[squid-users] Domain Admins can't access

From: megs28 <mgrubb_at_evertz.com>
Date: Thu, 29 Jul 2010 09:25:07 -0700 (PDT)

Hello

This is my first post. I've just setup Squid 2.7 STABLE on Ubuntu server
10.4 with NTLM authentication and Winbind. At present, any one who is a
member of the domain admins group are not able to access the proxy
server...they just get a normal "Page cannot be displayed" message in IE,
not even a squid error. When they access a blocked site (login.live.com),
same thing. A coworker previously setup 2.6STABLE on FreeBSD 7 and he had
the same problem. I have a few accounts with domain admin privlidges, but
they all have the same problem. Config is below.

I have tried commenting out the ACL "http_access deny
ad_group_domain_users", which points to a file that just says Domain Users,
but that makes no difference. When I do domain\administrator
domain\internet with wbinfo_group.pl OK is returned....same with my username
(non domain admin). There are no errors in the access.log or cache.log. I
HAVE changed the wbinfo_group.pl as the default one wasn't working...but if
it's returning OK when I run a check I don't understand the issue. If
there's a better way to accomplish this let me know...would like for
Kerberos authentication instead of NTLM to make life easier for my Linux and
MAC users :)

==================

#Setup authentication as NTLM, allowing 20 processes for authentication.
Increase if authentication is slow.
        auth_param ntlm program /usr/lib/squid/ntlm_auth -f domain.com/dc1
        auth_param ntlm program /usr/lib/squid/ntlm_auth -f domain.com/dc2
        auth_param ntlm children 20

# ACLs to allow Server to access itself
        acl all src all
        acl manager proto cache_object
        acl localhost src 127.0.0.1/32
        acl to_localhost dst 127.0.0.0/8

# Force All ACLs to require NTLM authentication
        acl ntlm proxy_auth REQUIRED

# ACLs for permitted ports for proxying
        acl SSL_ports port 443
        acl SSL_ports port 8383 # VMWare Server
        acl SSL_ports port 8444 # Identity Guard
        acl SSL_ports port 4444 # OWA
        acl Safe_ports port 80 # http
        acl Safe_ports port 21 # ftp
        acl Safe_ports port 443 # https
        acl Safe_ports port 4444 # OWA https
        acl Safe_ports port 8444 # Identity Guard https
        acl Safe_prots port 8383 # VMWare Server https
        acl Safe_ports port 70 # gopher
        acl Safe_ports port 210 # wais
        acl Safe_ports port 1025-65535 # unregistered ports
        acl Safe_ports port 280 # http-mgmt
        acl Safe_ports port 488 # gss-http
        acl Safe_ports port 591 # filemaker
        acl Safe_ports port 777 # multiling http

# Script for WinBid group checking. Must have
        external_acl_type ntdom ttl=0 children=20 %LOGIN
/usr/lib/squid/wbinfo_group.pl

#########BE VERY CAREFUL OF RULE ORDER, WILL STOP WHEN SOMETHING MATCHES AND
NOT CONTINUE###########

# Denies access to blocked websites, ie. Hotmail.
        acl blocked_websites url_regex "/etc/squid/blocked_websites"
        http_access deny blocked_websites

# Allows users in "INTERNET" AD group to access internet through proxy
       acl AD_group_internet external ntdom internet
        http_access allow AD_group_internet

# Denies users in "DOMAIN USERS" AD group from using proxy. Must be a
member of "INTERNET" group to get online
       acl AD_group_domain_users external ntdom
"/etc/squid/ad_group_domain_users"
       http_access deny ad_group_domain_users

# Tell acl method to be CONNECT
        acl CONNECT method CONNECT

# Allow requests to ports
        http_access deny !Safe_ports
        http_access deny CONNECT !SSL_ports

# Allow server to access itself
        http_access allow manager localhost
        http_access deny manager

# Permitted networks for Proxy
        acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
        http_access allow localnet

# Deny all other access
        http_access deny all

#########END RULE ORDER CAREFULNESS###########

# Allow access to Internet Cache Proxy from localnet
        icp_access allow localnet
        icp_access deny all

-- 
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Domain-Admins-can-t-access-tp2306738p2306738.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Thu Jul 29 2010 - 16:25:09 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 30 2010 - 12:00:04 MDT