<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 15/06/2016 10:50, <a class="moz-txt-link-abbreviated" href="mailto:nilesh.gavali@tcs.com">nilesh.gavali@tcs.com</a> wrote:<br>
<blockquote
cite="mid:OF29EE7DFD.2BD1A317-ON80257FD3.004390E8-80257FD3.004C0BDD@tcs.com"
type="cite"><font face="sans-serif" size="2">Hi Team;</font>
<br>
<font face="sans-serif" size="2">I have setup as below-</font>
<ul>
<li><font face="sans-serif" size="2">Squid Kerberos
authentication with Windows
AD 2012r2 - works fine.</font>
</li>
<li><font face="sans-serif" size="2">Now need to restrict access
based on
AD Group membership.</font></li>
</ul>
<br>
<font face="sans-serif" size="2">The configuration below is done, but no
luck:
when trying to access with a user who is not part of the group
mentioned, he is still
able to browse the Internet.</font>
<br>
</blockquote>
<br>
The following works fine for me and in my opinion works better than
LDAP. The authentication is integrated, so it doesn't keep asking
for a password (when the current user is a domain account). But you
have to add the Squid server to the domain using 'smb.conf',
'krb5.conf' and then 'net ads join'. The service 'winbind' must be
running too.<br>
I'm using Squid 3.5.19.<br>
<br>
<br>
<pre>
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN --enable-external-acl-helpers="ext_wbinfo_group_acl"
auth_param ntlm children 10 startup=0 idle=2

external_acl_type NTGroup children-startup=10 children-idle=2 children-max=50 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl

acl authenticated proxy_auth REQUIRED

acl ad_group external NTGroup MYDOMAIN\AD_Group
acl denied_websites dstdom_regex -i "/etc/squid/denied-websites.txt"
http_access deny ad_group denied_websites
</pre>
<br>
So all the members of MYDOMAIN\AD_Group won't have access to
whatever the file contains.<br>
<br>
Bruno<br>
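<br>
<p>The following is an added example, not part of Bruno's message and not Squid's own code: a short Python model of how Squid evaluates the <code>http_access</code> lines in the configuration above, with <code>ext_wbinfo_group_acl</code> replaced by an in-memory group table that answers the same OK/ERR helper protocol. The group members, user names and the contents of <code>denied-websites.txt</code> are constructed sample data. It also goes one step beyond the posted configuration with a second rule set that allows Internet access only to members of the group, which is the restriction the original question asked about.</p>

```python
"""Added example (not from the thread): a model of Squid's http_access
evaluation for the configuration posted above.

Squid's external ACL helper protocol: Squid writes one request line per
lookup ("%LOGIN" followed by the groups named on the acl line) and the
helper answers "OK" or "ERR". All data below is constructed sample data.
"""
import re

# Constructed stand-in for winbind's view of AD group membership; keys are
# written the way the group appears in the squid.conf acl line.
GROUP_MEMBERS = {
    "MYDOMAIN\\AD_Group": {"MYDOMAIN\\alice", "MYDOMAIN\\bob"},
}

# Constructed stand-in for /etc/squid/denied-websites.txt: one regex per
# line, matched case-insensitively because of "dstdom_regex -i".
DENIED_WEBSITES = [r"\.facebook\.com$", r"games\.example$"]


def wbinfo_group_helper(request_line: str) -> str:
    """Model of ext_wbinfo_group_acl: request is "<login> <group> ...";
    answer OK if the login is in any of the listed groups, else ERR."""
    parts = request_line.split()
    login, groups = parts[0], parts[1:]
    for group in groups:
        if login in GROUP_MEMBERS.get(group, set()):
            return "OK"
    return "ERR"


# Each ACL is a function (login, destination host) -> bool.
def acl_ad_group(login, dst):
    # "acl ad_group external NTGroup MYDOMAIN\AD_Group"
    return wbinfo_group_helper(f"{login} MYDOMAIN\\AD_Group") == "OK"


def acl_denied_websites(login, dst):
    # "acl denied_websites dstdom_regex -i ..."
    return any(re.search(p, dst, re.IGNORECASE) for p in DENIED_WEBSITES)


def acl_authenticated(login, dst):
    # "acl authenticated proxy_auth REQUIRED": modelled as "a login exists"
    return login is not None


def acl_all(login, dst):
    return True


# Rule sets in squid.conf order: (verdict, ACLs that must ALL match).
# Bruno's configuration: deny group members access to the listed sites.
RULES_DENY_SITES_TO_GROUP = [
    ("deny", [acl_ad_group, acl_denied_websites]),
]

# Added variant (assumption, not in the thread): only group members may
# browse at all; everyone else is denied.
RULES_MEMBERS_ONLY = [
    ("allow", [acl_authenticated, acl_ad_group]),
    ("deny", [acl_all]),
]


def http_access(rules, login, dst):
    """Squid stops at the first rule whose ACLs all match. If no rule
    matches, the opposite of the last rule's verdict applies."""
    for verdict, acls in rules:
        if all(acl(login, dst) for acl in acls):
            return verdict
    return "allow" if rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    for rules_name, rules in (("deny-sites-to-group", RULES_DENY_SITES_TO_GROUP),
                              ("members-only", RULES_MEMBERS_ONLY)):
        for login in ("MYDOMAIN\\alice", "MYDOMAIN\\carol"):
            for dst in ("www.facebook.com", "www.example.org"):
                print(rules_name, login, dst, "->", http_access(rules, login, dst))
```

<p>With the posted rule set, a non-member such as the constructed user <code>carol</code> is allowed everywhere, because the only <code>deny</code> line requires both ACLs to match and Squid falls through to the opposite of the last rule's verdict when nothing matches. The second rule set shows the shape needed when the goal is to let only group members through.</p>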
</body>
</html>