[squid-users] R: [squid-users] External users from Child AD domain unable to use local Squid proxy

From: Guido Serassio <guido.serassio_at_acmeconsulting.it>
Date: Sun, 18 Apr 2010 12:26:05 +0200

Hi,

When using mswin_check_ad_group.exe 1.x in global mode (-G option), the check is always done against a global group placed in the user's domain.

Starting from 2.7 STABLE 8, mswin_check_ad_group.exe 2.x is now a full AD group helper supporting full forest-wide group recursion.
Take a look at the included docs for details.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio_at_acmeconsulting.it
WWW: http://www.acmeconsulting.it

> -----Original Message-----
> From: Milan [mailto:compguy030471_at_gmail.com]
> Sent: Thursday 15 April 2010 17.17
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] External users from Child AD domain unable to use
> local Squid proxy
>
> We are using Squid on Windows as a proxy and we are having an issue
> when users that come from a child domain to our office do not
> authenticate properly.
>
> Example: our domain is na.myworld.com and users from eu.myworld.com
> come to our office and do not authenticate correctly.
> The log of the connection is below.
>
> 1271280071.727     47 172.23.5.54 TCP_DENIED/407 1766 GET
> http://www.yahoo.com/ - NONE/- text/html
> 1271280071.774     31 172.23.5.54 TCP_DENIED/407 2082 GET
> http://www.yahoo.com/ - NONE/- text/html
> 1271280099.086  27312 172.23.5.54 TCP_DENIED/403 1449 GET
> http://www.yahoo.com/ eu\vbonafe NONE/- text/html
> 1271280104.258     47 172.23.5.54 TCP_DENIED/407 1763 GET
> http://www.yahoo.es/ - NONE/- text/html
> 1271280104.289     31 172.23.5.54 TCP_DENIED/407 2079 GET
> http://www.yahoo.es/ - NONE/- text/html
> 1271280104.524    235 172.23.5.54 TCP_DENIED/403 1447 GET
> http://www.yahoo.es/ eu\vbonafe NONE/- text/html
> 1271280110.274    391 172.23.5.54 TCP_MISS/200 5128 GET
> http://www.google.com/ -
> DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
> 1271280110.524     63 172.23.5.54 TCP_MISS/204 494 GET
> http://clients1.google.com/generate_204 -
> DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
> 1271280110.649    157 172.23.5.54 TCP_MISS/204 434 GET
> http://www.google.com/csi? - DIRECT/72.14.204.103 text/html
>
> We have the below acl for users in the AD global group
>
>
> external_acl_type AD_global_group ttl=120 %LOGIN
> c:/squid/libexec/mswin_check_ad_group.exe -G
>
> and another acl below that allows full access thru the squid proxy
> using an AD group
>
> acl InetAllow external AD_global_group CLW.Squid.Full
>
>
> any ideas????
Received on Sun Apr 18 2010 - 10:26:11 MDT
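
An added example, not part of the original messages and not Squid's own code: a Python sketch that parses access.log lines like those quoted above and separates 407 authentication challenges (no user logged) from 403 denials that carry a username, meaning the request got past the challenge and was refused afterwards, as in the `eu\vbonafe` entries. The function names are hypothetical, and the sample lines are a subset of the quoted log, rejoined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: entries taken from the quoted message and rejoined
# onto single lines, as Squid writes them in its native access.log format.
SAMPLE_LOG = r"""
1271280071.727     47 172.23.5.54 TCP_DENIED/407 1766 GET http://www.yahoo.com/ - NONE/- text/html
1271280099.086  27312 172.23.5.54 TCP_DENIED/403 1449 GET http://www.yahoo.com/ eu\vbonafe NONE/- text/html
1271280104.258     47 172.23.5.54 TCP_DENIED/407 1763 GET http://www.yahoo.es/ - NONE/- text/html
1271280104.524    235 172.23.5.54 TCP_DENIED/403 1447 GET http://www.yahoo.es/ eu\vbonafe NONE/- text/html
1271280110.274    391 172.23.5.54 TCP_MISS/200 5128 GET http://www.google.com/ - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
"""

# time elapsed client result/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

def parse(text):
    """Yield one dict per well-formed access.log line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def classify(entry):
    """Separate authentication challenges from denials after a user was logged."""
    user, status = entry["user"], entry["status"]
    if status == "407" and user == "-":
        return "auth_challenge"   # proxy asked for credentials
    if status == "403" and user != "-":
        return "authz_denied"     # user identified, then refused by an ACL
    return "other"

def denied_by_domain(text):
    """Map DOMAIN -> set of users who were identified but refused."""
    out = defaultdict(set)
    for e in parse(text):
        if classify(e) == "authz_denied":
            domain, _, name = e["user"].rpartition("\\")
            out[domain.lower() or "(none)"].add(name.lower())
    return dict(out)

if __name__ == "__main__":
    for domain, users in denied_by_domain(SAMPLE_LOG).items():
        print(f"{domain}: identified but denied -> {sorted(users)}")
```

Denials grouped under a single domain prefix point at the group-membership check rather than at the credentials, which matches the helper behaviour described in the reply.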
