Using SAMBA 3.0.9 and SQUID 2.5.STABLE7, I have an authorisation problem using the external helper wbinfo_group.pl. We have 2 trusted domains, DOM_A and DOM_B (NT4 domains). Authorisation to DOM_A (the squid server is a member of DOM_A) works fine, but users belonging to DOM_B couldn't be authorized.

This happens because squid never sends a fully qualified group name, and it seems that wbinfo_group.pl needs the fully qualified name; otherwise it doesn't recognize domain groups in the trusted domain.

For example: 'userB' belonging to group 'grpB' in domain 'DOM_B' tries to open a page. Now wbinfo_group gets 'DOM_B+userB grpB' and sends 'ERR' to squid (could not lookup name). If the parameter were 'DOM_B+userB DOM_B+grpB', everything would be fine (at least regarding my tests using wbinfo_group.pl directly from the shell).

Does anybody have an idea how to fix this problem? Maybe this is just a configuration issue? Here are the relevant config lines:

smb.conf ->

    [global]
    workgroup = dom_a
    security = domain
    password server = 192.168.1.2
    wins support = yes
    max log size = 10000
    local master = no
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = +
    [..]

squid.conf ->

    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 3
    auth_param ntlm max_challenge_reuses 1
    auth_param ntlm max_challenge_lifetime 2 minute
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic realm Squid proxy-caching web server
    auth_param basic children 3
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 minute
    external_acl_type NT_global_group children=10 ttl=900 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    coredump_dir /usr/local/squid/var/cache
    [..]
    acl squid_user external NT_global_group squid_user
    acl _grp_allowed_sites dstdomain "/etc/squid/sites_auskunft"
    # squid_auskunftD1 is global group in DOM_A
    acl _auskunftD1_user external NT_global_group squid_auskunftD1
    # squid_auskunftD2 is global group in DOM_B
    acl _auskunftD2_user external NT_global_group squid_auskunftD2
    [..]
    http_access allow _grp_allowed_sites _auskunftD1_user
    http_access allow _grp_allowed_sites _auskunftD2_user
    [..]
    http_reply_access allow all
    icp_access allow all
    http_access deny all

Regards,
Andreas Grund
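
The post describes the helper receiving 'DOM_B+userB grpB' where 'DOM_B+userB DOM_B+grpB' would resolve. One way to qualify the group with the login's own domain before the lookup, as an added example that is not part of the original post and not the wbinfo_group.pl shipped with Squid. The function names and the membership table are assumptions; `is_member` stands in for the winbind lookups the real helper performs.

```python
import sys

SEPARATOR = "+"  # matches "winbind separator = +" in the smb.conf above

def qualify_group(login, group, sep=SEPARATOR):
    """Return the group names to try, most specific first."""
    if sep in group:                      # already DOMAIN+group: use as given
        return [group]
    domain, found, _user = login.partition(sep)
    if not found or not domain:           # login carries no domain part
        return [group]
    # Try the group in the user's own domain, then the unqualified name
    # (the behaviour the post reports as working for DOM_A).
    return [domain + sep + group, group]

def answer(line, is_member, sep=SEPARATOR):
    """Handle one request line 'login group [group ...]' and return OK or ERR."""
    fields = line.split()
    if len(fields) < 2:                   # malformed request: deny
        return "ERR"
    login, groups = fields[0], fields[1:]
    for group in groups:
        for candidate in qualify_group(login, group, sep):
            if is_member(login, candidate):
                return "OK"
    return "ERR"

# Constructed data standing in for winbind group membership lookups.
SAMPLE_MEMBERS = {
    "DOM_A+squid_auskunftD1": {"DOM_A+userA"},
    "DOM_B+squid_auskunftD2": {"DOM_B+userB"},
}

def sample_is_member(login, group):
    return login in SAMPLE_MEMBERS.get(group, set())

if __name__ == "__main__":
    # Helper loop: one request per line on stdin, one answer per line on stdout.
    for request in sys.stdin:
        sys.stdout.write(answer(request, sample_is_member) + "\n")
        sys.stdout.flush()                # the proxy waits for each answer
```
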