Hi there!
I set up SquidNT on a Windows 2000 Server, and it works fine. I just have a little problem regarding authentication of domain groups via Squid.
The scenario:
We have four domains:
STADT-NW (where the proxy is in, Windows NT4 Domain)
VHS-NW (trusted domain, bidirectional, Windows 2003 Server, ADS)
TKS-NW (trusted domain, bidirectional, Windows 2003 Server, ADS)
WBGDOM01 (trusted domain, bidirectional, Windows 2000 Server SP3, ADS)
I check groups via the win32_check_group helper delivered with Squid using the following config:
external_acl_type NT_global_group %LOGIN c:/squid/libexec/win32_check_group.exe -G
auth_param ntlm program c:/squid/libexec/win32_ntlm_auth.exe
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off
acl WWW external NT_global_group WWW
acl admins external NT_global_group Domänen-Admins
acl password proxy_auth REQUIRED
http_access allow password WWW
http_access allow password admins
http_access deny password !WWW !admins
So two groups have access to the Internet: Domänen-Admins (domain admins) and the WWW group.
That works so far... for three of the four domains. If I try Internet access via the proxy with a user from STADT-NW, TKS-NW or VHS-NW, it works perfectly. But when trying a user from WBGDOM01, it won't work; Squid returns an Access Denied page.
I tried using the helper from the command line, using domain\\user and group as parameters, and it works. The helper returns an OK in that case.
But when looking at the cache.log file when trying to access Squid via browser with that user, I see the following error message:
/win32_check_group.exe NetUserGetGroups() failed.'
Can anyone help me with that? I don't think it's a problem with the helper, since it works in command line mode.
Regards,
Jens Altrock
Diplom-Ingenieur (BA)
Stadtverwaltung Neustadt an der Weinstraße
EDV und Organisation
Marktplatz 1
67433 Neustadt an der Weinstraße
Tel. +49 6321 855 330
Fax +49 6321 855 7330
mailto:jens.altrock@stadt-nw.de
http://www.neustadt-weinstrasse.de
Received on Thu Mar 24 2005 - 03:07:34 MST
This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:02 MST
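A diagnostic for the situation described in the post, where the helper answers OK from the command line but fails when Squid runs it. This is an added example, not part of the original message or of Squid: a pass-through wrapper that can be named in external_acl_type in place of the real helper, recording the account it runs under and every request line and reply. The "user group" request shape, the script's command-line arguments and the stand-in helper are assumptions made for illustration.

```python
import io
import os
import subprocess
import sys

# Constructed stand-in for the real helper so the example runs anywhere:
# replies ERR for WBGDOM01 users (the symptom in the post), OK otherwise.
STAND_IN = [sys.executable, "-u", "-c",
            "import sys\n"
            "for l in sys.stdin:\n"
            "    print('ERR' if l.startswith('WBGDOM01') else 'OK', flush=True)"]
# Constructed request lines in the assumed "user group" shape.
SAMPLE = [b"STADT-NW\\alice WWW\n", b"WBGDOM01\\bob WWW\n"]


def relay(requests, helper_cmd, log):
    """Pass each request line to the real helper; log and yield each reply."""
    proc = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE)
    try:
        for raw in requests:
            request = raw.rstrip(b"\r\n")
            try:
                proc.stdin.write(request + b"\n")
                proc.stdin.flush()
                reply = proc.stdout.readline().rstrip(b"\r\n")
            except OSError:          # helper already exited
                reply = b""
            reply = reply or b"ERR"  # no answer is treated as a denial
            log.write(f"request={request!r} reply={reply!r}\n")
            log.flush()
            yield reply
    finally:
        proc.communicate()           # close pipes and reap the helper


def demo():
    """Run the constructed sample through the stand-in helper."""
    log = io.StringIO()
    return list(relay(SAMPLE, STAND_IN, log)), log.getvalue()


if __name__ == "__main__":
    # Hypothetical usage: relay.py <logfile> <real helper> [helper args...]
    account = os.environ.get("USERNAME") or os.environ.get("USER") or "unknown"
    with open(sys.argv[1], "a") as log:
        log.write(f"running as {account!r}\n")
        for reply in relay(sys.stdin.buffer, sys.argv[2:], log):
            sys.stdout.buffer.write(reply + b"\n")
            sys.stdout.buffer.flush()
```

Comparing the logged request bytes and account name with those used in the manual command-line test shows whether the helper is being given the same input under the same identity in both cases.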