Re: [squid-users] External users from Child AD domain unable to use local Squid proxy

From: Milan <compguy030471_at_gmail.com>
Date: Mon, 19 Apr 2010 15:33:09 -0400

Below is our squid.conf. We still cannot get external AD users to work
on our proxy.

cache_peer proxy2.us.xxxxxxxxxx.com parent 3128 0000 default no-query no-digest

auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 40
auth_param ntlm keep_alive on

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type AD_global_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G

ftp_user squid_at_xxxxxxxx.com

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl WindowsUpdate dstdomain -i "c:/squid/etc/windowsupdate.txt"

acl bypass_auth src "C:\squid\etc\ByPass_Auth_SRC_IP.txt"
acl bypass_auth-external dstdomain "C:\squid\etc\ByPass_Auth_DST_DOMAIN.txt"

acl DIRECT src "C:\squid\etc\Direct_SRC_IP.txt"
acl DIRECT-external dstdomain "C:\squid\etc\Direct_DST_DOMAIN.txt"

acl Java browser Java/[0-9]

acl Approved_IP dstdomain "C:\squid\etc\Approved_IP.txt"

# Domains accessible to all PC's
acl Approved_Domains dstdomain "C:\squid\etc\Approved.txt"

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT
acl ftp proto FTP

acl authproxy proxy_auth REQUIRED
acl our_networks src 172.xx.xx.xx/12
acl HEAD method HEAD

acl InetAllow external AD_global_group CLW.Squid.Full

http_access allow manager localhost
http_access allow HEAD
http_access allow ftp
http_access allow WindowsUpdate
http_access allow bypass_auth
http_access allow bypass_auth-external
http_access allow Approved_Domains
http_access allow Java
http_access allow Approved_IP
http_access allow InetAllow
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !our_networks

On Sun, Apr 18, 2010 at 06:26, Guido Serassio
<guido.serassio_at_acmeconsulting.it> wrote:
> Hi,
>
> When using mswin_check_ad_group.exe 1.x in global mode (-G option), the check is always done against a global group placed in the user's domain.
>
> Starting from 2.7 STABLE 8, mswin_check_ad_group.exe 2.x is now a full AD group helper supporting full forest wide group recursion.
> Take a look at the included docs for details.
>
> Regards
>
> Guido Serassio
> Acme Consulting S.r.l.
> Microsoft Gold Certified Partner
> Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135               Fax. : +39.011.9781115
> Email: guido.serassio_at_acmeconsulting.it
> WWW: http://www.acmeconsulting.it
>
>
>> -----Original Message-----
>> From: Milan [mailto:compguy030471_at_gmail.com]
>> Sent: Thursday, 15 April 2010 17:17
>> To: squid-users_at_squid-cache.org
>> Subject: [squid-users] External users from Child AD domain unable to use
>> local Squid proxy
>>
>> We are using Squid on Windows as a proxy and we are having an issue
>> where users who come to our office from a child domain do not
>> authenticate properly.
>>
>> Example: our domain is na.myworld.com, and users from eu.myworld.com
>> come to our office and do not authenticate correctly.
>> The log of the connection is below.
>>
>> 1271280071.727     47 172.23.5.54 TCP_DENIED/407 1766 GET http://www.yahoo.com/ - NONE/- text/html
>> 1271280071.774     31 172.23.5.54 TCP_DENIED/407 2082 GET http://www.yahoo.com/ - NONE/- text/html
>> 1271280099.086  27312 172.23.5.54 TCP_DENIED/403 1449 GET http://www.yahoo.com/ eu\vbonafe NONE/- text/html
>> 1271280104.258     47 172.23.5.54 TCP_DENIED/407 1763 GET http://www.yahoo.es/ - NONE/- text/html
>> 1271280104.289     31 172.23.5.54 TCP_DENIED/407 2079 GET http://www.yahoo.es/ - NONE/- text/html
>> 1271280104.524    235 172.23.5.54 TCP_DENIED/403 1447 GET http://www.yahoo.es/ eu\vbonafe NONE/- text/html
>> 1271280110.274    391 172.23.5.54 TCP_MISS/200 5128 GET http://www.google.com/ - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
>> 1271280110.524     63 172.23.5.54 TCP_MISS/204 494 GET http://clients1.google.com/generate_204 - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
>> 1271280110.649    157 172.23.5.54 TCP_MISS/204 434 GET http://www.google.com/csi? - DIRECT/72.14.204.103 text/html
>>
>> We have the below acl for users in the AD global group
>>
>> external_acl_type AD_global_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G
>>
>> and another acl below that allows full access through the squid proxy
>> using an AD group
>>
>> acl InetAllow external AD_global_group CLW.Squid.Full
>>
>>
>> Any ideas?
>
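The log excerpt above shows the signature of this problem: two 407 challenges (NTLM handshake) followed by a 403 that already carries the login `eu\vbonafe`, so authentication succeeded and it is the group-based allow rule that fails. Guido's point is that the 1.x helper in `-G` mode looks for the group only in the user's own domain, so a visitor from the `eu` child domain is checked against a group that exists in `na`. The following is an added example, not code from the thread or from the Squid project: it parses native access.log lines, flags "authenticated but denied" requests, and emulates the helper's OK/ERR decision in per-domain global mode versus a forest-wide search. The directory contents, the `na\alice` account and the placement of `CLW.Squid.Full` in the `na` domain are constructed assumptions; the first three sample lines are taken from the thread, the fourth is constructed.

```python
"""Added example: parse Squid native access.log lines, flag requests that
authenticated but were still denied, and emulate an external ACL group helper
in per-domain "global" mode versus a forest-wide search. Directory data and
the na\\alice account are constructed, not taken from the squid-users thread."""
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class AccessRecord(NamedTuple):
    # Native log: time elapsed client code/status bytes method URL login hier/peer type
    ts: float
    elapsed_ms: int
    client: str
    code: str
    status: int
    size: int
    method: str
    url: str
    login: str
    hierarchy: str
    mime: str


def parse_access_log(text: str) -> List[AccessRecord]:
    """Parse Squid 2.x native access.log lines (10 whitespace-separated fields).
    Lines with an unexpected field count (blank or wrapped) are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 10:
            continue
        code, status = fields[3].split("/", 1)
        records.append(AccessRecord(
            ts=float(fields[0]), elapsed_ms=int(fields[1]), client=fields[2],
            code=code, status=int(status), size=int(fields[4]), method=fields[5],
            url=fields[6], login=fields[7], hierarchy=fields[8], mime=fields[9]))
    return records


def authenticated_but_denied(records: List[AccessRecord]) -> List[AccessRecord]:
    """A 403 with a login present means credentials were accepted (no more 407s)
    but no http_access allow rule matched: the authorization step failed."""
    return [r for r in records if r.status == 403 and r.login != "-"]


def split_login(login: str) -> Tuple[Optional[str], str]:
    """Split an NTLM-style DOMAIN\\user login into (domain, user), lower-cased.
    Domain is None for a bare user name (or the '-' placeholder)."""
    if "\\" in login:
        dom, user = login.split("\\", 1)
        return dom.lower(), user.lower()
    return None, login.lower()


# Constructed forest model: domain -> group name (lower-case) -> member logins.
Forest = Dict[str, Dict[str, Set[str]]]


def check_group_global(login: str, group: str, forest: Forest) -> bool:
    """Global (-G) behaviour as described in the thread: look for the group only
    in the user's own domain. A visitor from 'eu' is checked against 'eu'."""
    dom, _ = split_login(login)
    if dom is None:
        return False
    members = forest.get(dom, {}).get(group.lower())
    return members is not None and login.lower() in members


def check_group_forest(login: str, group: str, forest: Forest) -> bool:
    """Forest-wide search: find the group in any domain, then test membership."""
    for groups in forest.values():
        members = groups.get(group.lower())
        if members is not None and login.lower() in members:
            return True
    return False


def helper_reply(request_line: str, forest: Forest, forest_wide: bool = False) -> str:
    """Emulate the external_acl_type helper exchange: Squid sends one request
    per line, '%LOGIN' followed by the acl arguments (group names), and the
    helper answers OK or ERR. Quoting/escaping of the fields is left aside."""
    parts = request_line.split()
    if len(parts) < 2:
        return "ERR"
    login, groups = parts[0], parts[1:]
    check = check_group_forest if forest_wide else check_group_global
    return "OK" if any(check(login, g, forest) for g in groups) else "ERR"


# Constructed: CLW.Squid.Full (the group named in the thread) lives in 'na';
# the 'eu' child domain has no group of that name. na\alice is invented.
FOREST: Forest = {
    "na": {"clw.squid.full": {"na\\alice", "eu\\vbonafe"}},
    "eu": {},
}

# Lines 1-3 are from the thread (re-joined); line 4 is constructed.
SAMPLE_LOG = r"""
1271280071.727     47 172.23.5.54 TCP_DENIED/407 1766 GET http://www.yahoo.com/ - NONE/- text/html
1271280099.086  27312 172.23.5.54 TCP_DENIED/403 1449 GET http://www.yahoo.com/ eu\vbonafe NONE/- text/html
1271280110.274    391 172.23.5.54 TCP_MISS/200 5128 GET http://www.google.com/ - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
1271280120.000    120 172.23.5.60 TCP_MISS/200 4096 GET http://www.example.com/ na\alice DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
"""


def main() -> None:
    for r in authenticated_but_denied(parse_access_log(SAMPLE_LOG)):
        req = f"{r.login} CLW.Squid.Full"
        print(f"{r.client} {r.login}: authenticated but denied ({r.status}); "
              f"global mode -> {helper_reply(req, FOREST)}, "
              f"forest-wide -> {helper_reply(req, FOREST, forest_wide=True)}")


if __name__ == "__main__":
    main()
```

Run stand-alone, the script reports `eu\vbonafe` as authenticated-but-denied with `ERR` in global mode and `OK` in forest-wide mode, which is the difference between the 1.x `-G` helper and the 2.x forest-wide helper that Guido describes. The same "403 with a login present" filter is a useful thing to watch for in access.log generally: it separates credential failures (repeated 407s with `-`) from authorization failures.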
Received on Mon Apr 19 2010 - 19:33:16 MDT