Hi, I have the following problem with an external acl: The Squid server is configured to authenticate users from AD (Negotiate and NTLM auth both work fine). The problem I have is with an external acl to check group permissions: external_acl_type AD-Groups ttl=10 children=60 %LOGIN /usr/lib/squid3/wbinfo_group.pl Now, debugging the wbinfo_group.pl I can see that: Got USER@MY.DOMAIN AD_GROUP from squid Usuario: USER@MY.DOMAIN User: - USER@MY.DOMAIN- Group: -AD_GROUP- SID: -S-1-5-21-1472344799-869232178-1847928074-74927- GID: -10081- Could not get groups for user USER@MY.DOMAIN Sending ERR to squid It correctly gives OK if the user is just the USER, but why is Squid passing the user in this format USER@MY.DOMAIN? I understand it should strip the domain part off(?)... Wbinfo -t, wbinfo -u, wbinfo -g all work fine. wbinfo -r works too, if the user is given in a correct format (USER or DOMAIN\\USER). smb.conf: [global] interfaces = 127.0.0.1/8 eth0 workgroup = DOMAIN netbios name = squid local master = no realm = MY.DOMAIN security = ads encrypt passwords = yes password server = dc1.my.domain, dc2.my.domain, * load printers = no idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum groups = yes winbind enum users = yes winbind use default domain = yes client use spnego = yes debug level = 2 squid.conf (just the auth lines): auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MY.DOMAIN --kerberos /usr/lib/squid3/squid_kerb_auth -s GSS_C_NO_NAME auth_param negotiate keep_alive off auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MY.DOMAIN Squid version 3.1.6. Regards, Tuukka
