No answers to my problem below till now. Because of another test I guess wbinfo_group is not called by squid:
I created the shell script wbinfogroup.sh:

    #!/bin/sh
    SQ_DIR=/usr/local/squid
    $SQ_DIR/bin/wbinfo_group.pl 2>/tmp/wb.out

stderr is redirected to file /tmp/wb.out. When I log on as user squid and run this shell all works fine. The file /tmp/wb.out contains the expected lines.

squid.conf:

    external_acl_type NT_global_group ttl=900 %LOGIN /usr/local/squid/bin/wbinfo_group.sh

When I try to access internet with IE the request "hangs". Nothing is written in /tmp/wb.out. Therefore I guess that the combination of squid and wb_auth does not work properly.

OS: TRU64 5.1A PK3

Any ideas?

W.Rost

---------------------------------------------------------------------------------------------------------

Squid 2.5 S1 works with IE 6 (without SP1). Now I want to authenticate users against a NT4 usergroup without asking for username and password using NTLM. I installed samba 2.2.5. "wbinfo -t" gives "secret is good".

squid.conf:

    auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    auth_param basic program /usr/local/squid/libexec/wb_auth
    auth_param basic children 5
    auth_param basic realm SQUID-Proxy ZF Boge Bonn
    auth_param basic credentialsttl 2 hours
    authenticate_ip_ttl 90 seconds
    external_acl_type NT_global_group ttl=900 %LOGIN /usr/local/squid/bin/wbinfo_group.pl
    acl auth_iboge external NT_global_group INTERNET_USERS
    http_access allow !intranet_boge auth_iboge

PROBLEM: Access to internet "hangs" for some time and is denied without any error message. Sometimes it does not end and must be cancelled.
cache.log gives:

    2003/01/23 17:30:08| ipcache_gethostbyname: 'www.google.de', flags=1
    2003/01/23 17:30:08| aclMatchIp: '216.239.39.101' NOT found
    2003/01/23 17:30:08| aclMatchAclList: checking auth_iboge
    2003/01/23 17:30:08| aclMatchAcl: checking 'acl auth_iboge external NT_global_group INTERNET_USERS'
    2003/01/23 17:30:08| aclMatchExternal: acl="NT_global_group"
    2003/01/23 17:30:08| authenticateValidateUser: Validating Auth_user request '0'.
    2003/01/23 17:30:08| authenticateValidateUser: Auth_user_request was NULL!
    2003/01/23 17:30:08| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
    2003/01/23 17:30:08| aclMatchAcl: returning 0 sending authentication challenge.
    2003/01/23 17:30:08| aclMatchExternal: NT_global_group user not authenticated (0)
    2003/01/23 17:30:08| aclMatchAclList: returning 0
    2003/01/23 17:30:08| aclCheck: requiring Proxy Auth header.
    2003/01/23 17:30:08| cbdataUnlock: 140181a58
    2003/01/23 17:30:08| aclCheck: match found, returning 2
    2003/01/23 17:30:08| aclCheckCallback: answer=2
    2003/01/23 17:30:08| cbdataValid: 1406bac18
    2003/01/23 17:30:08| The request GET http://www.google.de/ is DENIED, because it matched 'auth_iboge'
    2003/01/23 17:30:08| Access Denied: http://www.google.de/
    2003/01/23 17:30:08| AclMatchedName = auth_iboge
    2003/01/23 17:30:08| Proxy Auth Message = <null>

Manual testing with wbinfo_group.pl works as expected:

    ./wbinfo_group.pl
    rost INTERNET_USERS
    Got rost INTERNET_USERS from squid
    User: -rost-
    Group: -INTERNET_USERS-
    SID: -S-1-5-21-1691762760-2083531834-928725530-2427 2-
    GID: -10001-
    Sending OK to squid
    OK

    # ../sbin/squid -v
    Squid Cache: Version 2.5.STABLE1
    configure options: --enable-auth=ntlm,basic --enable-external-acl-helpers=winbind_group --enable-basic-auth-helpers=winbind --enable-ntlm-auth-helpers=winbind
    #
    # cat wbinfo_group.pl
    #!/usr/bin/perl -w
    #
    # external_acl helper to Squid to verify NT Domain group
    # membership using wbinfo
    #
    # This program is put in the public domain by Jerry Murdock
    # <[EMAIL PROTECTED]>. It is distributed in the hope that it will
    # be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
    # of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    #
    # Author:
    #   Jerry Murdock <[EMAIL PROTECTED]>
    #
    # Version history:
    #   2002-07-05 Jerry Murdock <[EMAIL PROTECTED]>
    #       Initial release
    #

    # external_acl uses shell style lines in it's protocol
    require 'shellwords.pl';

    # Disable output buffering
    $|=1;

    sub debug {
        # Uncomment this to enable debugging
        print STDERR "@_\n";
    }

    #
    # Check if a user belongs to a group
    #
    sub check {
        local($user, $group) = @_;
        $groupSID = `wbinfo -n "$group"`;
        chop $groupSID;
        $groupGID = `wbinfo -Y $groupSID`;
        chop $groupGID;
        &debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
        return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
        return 'ERR';
    }

    #
    # Main loop
    #
    while (<STDIN>) {
        chop;
        &debug ("Got $_ from squid");
        ($user, $group) = &shellwords;
        $ans = &check($user, $group);
        &debug ("Sending $ans to squid");
        print "$ans\n";
    }

Any ideas?

> Kind regards / regards
> Werner Rost
>
> ---------------------------------------------------------------------
> ZF Boge GmbH
> Werner Rost
> IT
> Friesdorfer Str. 175
> D-53175 Bonn
>
>
> phone: +49/228/3825 420
> fax: +49/228/3825 398
> [EMAIL PROTECTED]
>
> www.boge-vibrationcontrol.com/
> ---------------------------------------------------------------------
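
The helper in the post was exercised from a terminal; the following added example (not part of the original post, and not code from Squid or the helper's author) drives a helper over pipes with the same one-line "user group" request and OK/ERR reply, using a timeout so that a helper which never answers is reported as TIMEOUT instead of hanging. The stand-in helper, its membership table and the names start_helper, ask and run_case are constructed for illustration; select() on pipes assumes a POSIX system.

```python
import os
import select
import shlex
import subprocess
import sys

# Constructed stand-in helper: answers from a fixed table instead of calling wbinfo.
HELPER_SRC = r'''
import shlex, sys
MEMBERS = {"INTERNET_USERS": {"rost"}}   # constructed sample data
flush = sys.argv[1] == "flush"           # "buffered" leaves replies in the stdio buffer
for line in sys.stdin:
    user, group = shlex.split(line)      # shell-style line, as the helper comment says
    print("OK" if user in MEMBERS.get(group, ()) else "ERR", flush=flush)
'''

def start_helper(argv):
    """Start a helper with pipes (not a tty) on stdin and stdout."""
    env = {k: v for k, v in os.environ.items() if k != "PYTHONUNBUFFERED"}
    return subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, bufsize=0, env=env)

def ask(proc, user, group, timeout):
    """Send one 'user group' line; return the reply, 'TIMEOUT' or 'EOF'."""
    request = f"{shlex.quote(user)} {shlex.quote(group)}\n"
    proc.stdin.write(request.encode())
    reply = b""
    while not reply.endswith(b"\n"):
        ready, _, _ = select.select([proc.stdout], [], [], timeout)
        if not ready:
            return "TIMEOUT"             # helper alive, but no reply reached the pipe
        chunk = os.read(proc.stdout.fileno(), 4096)
        if not chunk:
            return "EOF"                 # helper exited or closed stdout
        reply += chunk
    return reply.decode().strip()

def run_case(mode, requests, timeout=3.0):
    """Drive the stand-in helper in 'flush' or 'buffered' mode."""
    proc = start_helper([sys.executable, "-c", HELPER_SRC, mode])
    try:
        return [ask(proc, user, group, timeout) for user, group in requests]
    finally:
        proc.kill()
        proc.wait()

if __name__ == "__main__":
    sample = [("rost", "INTERNET_USERS"), ("guest", "INTERNET_USERS")]
    print("flushing helper:", run_case("flush", sample))
    print("buffered helper:", run_case("buffered", sample, timeout=1.0))
```

The "buffered" case shows why the Perl helper sets $|=1: without a flush after each answer the reply stays in the helper's output buffer when stdout is a pipe.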
