Re: [squid-users] AD groups / wbinfo_group.pl problem

From: Kevin Blackwell <akblackwel_at_gmail.com>
Date: Tue, 16 Jun 2009 12:43:52 -0500

Jakob,

Recently I've been having the same problem. You find a fix?

Kevin

On Tue, Oct 7, 2008 at 11:50 AM, Jakob Curdes <jc_at_info-systems.de> wrote:
> Hi,
>
> when trying to set up NTLM authentication against an AD controller I ran
> into an issue with testing against Windows Group membership.
>
> Here's what works:
> - authorizing against AD controller via winbindd and ntlm_auth helper from
> samba package
> i.e. without group restrictions the authorization works
>
> - testing group membership with wbinfo_auth.pl via the command line:
>
> [root_at_fw libexec]# ./wbinfo_group.pl
> DOMAIN+guest DOMAIN+WebEnabled
> ERR
> DOMAIN+service DOMAIN+WebEnabled
> OK
>
> What does not work is letting squid check the group membership.
> Here are the relevant conf settings:
>
> external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl -d
> acl WebEnabled  external nt_group WebEnabled
> acl allowed_users proxy_auth REQUIRED
> (...)
> http_access allow WebEnabled
> http_access allow allowed_users
> http_access deny all
>
> What happens in cache.log is (wbinfo_group.pl debug is on):
> [2008/10/07 18:30:57, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
>  Got NTLMSSP neg_flags=0xa208b207
> [2008/10/07 18:30:57, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
>  Got user=[guest] domain=[DOMAIN] workstation=[WS1] len1=24 len2=24
> [2008/10/07 18:30:57, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
>  NTLMSSP Sign/Seal - Initialising with flags:
> [2008/10/07 18:30:57, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
>  Got NTLMSSP neg_flags=0xa2088205
> Got 0 guest2 WebEnabled from squid
> Could not convert sid S-xxxx to gid
> User:  -0-
> Group: -guest-
> SID:   -xxxx
> GID:   --
> Could not get groups for user 0
> Sending OK to squid
> 2008/10/07 18:30:58| helperHandleRead: unexpected reply on channel -1 from nt_group #1 'OK'
>
> Why is squid not able to look up the groups if wbinfo on the command line can?
> I changed the permissions of the winbindd_privileged directory to match the
> squid_effective group.
>
> Any ideas?
>
> Regards,
> Jakob
>
Received on Tue Jun 16 2009 - 17:44:00 MDT
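
When an external_acl_type helper is configured with concurrency greater than zero, Squid prefixes each request line with a channel ID and expects the same ID at the start of the reply. The sketch below is an added example, not code from this thread or from wbinfo_group.pl; it shows how the request line from the log above splits with and without channel handling. The MEMBERS table and the function names are constructed and stand in for the winbind lookup.

```python
from urllib.parse import unquote

# Constructed membership table standing in for the winbind group lookup.
MEMBERS = {"WebEnabled": {"service"}}


def parse_fields(line):
    """Split '<user> <group> [<group> ...]' into (user, groups).

    Squid URL-escapes the fields it sends, so each one is decoded.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("need a user and at least one group")
    return unquote(fields[0]), [unquote(g) for g in fields[1:]]


def handle(line, concurrent):
    """Return the reply for one request line; every failure answers ERR."""
    prefix = ""
    if concurrent:
        # With concurrency=N the first token is the channel ID, and it
        # has to be echoed back in front of the result.
        channel, _, line = line.strip().partition(" ")
        if not channel.isdigit():
            return "ERR"
        prefix = channel + " "
    try:
        user, groups = parse_fields(line)
        member = any(user in MEMBERS.get(g, set()) for g in groups)
        result = "OK" if member else "ERR"
    except ValueError:
        result = "ERR"  # fail closed on malformed input
    return prefix + result


if __name__ == "__main__":
    logged = "0 guest2 WebEnabled"  # request line as shown in the debug log
    # Parsed without channel handling, the channel ID becomes the user name
    # and the real user name becomes the first group.
    print(parse_fields(logged))
    print(handle(logged, concurrent=True))
    print(handle("1 service WebEnabled", concurrent=True))
```
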
