Re: [squid-users] Squid 2.6.9 ntlm_auth AD Group checking no longer works.

From: Adrian Chadd <[email protected]>
Date: Sat, 24 Feb 2007 05:45:13 +0800

On Fri, Feb 23, 2007, David Whitehead wrote:
>
>
> Sort of new to mailing lists but here goes...
>
> Been using Squid for two years to regulate corporate web access based on
> Active Directory group membership.
> Up until Monday (after a portupgrade on FreeBSD 6.1) it's been working
> PERFECTLY. Samba and winbindd have been working flawlessly. The current
> squid.conf is as follows (Any clues as to what's wrong would be MOST
> helpful as I've been pulling my hair out over this for five days now):

Ignoring the fact it could be your config, you haven't given enough information
as to how it does/doesn't work.

The first thing to try is 'wbinfo -t' and see if your Winbind is able to
successfully communicate to the AD.

The next thing to try is 'wbinfo -u' and 'wbinfo -g' to see whether your
Winbind has access to the user/group lists.

The next thing is to check for permissions. I know the latest Winbind/Samba
combo is even more anal about the permissions of the winbindd_privileged
directory (holding the UNIX socket which winbindd listens on) and this might
interfere with stuff. Make sure Squid runs in the right group too.
You're running Squid as squid:squid which I know won't work out of the box
with Ubuntu and its samba/winbind - Winbind really wants that pipe directory
to be chown root:root, chmod 750 and woe be if you change it. I have to run
squid as squid:root to get it to work right.

Next would be the contents of your cache.log - what are the ntlm_auth helpers
logging?

Adrian

>
> # MONITOR Squid
>
> hierarchy_stoplist cgi-bin ?
>
> http_port 3128
>
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> cache_dir ufs /usr/local/etc/squid/cache 10000 10 10
>
> cache_access_log /usr/local/etc/squid/log/access.log
>
> cache_store_log /usr/local/etc/squid/log/store.log
>
> pid_filename /usr/local/etc/squid/log/squid.pid
>
> debug_options ALL,1
>
> redirect_children 5
>
> auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> # auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> # auth_param ntlm max_challenge_reuses 0
> # auth_param ntlm max_challenge_lifetime 2 minute
> # external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/local/libexec/squid/wbinfo_group.pl
>
> # TEST
> external_acl_type nt_group ttl=0 children=20 %LOGIN /usr/local/libexec/squid/wbinfo_group.pl
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl AuthorizedUsers proxy_auth REQUIRED
> acl regularusers external nt_group Browser-Users
> acl allowedurls dstdomain "/usr/local/etc/squid/restrictedusers_allowedurls"
> acl restrictedusers external nt_group Restricted-Browser-Use
> acl ALWIZARD dst 65.163.6.109-65.163.6.109/255.255.255.255 65.163.6.110-65.163.6.110/255.255.255.255
> acl blockurls dstdomain "/usr/local/etc/squid/blockurls"
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow regularusers
> http_access deny !SSL_ports !Safe_ports !CONNECT !ALWIZARD
> http_access deny all
>
> http_reply_access allow all
>
> icp_access allow manager localhost AuthorizedUsers regularusers restrictedusers
>
> cache_effective_user squid
>
> cache_effective_group squid
>
> coredump_dir /usr/local/etc/squid/cache
>
> # redirect_program /usr/local/libexec/squid_redirect

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
Received on Fri Feb 23 2007 - 14:37:31 MST
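The checklist in the reply above (wbinfo -t, wbinfo -u / -g, permissions on the winbindd_privileged directory versus the user and group Squid runs as, and what the ntlm_auth helpers write to cache.log) as one diagnostic script. This is an added example, not code from the thread, from Squid or from Samba. It assumes a location for winbindd_privileged and for cache.log (neither is stated on the page; the config above sets access.log but no cache_log directive) and the stat(1) format strings for FreeBSD and GNU; all three can be overridden with environment variables. The cache.log lines used by the self-test are constructed samples, not lines from the poster's log.

```sh
#!/bin/sh
# Added diagnostic walking through the checklist in the reply above; not code from
# the thread, Squid or Samba.  Assumed (not given on the page): the path of the
# privileged winbind socket directory, the path of cache.log, and the stat(1)
# format strings for FreeBSD and GNU.  Override with environment variables.

WINBINDD_PRIV="${WINBINDD_PRIV:-/var/db/samba/winbindd_privileged}"  # assumed path
SQUID_USER="${SQUID_USER:-squid}"                                     # cache_effective_user
CACHE_LOG="${CACHE_LOG:-/usr/local/etc/squid/log/cache.log}"         # assumed path

# Steps 1 and 2: can winbindd reach the DC, and can it enumerate users and groups?
# Returns 0 when all three wbinfo calls succeed, 1 on the first failure.
wbinfo_checks() {
    for flag in t u g; do
        if wbinfo -"$flag" >/dev/null 2>&1; then
            echo "wbinfo -$flag: ok"
        else
            echo "wbinfo -$flag: FAILED"
            return 1
        fi
    done
}

# Step 3: may user $4 (group memberships in $5, space separated) search a directory
# owned by $2:$3 with octal mode $1?  Connecting to the UNIX socket inside
# winbindd_privileged needs the search (x) bit on that directory, so a root:root
# 750 directory shuts out squid:squid but admits squid:root, which is exactly the
# behaviour described above.  Pure function, so it runs on a host without winbind.
pipe_dir_access_ok() {
    mode=$1; owner=$2; group=$3; user=$4; groups=$5
    perm=$(printf '%s' "$mode" | tail -c 3)           # last three octal digits
    digit=$(printf '%s' "$perm" | cut -c3)            # default: "other" bits
    if [ "$user" = "$owner" ]; then
        digit=$(printf '%s' "$perm" | cut -c1)        # owner bits win
    else
        for g in $groups; do
            if [ "$g" = "$group" ]; then
                digit=$(printf '%s' "$perm" | cut -c2) # group bits
                break
            fi
        done
    fi
    [ $((digit & 1)) -eq 1 ]                           # search bit set?
}

# Step 4: what are the helpers logging?  Reads cache.log on stdin and counts lines
# from ntlm_auth, winbind or the helper machinery that look like errors.
count_helper_errors() {
    grep -Ei 'ntlm_auth|winbind|helper' | grep -Eic 'error|fail|could not|denied|broken' || true
}

# Constructed sample of a Squid 2.6 cache.log (not the poster's log) for a dry run.
sample_cache_log() {
    cat <<'EOF'
2007/02/23 10:12:01| Starting Squid Cache version 2.6.STABLE9 ...
2007/02/23 10:12:01| helperStatefulOpenServers: Starting 5 'ntlm_auth' processes
2007/02/23 10:12:02| ntlm_auth: could not obtain winbind separator!
2007/02/23 10:12:02| WARNING: ntlm authentication helper #1 returned an error
2007/02/23 10:12:03| Ready to serve requests.
EOF
}

main() {
    if command -v wbinfo >/dev/null 2>&1; then
        wbinfo_checks
    else
        echo "wbinfo not in PATH; is winbind installed?"
    fi

    if [ -d "$WINBINDD_PRIV" ]; then
        # BSD stat first (the box in the thread is FreeBSD), GNU stat as fallback.
        set -- $(stat -f '%OLp %Su %Sg' "$WINBINDD_PRIV" 2>/dev/null || stat -c '%a %U %G' "$WINBINDD_PRIV")
        echo "$WINBINDD_PRIV is $2:$3 mode $1"
        if pipe_dir_access_ok "$1" "$2" "$3" "$SQUID_USER" "$(id -Gn "$SQUID_USER")"; then
            echo "$SQUID_USER can search $WINBINDD_PRIV"
        else
            echo "$SQUID_USER cannot search $WINBINDD_PRIV: set cache_effective_group to $3 or fix the directory"
        fi
    else
        echo "$WINBINDD_PRIV missing; point WINBINDD_PRIV at this Samba build's winbindd_privileged"
    fi

    if [ -r "$CACHE_LOG" ]; then
        echo "$(count_helper_errors < "$CACHE_LOG") helper/winbind error lines in $CACHE_LOG; last few:"
        grep -Ei 'ntlm_auth|winbind|helper' "$CACHE_LOG" | tail -n 5
    else
        echo "$CACHE_LOG not readable; cache.log is where the ntlm_auth helpers complain"
    fi
}

# Live checks only when asked for, so the functions can be sourced and exercised alone.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as root with --run on the proxy; the permission check reproduces the squid:squid versus squid:root difference from the reply without touching the socket, and the log scan only narrows cache.log down to helper and winbind lines, which is what to paste into a follow-up.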
