911163043-6165
S-1-5-21-1735149609-2005929907-911163043-1419
S-1-5-21-1735149609-2005929907-911163043-6164
S-1-5-21-1735149609-2005929907-911163043-2833
S-1-5-21-1735149609-2005929907-911163043-18171
S-1-5-21-1735149609-2005929907-911163043-9143
S-1-5-21-1735149609-2005929907-911163043-513
S-1-5-21-1735149609-2005929907-911163043-3857
S-1-5-21-1735149609-2005929907-911163043-6366
S-1-5-21-1735149609-2005929907-911163043-14031
S-1-5-21-1735149609-2005929907-911163043-19327
S-1-5-21-1735149609-2005929907-911163043-22982
S-1-5-21-1735149609-2005929907-911163043-2523
S-1-5-21-1735149609-2005929907-911163043-19712
S-1-5-21-1735149609-2005929907-911163043-14757
S-1-5-21-1735149609-2005929907-911163043-2544
S-1-5-21-1735149609-2005929907-911163043-22702
S-1-5-21-1735149609-2005929907-911163043-23178
S-1-5-21-1735149609-2005929907-911163043-3628
S-1-5-21-1735149609-2005929907-911163043-14421
S-1-5-21-1735149609-2005929907-911163043-19524
S-1-5-21-1735149609-2005929907-911163043-6502
S-1-5-21-1735149609-2005929907-911163043-23048
S-1-5-21-1735149609-2005929907-911163043-2614
S-1-5-21-1735149609-2005929907-911163043-13047
S-1-5-21-1735149609-2005929907-911163043-22574
S-1-5-21-1735149609-2005929907-911163043-12971
S-1-5-21-1735149609-2005929907-911163043-20920
S-1-5-21-1735149609-2005929907-911163043-8874
S-1-5-21-1735149609-2005929907-911163043-14422
S-1-5-21-1735149609-2005929907-911163043-3605
S-1-5-21-1735149609-2005929907-911163043-14414
S-1-5-32-545




-----Original Message-----
From: Henrik Nordstrom [mailto:henrik_at_henriknordstrom.net]
Sent: Tuesday, September 15, 2009 1:20 PM
To: Nick Duda
Cc: squid-users_at_squid-cache.org
Subject: RE: [squid-users] Deny access to particular AD group on reverse setup

What do the following commands return?

wbinfo --user-domgroups S-1-5-21-1735149609-2005929907-911163043-2553
wbinfo --user-sids S-1-5-21-1735149609-2005929907-911163043-2553

Is there anything special about your membership in group3 which is
different from the other groups?


Tue 2009-09-15 at 10:05 -0400, Nick Duda wrote:
> I'll try this with Squid, but calling it directly and supplying "username group" gives mixed results. The following is my username, including groups that I am part of. I am part of them all. Some give error, some say ok.
>
>
> nduda group1
> Got nduda group2 from squid
> User: -nduda- (S-1-5-21-1735149609-2005929907-911163043-2553)
> Group: -group1-(S-1-5-21-1735149609-2005929907-911163043-3628)
> Sending OK to squid
> OK
>
> nduda group2
> Got nduda group2 from squid
> User: -nduda- (S-1-5-21-1735149609-2005929907-911163043-2553)
> Group: -group2-(S-1-5-21-1735149609-2005929907-911163043-2614)
> Sending OK to squid
> OK
>
> nduda group3
> Got nduda group3 from squid
> User: -nduda- (S-1-5-21-1735149609-2005929907-911163043-2553)
> Group: -group3-(S-1-5-21-1735149609-2005929907-911163043-7230)
> Sending ERR to squid
> ERR
>
> nduda group4
> Got nduda group4 from squid
> User: -nduda- (S-1-5-21-1735149609-2005929907-911163043-2553)
> Group: -group4-(S-1-5-21-1735149609-2005929907-911163043-14421)
> Sending OK to squid
> OK
>
>
>
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:henrik_at_henriknordstrom.net]
> Sent: Monday, September 14, 2009 4:55 PM
> To: Nick Duda
> Cc: squid-users_at_squid-cache.org
> Subject: RE: [squid-users] Deny access to particular AD group on reverse setup
>
> Odd..
>
> can you try the attached script? It uses an alternative and more direct way of verifying group memberships.
>
> Regards
> Henrik
>
>
> Mon 2009-09-14 at 11:01 -0400, Nick Duda wrote:
> > Here is some more information:
> >
> > If I call wbinfo_group (debug) from command line and supply my username (nduda) and a group I am part of (infosec) I get:
> >
> > # /usr/local/squid/libexec/wbinfo_group.pl -d
> > Debugging mode ON.
> > nduda infosec
> > Got nduda infosec from squid
> > User: -nduda-
> > Group: -infosec-
> > SID: -S-1-5-21-1735149609-2005929907-911163043-7230-
> > GID: -10000-
> > Sending ERR to squid
> > ERR
> >
> > If I call my username and a group I am not part of (marketing):
> >
> > nduda marketing
> > Got nduda marketing from squid
> > Could not lookup name marketing
> > Could not convert sid to gid
> > User: -nduda-
> > Group: -marketing-
> > SID: --
> > GID: --
> > Sending ERR to squid
> > ERR
> >
> >
> >
> > Here is what squid.conf looks like. "noproxyuse" is a group in AD that people are added to so they can't use the proxy.
> >
> > # Basic authentication
> > auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> > auth_param basic children 5
> > auth_param basic realm Outlook Web Access
> > auth_param basic credentialsttl 2 hours
> >
> > external_acl_type nt_group ttl=5 children=5 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl -d
> >
> > acl restrictedusers external nt_group noproxyuse
> > acl Auth proxy_auth REQUIRED
> >
> > http_access deny Auth restrictedusers
> > http_access allow Auth
> > http_access deny all
> >
> >
> > Here is a cache.log when I, "nduda", try to use the proxy. I put myself in the "noproxyuse" group, and get :
> >
> > [2009/09/14 10:40:51, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
> > NT_STATUS_OK: Success (0x0)
> > Got nduda noproxyuse from squid
> > User: -nduda-
> > Group: -noproxyuse-
> > SID: -S-1-5-21-1735149609-2005929907-911163043-7230-
> > GID: -10000-
> > Sending ERR to squid
> >
> > I get the info page (which is good), but why am I getting " Sending ERR to squid":
> >
> > Access Denied.
> >
> > Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
> >
> >
> > If I remove myself from that group, and try again , I get:
> >
> > [2009/09/14 10:47:54, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
> > NT_STATUS_OK: Success (0x0)
> > Got nduda noproxyuse from squid
> > Could not lookup name noproxyuse
> > Could not convert sid to gid
> > User: -nduda-
> > Group: -noproxyuse-
> > SID: --
> > GID: --
> > Sending ERR to squid
> >
> > And I still get the "Access Denied" page.
> >
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: Nick Duda
> > Sent: Monday, September 14, 2009 10:16 AM
> > To: 'Henrik Nordstrom'
> > Cc: squid-users_at_squid-cache.org
> > Subject: RE: [squid-users] Deny access to particular AD group on reverse setup
> >
> > Do I need to compile something into squid for this? Here is what I get
> > when I use debug on wbinfo_group
> >
> >
> > [2009/09/14 09:54:17, 3] utils/ntlm_auth.c:check_plaintext_auth(298)
> > NT_STATUS_OK: Success (0x0)
> > Got jdoe noproxyuse from squid
> > Could not lookup name noproxyuse
> > Could not convert sid to gid
> > User: -jdoe-
> > Group: -noproxyuse-
> > SID: --
> > GID: --
> > Sending ERR to squid
> >
> >
> >
> >
> > -----Original Message-----
> > From: Henrik Nordstrom [mailto:henrik_at_henriknordstrom.net]
> > Sent: Friday, September 11, 2009 4:39 PM
> > To: Nick Duda
> > Cc: squid-users_at_squid-cache.org
> > Subject: Re: [squid-users] Deny access to particular AD group on reverse setup
> >
> > Fri 2009-09-11 at 12:51 -0400, Nick Duda wrote:
> >
> > > How can I configure squid to allow access to all users and block users in a certain AD group?
> >
> > See the wbinfo_group helper. (external_acl_type)
> >
> > Regards
> > Henrik
> >

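Two things the debug transcripts in this thread show are worth making explicit for anyone wiring a group helper into an `http_access deny` rule: wbinfo_group answers ERR both when the group name cannot be resolved at all ("Could not lookup name") and when the name resolves but the user's token does not contain it, which is what happens for a Distribution group. An external ACL that returns ERR simply does not match, so a `deny` keyed on it falls through to the following `allow Auth` line without any hint of why. The helper below is an added example written for this thread, not wbinfo_group.pl or any code from Squid or Samba. It speaks the same stdin/stdout OK/ERR protocol, resolves names with `wbinfo -n` and reads the user's token with `wbinfo --user-domgroups` (the call used in the thread), and writes a distinct reason for each failure path to stderr so cache.log says why a deny did not fire. The `SAMPLE_*` tables and `sample_*` functions are constructed test doubles whose SIDs are modelled on the ones in the thread; the memberships they encode are invented.

```python
#!/usr/bin/env python3
"""Squid external ACL helper that checks AD security-group membership via winbind.

Protocol (same as wbinfo_group.pl): Squid writes "<user> <group>" on stdin, the
helper answers "OK" (member) or "ERR" (not a member / cannot decide) on stdout,
one line per request, flushing after each answer.  Diagnostics go to stderr so
they land in cache.log.  Added example for the squid-users thread, not Squid code.
"""
import subprocess
import sys
from typing import Callable, Dict, List, Optional, Tuple

NameToSid = Callable[[str], Optional[str]]   # "nduda" -> "S-1-5-21-...-2553" or None
UserDomGroups = Callable[[str], List[str]]   # user SID -> SIDs in the user's token


def parse_name_to_sid(output: str) -> Optional[str]:
    """Parse `wbinfo -n NAME` output; the SID is the first token
    ("S-1-5-21-... SID_DOM_GROUP (2)" on recent Samba, "S-1-5-21-... 2" on old)."""
    fields = output.split()
    return fields[0] if fields and fields[0].startswith("S-1-") else None


def parse_sid_list(output: str) -> List[str]:
    """Parse `wbinfo --user-domgroups SID` output: one SID per line."""
    return [ln.strip() for ln in output.splitlines() if ln.strip().startswith("S-1-")]


def _wbinfo(*args: str) -> str:
    """Run wbinfo and return its stdout, or "" if it failed (unknown name, winbind down)."""
    proc = subprocess.run(["wbinfo", *args], capture_output=True, text=True, check=False)
    return proc.stdout if proc.returncode == 0 else ""


def wbinfo_name_to_sid(name: str) -> Optional[str]:
    return parse_name_to_sid(_wbinfo("-n", name))


def wbinfo_user_domgroups(user_sid: str) -> List[str]:
    return parse_sid_list(_wbinfo("--user-domgroups", user_sid))


def check_membership(user: str, group: str,
                     name_to_sid: NameToSid = wbinfo_name_to_sid,
                     user_domgroups: UserDomGroups = wbinfo_user_domgroups) -> Tuple[str, str]:
    """Return ("OK" | "ERR", reason).  Each failure path gets its own reason so the
    cache.log entry tells the operator *why* a deny rule keyed on this ACL did not fire."""
    user_sid = name_to_sid(user)
    if user_sid is None:
        return "ERR", f"cannot resolve user {user!r}"
    group_sid = name_to_sid(group)
    if group_sid is None:
        return "ERR", f"cannot resolve group {group!r} (typo, wrong domain, or winbind down)"
    if group_sid in user_domgroups(user_sid):
        return "OK", f"{user} is a member of {group} ({group_sid})"
    # Winbind only reports security groups in the token: a distribution group
    # resolves to a SID but never appears here, so the answer is ERR.
    return "ERR", f"{group_sid} not in token of {user!r} (not a member, or {group!r} is a distribution group)"


def handle_request(line: str,
                   name_to_sid: NameToSid = wbinfo_name_to_sid,
                   user_domgroups: UserDomGroups = wbinfo_user_domgroups) -> str:
    """One protocol round: parse "<user> <group>", return OK/ERR, log the reason to stderr."""
    parts = line.split()
    if len(parts) != 2:
        print(f"helper: malformed request {line!r}", file=sys.stderr)
        return "ERR"
    verdict, reason = check_membership(parts[0], parts[1], name_to_sid, user_domgroups)
    print(f"helper: {parts[0]} {parts[1]} -> {verdict}: {reason}", file=sys.stderr)
    return verdict


# --- Constructed sample directory (SIDs modelled on the thread, memberships invented) ---
SAMPLE_NAMES: Dict[str, str] = {
    "nduda":  "S-1-5-21-1735149609-2005929907-911163043-2553",
    "group1": "S-1-5-21-1735149609-2005929907-911163043-3628",   # security group
    "group3": "S-1-5-21-1735149609-2005929907-911163043-7230",   # distribution group
}
SAMPLE_TOKENS: Dict[str, List[str]] = {
    # Only security groups appear in the token; group3 deliberately does not.
    SAMPLE_NAMES["nduda"]: [SAMPLE_NAMES["group1"],
                            "S-1-5-21-1735149609-2005929907-911163043-513"],
}


def sample_name_to_sid(name: str) -> Optional[str]:
    return SAMPLE_NAMES.get(name)


def sample_user_domgroups(user_sid: str) -> List[str]:
    return SAMPLE_TOKENS.get(user_sid, [])


if __name__ == "__main__":
    # Real helper loop: one request per line, answer immediately and flush.
    for request in sys.stdin:
        print(handle_request(request), flush=True)
```

Wire it in with the same `external_acl_type` line as the posted config, pointing at this script instead of wbinfo_group.pl, and exercise it by hand with `echo "nduda noproxyuse" | ./helper.py` to see both the verdict on stdout and the reason on stderr. If the reason says the group resolved but is absent from the token, check in AD whether it is a Security group: a Distribution group will never satisfy this check, and with the deny/allow ordering in the posted config that silently results in access being allowed.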
Received on Wed Sep 16 2009 - 14:14:53 MDT