[squid-users] error: Could not get groups for user

From: Francisco Martinez Espadas <[email protected]>
Date: Wed, 28 Nov 2007 13:12:46 +0100

Hello,

For a few days now I have been having some problems with users trying to
access the Internet through the proxy.

I have squid (2.5 stable 14) with user validation against an Active
Directory. I have a single domain and a sub-domain. Both have an attribute
that marks users who have access granted to Internet: "Internet Default"
or "SUBDOMAIN\Internet Default".

User access control is defined in "squid.conf" this way:
        
        auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
        auth_param ntlm children 30
        auth_param basic children 5
        auth_param basic realm DOMAIN
        auth_param basic credentialsttl 2 hour
        
        external_acl_type wb_group ttl=900 %LOGIN /usr/lib/squid/wbinfo_group.pl
        
        acl ACCES_INTERNET external wb_group "/etc/squid/grupo-AD"

This is the content of my "/etc/squid/grupo-AD" file:
        "Internet Default"
        "SUBDOMAIN\Internet Default"

The problem is that users on the main domain have access to the Internet,
but some users on the subdomain don't. They are getting an
ERR_ACCESS_DENIED error.

This is what is logged in "cache.log":
        Could not get groups for user SUBDOMAIN\\user1
        

If I run "/usr/lib/squid/wbinfo_group.pl" via command line (assuming
user2 is working and user1 is not)

with params:
        SUBDOMAIN\user1 "\" SUBDOMAIN\\internet default\""
        Sending OK to squid
        
        SUBDOMAIN\user2 "\" SUBDOMAIN\\internet default\""
        Sending OK to squid

And the same but with two backslashes:
        SUBDOMAIN\\user1 "\" SUBDOMAIN\\internet default\""
        Could not get groups for user SUBDOMAIN\\user1
        Sending ERR to squid
        
        SUBDOMAIN\\user2 "\" SUBDOMAIN\\internet default\""
        Sending OK to squid
        

This is the content of the file "/usr/lib/squid/wbinfo_group.pl":

> sub check {
>     local($user, $group) = @_;
>     $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
>     chop $groupSID;
>     $groupGID = `wbinfo -Y "$groupSID"`;
>     chop $groupGID;
>     &debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
>     return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
>     return 'ERR';
> }
>
> #
> # Main loop
> #
> while (<STDIN>) {
>     chop;
>     &debug ("Got $_ from squid");
>     if( $_ =~ /^"?([^"]+)"? / ) {
>         $user = $1;
>     }
>     if( $_ =~ /(( "?\\"[^"]+\\""?)+)/i ) {
>         $groups = $1;
>     }
>     s/"\\/\\/g for $groups;
>     s/""/"/g for $groups;
>     s/\\ / /g for $groups;
>     $groups = substr($groups, 3, length($groups)-5);
>     @groups = split /\\" \\"/, $groups;
>     foreach $group(@groups) {
>         $ans = &check($user, $group);
>         last if($ans eq 'OK');
>     }
>     &debug ("Sending $ans to squid");
>     print "$ans\n";
> }
        
Any help please?

Thank you so much

OS: Ubuntu 6.06
Squid 2.5 STABLE 14
LDAP: Active Directory (Windows 2003)
Received on Wed Nov 28 2007 - 05:12:54 MST
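
An added example, not part of the original post and not Squid's own wbinfo_group.pl: one way to make the membership check insensitive to the one-versus-two-backslash difference tested above, and to call wbinfo with an argument list so that no shell and no \Q...\E quoting is involved. The function names, the assumption that a doubled backslash is only escaping, and the stand-in winbind data are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Collapse an escaped separator (DOMAIN\\user) to the single-backslash form
# (DOMAIN\user), the form that returned OK in the manual test in the post.
# Assumption: the doubled backslash is escaping, not part of the account name.
sub normalize_login {
    my ($login) = @_;
    $login =~ s/\\{2,}/\\/g;
    return $login;
}

# Run wbinfo with an argument list. No shell parses the arguments, so
# backslashes, spaces and quotes in names reach wbinfo unchanged.
sub wbinfo {
    my (@args) = @_;
    open(my $fh, '-|', 'wbinfo', @args) or return;
    chomp(my @out = <$fh>);
    close($fh);
    return @out;
}

# True if the group's GID (wbinfo -n, then -Y) is among the user's GIDs
# (wbinfo -r). $run is injectable so the logic can be exercised offline.
sub in_group {
    my ($login, $group, $run) = @_;
    $run ||= \&wbinfo;
    my ($sid_line) = $run->('-n', $group) or return 0;
    my ($sid) = split ' ', $sid_line;
    return 0 unless defined $sid;
    my ($gid) = $run->('-Y', $sid) or return 0;
    my $hits = grep { $_ eq $gid } $run->('-r', normalize_login($login));
    return $hits ? 1 : 0;
}

# Constructed stand-in for winbind (SID and GIDs are made up).
my %fake = (
    '-n SUBDOMAIN\Internet Default' => ['S-1-5-21-1-2-3-1111 Domain Group (2)'],
    '-Y S-1-5-21-1-2-3-1111'        => ['10001'],
    '-r SUBDOMAIN\user1'            => ['10000', '10001'],
);
my $stub = sub { @{ $fake{"@_"} || [] } };

for my $login ('SUBDOMAIN\user1', 'SUBDOMAIN\\\\user1') {
    my $ok = in_group($login, 'SUBDOMAIN\Internet Default', $stub);
    print "$login => ", ($ok ? 'OK' : 'ERR'), "\n";
}
```

Calling in_group without the third argument uses the real wbinfo binary instead of the constructed table.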
