RE: [squid-users] Squid 2.6.9 ntlm_auth AD Group checking no longer works.

From: David Whitehead <[email protected]>
Date: Fri, 23 Feb 2007 13:58:06 -0800

Yeah I'm quite sure that it's in my config... I just can't seem to
figure out what needs to be changed. The config I listed has been in use
for quite some time and had been working perfectly. The first thing that
had to be changed after the "upgrade" of course were the two lines:

# auth_param ntlm max_challenge_reuses 0
# auth_param ntlm max_challenge_lifetime 2 minute

Which of course had to be 'banged out' according to the release notes.
Failure to do so prevented Squid from starting altogether.

Sorry about that... When I say "not working" I mean that it was set up to
only allow members of the (Active Directory) domain group
"Browser-Users" access to the web outside the corporate network. Members
of the (Active Directory) domain group "Restricted-Browser-Use" could
only get to web sites specified within an "acceptable sites" file on the
proxy server. All was well for two years.

wbinfo -t comes back with "checking the trust secret via RPC calls succeeded"
wbinfo -u comes back with all users on the Windows domain
wbinfo -g comes back with all Groups on the Windows domain.

/usr/local/squid/logs/cache.log is now showing this error:

Could not convert sid S-1-5-21-466765145-1792897056-1845911597-1995 to
gid

For every user that opens a browser (SID of course is different for each
user)

(And forgive me for not being familiar with mailing list etiquette...
This is sort of last ditch effort on my part to get this thing figured
out. I normally use Forums rather than mailing lists. :) )

-----Original Message-----
From: Adrian Chadd [mailto:adrian@creative.net.au]
Sent: Friday, February 23, 2007 1:45 PM
To: David Whitehead
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 2.6.9 ntlm_auth AD Group checking no
longer works.

On Fri, Feb 23, 2007, David Whitehead wrote:
>
>
> Sort of new to mailing lists but here goes...
>
> Been using Squid for two years to regulate corporate web access based
> on Active Directory group membership.
> Up until Monday (after a portupgrade on FreeBSD 6.1) it's been working
> PERFECTLY. Samba and winbindd have been working flawlessly. The
> current squid.conf is as follows (Any clues as to what's wrong would
> be MOST helpful as I've been pulling my hair out over this for five
> days now):

Ignoring the fact it could be your config, you haven't given enough
information as to how it does/doesn't work.

The first thing to try is 'wbinfo -t' and see if your Winbind is able to
successfully communicate to the AD.

The next thing to try is 'wbinfo -u' and 'wbinfo -g' to see whether your
Winbind has access to the user/group lists.

The next thing is to check for permissions. I know the latest
Winbind/Samba combo is even more anal about the permissions of the
winbindd_privileged directory (holding the UNIX socket which winbindd
listens on) and this might interfere with stuff. Make sure Squid runs in
the right group too.
You're running Squid as squid:squid which I know won't work out of the
box with Ubuntu and its samba/winbind - Winbind really wants that pipe
directory to be chown root:root, chmod 750 and woe be if you change it.
I have to run squid as squid:root to get it to work right.

Next would be the contents of your cache.log - what are the ntlm_auth
helpers logging?

Adrian

>
> # MONITOR Squid
>
> hierarchy_stoplist cgi-bin ?
>
> http_port 3128
>
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> cache_dir ufs /usr/local/etc/squid/cache 10000 10 10
>
> cache_access_log /usr/local/etc/squid/log/access.log
>
> cache_store_log /usr/local/etc/squid/log/store.log
>
> pid_filename /usr/local/etc/squid/log/squid.pid
>
> debug_options ALL,1
>
> redirect_children 5
>
> auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> # auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> # auth_param ntlm max_challenge_reuses 0
> # auth_param ntlm max_challenge_lifetime 2 minute
> # external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/local/libexec/squid/wbinfo_group.pl
>
> # TEST
> external_acl_type nt_group ttl=0 children=20 %LOGIN /usr/local/libexec/squid/wbinfo_group.pl
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl AuthorizedUsers proxy_auth REQUIRED
> acl regularusers external nt_group Browser-Users
> acl allowedurls dstdomain "/usr/local/etc/squid/restrictedusers_allowedurls"
> acl restrictedusers external nt_group Restricted-Browser-Use
> acl ALWIZARD dst 65.163.6.109-65.163.6.109/255.255.255.255 65.163.6.110-65.163.6.110/255.255.255.255
> acl blockurls dstdomain "/usr/local/etc/squid/blockurls"
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow regularusers
> http_access deny !SSL_ports !Safe_ports !CONNECT !ALWIZARD
> http_access deny all
>
> http_reply_access allow all
>
> icp_access allow manager localhost AuthorizedUsers regularusers
> restrictedusers
>
> cache_effective_user squid
>
> cache_effective_group squid
>
> coredump_dir /usr/local/etc/squid/cache
>
> # redirect_program /usr/local/libexec/squid_redirect

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid
Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
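The checks Adrian walks through above (wbinfo -t / -u / -g, the permissions on the winbindd_privileged directory, and whether Squid's effective group matches that directory) can be scripted so they are repeatable after the next upgrade. The script below is an added example and is not code from either poster or from the Squid or Samba projects. It assumes the privileged pipe directory lives at /var/db/samba/winbindd_privileged and squid.conf at /usr/local/etc/squid/squid.conf (both overridable through environment variables), and the embedded cache.log sample is constructed, using the SID from David's message plus one made-up SID, so the log summary can be exercised without a live winbindd.

```shell
#!/bin/sh
# Added example, not from the thread: scripted version of Adrian's checks.
# Run as:  sh winbind_check.sh run
PRIV_DIR="${PRIV_DIR:-/var/db/samba/winbindd_privileged}"          # assumed path
SQUID_CONF="${SQUID_CONF:-/usr/local/etc/squid/squid.conf}"         # assumed path
CACHE_LOG="${CACHE_LOG:-/usr/local/squid/logs/cache.log}"           # path from the thread

# Constructed cache.log excerpt: first SID is the one David reported, the
# second (…-2031) and the timestamps are made up for the demo.
SAMPLE_LOG='2007/02/23 13:40:01| Could not convert sid S-1-5-21-466765145-1792897056-1845911597-1995 to gid
2007/02/23 13:40:05| Could not convert sid S-1-5-21-466765145-1792897056-1845911597-1995 to gid
2007/02/23 13:41:12| Could not convert sid S-1-5-21-466765145-1792897056-1845911597-2031 to gid
2007/02/23 13:41:13| (constructed unrelated log line)'

# run_wbinfo_checks: Adrian's first two steps. -t verifies the trust secret
# with the domain, -u/-g show whether winbind can enumerate users/groups.
run_wbinfo_checks() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed; skipping" >&2; return 0; }
    wbinfo -t || return 1
    echo "first users:";  wbinfo -u | head -n 3
    echo "first groups:"; wbinfo -g | head -n 3
}

# check_priv_dir DIR: the privileged pipe directory should be mode 750
# (drwxr-x---). Prints owner/group/mode, returns non-zero if the mode differs.
check_priv_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    set -- $(ls -ld "$dir")
    mode="${1%[@+]}"; owner="$3"; group="$4"    # strip ACL/xattr marker if present
    echo "$dir owner=$owner group=$group mode=$mode"
    [ "$mode" = "drwxr-x---" ]
}

# squid_group CONF: prints the (last) cache_effective_group value in squid.conf.
squid_group() {
    sed -n 's/^[[:space:]]*cache_effective_group[[:space:]][[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# check_group_match CONF DIR: Squid's effective group must be the group that
# owns the privileged directory, otherwise the 750 mode locks the helper out.
check_group_match() {
    conf_group=$(squid_group "$1")
    set -- $(ls -ld "$2")
    dir_group="$4"
    if [ "$conf_group" = "$dir_group" ]; then
        echo "cache_effective_group $conf_group matches $2 (group $dir_group)"
    else
        echo "cache_effective_group '$conf_group' but $2 is owned by group '$dir_group'" >&2
        return 1
    fi
}

# count_failed_sids: reads cache.log on stdin and prints how many distinct
# SIDs winbind failed to map to a gid (the error David is seeing).
count_failed_sids() {
    sed -n 's/.*Could not convert sid \(S-[0-9-]*\) to gid.*/\1/p' | sort -u | wc -l | tr -d ' '
}

# demo_sample_count: runs the log summary over the constructed sample.
demo_sample_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_failed_sids
}

if [ "${1:-}" = "run" ]; then
    run_wbinfo_checks
    check_priv_dir "$PRIV_DIR"
    check_group_match "$SQUID_CONF" "$PRIV_DIR"
    echo "distinct SIDs failing sid->gid in $CACHE_LOG: $(count_failed_sids < "$CACHE_LOG")"
fi
```

With David's config (cache_effective_group squid) and a root:root 750 pipe directory, check_group_match reports the mismatch Adrian describes; the log summary separates "every user hits it" (many distinct SIDs, pointing at idmap or socket access) from a single unmapped group.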
Received on Fri Feb 23 2007 - 14:58:13 MST
