AW: [squid-users] SquidNT - Authentication of groups only works partly

From: Altrock, Jens <Jens.Altrock@dont-contact.us>
Date: Thu, 24 Mar 2005 14:03:44 +0100

Domain is in mixed mode though.
I added the domain users to the Pre-Windows 2000 compatible access group, but
that helped nothing though...

-----Original Message-----
From: Guido Serassio [mailto:guido.serassio@acmeconsulting.it]
Sent: Thursday, 24 March 2005 13:25
To: Altrock, Jens; squid-users@squid-cache.org
Subject: RE: [squid-users] SquidNT - Authentication of groups only works partly

Hi,

Look if on the WBGDOM01 domain the "Pre-Windows 2000 compatible access" is
enabled.

The configuration should be fine.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/

-----Original Message-----
From: Altrock, Jens [mailto:Jens.Altrock@STADT-NW.DE]
Sent: Thu 3/24/2005 11:07 AM
To: 'squid-users@squid-cache.org'
Subject: [squid-users] SquidNT - Authentication of groups only works partly

Hi there!

I set up SquidNT on a Windows 2000 Server, works fine though. I just got a
little problem regarding authentication of domain groups via Squid.

The scenery:
We got four domains:
STADT-NW (where the proxy is in, Windows NT4 Domain)
VHS-NW (trusted domain, bidirectional, Windows 2003 Server, ADS)
TKS-NW (trusted domain, bidirectional, Windows 2003 Server, ADS)
WBGDOM01 (trusted domain, bidirectional, Windows 2000 Server SP3, ADS)

I check groups via the win32_check_group helper delivered with Squid using
the following config:

external_acl_type NT_global_group %LOGIN c:/squid/libexec/win32_check_group.exe -G
auth_param ntlm program c:/squid/libexec/win32_ntlm_auth.exe
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off

acl WWW external NT_global_group WWW
acl admins external NT_global_group Domänen-Admins
acl password proxy_auth REQUIRED

http_access allow password WWW
http_access allow password admins
http_access deny password !WWW !admins

So two groups got access to the Internet: Domänen-Admins (domain admins) and
the WWW group.
That works so far... for three of the four domains. If I try internet access
via proxy with a user from STADT-NW, TKS-NW or VHS-NW, it works perfectly.
But when trying a user from WBGDOM01, it won't work, Squid returns an Access
Denied Page.

I tried using the helper from the command line, using domain\\user and group
as parameters, and it works. The helper returns an OK in that case.
But when looking at the cache.log file when trying to access Squid via
browser with that user, I see the following error message:

/win32_check_group.exe NetUserGetGroups() failed.'

Can anyone help me with that? I don't think it's a problem with the helper,
for it works in command line mode though.

Regards,

Jens Altrock
Diplom-Ingenieur (BA)
Stadtverwaltung Neustadt an der Weinstraße
EDV und Organisation
Marktplatz 1
67433 Neustadt an der Weinstraße

Tel. +49 6321 855 330
Fax +49 6321 855 7330
mailto:jens.altrock@stadt-nw.de
http://www.neustadt-weinstrasse.de

###########################################
This message has been scanned by F-Secure Anti-Virus.
###########################################
Received on Thu Mar 24 2005 - 06:04:09 MST
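
Added illustration, not part of the thread or of Squid's own code: a small Python model of how Squid evaluates the three posted http_access rules (ACLs on one line are ANDed, the first matching rule decides), showing why a group lookup that fails for a WBGDOM01 user ends at the deny rule. The user names, the memberships and the ERR reply for a failed lookup are constructed assumptions.

```python
# http_access rules from the posted config, in file order.
# Each entry: (action, [ACL names]); a leading "!" negates the ACL.
RULES = [
    ("allow", ["password", "WWW"]),
    ("allow", ["password", "admins"]),
    ("deny",  ["password", "!WWW", "!admins"]),
]

# ACL name -> group name handed to the external group helper (posted config).
GROUP_ACLS = {"WWW": "WWW", "admins": "Domänen-Admins"}


def acl_matches(name, user, helper):
    """Evaluate one ACL; the NTLM login itself is assumed to have succeeded."""
    if name == "password":  # proxy_auth REQUIRED
        return True
    # External ACL: it matches only when the helper answers OK.
    return helper(user, GROUP_ACLS[name]) == "OK"


def http_access(user, helper):
    """Return (decision, rule number) of the first rule whose ACLs all match."""
    for number, (action, acls) in enumerate(RULES, start=1):
        if all(acl_matches(a.lstrip("!"), user, helper) != a.startswith("!")
               for a in acls):
            return action, number
    # No rule matched: Squid applies the opposite of the last rule's action.
    return ("allow" if RULES[-1][0] == "deny" else "deny"), None


# Constructed sample data: invented users and group memberships.
MEMBERS = {("STADT-NW\\alice", "WWW"), ("TKS-NW\\bob", "Domänen-Admins")}


def sample_helper(user, group):
    """Stand-in for the group helper; replies are constructed."""
    if user.startswith("WBGDOM01\\"):
        return "ERR"  # assumption: a failed group lookup is reported as ERR
    return "OK" if (user, group) in MEMBERS else "ERR"


if __name__ == "__main__":
    for u in ("STADT-NW\\alice", "TKS-NW\\bob", "WBGDOM01\\carol"):
        print(u, http_access(u, sample_helper))
```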
