On 14/09/2016 5:43 p.m., Jason Leshchyshyn wrote:
> Ugh, I am trying to get Squid to deny access to a particular AD group,
> but when I enable the rule, then it denies everyone.
>
> This is what I have in squid.conf
>
> > # NTLM
> > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 15
> > auth_param ntlm keep_alive on
> >
> > # Limit access for Factory users
> > external_acl_type nt_group %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
> > acl FactoryDeny external nt_group sec_deny_internet
> > http_access deny FactoryDeny

Move all that below the "deny !auth" line. One would expect clients to
login before group checking. Order is important.

> > acl auth proxy_auth REQUIRED
> > http_access deny !auth
> > http_access allow auth
>
> -=-
>
> I have verified the ext_wbinfo_group_acl works:
>
> > [root@fac-proxy squid]# ./ext_wbinfo_group_acl -d
> > Debugging mode ON.
> > user sec_vpn_users
> > Got user sec_vpn_users from squid

This is irrelevant, sec_vpn_users is not a group in the config above.

> > user sec_deny_internet
> > Got user sec_deny_internet from squid
> > User: -user-
> > Group: -sec_deny_internet-
> > SID: -S-1-5-21-1978138449-291607360-3720246513-18148-
> > GID: -1677721-
> > Sending ERR to squid

Meaning the "deny FactoryDeny" is false (no deny action) when the
username is "user".

> Because this is a production server there's a bunch of traffic on it so
> I can't catch too much of the log, but this is what I can see with
> debugging turned on:
>
> > 2016/09/13 23:22:32.552 kid1| Acl.cc(336) matches: ACLList::matches: checking FactoryDeny
> > 2016/09/13 23:22:32.552 kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'FactoryDeny'
> > 2016/09/13 23:22:32.552 kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'FactoryDeny' is -1

Login credentials are unknown (-1). Authentication needs to be performed
and the ACLs checked again.

> > 2016/09/13 23:22:32.552 kid1| Acl.cc(343) matches: FactoryDeny failed.
> > 2016/09/13 23:22:32.552 kid1| Acl.cc(354) matches: FactoryDeny result is false
>
> If the result is false then the deny should be false and it should
> continue to the next rule, right?

Normally yes, but authentication is involved here and that makes it a bit
more complex. Since the external_acl_type uses %LOGIN and responds with
-1, that is a signal that the false actually means Squid is to generate
the 407/401 response to make authentication happen. The http_access
action is not known yet, and won't be until the client presents some
credentials.

The suggestion above to place the authentication above the group lookup
simplifies things again by ensuring that auth has already happened and
this special-case situation with %LOGIN does not happen very often.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
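The reordering Amos recommends, written out as a complete squid.conf fragment. This is an added example, not a config posted in the thread; the helper paths, ACL names and group name are taken from Jason's config, and the final `http_access deny all` line is the usual default-deny, assumed here rather than quoted from the thread.

```conf
# NTLM authentication helper (unchanged from the original config)
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on

# Group lookup helper. %LOGIN means the helper is fed the authenticated
# username, so it can only give a definite answer once login has happened.
external_acl_type nt_group %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
acl FactoryDeny external nt_group sec_deny_internet

acl auth proxy_auth REQUIRED

# 1. Force authentication first. An unauthenticated request is answered
#    with 407 here, so every rule below sees a known username.
http_access deny !auth

# 2. Only now consult the AD group. With credentials present the helper
#    returns OK or ERR; the "credentials unknown" (-1) case that made the
#    original order deny everyone no longer arises at this point.
http_access deny FactoryDeny

# 3. Everyone else who authenticated is allowed through.
http_access allow auth

# Default-deny for anything that fell through (assumed standard trailer).
http_access deny all
```

Keep the three `http_access` lines in exactly this order; moving `deny FactoryDeny` above `deny !auth` recreates the behaviour described in the thread.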