On 4/08/2016 10:16 p.m., Garth wrote:
> Hi All
>
> I am struggling with delay pools and Group AD. I have managed to narrow
> down the problem to the AD Groups. If I do user auth, the delay pool
> works perfectly. I have tried multiple groups from old to new just
> in case. The AD Groups work for normal site access in the http_access
> rules etc.
>
> Is there a known issue with this?

Yes. See the FAQ:
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs>

> Is there a way to confirm the group
> lookup is correct by the squid/winbind?
>

By running your group helper manually from the command line. Entering the
username (in NTLM format) and group name, separated by a space.

> Squid Cache: Version 3.1.23
>
> Centos 6.8
>

There is one other catch with older Squid RHEL/CentOS packages. RHEL used
to patch Squid so the cache_effective_group directive had a default value.
This actively prevents Squid being set up as a member of the winbind_priv
group in addition to its normal 'proxy' or 'nobody' group. You have to
build your own proxy without that patch to use Winbind on RHEL and CentOS.

I see that you are using the LDAP helper (not the Winbind helper you said
you were using). So this may not be an issue, but YMMV.

> external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R
> -b "dc=example,dc=example" -f
> "(&(sAMAccountName=%v)(memberOf=cn=%a,ou=Security,ou=groups,dc=example,dc=example))"
> -D test@EXAMPLE.EXAMPLE -w testing -h 192.168.1.254
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 50

:-( this month is the 10-year anniversary since MS announced NTLM was being
deprecated and removed from their software. And the 5-year anniversary since
that process was apparently completed. It is very sad to see such a broken
protocol still being used.

> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 50
>
> acl proxyusers-delaypool external ldap_group proxyusers-delaypool
> acl proxyusers-nondelaypool external ldap_group proxyusers-nondelaypool
> acl ftp.is url_regex ftp.is.co.za
>
> acl socialsites url_regex "/etc/squid/socialsites.txt"
>
> In the socialsites is the following:
>
> .facebook.com
> .facebook.co.za
> .facebook.com:443
> .youtube.com:443
> .googlevideo.
> .fbcdn.net
> .akamaihd.net
> .vimeocdn.com:443
>
> delay_pools 4
> delay_class 1 1
> delay_class 2 2
> delay_class 3 2
> delay_class 4 1
> delay_parameters 1 244000/552000
> delay_parameters 2 524000/525000 524000/525000
> delay_parameters 3 244000/254000 244000/254000
> delay_parameters 4 244000/552000
> delay_access 1 allow socialsites proxyusers-delaypool
> delay_access 2 allow proxyusers-nondelaypool
> delay_access 3 allow proxyusers-delaypool
> delay_access 4 allow ftp.is proxyusers-delaypool
>
> I am testing via wget and proxy input details into the bash profile. I
> can confirm the username appears in the squid logs.
>
> Any ideas?

With Squid-3.1 you are limited to running the group lookup ACL in one of
the slow access controls. Usually http_access. Then hoping that it stays in
memory long enough for the delay_access lookup to find it there and not
"fail" because no lookup is possible.

With the recent Squid versions you can make a wrapper script** that returns
the group names to Squid-3.5 as annotations like ' group="Foo" ', and you
have a 'note' type ACL checking the groups in delay_access.

** if you (or anyone) want to try patching the helper to do it without a
wrapper that would be very welcome for merging to Squid-4.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
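An added example of the wrapper-script approach Amos describes (not code from the thread or from the Squid project): it wraps the thread's squid_ldap_group helper so that the reply carries group="..." annotations, which a fast 'note' ACL can then match in delay_access on Squid-3.5. Assumed: the script path /etc/squid/group_annotate.sh, the ACL names in the comments, a placeholder bind password, and that a 3.5 note ACL matches a key that appears more than once in one reply.

```shell
#!/bin/sh
# group_annotate.sh: wraps squid_ldap_group so Squid gets group annotations
# instead of a bare OK/ERR, letting a fast 'note' ACL do the delay_access
# decision (Squid-3.5+). Added example, not from the thread or Squid.
#
# squid.conf (ASSUMED names; helper path/arguments follow the thread):
#   external_acl_type ldap_group ttl=3600 %LOGIN /etc/squid/group_annotate.sh --serve
#   acl groupinfo external ldap_group
#   acl grp_delay note group proxyusers-delaypool
#   acl grp_nodelay note group proxyusers-nondelaypool
#   http_access allow groupinfo        # the slow lookup happens here, once
#   delay_access 2 allow grp_nodelay   # fast ACLs: no lookup needed here
#   delay_access 3 allow grp_delay

# Groups to probe, taken from the thread's ACLs. One helper query per probe.
GROUPS_TO_CHECK="proxyusers-delaypool proxyusers-nondelaypool"

# Runs the real helper on "user group" lines from stdin. Arguments are the
# ones posted in the thread; the bind password is a placeholder (ASSUMPTION).
run_helper() {
  /usr/lib64/squid/squid_ldap_group -R -b "dc=example,dc=example" \
    -f "(&(sAMAccountName=%v)(memberOf=cn=%a,ou=Security,ou=groups,dc=example,dc=example))" \
    -D test@EXAMPLE.EXAMPLE -w "BIND-PASSWORD-HERE" -h 192.168.1.254
}

# True when the helper answers OK for "user group" (first word of its reply).
is_member() {
  verdict=$(printf '%s %s\n' "$1" "$2" | run_helper | head -n 1 | cut -d ' ' -f 1)
  [ "$verdict" = "OK" ]
}

# Builds the reply for one username: OK plus one group="..." pair per
# matched group, or ERR when the user is in none of the checked groups.
annotate_user() {
  reply=""
  for g in $GROUPS_TO_CHECK; do
    is_member "$1" "$g" && reply="$reply group=\"$g\""
  done
  if [ -n "$reply" ]; then printf 'OK%s\n' "$reply"; else printf 'ERR\n'; fi
}

# Helper protocol loop: Squid writes one %LOGIN per line and expects one
# reply line back. Only runs with --serve so the file can also be sourced.
serve() {
  while IFS= read -r user; do
    [ -n "$user" ] && annotate_user "$user"
  done
}

if [ "${1:-}" = "--serve" ]; then serve; fi
```

Every probe forks the LDAP helper and performs a fresh bind, so keep the external_acl_type ttl= high (or rework run_helper around a persistent helper process) and confirm the note ACL syntax for your exact version with `squid -k parse`.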