using SAMBA 3.0.9 and SQUID 2.5.STABLE7
I have an authorisation problem using the external helper wbinfo_group.pl. We
have 2 trusted domains, DOM_A and DOM_B (NT4 domains). Authorisation to DOM_A
(the squid server is a member of DOM_A) works fine, but users belonging to DOM_B
couldn't be authorized. This happens because squid never sends a fully
qualified group name, and it seems that wbinfo_group.pl needs the fully
qualified name; otherwise it doesn't recognize domain groups in the trusted
domain. For example: 'userB', belonging to group 'grpB' in domain 'DOM_B',
tries to open a page. Now wbinfo_group gets 'DOM_B+userB grpB' and
sends 'ERR' to squid (could not lookup name). If the parameter were
'DOM_B+userB DOM_B+grpB', everything would be fine (at least according to my
tests using wbinfo_group.pl directly from the shell).
Does anybody have an idea how to fix this problem? Maybe this is just a
configuration issue? Here are the relevant config lines:
smb.conf ->
[global]
workgroup = dom_a
security = domain
password server = 192.168.1.2
wins support = yes
max log size = 10000
local master = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
[..]
squid.conf ->
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 3
auth_param ntlm max_challenge_reuses 1
auth_param ntlm max_challenge_lifetime 2 minute
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic realm Squid proxy-caching web server
auth_param basic children 3
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 minute
external_acl_type NT_global_group children=10 ttl=900 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
coredump_dir /usr/local/squid/var/cache
[..]
acl squid_user external NT_global_group squid_user
acl _grp_allowed_sites dstdomain "/etc/squid/sites_auskunft"
# squid_auskunftD1 is global group in DOM_A
acl _auskunftD1_user external NT_global_group squid_auskunftD1
# squid_auskunftD2 is global group in DOM_B
acl _auskunftD2_user external NT_global_group squid_auskunftD2
[..]
http_access allow _grp_allowed_sites _auskunftD1_user
http_access allow _grp_allowed_sites _auskunftD2_user
[..]
http_reply_access allow all
icp_access allow all
http_access deny all
Regards,
Andreas Grund
Received on Thu Dec 02 2004 - 03:36:09 MST
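
Added example, not part of the original post and not the wbinfo_group.pl shipped with Squid: a sketch of an external ACL helper that qualifies a bare group name with the domain taken from the login before doing the same wbinfo lookups. It assumes the request line is "<login> <group> [<group> ...]", that the separator is the "+" from the posted smb.conf, and that an unqualified group is meant to live in the user's own domain (a same-named group in another domain would then not be checked). The function names are hypothetical.

```python
import subprocess
import sys

SEPARATOR = "+"  # matches "winbind separator = +" in the posted smb.conf


def qualify_group(user, group, sep=SEPARATOR):
    """Prefix an unqualified group with the domain part of the login."""
    if sep in group or sep not in user:
        return group  # already qualified, or the login carries no domain
    return user.split(sep, 1)[0] + sep + group


def wbinfo(*args):
    """Run wbinfo without a shell; return its stdout, or '' on any failure."""
    try:
        proc = subprocess.run(["wbinfo", *args], capture_output=True, text=True)
    except OSError:
        return ""
    return proc.stdout if proc.returncode == 0 else ""


def is_member(user, group, run=wbinfo):
    """Group name -> SID -> GID, then compare with the user's GID list."""
    sid = run("-n", qualify_group(user, group)).split()
    if not sid:
        return False  # the "could not lookup name" case from the post
    gid = run("-Y", sid[0]).strip()
    return bool(gid) and gid in run("-r", user).split()


def answer(line, run=wbinfo):
    """Answer one request line with OK or ERR (fails closed on bad input)."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"
    user, groups = fields[0], fields[1:]
    return "OK" if any(is_member(user, g, run) for g in groups) else "ERR"


if __name__ == "__main__":
    for request in sys.stdin:
        print(answer(request), flush=True)
```
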