[squid-users] Problems with Group detection with ADS

From: Puschmann, Sven <Sven.Puschmann_at_haevg-rz.de>
Date: Wed, 21 May 2014 08:00:35 +0000

Hi Folks,

I've installed a new SQUID Server for our Holding Company (same ActiveDirectory Forest, but another Domain) and I have a little Problem with it.

Here's the Auth and ACL External Config from both Servers (running and newly installed):

Running Config (Part):
===================================================================================
### Kerberos
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<DOMAIN-NAME> --kerberos /usr/lib/squid3/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

### NTLM
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<DOMAIN-NAME>
auth_param ntlm children 10
auth_param ntlm keep_alive off

### BASIC
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=<DOMAIN-FQDN>,dc=<DOMAIN-TLD>" -D squid@<DOMAIN-FQDN>.<DOMAIN-TLD> -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h <DC DNS Name>
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

################################
### Access rule definitions  ###
################################
acl auth proxy_auth REQUIRED

external_acl_type testForNTGroup %LOGIN /usr/lib/squid3/wbinfo_group.pl
external_acl_type urlblacklist_lookup ttl=60 %URI /usr/local/bin/url_lookup adult,aggressive,artnudes,chat,dating,desktopsillies,dialers,drugs,filehosting,gambling,games,hacking,instantmessaging,mail,mixed_adult,naturism,onlineauctions,onlinegames,phishing,porn,proxy,ringtones,sexuality,sexualityeducation,socialnetworking,spyware,violence,virusinfected,warez,webmail
external_acl_type urlblacklist_lookup_soc ttl=60 %URI /usr/local/bin/url_lookup adult,aggressive,artnudes,chat,dating,desktopsillies,dialers,drugs,filehosting,gambling,games,hacking,instantmessaging,mail,mixed_adult,naturism,onlineauctions,onlinegames,phishing,porn,proxy,ringtones,sexuality,sexualityeducation,spyware,violence,virusinfected,warez,webmail

acl Full external testForNTGroup RZ-PXY-Full
acl Standard external testForNTGroup RZ-PXY-Standard
acl Blocked external testForNTGroup RZ-PXY-Blocked
acl StandardSocial external testForNTGroup RZ-PXY-SocialMedia
acl StandardVideo external testForNTGroup RZ-PXY-Videoportale
acl StandardAdvanced external testForNTGroup RZ-PXY-StandardAdvanced
===================================================================================

Problem Config (same part):
===================================================================================
### Kerberos
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<DOMAIN-NAME> --kerberos /usr/lib/squid3/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

### NTLM
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<DOMAIN-NAME>
auth_param ntlm children 10
auth_param ntlm keep_alive off

### BASIC
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=<DOMAIN-FQDN>,dc=<DOMAIN-TLD>" -D squid@<DOMAIN-FQDN>.<DOMAIN-TLD> -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h <DC DNS NAME>
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

################################
### Access rule definitions  ###
################################
acl auth proxy_auth REQUIRED

external_acl_type testForNTGroup %LOGIN /usr/lib/squid3/wbinfo_group.pl
external_acl_type urlblacklist_lookup ttl=60 %URI /usr/local/bin/url_lookup adult,aggressive,artnudes,blog,chat,dating,desktopsillies,dialers,drugs,filehosting,gambling,games,hacking,instantmessaging,mail,mixed_adult,naturism,onlineauctions,onlinegames,phishing,porn,proxy,ringtones,sexuality,sexualityeducation,socialnetworking,social_networks,spyware,violence,virusinfected,warez,webmail
external_acl_type urlblacklist_lookup_soc ttl=60 %URI /usr/local/bin/url_lookup adult,aggressive,artnudes,chat,dating,desktopsillies,dialers,drugs,filehosting,gambling,games,hacking,instantmessaging,mail,mixed_adult,naturism,onlineauctions,onlinegames,phishing,porn,proxy,ringtones,sexuality,sexualityeducation,socialnetworking,spyware,violence,virusinfected,warez,webmail

acl Full external testForNTGroup pxy-full
acl Standard external testForNTGroup pxy-standard
acl Blocked external testForNTGroup pxy-blocked
acl StandardSocial external testForNTGroup pxy-socialmedia
acl StandardVideo external testForNTGroup pxy-videoportale
acl StandardAdvanced external testForNTGroup pxy-standardadvanced
===================================================================================

The Problem is:
If the User connects via the Hostname to the Proxy Server he lands in the last "Deny All" ACL because the Proxy Server cannot determine the User's Group correctly. But if I set the Proxy via the direct IP Address everything is okay.
On the running SQUID (first config snippet) there is no such Problem.

Here are some Debug Outputs (same output in the running SQUID):
=================================================
wbinfo -t
checking the trust secret for domain <DOMAIN-NAME> via RPC calls succeeded

echo "<DOMAIN-NAME>\user.name pxy-standard" | /usr/lib/squid3/wbinfo_group.pl
OK

echo "user.name pxy-standard" | /usr/lib/squid3/wbinfo_group.pl
OK
=================================================

Has anybody an Idea what might be the Problem? I'm really confused about the Situation that it's okay via IP Address and not okay via DNS Name. The DNS Resolution is working (from any Client).

Greetings from Cologne
Sven Puschmann
Received on Wed May 21 2014 - 08:00:57 MDT
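A reviewer's added example, not part of the post or of Squid's own wbinfo_group.pl: a small re-implementation of the external ACL helper protocol shown in the debug output (read "login group [group...]", answer OK or ERR) that normalises the three login shapes Squid's auth schemes hand to %LOGIN. The assumption behind it is that a hostname URL lets the browser use Negotiate/Kerberos, whose helper reports the user as user@REALM, while an IP address forces NTLM, which reports DOMAIN\user; if the group helper only recognises the second form, exactly the hostname-only failure described above results. Domain names, the realm map and the membership table are constructed sample data.

```python
import sys
import urllib.parse

# Constructed sample directory standing in for winbind group lookups.
# Keys are "DOMAIN\user" as winbind reports them (assumption: sample names).
SAMPLE_MEMBERSHIP = {
    "HOLDING\\user.name": {"pxy-standard", "pxy-socialmedia"},
    "HOLDING\\admin.one": {"pxy-full"},
}
# Kerberos realms this helper is allowed to map onto a NetBIOS domain.
# Anything outside this map is refused rather than guessed (assumption).
REALM_TO_DOMAIN = {"HOLDING.EXAMPLE": "HOLDING"}
DEFAULT_DOMAIN = "HOLDING"  # used for the bare user name that Basic auth yields


def normalize_login(login):
    """Map user@REALM (Kerberos), DOMAIN\\user (NTLM, %-encoded by Squid as
    DOMAIN%5Cuser) and a bare user (Basic) onto the DOMAIN\\user form.
    Returns None for a principal from a realm this helper does not serve."""
    login = urllib.parse.unquote(login)
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return f"{domain.upper()}\\{user}"
    if "@" in login:
        user, realm = login.rsplit("@", 1)
        domain = REALM_TO_DOMAIN.get(realm.upper())
        return None if domain is None else f"{domain}\\{user}"
    return f"{DEFAULT_DOMAIN}\\{login}"


def check_groups(line, membership=SAMPLE_MEMBERSHIP):
    """One helper request line ("<login> <group> [<group>...]"), as produced by
    the external_acl_type line on the page; returns "OK" or "ERR".
    Group names are compared case-insensitively, as AD treats them."""
    tokens = line.split()
    if not tokens:
        return "ERR"
    key = normalize_login(tokens[0])
    if key is None:
        return "ERR"
    wanted = {urllib.parse.unquote(g).lower() for g in tokens[1:]}
    actual = {g.lower() for g in membership.get(key, set())}
    return "OK" if wanted & actual else "ERR"


def main():
    # Squid keeps the helper running and sends one request per line.
    for line in sys.stdin:
        sys.stdout.write(check_groups(line.strip()) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Feeding the three login forms through it (e.g. `echo "user.name@HOLDING.EXAMPLE pxy-standard" | python3 helper.py`) is a quick way to see whether a group helper treats the Kerberos principal the same as the NTLM name.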