RE: [squid-users] acl proxy_auth problem

From: Georg Roelli <roellig_at_hotmail.com>
Date: Fri, 4 Dec 2009 13:34:12 +0100

----------------------------------------
> Date: Fri, 4 Dec 2009 12:20:34 +1300
> From: squid3_at_treenet.co.nz
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] acl proxy_auth problem
>
> Georg Roelli wrote:
>> ----------------------------------------
>>> Date: Thu, 3 Dec 2009 10:36:10 +1300
>>> From: squid3_at_treenet.co.nz
>>> To: squid-users_at_squid-cache.org
>>> Subject: Re: [squid-users] acl proxy_auth problem
>>>
>>> On Wed, 2 Dec 2009 15:15:15 +0100, Georg Roelli
>>> wrote:
>>>> Hello
>>>>
>>>> My environment: Ubuntu 8.04 LTS, Squid 2.6.18, Samba 3.0.28a
>>>>
>>>> I am looking for a way to check with an acl whether a user is a member of a
>>>> specific AD group. On my Squid proxy server I have successfully set up
>>>> SSO authentication with Active Directory.
>>>> This works fine. Among other things:
>>>>
>>>> auth_param ntlm program /usr/bin/ntlm_auth
>>>> --helper-protocol=squid-2.5-ntlmssp
>>>> --require-membership-of="Domäne\\AD-GroupeA"
>>>>
>>>> Now I start with the definition of the acls. At first I would like to
>>>> make a badUrls list which is valid for all users to block some sites. This
>>>> list should not be applied to a group of personal computers (hosts) and/or
>>>> a specific AD group.
>>>> Here is my approach:
>>>>
>>>> acl auth proxy_auth REQUIRED
>>>> acl badurls url_regex "/data/squid/badurls.txt"
>>>> acl AllowedClients srcdom_regex -i "/data/squid/allowed_clients.txt"
>>>> acl AllowedGroups proxy_auth -i Domäne/AD-GroupeB
>>>>
>>>> http_access allow auth AllowedClients
>>>> http_access allow auth AllowedGroups
>>>> http_access deny badurls
>>>> http_access allow auth
>>>> http_access deny all
>>>>
>>>> The acl with the badurls list and the acl for the AllowedClients are
>>>> working fine. But with the acl "acl AllowedGroups proxy_auth -i
>>>> Domäne/AD-GruppeB" I have great problems. I don't know how I can make an
>>>> acl that checks membership of an AD group.
>>>> I tested many different spellings. Unfortunately without success.
>>>> How can I make an acl using ntlm_auth authentication? Is there a better
>>>> and easier way to do this?
>>>>
>>>> Thank you for your suggestions.
>>>>
>>>> Kind regards.
>>>>
>>>
>>>
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmWithGroups
>>>
>>> Amos
>>
>> Hello Amos
>>
>> Thank you for your note.
>>
>> I tried it, and after I modified the lines to
>>
>> external_acl_type testForNTGroup %LOGIN /usr/lib/squid/wbinfo_group.pl -d
>> acl inGroupX external testForNTGroup obmg
>> http_access allow inGroupX
>>
>> I can restart the squid service without problems. Unfortunately the acl does not work.
>> In some documentation I found the -d option for wbinfo_group.pl, and now I find these messages in the access.log:
>
> You mean cache.log, surely?
>
>>
>> [2009/12/03 13:18:16, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
>> Got NTLMSSP neg_flags=0xa2088205
>> Got wag obmg from squid
>> Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid
>> User: -rog-
>> Group: -obmg-
>> SID: -S-1-5-21-986273330-1409306274-1541874228-6339-
>> GID: --
>> Sending ERR to squid
>>
>> Do you have any other ideas what this message exactly means?
>
> That means the user "rog" exists but was not a registered member of
> group "obmg".
>
> Look in the registry (I think on the domain controller) for
> "S-1-5-21-986273330-1409306274-1541874228-6339" and see what groups it's
> a member of.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
> Current Beta Squid 3.1.0.15
 
I’m a little bit confused.
 
I checked in the Active Directory which object has the SID S-1-5-21-986273330-1409306274-1541874228-6339. It's the group obmg in my domain. Also, the user rog is a member of the group obmg. When I repeat the test with another domain user who is a member of obmg, I get the same error.

I think the problem isn't the membership of the user rog; it's the fact that wbinfo_group.pl can't generate a UID from the SID of the group.

The error was:
Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid

I made a few tests:

# wbinfo -n obmg
S-1-5-21-986273330-1409306274-1541874228-6339 Domain Group (2)

# wbinfo -Y S-1-5-21-986273330-1409306274-1541874228-6339
Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid

With another group I get the results:

# wbinfo -n inor
S-1-5-21-986273330-1409306274-1541874228-1059 Domain Group (2)

# wbinfo -Y S-1-5-21-986273330-1409306274-1541874228-1059
10029

When I take the group inor for the acl I get those entries in the cache.log and the access to internet works.

[2009/12/04 13:07:34, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088205
Got rog inor from squid
User: -rog-
Group: -inor-
SID: -S-1-5-21-986273330-1409306274-1541874228-1059-
GID: -10029-
Sending OK to squid

So my next question is: why do I get a UID for one group and not for the other? Any ideas?

G.
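The lookups that wbinfo_group.pl performs behind the "User/Group/SID/GID" debug lines above, as an added example that is not part of the original thread and not the Squid project's own helper: a small Python external ACL helper that does the same three winbind queries (wbinfo -n GROUP for the SID, wbinfo -Y SID for the gid, wbinfo -r USER for the user's gids) and answers OK or ERR to Squid. The winbind calls go through a pluggable runner so the logic can be run offline against a constructed fake built from the two groups and the one user shown in the messages above; the fake tables, the --fake flag and the helper/function names are assumptions for this example.

```python
"""Minimal re-implementation of the check done by Squid's wbinfo_group.pl.

Squid (external_acl_type ... %LOGIN) sends one line per request,
"<login> <group> [<group> ...]", and expects "OK" or "ERR" back.
The winbind lookups go through a `run` callable so the logic can be
exercised with a constructed fake of wbinfo output; `wbinfo_runner`
talks to the real binary.
"""
import subprocess
import sys
from typing import Callable, List, Optional, Set, Tuple

Runner = Callable[[List[str]], Tuple[int, str]]  # (exit status, stdout)


def wbinfo_runner(args: List[str]) -> Tuple[int, str]:
    """Run the real wbinfo binary (needs Samba/winbind on the proxy host)."""
    proc = subprocess.run(["wbinfo", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def group_sid(group: str, run: Runner) -> Optional[str]:
    """wbinfo -n GROUP -> 'S-1-5-21-... Domain Group (2)'; first token is the SID."""
    rc, out = run(["-n", group])
    toks = out.split()
    return toks[0] if rc == 0 and toks else None


def sid_to_gid(sid: str, run: Runner) -> Optional[int]:
    """wbinfo -Y SID -> numeric gid, or a non-zero exit with 'Could not convert sid ... to gid'."""
    rc, out = run(["-Y", sid])
    out = out.strip()
    return int(out) if rc == 0 and out.isdigit() else None


def user_gids(user: str, run: Runner) -> Set[int]:
    """wbinfo -r USER -> whitespace-separated gids of every group the user is in."""
    rc, out = run(["-r", user])
    return {int(t) for t in out.split() if t.isdigit()} if rc == 0 else set()


def check_membership(user: str, groups: List[str], run: Runner) -> Tuple[str, List[str]]:
    """Return ('OK' | 'ERR', diagnostics).  OK as soon as one listed group matches."""
    diag: List[str] = []
    gids = user_gids(user, run)
    for group in groups:
        sid = group_sid(group, run)
        if sid is None:
            diag.append(f"group {group!r}: no SID (unknown group)")
            continue
        gid = sid_to_gid(sid, run)
        if gid is None:
            # The failure mode from the thread: the group has a SID but winbind
            # has no gid mapping for it, so membership cannot be tested by gid.
            # Fail closed: an unmappable group never grants access.
            diag.append(f"group {group!r}: SID {sid} has no gid mapping")
            continue
        if gid in gids:
            diag.append(f"group {group!r}: gid {gid} matched")
            return "OK", diag
        diag.append(f"group {group!r}: gid {gid} not among user's gids {sorted(gids)}")
    return "ERR", diag


def serve(lines, out, run: Runner, debug: bool = False) -> None:
    """Squid helper loop: one request line in, one 'OK'/'ERR' line out."""
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        verdict, diag = check_membership(parts[0], parts[1:], run)
        if debug:
            for d in diag:
                print(d, file=sys.stderr)
        out.write(verdict + "\n")
        out.flush()


# Constructed fake of the winbind answers quoted in the thread (not data taken
# from a live domain): obmg resolves to a SID with no gid mapping, inor
# resolves and maps to 10029, and user rog carries gid 10029.
FAKE_TABLES = {
    ("-n", "obmg"): (0, "S-1-5-21-986273330-1409306274-1541874228-6339 Domain Group (2)\n"),
    ("-n", "inor"): (0, "S-1-5-21-986273330-1409306274-1541874228-1059 Domain Group (2)\n"),
    ("-Y", "S-1-5-21-986273330-1409306274-1541874228-6339"): (1, ""),
    ("-Y", "S-1-5-21-986273330-1409306274-1541874228-1059"): (0, "10029\n"),
    ("-r", "rog"): (0, "10000 10029\n"),
}


def fake_runner(args: List[str]) -> Tuple[int, str]:
    """Stand-in for wbinfo driven by FAKE_TABLES; anything unknown fails like wbinfo does."""
    return FAKE_TABLES.get(tuple(args), (1, ""))


if __name__ == "__main__":
    runner = fake_runner if "--fake" in sys.argv else wbinfo_runner
    serve(sys.stdin, sys.stdout, runner, debug="-d" in sys.argv)
```

Run it as `python3 helper.py --fake -d` and type `rog obmg` or `rog inor` to see the ERR/OK decisions and the per-group reasons on stderr; without `--fake` it shells out to the real wbinfo. The point to take from it is that a group which resolves with `wbinfo -n` but fails `wbinfo -Y` can never match, because the comparison is done on numeric gids, so the helper answers ERR for that group regardless of real AD membership; that is the fail-closed behaviour you want in an allow rule, and it means the thing to check is winbind's idmap (the uid/gid ranges in smb.conf and the idmap cache) for the SID that does not map, not the group membership itself.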
Received on Fri Dec 04 2009 - 12:34:20 MST

This archive was generated by hypermail 2.2.0 : Mon Dec 07 2009 - 12:00:01 MST