RE: [squid-users] acl proxy_auth problem

From: Georg Roelli <roellig_at_hotmail.com>
Date: Mon, 7 Dec 2009 08:25:29 +0100

----------------------------------------
> From: roellig_at_hotmail.com
> To: squid-users_at_squid-cache.org
> Date: Fri, 4 Dec 2009 13:34:12 +0100
> Subject: RE: [squid-users] acl proxy_auth problem
>
>
>
>
> ----------------------------------------
>> Date: Fri, 4 Dec 2009 12:20:34 +1300
>> From: squid3_at_treenet.co.nz
>> To: squid-users_at_squid-cache.org
>> Subject: Re: [squid-users] acl proxy_auth problem
>>
>> Georg Roelli wrote:
>>> ----------------------------------------
>>>> Date: Thu, 3 Dec 2009 10:36:10 +1300
>>>> From: squid3_at_treenet.co.nz
>>>> To: squid-users_at_squid-cache.org
>>>> Subject: Re: [squid-users] acl proxy_auth problem
>>>>
>>>> On Wed, 2 Dec 2009 15:15:15 +0100, Georg Roelli
>>>> wrote:
>>>>> Hello
>>>>>
>>>>> My environment: Ubuntu 8.04 LTS, Squid 2.6.18, Samba 3.0.28a
>>>>>
>>>>> I am looking to find a way to check with an acl if a user is member of a
>>>>> specific ad-group. On my Squid Proxy Server, I have successfully set up
>>>> an
>>>>> SSO authentication with the active directory.
>>>>> This works fine. Among other things:
>>>>>
>>>>> auth_param ntlm program /usr/bin/ntlm_auth
>>>>> --helper-protocol=squid-2.5-ntlmssp
>>>>> --require-membership-of="Dom�ne\\AD-GroupeA"
>>>>>
>>>>> Now I start with the definition of the acl's. At first I would like to
>>>>> make a badUrls list which is valid for all users to block some sites.
>>>> This
>>>>> list should not be applied to a group of personal computers (host)
>>>> and/or a
>>>>> specific AD group.
>>>>> Here is my approach:
>>>>>
>>>>> acl auth proxy_auth REQUIRED
>>>>> acl badurls url_regex "/data/squid/badurls.txt"
>>>>> acl AllowedClients srcdom_regex -i "/data/squid/allowed_clients.txt"
>>>>> acl AllowedGroups proxy_auth -i Dom�ne/AD-GroupeB
>>>>>
>>>>> http_access allow auth AllowedClients
>>>>> http_access allow auth AllowedGroups
>>>>> http_access deny badurls
>>>>> http_access allow auth
>>>>> http_access deny all
>>>>>
>>>>> The acl with the badurls list and the acl for the AllowedClients are
>>>>> working fine. But with the acl acl AllowedGroups proxy_auth -i
>>>>> Dom�ne/AD-GruppeB I have great problems. I don't know how I can make an
>>>> acl
>>>>> who check the membership from an AD-Groupe.
>>>>> I tested many different types of spelling. Unfortunately without
>>>> success.
>>>>> How can I make an acl using ntlm_auth authentication? Is there a better
>>>> and
>>>>> easier way to do this?
>>>>>
>>>>> Thank you for your suggestions.
>>>>>
>>>>> Kind regards.
>>>>>
>>>>
>>>>
>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmWithGroups
>>>>
>>>> Amos
>>>
>>> Hello Amos
>>>
>>> Thank you for your note.
>>>
>>> I have try it and after a have modified the lines in
>>>
>>> external_acl_type testForNTGroup %LOGIN /usr/lib/squid/wbinfo_group.pl -d
>>> acl inGroupX external testForNTGroup obmg
>>> http_access allow inGroupX
>>>
>>> I can restart the squid service without problems. Unfortunately the alc does not work.
>>> In a documentation I have found the -d option for wbinfo_group.pl and now I find these messages in the access.log:
>>
>> You means cache.log surely?
>>
>>>
>>> [2009/12/03 13:18:16, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
>>> Got NTLMSSP neg_flags=0xa2088205
>>> Got wag obmg from squid
>>> Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid
>>> User: -rog-
>>> Group: -obmg-
>>> SID: -S-1-5-21-986273330-1409306274-1541874228-6339-
>>> GID: --
>>> Sending ERR to squid
>>>
>>> Do you have any other ideas what dies message exactly means?
>>
>> They means the user "rog" exists but was not a registered member of
>> group "obmg".
>>
>> Look in the registry (I think on the domain controller) for
>> "S-1-5-21-986273330-1409306274-1541874228-6339" and see what groups it's
>> a member of.
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
>> Current Beta Squid 3.1.0.15
>
> I�m a little bit confused.
>
> I checked in the active directory which object has the SID S-1-5-21-986273330-1409306274-1541874228-6339. It�s the group obmg in my domain. Also, the user rog is a member of the group obmg. When I repeat the test with another domain user, he is member of obmg, I get the same error.
>
> I think the problem isn�t the membership of the user rog, it�s the fact, that wbinfo_grou.pl can�t generate a UID from the SID of the group.
>
> The error was:
> Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid
>
> I made a few tests:
>
> # wbinfo -n obmg
> S-1-5-21-986273330-1409306274-1541874228-6339 Domain Group (2)
>
> # wbinfo -Y S-1-5-21-986273330-1409306274-1541874228-6339
> Could not convert sid S-1-5-21-986273330-1409306274-1541874228-6339 to gid
>
> With another group I get the results:
>
> # wbinfo -n inor
> S-1-5-21-986273330-1409306274-1541874228-1059 Domain Group (2)
>
> # wbinfo -Y S-1-5-21-986273330-1409306274-1541874228-1059
> 10029
>
> When I take the group inor for the acl I get those entries in the cache.log and the access to internet works.
>
> [2009/12/04 13:07:34, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
> Got NTLMSSP neg_flags=0xa2088205
> Got rog inor from squid
> User: -rog-
> Group: -inor-
> SID: -S-1-5-21-986273330-1409306274-1541874228-1059-
> GID: -10029-
> Sending OK to squid
>
> So my next question is, why do I get from one group an UID and from the other not? Any ideas?
>
> G.

Good morning
 
Has anyone a good idea or a hint for me?
 
G.

                                                
_________________________________________________________________
Ski-Weltcup: Alle Rennen, alle Resultate und News auf MSN Sport
http://sport.ch.msn.com/skialpin/
Received on Mon Dec 07 2009 - 07:25:38 MST

This archive was generated by hypermail 2.2.0 : Mon Dec 07 2009 - 12:00:01 MST