[squid-users] wbinfo_group.pl receives user and domain in wrong format?

From: Laurikainen, Tuukka <t.laurikainen_at_ibermatica.com>
Date: Thu, 3 Jan 2013 17:50:27 +0000

Hi,

I have the following problem with an external acl: The Squid server is configured to authenticate users from AD (Negotiate and NTLM auth both work fine).
The problem I have is with an external acl to check group permissions:

external_acl_type AD-Groups ttl=10 children=60 %LOGIN /usr/lib/squid3/wbinfo_group.pl

Now, debugging the wbinfo_group.pl I can see that:

Got USER_at_MY.DOMAIN AD_GROUP from squid
Usuario: USER_at_MY.DOMAIN
User: - USER_at_MY.DOMAIN-
Group: -AD_GROUP-
SID: -S-1-5-21-1472344799-869232178-1847928074-74927-
GID: -10081-
Could not get groups for user USER_at_MY.DOMAIN
Sending ERR to squid

It correctly gives OK if the user is just the USER, but why is Squid passing the user in this format USER_at_MY.DOMAIN? I understand it should strip the domain part off(?)... Wbinfo -t, wbinfo -u, wbinfo -g all work fine. wbinfo -r works too, if the user is given in a correct format (USER or DOMAIN\\USER).

smb.conf:

[global]
interfaces = 127.0.0.1/8 eth0
workgroup = DOMAIN
netbios name = squid
local master = no
realm = MY.DOMAIN
security = ads
encrypt passwords = yes

password server = dc1.my.domain, dc2.my.domain, *

load printers = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
client use spnego = yes
debug level = 2

squid.conf (just the auth lines):

auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MY.DOMAIN --kerberos /usr/lib/squid3/squid_kerb_auth -s GSS_C_NO_NAME
auth_param negotiate keep_alive off

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MY.DOMAIN

Squid version 3.1.6.

Regards,

Tuukka
Received on Thu Jan 03 2013 - 17:50:33 MST
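
The login-format mismatch described in the post, as an added example that is not part of the original message and is not the Squid project's wbinfo_group.pl: a minimal external ACL helper that reduces `USER@REALM` or `DOMAIN\USER` to the short name before querying winbind, and denies any realm or workgroup other than the ones in the smb.conf above instead of stripping it blindly. It assumes the `_at_` in the archived debug output stands for `@`; the names `normalize_login`, `decide` and `SAFE` are hypothetical.

```python
import re
import subprocess
import sys
from urllib.parse import unquote

REALM = "MY.DOMAIN"    # realm = ... in the smb.conf above
WORKGROUP = "DOMAIN"   # workgroup = ... in the smb.conf above
# Assumed conservative charset; a leading "-" is refused so a name is never read as an option.
SAFE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._$ -]*$")

def normalize_login(login):
    """Return the short account name winbind accepts, or None to deny."""
    if "@" in login:                      # Kerberos form: USER@REALM
        user, _, realm = login.rpartition("@")
        if realm.upper() != REALM:        # never map a foreign realm onto a local name
            return None
    elif "\\" in login:                   # NTLM form: DOMAIN\USER
        domain, _, user = login.partition("\\")
        if domain.upper() != WORKGROUP:
            return None
    else:
        user = login                      # already the short form
    return user if SAFE.match(user) else None

def decide(line, run=subprocess.run):
    """Answer one request line '<login> <group> [<group>...]' with OK or ERR."""
    fields = [unquote(f) for f in line.split()]   # fields arrive URL-escaped
    user = normalize_login(fields[0]) if len(fields) >= 2 else None
    if user is None:
        return "ERR"

    def wb(*args):                        # argument list, no shell involved
        p = run(["wbinfo", *args], capture_output=True, text=True)
        return p.stdout.split() if p.returncode == 0 else []

    user_gids = set(wb("-r", user))       # GIDs of the user's groups
    for group in fields[1:]:
        if not SAFE.match(group):
            continue
        sid = wb("-n", group)[:1]         # group name -> SID
        gid = wb("-Y", sid[0])[:1] if sid else []   # SID -> GID
        if gid and gid[0] in user_gids:
            return "OK"
    return "ERR"

if __name__ == "__main__":
    for request in sys.stdin:             # one request per line from Squid
        print(decide(request), flush=True)
```
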