Re: [squid-users] Domain Admins can't access

From: Scott Horsley <scott.horsley_at_staff.netspace.net.au>
Date: Fri, 30 Jul 2010 10:59:08 +1000

On 30/07/10 2:25 AM, "megs28" <mgrubb_at_evertz.com> wrote:

>
> Hello
>
> This is my first post. I've just setup Squid 2.7 STABLE on Ubuntu server
> 10.4 with NTLM authentication and Winbind. At present, any one who is a
> member of the domain admins group are not able to access the proxy
> server...they just get a normal "Page cannot be displayed" message in IE,
> not even a squid error. When they access a blocked site (login.live.com),
> same thing. A coworker previously setup 2.6STABLE on FreeBSD 7 and he had
> the same problem. I have a few accounts with domain admin privlidges, but
> they all have the same problem. Config is below.
>
> I have tried commenting out the ACL "http_access deny
> ad_group_domain_users", which points to a file that just says Domain Users,
> but that makes no difference. When I do domain\administrator
> domain\internet with wbinfo_group.pl OK is returned....same with my username
> (non domain admin). There are no errors in the access.log or cache.log. I
> HAVE changed the wbinfo_group.pl as the default one wasn't working...but if
> it's returning OK when I run a check I don't understand the issue. If
> there's a better way to accomplish this let me know...would like for
> Kerber <snip>

I think the biggest issue you have is actually highlighted in your config..
You have

> #########BE VERY CAREFUL OF RULE ORDER, WILL STOP WHEN SOMETHING MATCHES AND
> NOT CONTINUE###########

And that is the important part of all this.

Just observations but here is my outlook on your config.

====
http_access allow AD_group_internet
Would appear that you are trying to check for a user (external helper called
with %LOGIN) without checking the external authenticator "ntlm" anywhere
along the check (I have never used ntlm so this could be wrong).

====
http_access allow AD_group_internet
Is before your safe_port check which means safe_ports are never used, access
can be achieved to every port out there, including mail servers etc.

====
http_access deny ad_group_domain_users
Denies users using %LOGIN which isn't checked first (see my statement above
about ntlm... Never used it)

====
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
http_access allow localnet
Would allow every user on your network (guessing this subnet is your
network) to access the proxy. If a user isn't in your AD server (or your
helper returns the wrong result) and isn't a member of one of your ntdom
groups, they have access to the proxy and can browse without restriction.

===
acl AD_group_internet external ntdom internet
AND
acl AD_group_domain_users external ntdom "/etc/squid/ad_group_domain_users"
seem to call your external helper quite differently, I don't know what your
helper does so I assume either will work.

===
I have included a basic ACL config that should match onto what your trying
to achieve (From what I can see in your config). It's by no means complete
but might clear up some of your issues. I doesn't include your external
helper definitions or basic config entries like auth helpers, safe ports
etc.

Just a heads up. I am taking some wild guesses about what your actual setup
is meant to be doing but the below seems fairly logical.

acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

# Deny bad ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Deny site in the blocked_websites list
acl blocked_websites url_regex "/etc/squid/blocked_websites"
http_access deny blocked_websites

# Allow authenticated users in the INTERNET group on our network access
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl AD_group_internet external ntdom internet # Internet group members
http_access allow localnet ntlm AD_group_internet

# ?? anybody not in "INTERNET" group would be denied after this.
#acl AD_group_domain_users external ntdom "/etc/squid/ad_group_domain_users"
#http_access deny ntlm AD_group_domain_users

http_access deny all

Hopefully this wild bit of guessing will clear up some of the issues you are
seeing and give some feedback into what is actually going wrong. Of course,
if I am reading into what you are doing wrongly, then I am more than happy
to stand corrected on the sideline. :)

Scott

This email and any files transmitted with it are confidential and intended
 solely for the use of the individual or entity to whom they are addressed.
Please notify the sender immediately by email if you have received this
email by mistake and delete this email from your system. Please note that
 any views or opinions presented in this email are solely those of the
 author and do not necessarily represent those of the organisation.
Finally, the recipient should check this email and any attachments for
the presence of viruses. The organisation accepts no liability for any
damage caused by any virus transmitted by this email.
Received on Fri Jul 30 2010 - 00:59:15 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 30 2010 - 12:00:04 MDT