Re: [squid-users] Domain Admins can't access

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 30 Jul 2010 19:37:50 +1200

Scott Horsley wrote:
>
>
> On 30/07/10 2:25 AM, "megs28" <mgrubb_at_evertz.com> wrote:
>
>> Hello
>>
>> This is my first post. I've just set up Squid 2.7 STABLE on Ubuntu server
>> 10.4 with NTLM authentication and Winbind. At present, anyone who is a
>> member of the domain admins group is not able to access the proxy
>> server...they just get a normal "Page cannot be displayed" message in IE,
>> not even a squid error. When they access a blocked site (login.live.com),
>> same thing. A coworker previously set up 2.6STABLE on FreeBSD 7 and he had
>> the same problem. I have a few accounts with domain admin privileges, but
>> they all have the same problem. Config is below.
>>
>> I have tried commenting out the ACL "http_access deny
>> ad_group_domain_users", which points to a file that just says Domain Users,
>> but that makes no difference. When I do domain\administrator
>> domain\internet with wbinfo_group.pl OK is returned....same with my username
>> (non domain admin). There are no errors in the access.log or cache.log. I
>> HAVE changed the wbinfo_group.pl as the default one wasn't working...but if

So, "megs28", how and why did you change it?
  It's more likely that the authentication was failing on your specific
setup than that the authentication helper in common use for most of a
decade was broken.

If your group names are in fact "domain/internet" and "domain/Domain
Users" as your manual test implies then the group names specified in
squid.conf for the bundled helper need to be "domain/internet" and
"domain/Domain Users"

There are also permission issues with winbind that you need to look at.
A manual test needs to be run on the helper with the same exact user
account as squid uses for low-privilege operations. If that fails,
there is your problem.
  The squid effective user must be a member of both the group that has
winbind access (read AND write) privileges and the group that has proxy
cache and operational privileges.
  That means that cache_effective_group cannot be used in your squid.conf.

>> it's returning OK when I run a check I don't understand the issue. If
>> there's a better way to accomplish this let me know...would like for
>> Kerber <snip>
>
> I think the biggest issue you have is actually highlighted in your config..
> You have
>
>> #########BE VERY CAREFUL OF RULE ORDER, WILL STOP WHEN SOMETHING MATCHES AND
>> NOT CONTINUE###########
>
> And that is the important part of all this.
>
> Just observations but here is my outlook on your config.
>
> ====
> http_access allow AD_group_internet
> Would appear that you are trying to check for a user (external helper called
> with %LOGIN) without checking the external authenticator "ntlm" anywhere
> along the check (I have never used ntlm so this could be wrong).
>

The use of %LOGIN makes the external ACL challenge for credentials before
passing/failing. No problem there unless the release is broken or it's
used in a fast-access test.

> ====
> http_access allow AD_group_internet
> Is before your safe_port check which means safe_ports are never used, access
> can be achieved to every port out there, including mail servers etc.
>
> ====
> http_access deny ad_group_domain_users
> Denies users using %LOGIN which isn't checked first (see my statement above
> about ntlm... Never used it)
>
> ====
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> http_access allow localnet
> Would allow every user on your network (guessing this subnet is your
> network) to access the proxy. If a user isn't in your AD server (or your
> helper returns the wrong result) and isn't a member of one of your ntdom
> groups, they have access to the proxy and can browse without restriction.
>

Exactly. Also note that at this point the admins group and any other
groups, including anonymous and guest, have been allowed or denied.

I'd expect anyone on the LAN to be able to enter some valid credentials
and get allowed by this rule.

> ===
> acl AD_group_internet external ntdom internet
> AND
> acl AD_group_domain_users external ntdom "/etc/squid/ad_group_domain_users"
> seem to call your external helper quite differently, I don't know what your
> helper does so I assume either will work.

Should do. It's an old workaround to squid.conf not dealing well with
spaces inside entries.

>
> ===
> I have included a basic ACL config that should match what you're trying
> to achieve (from what I can see in your config). It's by no means complete
> but might clear up some of your issues. It doesn't include your external
> helper definitions or basic config entries like auth helpers, safe ports
> etc.
>
> Just a heads up. I am taking some wild guesses about what your actual setup
> is meant to be doing but the below seems fairly logical.
>
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
>
> # Deny bad ports
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> # Deny site in the blocked_websites list
> acl blocked_websites url_regex "/etc/squid/blocked_websites"
> http_access deny blocked_websites

dstdomain, dstdomain :) your CPU will love it.

>
> # Allow authenticated users in the INTERNET group on our network access
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl AD_group_internet external ntdom internet # Internet group members
> http_access allow localnet ntlm AD_group_internet
>
> # ?? anybody not in "INTERNET" group would be denied after this.
> #acl AD_group_domain_users external ntdom "/etc/squid/ad_group_domain_users"
> #http_access deny ntlm AD_group_domain_users
>
> http_access deny all
>
> Hopefully this wild bit of guessing will clear up some of the issues you are
> seeing and give some feedback into what is actually going wrong. Of course,
> if I am reading into what you are doing wrongly, then I am more than happy
> to stand corrected on the sideline. :)

Pretty much exactly what I'd recommend for their config too.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.5
Received on Fri Jul 30 2010 - 07:38:09 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 30 2010 - 12:00:04 MDT
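Added example, not from the thread or from Squid itself: a small Python model of how Squid walks http_access lines (top to bottom, a line matches when every ACL term on it matches, a leading "!" negates a term, the first match decides, and with no match Squid applies the opposite of the last line's action). It compares the rule order the poster described (group allow above the port checks, bare "allow localnet" below them) with the reordered list Scott suggested, to show the two consequences discussed: an internet-group member reaching port 25, and a LAN client with no credentials being allowed. The exact order of the poster's original lines, the ACL semantics, and the sample clients are assumptions constructed for illustration; in particular, the "ntlm" and "external ntdom" terms are modelled simply as "credentials present / group present", whereas a real Squid answers an unauthenticated request that hits such a term with a 407 challenge.

```python
"""Model of Squid http_access evaluation (added example, simplified)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Squid's stock Safe_ports / SSL_ports definitions.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}
LOCALNET = ipaddress.ip_network("192.168.0.0/16")


@dataclass(frozen=True)
class Request:
    src: str                         # client IP
    dst_port: int
    method: str = "GET"
    user: Optional[str] = None       # None = no proxy credentials presented
    groups: frozenset = frozenset()  # winbind group names as the helper would see them


# ACL name -> predicate over a Request. The two "external ntdom" ACLs use %LOGIN,
# so they can only match once credentials exist (modelled as user is not None).
ACLS = {
    "all":                   lambda r: True,
    "localnet":              lambda r: ipaddress.ip_address(r.src) in LOCALNET,
    "Safe_ports":            lambda r: r.dst_port in SAFE_PORTS,
    "SSL_ports":             lambda r: r.dst_port in SSL_PORTS,
    "CONNECT":               lambda r: r.method == "CONNECT",
    "ntlm":                  lambda r: r.user is not None,  # proxy_auth REQUIRED
    "AD_group_internet":     lambda r: r.user is not None and "domain/internet" in r.groups,
    "AD_group_domain_users": lambda r: r.user is not None and "domain/Domain Users" in r.groups,
}


def parse_http_access(conf):
    """Pull the http_access lines out of a squid.conf fragment, in order."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("http_access "):
            continue
        _, action, *terms = line.split()
        rules.append((action, terms))
    return rules


def term_matches(term, req):
    negated = term.startswith("!")
    return ACLS[term.lstrip("!")](req) != negated


def evaluate(rules, req):
    """First matching http_access line wins; fall-through is the opposite of the last line."""
    for action, terms in rules:
        if all(term_matches(t, req) for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Assumed approximation of the order the thread describes.
ORIGINAL_ORDER = """
http_access allow AD_group_internet
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny AD_group_domain_users
http_access allow localnet
http_access deny all
"""

# Scott's suggested order (manager lines omitted; not modelled here).
REORDERED = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet ntlm AD_group_internet
http_access deny all
"""

# Constructed sample clients.
INTERNET_USER = frozenset({"domain/Domain Users", "domain/internet"})
PLAIN_USER = frozenset({"domain/Domain Users"})
SAMPLES = {
    "internet member, port 80": Request("192.168.1.10", 80, user="alice", groups=INTERNET_USER),
    "internet member, port 25": Request("192.168.1.10", 25, user="alice", groups=INTERNET_USER),
    "plain user, port 80":      Request("192.168.1.11", 80, user="bob", groups=PLAIN_USER),
    "no credentials, port 80":  Request("192.168.1.12", 80),
}


def decisions(conf):
    """Verdict for every sample client under the given http_access list."""
    rules = parse_http_access(conf)
    return {label: evaluate(rules, req) for label, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, conf in (("original order", ORIGINAL_ORDER), ("reordered", REORDERED)):
        print(name)
        for label, verdict in decisions(conf).items():
            print(f"  {label:26s} -> {verdict}")
```

Under the original order the internet-group member is allowed to port 25 because the group allow fires before "deny !Safe_ports" is ever reached, and the client with no credentials is allowed by the bare "allow localnet"; under the reordered list the port check fires first and the localnet allow only matches once the ntlm and group terms on the same line also match.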