[squid-users] Squid 2.6.9 ntlm_auth AD Group checking no longer works.

From: David Whitehead <dwhitehead@dont-contact.us>
Date: Fri, 23 Feb 2007 13:24:47 -0800

Sort of new to mailing lists but here goes...

Been using Squid for two year to regulate corporate web access based on
Active Directory group membership.
Up until Monday (after a portupgrade on FreeBSD 6.1) it's been working
PERFECTLY. Samba and windbindd have been working flawlessly. The current
squid.conf is as follows (Any clues as to what's wrong would be MOST
helpful as I've been pulling my hair out over this for five days now):

# MONITOR Squid

hierarchy_stoplist cgi-bin ?

http_port 3128

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

cache_dir ufs /usr/local/etc/squid/cache 10000 10 10

cache_access_log /usr/local/etc/squid/log/access.log

cache_store_log /usr/local/etc/squid/log/store.log

pid_filename /usr/local/etc/squid/log/squid.pid

debug_options ALL,1

redirect_children 5

auth_param ntlm program /usr/local/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
# auth_param ntlm program /usr/local/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
# auth_param ntlm max_challenge_reuses 0
# auth_param ntlm max_challenge_lifetime 2 minute
# external_acl_type nt_group ttl=0 concurrency=5 %LOGIN
/usr/local/libexec/squid/wbinfo_group.pl

# TEST
external_acl_type nt_group ttl=0 children=20 %LOGIN
/usr/local/libexec/squid/wbinfo_group.pl

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
acl regularusers external nt_group Browser-Users
acl allowedurls dstdomain
"/usr/local/etc/squid/restrictedusers_allowedurls"
acl restrictedusers external nt_group Restricted-Browser-Use
acl ALWIZARD dst 65.163.6.109-65.163.6.109/255.255.255.255
65.163.6.110-65.163.6.110/255.255.255.255
acl blockurls dstdomain "/usr/local/etc/squid/blockurls"

http_access allow manager localhost
http_access deny manager
http_access allow regularusers
http_access deny !SSL_ports !Safe_ports !CONNECT !ALWIZARD
http_access deny all

http_reply_access allow all

icp_access allow manager localhost AuthorizedUsers regularusers
restrictedusers

cache_effective_user squid

cache_effective_group squid

coredump_dir /usr/local/etc/squid/cache

# redirect_program /usr/local/libexec/squid_redirect
Received on Fri Feb 23 2007 - 14:24:56 MST

This archive was generated by hypermail pre-2.1.9 : Thu Mar 01 2007 - 12:00:01 MST