On Wed, 03 Mar 2010 22:38:36 +0100, Thomas Klein <mailinglist-postfixbuch@xxxxxxxxx> wrote:
> Mike Ely wrote:
>> On 3/3/10 12:37 PM, "Thomas Klein" <mailinglist-postfixbuch@xxxxxxxxx>
>> wrote:
>>
>>> Hello Squid-Admins,
>>>
>>> I'm in the first steps on installing squid in a network of a customer.
>>> Squid asks one of the domain controllers to authenticate the users via
>>> ntlm. I have three groups of users in the AD to regulate the internet
>>> access. This works so far.
>>>
>>> The only buggy thing is, if I remove a user completely from all groups,
>>> the access over squid should be no longer possible. But it seems that
>>> squid is caching the result of the query in any way (or another
>>> component, that did the query perhaps?), because if I remove a user from
>>> all groups, the access is still possible through squid. If I wait for,
>>> let's say one or a half hour, the removal of the user from the group gets
>>> recognized, and the access is no more possible.
>>> Is there a variable for setting this value, how long a query is cached?
>>> A reboot and a restart of squid does not change anything.
>>>
>>> Thanks for a short answer & regards
>>> Thomas
>>>
>>
>> How many domain controllers are there in this network? What you are
>> experiencing may just be a case of slow propagation between DCs.
>>
>> Cheers,
>> Mike
>>
> Hmm... I have two domain controllers (at the same location) and I did
> the changes of the group members on the same DC, that is queried from
> Squid. In another AD-forest tree are 5 domain controllers (different
> locations), but I think they aren't queried by squid.
>
> best regards
> Thomas

Credentials may be stored in squid memory, but a restart erases that.
Your test has already proven it's not a Squid issue directly, but
something else in the network caching the details. Possibly it may be
re-seeding Squid and extending the period, but that's as close as it gets.

Amos