auth_param ntlm program c:/squid/libexec/win32_ntlm_auth.exe
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl Authenticated proxy_auth REQUIRED
acl bwt_network src 192.168.0.0/24

external_acl_type NT_global_group %LOGIN c:/squid/libexec/win32_check_group.exe -G -d -c
acl GProxyUsers external NT_global_group Internet

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow GProxyUsers Authenticated
http_access deny all
I'm just testing NTLM authentication at the moment; basic is not implemented at this stage.
From an account logged in as the domain administrator, all is well - as taken from these entries in cache.log:
/win32_check_group.exe[2804]: Got '**domain**\\administrator Internet' from Squid (length: 31).
/win32_check_group.exe[2804]: Valid_Global_Groups: checking group membership of '**domain*\administrator'.
/win32_check_group.exe[2804]: Using '\\**domain controller**' as DC for '**domain**' local domain.
/win32_check_group.exe[2804]: Using '\\**domain controller**' as DC for '**domain**' user's domain.
/win32_check_group.exe[2804]: Windows group: Domain Admins, Squid group: Internet
/win32_check_group.exe[2804]: Windows group: Exchange Domain Servers, Squid group: Internet
/win32_check_group.exe[2804]: Windows group: Schema Admins, Squid group: Internet
/win32_check_group.exe[2804]: Windows group: Citrix Access XP, Squid group: Internet
/win32_check_group.exe[2804]: Windows group: Internet Access, Squid group: Internet
/win32_check_group.exe[2804]: Windows group: MSWord, Squid group: Internet
/win32_check_group.exe[2804]: Windows group: MSPowerpoint, Squid group: Internet
/win32_check_group.exe[2804]: Windows group: Internet, Squid group: Internet
However, when going in as myself the following happens:
/win32_check_group.exe[2804]: Got '**domain**\\eholton Internet' from Squid (length: 25).
/win32_check_group.exe[2804]: Valid_Global_Groups: checking group membership of '**domain**\eholton'.
/win32_check_group.exe[2804]: Using '**domain controller**' as DC for '**domain**' local domain.
/win32_check_group.exe[2804]: Using '**domain controller' as DC for '**domain**' user's domain.
/win32_check_group.exe NetUserGetGroups() failed.'
When I use win32_check_group.exe from the command line, used as directed in the documentation and with the same arguments as in the squid.conf extract above, I get the following as output:
**domain**\\eholton Internet
win32_check_group.exe[4052]: Got '**domain**\\eholton Internet' from Squid (length: 25).
win32_check_group.exe[4052]: Valid_Global_Groups: checking group membership of '**domain**\eholton'.
win32_check_group.exe[4052]: Using '**domain controller**' as DC for '**domain**' local domain.
win32_check_group.exe[4052]: Using '**domain controller**' as DC for '**domain**' user's domain.
win32_check_group.exe[4052]: Windows group: Data Warehouse Administrator, Squid group: Internet
win32_check_group.exe[4052]: Windows group: MSoutlookxp, Squid group: Internet
win32_check_group.exe[4052]: Windows group: Data Warehouse User, Squid group: Internet
win32_check_group.exe[4052]: Windows group: Citrix Access XP, Squid group: Internet
win32_check_group.exe[4052]: Windows group: IT Support, Squid group: Internet
win32_check_group.exe[4052]: Windows group: MSWord, Squid group: Internet
win32_check_group.exe[4052]: Windows group: MSPowerpoint, Squid group: Internet
win32_check_group.exe[4052]: Windows group: Internet, Squid group: Internet
OK
Where **domain** and **domain controller** refer to the actual values for the site.
Is there something I'm missing? I find it puzzling that the helper is failing given theoretically the same input as provided to it on a command line.
Thanks in advance for any help!
--
Euan
'Why?'
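Added example, not part of the original post and not Squid's own code: a small parser for the win32_check_group.exe debug lines quoted above that separates "group list enumerated, no match" from "enumeration failed", the distinction the two cache.log extracts turn on. The function name summarize, the sample names and PIDs, the case-insensitive comparison, and attributing the PID-less failure line to the most recent lookup are assumptions of this example.

```python
import re

# Constructed sample in the helper's debug format; names are placeholders.
SAMPLE_LOG = r"""
/win32_check_group.exe[2804]: Got 'EXAMPLE\\alice Internet' from Squid (length: 22).
/win32_check_group.exe[2804]: Windows group: Domain Admins, Squid group: Internet
/win32_check_group.exe[2804]: Windows group: Internet, Squid group: Internet
/win32_check_group.exe[2804]: Got 'EXAMPLE\\bob Internet' from Squid (length: 20).
/win32_check_group.exe[2804]: Valid_Global_Groups: checking group membership of 'EXAMPLE\bob'.
/win32_check_group.exe NetUserGetGroups() failed.'
/win32_check_group.exe[3120]: Got 'EXAMPLE\\carol Internet' from Squid (length: 22).
/win32_check_group.exe[3120]: Windows group: MSWord, Squid group: Internet
"""

PID = re.compile(r"win32_check_group\.exe\[(\d+)\]")
GOT = re.compile(r"Got '(?P<user>\S+) (?P<group>[^']+)' from Squid")
WIN = re.compile(r"Windows group: (?P<win>.+), Squid group: (?P<squid>.+)$")
FAIL = re.compile(r"(?P<api>\w+)\(\) failed")

def summarize(log_text):
    """Return one dict per lookup: pid, user, group, windows_groups, outcome."""
    lookups, by_pid, last = [], {}, None
    for line in log_text.splitlines():
        line = line.strip()
        pid = PID.search(line)
        pid = pid.group(1) if pid else None
        m = GOT.search(line)
        if m:
            last = {"pid": pid, "user": m["user"].replace("\\\\", "\\"),
                    "group": m["group"], "windows_groups": [],
                    "outcome": "not_member"}
            by_pid[pid] = last
            lookups.append(last)
            continue
        # Lines without a PID (the failure line) go to the latest lookup.
        cur = by_pid.get(pid) if pid else last
        if cur is None:
            continue
        m = WIN.search(line)
        if m:
            cur["windows_groups"].append(m["win"])
            # Assumption: compare group names case-insensitively.
            if m["win"].lower() == m["squid"].lower():
                cur["outcome"] = "member"
        elif (m := FAIL.search(line)):
            # The group list was never enumerated for this lookup.
            cur["outcome"] = "lookup_failed:" + m["api"]
    return lookups
```

Run over a real cache.log, any lookup_failed entry points at the helper's environment under Squid rather than at the user's group membership.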
