Hi, Update: If I change "winbind use default domain = no" the wbinfo_group.pl receives the correct username. This OK, just that the basic auth users now need to include the domain with their username. I still would like to know why wbinfo_group.pl receives the username in form of USER@MY.DOMAIN and not as DOMAIN\USER or just USER as I understand it should. Regards, Tuukka -----Original Message----- From: Laurikainen, Tuukka [mailto:t.laurikainen@xxxxxxxxxxxxxx] Sent: Thursday, January 03, 2013 6:50 PM To: squid-users@xxxxxxxxxxxxxxx Subject: wbinfo_group.pl receives user and domain in wrong format? Hi, I have the following problem with an external acl: The Squid server is configured to authenticate users from AD (Negotiate and NTLM auth both work fine). The problem I have is with an external acl to check group permissions: external_acl_type AD-Groups ttl=10 children=60 %LOGIN /usr/lib/squid3/wbinfo_group.pl Now, debugging the wbinfo_group.pl I can see that: Got USER@MY.DOMAIN AD_GROUP from squid Usuario: USER@MY.DOMAIN User: - USER@MY.DOMAIN- Group: -AD_GROUP- SID: -S-1-5-21-1472344799-869232178-1847928074-74927- GID: -10081- Could not get groups for user USER@MY.DOMAIN Sending ERR to squid It correctly gives OK if the user is just the USER, but why is Squid passing the user in this format USER@MY.DOMAIN? I understand it should strip the domain part off(?)... Wbinfo -t, wbinfo -u, wbinfo -g all work fine. wbinfo -r works too, if the user is given in a correct format (USER or DOMAIN\\USER). smb.conf: [global] interfaces = 127.0.0.1/8 eth0 workgroup = DOMAIN netbios name = squid local master = no realm = MY.DOMAIN security = ads encrypt passwords = yes password server = dc1.my.domain, dc2.my.domain, * load printers = no idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum groups = yes winbind enum users = yes winbind use default domain = yes client use spnego = yes debug level = 2 squid.conf (just the auth lines): auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MY.DOMAIN --kerberos /usr/lib/squid3/squid_kerb_auth -s GSS_C_NO_NAME auth_param negotiate keep_alive off auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MY.DOMAIN Squid version 3.1.6. Regards, Tuukka
