Hello
This is my first post. I've just set up Squid 2.7 STABLE on Ubuntu server
10.4 with NTLM authentication and Winbind. At present, anyone who is a
member of the Domain Admins group is unable to access the proxy
server; they just get a normal "Page cannot be displayed" message in IE,
not even a squid error. When they access a blocked site (login.live.com),
same thing. A coworker previously set up 2.6 STABLE on FreeBSD 7 and he had
the same problem. I have a few accounts with domain admin privileges, but
they all have the same problem. Config is below.
I have tried commenting out the ACL "http_access deny
ad_group_domain_users", which points to a file that just says Domain Users,
but that makes no difference. When I run wbinfo_group.pl by hand with
domain\administrator domain\internet, OK is returned; the same happens with my
username (non domain admin). There are no errors in the access.log or cache.log. I
HAVE changed the wbinfo_group.pl as the default one wasn't working...but if
it's returning OK when I run a check I don't understand the issue. If
there's a better way to accomplish this let me know... I would like to use
Kerberos authentication instead of NTLM to make life easier for my Linux and
Mac users :)
==================
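# Authentication: NTLM via the helper below, with 20 helper processes.
# Increase "children" if authentication is slow.
# NOTE(review): only one "auth_param ntlm program" line is expected per
# scheme; a second one is believed to replace the first rather than add a
# fallback DC. Confirm which helper command is actually in effect (e.g. the
# helper processes visible in "ps") and, if both DCs are wanted, check the
# helper's own syntax for naming several servers on one line.
auth_param ntlm program /usr/lib/squid/ntlm_auth -f domain.com/dc1
auth_param ntlm program /usr/lib/squid/ntlm_auth -f domain.com/dc2
auth_param ntlm children 20

# Basic ACLs so the server can reach itself and the cache manager.
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

# Authenticated-user ACL.
# NOTE(review): this ACL is defined but never referenced by an http_access
# line, so by itself it forces nothing; authentication is only triggered
# when the external "ntdom" ACL (which uses %LOGIN) is evaluated.
acl ntlm proxy_auth REQUIRED

# Ports that may be used with CONNECT (TLS tunnels).
acl SSL_ports port 443
acl SSL_ports port 8383 # VMWare Server
acl SSL_ports port 8444 # Identity Guard
acl SSL_ports port 4444 # OWA

# Ports that may be proxied at all.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 4444 # OWA https
acl Safe_ports port 8444 # Identity Guard https
# The next line was misspelled "Safe_prots", which silently defined a
# separate, unused ACL and left 8383 out of Safe_ports.
acl Safe_ports port 8383 # VMWare Server https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

# Request method ACL used by the CONNECT port check below.
acl CONNECT method CONNECT

# External helper for winbind group checks. ttl=0 means every request is
# re-checked against the helper; %LOGIN makes Squid authenticate the user
# before the helper is consulted, so this is what actually triggers NTLM.
external_acl_type ntdom ttl=0 children=20 %LOGIN /usr/lib/squid/wbinfo_group.pl

#########BE VERY CAREFUL OF RULE ORDER, WILL STOP WHEN SOMETHING MATCHES AND NOT CONTINUE###########

# Port hygiene first, so that no later "allow" can bypass it. In the
# previous order these two lines came after "allow AD_group_internet",
# which let members of the INTERNET group reach any port and CONNECT to
# any port.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Denies access to blocked websites, ie. Hotmail.
acl blocked_websites url_regex "/etc/squid/blocked_websites"
http_access deny blocked_websites

# Allows users in "INTERNET" AD group to access internet through proxy
acl AD_group_internet external ntdom internet
http_access allow AD_group_internet

# Denies users in "DOMAIN USERS" AD group from using proxy. Must be a
# member of "INTERNET" group to get online. The quoted file holds the
# group name ("Domain Users"). The http_access line now uses the same
# spelling as the acl line (it previously read "ad_group_domain_users").
acl AD_group_domain_users external ntdom "/etc/squid/ad_group_domain_users"
http_access deny AD_group_domain_users

# Cache manager: local access only.
http_access allow manager localhost
http_access deny manager

# Permitted networks for Proxy
# NOTE(review): a localnet request that authenticates but matches neither
# AD group falls through to this allow -- confirm that is intended.
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
http_access allow localnet

# Deny all other access
http_access deny all
#########END RULE ORDER CAREFULNESS###########

# Allow access to Internet Cache Proxy from localnet
icp_access allow localnet
icp_access deny all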