If you fix stuff like this then please lodge a Squid Bugzilla bug entry!

Adrian

On Tue, Sep 11, 2007, Stefano Fraccaro wrote:
> Hi,
> in my installation I have resolved the same problem... the script
> receives 3 parameters (0 user group) rather than the 2 expected (user, group)
> ... I resolved it by adding a trash variable and ignoring the first
> parameter (always zero)
>
> ;-)
>
> Stefano
>
> Adrian Chadd wrote:
> > It's entirely possible you've just found and squished a bug! Cool!
> >
> > Just throw it into the Squid Bugzilla (linked off the squid
> > home page - http://www.squid-cache.org/) and someone will review
> > and commit changes if needed.
> >
> > thanks!
> >
> > Adrian
> >
> > On Mon, Sep 10, 2007, Isnard Delacoste Jaquet Junior wrote:
> > > Hello,
> > >
> > > I'm using the wbinfo_group.pl script and it works like a charm, but I ran
> > > into a condition where it reveals a false positive.
> > >
> > > The situation is as follows:
> > >
> > > I have squid 2.6-15 running with samba 3.0.22 authenticating against an
> > > AD forest which lets me authenticate users from domains other than my
> > > own (I'm one of the branches), but it's not able to verify the user
> > > groups. I think that's just the way it's configured. No complaints.
> > > Now... I found an interesting problem when I have people from other
> > > domains trying to surf through squid within my domain branch. They get
> > > authenticated (which is fine), and when the request gets to the point
> > > where it has to verify the groups listed at the external acl and if I
> > > get an invalid group name to be verified (I mistyped the group's name in
> > > squid.conf) wbinfo_group.pl runs the code below and returns OK instead
> > > of ERR:
> > >
> > > sub check {
> > >         local($user, $group) = @_;
> > >         $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
> > >         chop $groupSID;
> > >         $groupGID = `wbinfo -Y "$groupSID"`;
> > >         chop $groupGID;
> > >         &debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
> > >         # Check whether wbinfo -r returns the user's groups or nothing
> > >         return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
> > >         return 'ERR';
> > > }
> > >
> > > Well, I think it happens because when it runs "wbinfo -n "$group" | cut
> > > -d" " -f1`" and the group can't be verified it returns an empty string
> > > to the variable groupSID, which in turn returns an empty string to the
> > > variable groupGID when it runs `wbinfo -Y "$groupSID"`. Since the
> > > command "`wbinfo -r \Q$user\E`", which will return the groups to a given
> > > user can't verify it (because of the way the forest is configured -
> > > can't verify groups from different domains), and it compares with the
> > > value of the groupSID variable, it matches, because they are both empty
> > > variables.
> > >
> > > I altered very little of the script to be able to verify it and return
> > > the right code to squid.
> > >
> > > It goes like this:
> > >
> > > sub check {
> > >         local($user, $group) = @_;
> > >         $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
> > >         chop $groupSID;
> > >         $groupGID = `wbinfo -Y "$groupSID"`;
> > >         chop $groupGID;
> > >         &debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
> > >         return 'ERR' if($groupGID eq ""); # Verify if groupGID variable is empty.
> > >         return 'ERR' if(`wbinfo -r \Q$user\E` eq ""); # Verify if "wbinfo -r" command returns no value.
> > >         return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
> > >         return 'ERR';
> > > }
> > >
> > > I know it comes from a broken configuration (I mistyped the group name),
> > > but it might happen to others as well and perhaps go unnoticed.
> > >
> > > Is it a samba thing? Am I even supposed to be talking to them instead of
> > > you guys?
> > >
> > > Any comments will be greatly appreciated.
> > >
> > > Thanks in advance.
> > >
> > > Regards,
> > >
> > > Isnard Jaquet

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
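
An added example, not part of the original thread and not code from wbinfo_group.pl: the fail-open comparison described in the quoted report, next to a fail-closed variant that validates the looked-up GID and compares it as a number instead of interpolating it into a regex. The wbinfo lookups are replaced by constructed hash tables, and the user and group names are hypothetical, so it runs without Samba.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-ins for the wbinfo lookups (sample data, not real output).
# %gid_of_group models `wbinfo -n` followed by `wbinfo -Y`;
# %gids_of_user models `wbinfo -r`.
my %gid_of_group = ('proxy-users' => '10001');
my %gids_of_user = (
    'alice' => "10000\n10001\n",  # local user, group list resolvable
    'bob'   => "",                # foreign-domain user, no groups returned
);

# Same comparison as the original check(): the GID is interpolated into a regex.
sub check_original {
    my ($user, $group) = @_;
    my $gid    = $gid_of_group{$group} // '';  # unknown group -> empty string
    my $groups = $gids_of_user{$user}  // '';
    return 'OK' if $groups =~ /^$gid$/m;       # empty $gid turns this into /^$/m
    return 'ERR';
}

# Fail-closed variant: every lookup result must be a number before it is used.
sub check_hardened {
    my ($user, $group) = @_;
    my $gid = $gid_of_group{$group} // '';
    return 'ERR' unless $gid =~ /\A[0-9]+\z/;  # failed or malformed group lookup
    my @gids = grep { /\A[0-9]+\z/ } split /\n/, ($gids_of_user{$user} // '');
    return 'ERR' unless @gids;                 # no usable group list for the user
    my $is_member = grep { $_ == $gid } @gids; # exact numeric comparison
    return $is_member ? 'OK' : 'ERR';
}

# 'proxy-usres' is the mistyped group name from squid.conf in this scenario.
for my $case (['alice', 'proxy-users'], ['alice', 'proxy-usres'],
              ['bob',   'proxy-users'], ['bob',   'proxy-usres']) {
    my ($user, $group) = @$case;
    printf "%-6s %-12s original=%-3s hardened=%s\n",
        $user, $group, check_original($user, $group), check_hardened($user, $group);
}
```

The row for bob with the mistyped group is the case from the report: both lookups come back empty, so the original comparison answers OK while the hardened one answers ERR.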