Adrian, just opened the bug report #2080. Thanks, Isnard On Tue, 2007-09-11 at 16:16 +0800, Adrian Chadd wrote: > Its entirely possible you've just found and squished a bug! Cool! > > Just throw it into the Squid Bugzilla (linked off the squid > home page - http://www.squid-cache.org/) and someone will review > and commit changes if needed. > > thanks! > > > > > Adrian > > On Mon, Sep 10, 2007, Isnard Delacoste Jaquet Junior wrote: > > Hello, > > > > I'm using wbinfo_group.pl script and it works like a charm, but I ran > > into a condition where it reveals a false positive. > > > > The situation is as follows: > > > > I have squid 2.6-15 running with samba 3.0.22 authenticating against a > > AD forest which let's me authenticate users from domains other then my > > own (I'm one of the branches), but it's not able to verify the user > > groups. I think that's just the way it's configured. No complains. > > Now... I found an interesting problem when I have people from other > > domains trying to surf through squid within my domain branch. They get > > authenticated (which is fine), and when the request gets to the point > > where it has to verify the groups listed at the external acl and I if I > > get an invalid group name to be verified (I mistyped the group's name in > > squid.conf) wbinfo_group.pl runs the code bellow and returns OK instead > > of ERR: > > > > > > sub check { > > local($user, $group) = @_; > > $groupSID = `wbinfo -n "$group" | cut -d" " -f1`; > > chop $groupSID; > > $groupGID = `wbinfo -Y "$groupSID"`; > > chop $groupGID; > > &debug( "User: -$user-\nGroup: -$group-\nSID: > > -$groupSID-\nGID: -$groupGID-"); > > # Verifica se wbinfo -r retorna grupos do usu?rio ou nada > > return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m); > > return 'ERR'; > > } > > > > > > Well, I think it happens because when it runs "wbinfo -n "$group" | cut > > -d" " -f1`" and the group can't be verified it returns an empty string > > to the variable groupSID, which in turn returns an empty string to the > > variable groupGID when it runs `wbinfo -Y "$groupSID"`. Since the > > command "`wbinfo -r \Q$user\E`", which will return the groups to a given > > user can't verify it (because of the way the forest is configured - > > can't verify groups from different domains), and it compares with the > > value of the groupSID variable, it matches, cause they are both empty > > variables. > > > > I altered very little of the script to be able to verify it and return > > the right code to squid. > > > > It goes like this: > > > > sub check { > > local($user, $group) = @_; > > $groupSID = `wbinfo -n "$group" | cut -d" " -f1`; > > chop $groupSID; > > $groupGID = `wbinfo -Y "$groupSID"`; > > chop $groupGID; > > &debug( "User: -$user-\nGroup: -$group-\nSID: > > -$groupSID-\nGID: -$groupGID-"); > > return 'ERR' if($groupGID eq ""); # Verify if groupGID variable > > is empty. > > return 'ERR' if(`wbinfo -r \Q$user\E` eq ""); # Verify if > > "wbinfo -r" command returns no value. > > return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m); > > return 'ERR'; > > } > > > > > > I know it comes from a broken configuration (I mistyped the group name), > > but it might happen to others as well and perhaps go unnoticed. > > > > Is it a samba thing? Am I even supposed to be talking to them instead of > > you guys? > > > > Any comments will be greatly appreciated. > > > > Thanks in advance. > > > > Regards, > > > > Isnard Jaquet > > > > > > >