Ugh, I am trying to get Squid to deny access to a particular AD group, but when I enable the rule, it denies everyone.
This is what I have in squid.conf:

# NTLM
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on

# Limit access for Factory users
external_acl_type nt_group %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
acl FactoryDeny external nt_group sec_deny_internet
http_access deny FactoryDeny

acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth
-=-
I have verified the ext_wbinfo_group_acl works:
[root@fac-proxy squid]# ./ext_wbinfo_group_acl -d
Debugging mode ON.
user sec_vpn_users
Got user sec_vpn_users from squid
User: -user-
Group: -sec_vpn_users-
SID: -S-1-5-21-1978138449-291607360-3720246513-19354-
GID: -1677721-
Sending OK to squid
OK
user sec_deny_internet
Got user sec_deny_internet from squid
User: -user-
Group: -sec_deny_internet-
SID: -S-1-5-21-1978138449-291607360-3720246513-18148-
GID: -1677721-
Sending ERR to squid
ERR
Because this is a production server there's a bunch of traffic on it so I can't catch too much of the log, but this is what I can see with debugging turned on:
2016/09/13 23:22:32.552 kid1| Acl.cc(336) matches: ACLList::matches: checking FactoryDeny
2016/09/13 23:22:32.552 kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'FactoryDeny'
2016/09/13 23:22:32.552 kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'FactoryDeny' is -1
2016/09/13 23:22:32.552 kid1| Acl.cc(343) matches: FactoryDeny failed.
2016/09/13 23:22:32.552 kid1| Acl.cc(354) matches: FactoryDeny result is false
If the result is false then the deny should be false and it should continue to the next rule, right?
Please help, I don't get it...
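Added example, not part of the original post: a small Python filter that pulls the per-ACL result lines out of a busy cache.log, so the evaluations of one ACL can be counted and any result code other than 0 or 1 located by timestamp. The line format is taken from the excerpt above; the function names and the sample lines marked as constructed are assumptions.

```python
import re
import sys
from collections import Counter, defaultdict

# "result for '<acl>' is <n>" debug lines, in the format shown in the excerpt above.
RESULT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) kid\d+\| "
    r".*checklistMatches: .*result for '(?P<acl>[^']+)' is (?P<code>-?\d+)\s*$",
    re.IGNORECASE,
)

def parse_results(lines):
    """Yield (timestamp, acl_name, result_code) for every ACL result line."""
    for line in lines:
        m = RESULT_RE.match(line)
        if m:
            yield m.group("ts"), m.group("acl"), int(m.group("code"))

def tally_acl_results(lines):
    """Return {acl_name: {result_code: count}} over all result lines."""
    tally = defaultdict(Counter)
    for _ts, acl, code in parse_results(lines):
        tally[acl][code] += 1
    return {acl: dict(counts) for acl, counts in tally.items()}

def unusual_results(lines, acl_name):
    """Return (timestamp, code) pairs where acl_name gave neither 0 nor 1."""
    return [(ts, code) for ts, acl, code in parse_results(lines)
            if acl == acl_name and code not in (0, 1)]

# Sample input: the first three lines are copied from the post's excerpt;
# the last two are constructed to stand in for other traffic.
SAMPLE = """\
2016/09/13 23:22:32.552 kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'FactoryDeny'
2016/09/13 23:22:32.552 kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'FactoryDeny' is -1
2016/09/13 23:22:32.552 kid1| Acl.cc(343) matches: FactoryDeny failed.
2016/09/13 23:22:32.601 kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'auth' is 1
2016/09/13 23:22:32.640 kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'FactoryDeny' is 0
""".splitlines()

if __name__ == "__main__":
    # Pass a cache.log path as the first argument, or run on the sample.
    lines = list(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print(tally_acl_results(lines))
    for ts, code in unusual_results(lines, "FactoryDeny"):
        print(ts, "FactoryDeny result", code)
```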