Search squid archive

Re: Squid doesn't notice AD group changes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I am not sure but, I am pretty sure that the group membership is better handled in the LDAP level.

The Kerberos side is for handling the password between the client and the server.

A LDAP search/lookup for a user group membership seems more reasonable to me.

 

I have not implemented this with AD but when I have implemented it with LDAP it worked as expected.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: ngtech1ltd@xxxxxxxxx

Zoom: Coming soon

 

 

From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of heimarbeit123.99@xxxxxx
Sent: Wednesday, January 20, 2021 3:51 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Squid doesn't notice AD group changes

 

Hello all! :)

 

I am running squid 4.1 on the newest Linux Mint with Kerberos SSO(connected to my AD), so I can check for AD groups and therefore block websites and so on. Thanks to the very good documentation everything looks good so far!

But there is one realy big problem: Squid does not recognize AD group membership changes.

What does that mean?

 

Imagine I have TestUser1 and TestGroup1 and Testgroup2 in my AD. If I join TestUser1 to Testgroup1 everything is working(the first time ever, this specific user is getting member of one of these two groups). SSO works and the forbidden websites get blocked. So far so good ;)

But if I remove TestUser1 from TestGroup1 and make him a member of Testgroup2, shit is about to hit the fan!

After some seconds(winbind cache time = 30 in smb.conf) winbind recognizes, that TestUser1 is not member of TestGroup1 anymore, but now is a member of Testgroup2. But Squid doesn't!! Squid further treats TestUser1 as he would still be in TestGroup1.

But if I now add a completly new user TestUser2 to the AD and then to Testgroup2, squid will treat this user corretly. If I then remove TestUser2 from Testgroup2 and add this user to TestGroup1, same shit again: winbind recognizes the change, but squid still treats TestUser2 like he would be member of TestGroup2.

 

What I tried:

-remove cache (net cache flush, "cache deny all", "no_cache deny all")

-remove squid with "purge" and reinstall it, still same problem

 

Can anyone help???

 

remember: Everything works with a new user, so I dont think kerberos is the problem. And winbind recognizes the change, so I think winbind is well configured too. Maybe squid is caching something(only explanation for me) but I don't see any caching.. Maybe someone had the same issue. Would be awesome, if someone could help me!

 

Regards

Philipp

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux