RE: [squid-users] acl proxy_auth problem

From: Georg Roelli <roellig_at_hotmail.com>
Date: Thu, 3 Dec 2009 13:31:43 +0100

----------------------------------------
> Date: Thu, 3 Dec 2009 10:36:10 +1300
> From: squid3_at_treenet.co.nz
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] acl proxy_auth problem
>
> On Wed, 2 Dec 2009 15:15:15 +0100, Georg Roelli
> wrote:
>> Hello
>>
>> My environment: Ubuntu 8.04 LTS, Squid 2.6.18, Samba 3.0.28a
>>
>> I am looking to find a way to check with an acl if a user is a member of a
>> specific AD group. On my Squid Proxy Server, I have successfully set up an
>> SSO authentication with the Active Directory.
>> This works fine. Among other things:
>>
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp
>> --require-membership-of="Domne\\AD-GroupeA"
>>
>> Now I start with the definition of the acls. At first I would like to
>> make a badUrls list which is valid for all users to block some sites. This
>> list should not be applied to a group of personal computers (hosts) and/or
>> a specific AD group.
>> Here is my approach:
>>
>> acl auth proxy_auth REQUIRED
>> acl badurls url_regex "/data/squid/badurls.txt"
>> acl AllowedClients srcdom_regex -i "/data/squid/allowed_clients.txt"
>> acl AllowedGroups proxy_auth -i Domne/AD-GroupeB
>>
>> http_access allow auth AllowedClients
>> http_access allow auth AllowedGroups
>> http_access deny badurls
>> http_access allow auth
>> http_access deny all
>>
>> The acl with the badurls list and the acl for the AllowedClients are
>> working fine. But with the acl "acl AllowedGroups proxy_auth -i
>> Domne/AD-GruppeB" I have great problems. I don't know how I can make an
>> acl that checks the membership of an AD group.
>> I tested many different spellings. Unfortunately without success.
>> How can I make an acl using ntlm_auth authentication? Is there a better
>> and easier way to do this?
>>
>> Thank you for your suggestions.
>>
>> Kind regards.
>>
>
>
>
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmWithGroups
>
> Amos

Hello Amos
 
Thank you for your note.
 
I have tried it, and after I modified the lines to
 
external_acl_type testForNTGroup %LOGIN /usr/lib/squid/wbinfo_group.pl -d
acl inGroupX external testForNTGroup obmg
http_access allow inGroupX
 
I can restart the squid service without problems. Unfortunately the acl does not work.
In the documentation I found the -d option for wbinfo_group.pl, and now I find these messages in the access.log:
 
[2009/12/03 13:18:16, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa2088205
Got wag obmg from squid
Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid
User: -rog-
Group: -obmg-
SID: -S-1-5-21-986273330-1409306274-1541874228-6339-
GID: --
Sending ERR to squid
 
Do you have any other idea what this message exactly means?
 
Thanks in advance
G.
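The helper in the config above speaks Squid's external ACL protocol: Squid writes one line per lookup (the %LOGIN value followed by the group names from the acl line), and the helper answers OK or ERR. wbinfo_group.pl gets there in three winbind calls (wbinfo -n to turn the group name into a SID, wbinfo -Y to turn that SID into a Unix gid, wbinfo -r to list the user's gids), and it can only answer OK when the gid from -Y appears in the -r list. The following is an added example, not the wbinfo_group.pl shipped with Samba and not code from this thread: a Python helper with the same decision sequence, plus a constructed stand-in for wbinfo so the ERR from the log above (the -Y step returning nothing) can be reproduced offline next to the working case. The fake outputs, the gid values, the user "bob" and the script path in the usage note are assumptions; the SID and the names rog/obmg are taken from the thread.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: is %LOGIN a member of one of the given groups?

Added example (not Samba's wbinfo_group.pl). Same lookup sequence as that helper:
  wbinfo -n <group>  -> SID          wbinfo -Y <sid> -> gid
  wbinfo -r <user>   -> user's gids  OK iff gid is in that list
"""
import subprocess
import sys
import urllib.parse


def real_wbinfo(args):
    """Run wbinfo with args; return stripped stdout, or None if it failed."""
    try:
        proc = subprocess.run(["wbinfo", *args], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return proc.stdout.strip() if proc.returncode == 0 else None


def group_to_gid(group, wbinfo):
    """Resolve group name -> SID -> gid. gid is None when idmap has no mapping."""
    out = wbinfo(["-n", group])          # "S-1-5-21-... SID_DOM_GROUP (2)"
    if not out:
        return None, None
    sid = out.split()[0]
    gid = wbinfo(["-Y", sid])            # None: "Could not convert sid ... to gid"
    return sid, (gid or None)


def user_gids(user, wbinfo):
    """wbinfo -r prints one gid per line; empty set if the user is unknown."""
    out = wbinfo(["-r", user])
    return set(out.split()) if out else set()


def check(user, groups, wbinfo=real_wbinfo, debug=None):
    """Return 'OK' if the user holds the gid of any listed group, else 'ERR'."""
    user = urllib.parse.unquote(user)    # Squid %-encodes helper fields
    gids = user_gids(user, wbinfo)
    for group in groups:
        group = urllib.parse.unquote(group)
        sid, gid = group_to_gid(group, wbinfo)
        if debug:
            debug(f"User: -{user}- Group: -{group}- SID: -{sid or ''}- GID: -{gid or ''}-")
        if gid is not None and gid in gids:
            return "OK"
    return "ERR"


def serve(lines, wbinfo=real_wbinfo):
    """Helper protocol: each request line is '<login> <group> [<group>...]'."""
    replies = []
    for line in lines:
        fields = line.split()
        replies.append(check(fields[0], fields[1:], wbinfo) if fields else "ERR")
    return replies


class FakeWbinfo:
    """Constructed stand-in: maps an argument tuple to wbinfo's output (None = failure)."""
    def __init__(self, table):
        self.table = table

    def __call__(self, args):
        return self.table.get(tuple(args))


SID = "S-1-5-21-986273330-1409306274-1541874228-6339"   # SID from the thread's log

# Constructed case 1: winbind resolves the group name, but idmap cannot map the
# SID to a gid, so -Y fails. This is the state the log above shows.
UNMAPPED = FakeWbinfo({
    ("-n", "obmg"): f"{SID} SID_DOM_GROUP (2)",
    ("-Y", SID): None,
    ("-r", "rog"): "10001\n10005",
})

# Constructed case 2: the SID maps to gid 10005; rog has it, bob does not.
MAPPED = FakeWbinfo({
    ("-n", "obmg"): f"{SID} SID_DOM_GROUP (2)",
    ("-Y", SID): "10005",
    ("-r", "rog"): "10001\n10005",
    ("-r", "bob"): "10001",
})

if __name__ == "__main__":
    if "--demo" in sys.argv:             # offline run against the constructed tables
        print("unmapped:", serve(["rog obmg"], UNMAPPED))
        print("mapped:  ", serve(["rog obmg", "bob obmg"], MAPPED))
    else:                                # real mode: Squid talks to us on stdin/stdout
        for request in sys.stdin:
            print(serve([request])[0], flush=True)
```

Wired in with a line such as `external_acl_type testForNTGroup %LOGIN /usr/local/bin/ad_group_check.py` (path assumed) the helper behaves like wbinfo_group.pl for Squid's purposes. The point of the two constructed tables is the diagnosis: the first reproduces the log exactly, an ERR after "Could not convert sid ... to gid", and that ERR is produced by winbind's SID-to-gid mapping, not by the acl or http_access lines, so that is where to look when the acl "does not work".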
Received on Thu Dec 03 2009 - 12:31:50 MST

This archive was generated by hypermail 2.2.0 : Fri Dec 04 2009 - 12:00:01 MST