Need a Dansguardian / Squid configuration expert

[joe90bass]

It means it's blocking the default group 1 as expected, but I'm in group 5 which has (or should have!) unrestricted access

[siuko]

It must be reading your username correctly though to be able to say its going to ban you...

Are your filter groups reading everything right?

You can change the dansguardian access denied page to show which username is being banned - if that helps...

[joe90bass]

I understood it was banning me as it's using group 1 as the 'deny all' as it hasn't picked my userID up in the group it should be in. I know very little about Squid/DG but when hitting DG first and looking at the Squid logs I would expect to see DG passing my IP and userID to squid, but it's not I only see 127.0.0.1. If this is correct then I'm wasting my time on the toubleshooting I'm trying. I've done all the tests (winbind, ntlm_auth command line, etc) I can find to verify that squid is picking up the user IDs from AD correctly (and it is, or seems to be)

I'll take a look at editing the denied page to see what that throws up- cheers!

[joe90bass]

I've amended the block page to show the group that's being blocked and it is group1 no_web_access, howEver, as above I'm in group 5!

[siuko]

Can you also get it to show username so that you can find out exactly who it thinks you are?

[joe90bass]

Can you also get it to show username so that you can find out exactly who it thinks you are?

The -USER- option is set in the template, but only "-" shows on the block page. It shows the PC that the request came from and the group though. It's as if it's not authenticating, but I can't work out why! There's some talk of kerberos issues between Squid 3 and DG, just trying to find out which exact version of Squid I'm running. Webmin shows 3.0

edit: running Squid 3.0 stable 19

[siuko]

Yeah its definitely not picking up your username in DG so it dumps you in the default group.

In your squid logs is it showing the username at all? (I think you mentioned earlier that it was)

[joe90bass]

It does show the name if I use 3128 in the proxy address (i.e squid direct) if I got to 8080 (DG) then no it just shows 127.0.0.1 in the log no user name

[siuko]

My Dansguardian access log shows this :

2010.8.10 12:13:06 (username here) 10.25.74.1 Google GET 221 0 1 302 - normalgroup -

The username here was my username - I checked my squid logs and they dont seem to contain any usernames?

[joe90bass]

Okay, so I'm barking up the wrong tree with that as an issue, or at least symptom of it

Just so frustrating as I'm so close to getting it working.......

[siuko]

Can you disable username/password pass thru on IE so that it has to request your username and password to browse sites?

If you do this so you can check that it is requesting the details correctly and that it is also reading the username and password correctly from your DC.