RE: [squid-users] Domain Admins can't access

From: Megan Grubb <MGrubb_at_evertz.com>
Date: Wed, 4 Aug 2010 10:23:23 -0400

Have to take that back...I retyped it and it's OK now, so something must
have been malformed in my script.

Getting a bit further...domain admins get a Squid access denied when
trying to access blocked sites :) However, they can't access pages they
should be able to, ie. Google. Still the same "Cannot display page"
error, and it's not from Squid.

Also, I'm currently using MS Proxy 2.0 (eek, I know) with AD
authentication, and block based on IP address (ewe). When I use this it
will prompt for credentials for users not in my domain...any possible
way to do this with Squid?

-----Original Message-----
From: Megan Grubb
Sent: Wednesday, August 04, 2010 9:33 AM
To: 'Scott Horsley'; squid-users_at_squid-cache.org
Subject: RE: [squid-users] Domain Admins can't access

Hi Scott

Thanks for the response :) I tried what you suggested, but with that in
my squid.conf file I cannot get the service to start. Nothing shows up
in /var/log/messages, or cache.log. Any ideas?

You are correct with what I'm trying to do. Only people who belong to
the "internet" security group in AD should be permitted access to the
internet, with the exception of the blacklisted URLs for regular
expression matching. By default, everyone else should be denied access.
Down the road I will likely start doing whitelists for specific
departments so they can only access the sites they require.

Megan

-----Original Message-----
From: Scott Horsley [mailto:scott.horsley_at_staff.netspace.net.au]
Sent: Thursday, July 29, 2010 8:59 PM
To: Megan Grubb; squid-users_at_squid-cache.org
Subject: Re: [squid-users] Domain Admins can't access

On 30/07/10 2:25 AM, "megs28" <mgrubb_at_evertz.com> wrote:

>
> Hello
>
> This is my first post. I've just set up Squid 2.7 STABLE on Ubuntu server
> 10.4 with NTLM authentication and Winbind. At present, anyone who is a
> member of the domain admins group is not able to access the proxy
> server...they just get a normal "Page cannot be displayed" message in IE,
> not even a squid error. When they access a blocked site (login.live.com),
> same thing. A coworker previously set up 2.6STABLE on FreeBSD 7 and he had
> the same problem. I have a few accounts with domain admin privileges, but
> they all have the same problem. Config is below.
>
> I have tried commenting out the ACL "http_access deny
> ad_group_domain_users", which points to a file that just says Domain Users,
> but that makes no difference. When I do domain\administrator
> domain\internet with wbinfo_group.pl OK is returned....same with my username
> (non domain admin). There are no errors in the access.log or cache.log. I
> HAVE changed the wbinfo_group.pl as the default one wasn't working...but if
> it's returning OK when I run a check I don't understand the issue. If
> there's a better way to accomplish this let me know...would like for
> Kerber <snip>

I think the biggest issue you have is actually highlighted in your
config..
You have

> #########BE VERY CAREFUL OF RULE ORDER, WILL STOP WHEN SOMETHING MATCHES AND
> NOT CONTINUE###########

And that is the important part of all this.

Just observations but here is my outlook on your config.

====
http_access allow AD_group_internet
Would appear that you are trying to check for a user (external helper called
with %LOGIN) without checking the external authenticator "ntlm" anywhere
along the check (I have never used ntlm so this could be wrong).

====
http_access allow AD_group_internet
Is before your safe_port check which means safe_ports are never used; access
can be achieved to every port out there, including mail servers etc.

====
http_access deny ad_group_domain_users
Denies users using %LOGIN which isn't checked first (see my statement above
about ntlm... Never used it)

====
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
http_access allow localnet
Would allow every user on your network (guessing this subnet is your
network) to access the proxy. If a user isn't in your AD server (or your
helper returns the wrong result) and isn't a member of one of your ntdom
groups, they have access to the proxy and can browse without restriction.

===
acl AD_group_internet external ntdom internet
AND
acl AD_group_domain_users external ntdom "/etc/squid/ad_group_domain_users"
seem to call your external helper quite differently, I don't know what your
helper does so I assume either will work.

===
I have included a basic ACL config that should match onto what you're trying
to achieve (from what I can see in your config). It's by no means complete
but might clear up some of your issues. It doesn't include your external
helper definitions or basic config entries like auth helpers, safe ports
etc.

Just a heads up. I am taking some wild guesses about what your actual setup
is meant to be doing but the below seems fairly logical.

acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

# Deny bad ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Deny site in the blocked_websites list
acl blocked_websites url_regex "/etc/squid/blocked_websites"
http_access deny blocked_websites

# Allow authenticated users in the INTERNET group on our network access
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl AD_group_internet external ntdom internet # Internet group members
http_access allow localnet ntlm AD_group_internet

# ?? anybody not in "INTERNET" group would be denied after this.
#acl AD_group_domain_users external ntdom "/etc/squid/ad_group_domain_users"
#http_access deny ntlm AD_group_domain_users

http_access deny all

Hopefully this wild bit of guessing will clear up some of the issues you are
seeing and give some feedback into what is actually going wrong. Of course,
if I am reading into what you are doing wrongly, then I am more than happy
to stand corrected on the sideline. :)

Scott
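The rule-order point Scott makes (first matching http_access line wins, so an early group allow skips the Safe_ports check and a bare "allow localnet" lets unauthenticated clients through) can be checked offline with a small evaluator. The following is an added example, not code from the thread or from Squid itself. The ACL predicates are hypothetical stand-ins for Squid's real acl types, the ntdom helper is reduced to a group lookup on the request, and PROBLEM_ORDER is reconstructed from Scott's observations rather than taken from Megan's actual file.

```python
"""Toy first-match evaluator for Squid http_access rules (added example).

Models the semantics Scott relies on: Squid walks http_access lines top to
bottom, a line matches when every ACL on it matches (a leading '!' negates),
the first matching line decides, and if nothing matches the opposite of the
last line's action applies. Proxy-auth challenges and the external ntdom
helper are replaced by plain attribute lookups, which is a simplification.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    src: str                     # client IP
    port: int                    # destination port
    method: str                  # HTTP method (GET, CONNECT, ...)
    url: str                     # requested URL
    user: Optional[str] = None   # None = no proxy credentials presented
    groups: set = field(default_factory=set)  # groups the helper would report


# ACL names follow the thread's squid.conf; predicates are hypothetical
# stand-ins for src, port, method, url_regex, proxy_auth and external acls.
ACLS = {
    "all": lambda r: True,
    "manager": lambda r: r.url.startswith("cache_object://"),
    "localhost": lambda r: r.src == "127.0.0.1",
    "localnet": lambda r: r.src.startswith("192.168."),   # 192.168.0.0/16
    # Squid's stock Safe_ports list: well-known web ports plus 1025-65535
    "Safe_ports": lambda r: r.port in {80, 21, 443, 70, 210, 280, 488, 591, 777}
    or 1025 <= r.port <= 65535,
    "SSL_ports": lambda r: r.port == 443,
    "CONNECT": lambda r: r.method == "CONNECT",
    "ntlm": lambda r: r.user is not None,   # proxy_auth REQUIRED, simplified
    "AD_group_internet": lambda r: r.user is not None and "internet" in r.groups,
    "blocked_websites": lambda r: re.search(r"login\.live\.com", r.url) is not None,
}


def parse_http_access(conf: str):
    """Extract (action, [acl tokens]) from http_access lines; other lines are ignored."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("http_access "):
            _, action, *tokens = line.split()
            rules.append((action, tokens))
    return rules


def _match(token: str, req: Request) -> bool:
    negate = token.startswith("!")
    return ACLS[token.lstrip("!")](req) != negate


def decide(conf: str, req: Request):
    """Return (action, matched_line) for the first http_access line that matches."""
    rules = parse_http_access(conf)
    for action, tokens in rules:
        if all(_match(t, req) for t in tokens):
            return action, " ".join(["http_access", action, *tokens])
    last = rules[-1][0]   # Squid: no match -> opposite of the last line
    return ("deny" if last == "allow" else "allow"), "no line matched: opposite of last"


# Order reconstructed from Scott's observations (not Megan's actual file):
# the group allow sits above the port checks, and localnet is allowed alone.
PROBLEM_ORDER = """
http_access allow AD_group_internet
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked_websites
http_access allow localnet
http_access deny all
"""

# Scott's suggested order from the message above.
FIXED_ORDER = """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked_websites
http_access allow localnet ntlm AD_group_internet
http_access deny all
"""

# Constructed sample requests.
MAIL_PORT = Request("192.168.1.10", 25, "CONNECT", "mail.example:25", user="alice", groups={"internet"})
NO_CREDS = Request("192.168.1.11", 80, "GET", "http://www.google.com/")
MEMBER = Request("192.168.1.12", 80, "GET", "http://www.google.com/", user="alice", groups={"internet"})
BLOCKED = Request("192.168.1.12", 80, "GET", "http://login.live.com/", user="alice", groups={"internet"})

if __name__ == "__main__":
    for name, req in [("mail port", MAIL_PORT), ("no creds", NO_CREDS), ("member", MEMBER), ("blocked", BLOCKED)]:
        print(f"{name:9} problem order -> {decide(PROBLEM_ORDER, req)}")
        print(f"{name:9} fixed order   -> {decide(FIXED_ORDER, req)}")
```

Running it shows the two failure modes Scott describes: under PROBLEM_ORDER a group member can CONNECT to port 25 and a client with no credentials is allowed via localnet, while under FIXED_ORDER the port is stopped by "deny !Safe_ports" and the unauthenticated client falls through to "deny all". Real Squid differs in one way the model omits: a proxy_auth ACL that fails to match sends a 407 challenge rather than silently evaluating as false.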

Received on Wed Aug 04 2010 - 14:23:34 MDT
