
I am trying to get a Squid proxy running with Kerberos + Samba + Winbind, connected to my AD. Everything works great so far! Kerberos auth is working; wbinfo -u, -a and -g are working.

I made some new testing groups and testing users in the AD for testing the proxy (test1, test2, test3, test4 are groups and testuser1, testuser2, testuser3, testuser4 are users).

Here is my problem: testuser4 is a member of test4. Logging in as testuser4, everything works great (SSO works and Squid is blocking the content I want blocked for test4, so everything is fine). But as soon as I remove testuser4 from test4 and add this user to another group, for example test3, shit is about to hit the fan! After some minutes (winbind cache time = 600 in my smb.conf) my ext_wbinfo_group_acl is updating and telling me that testuser4 is now in test3 (testuser4 test4 --> ERR but testuser4 test3 --> OK). But Squid seems not to care at all! It still treats testuser4 as if the user were still part of test4.

In squid.conf I tried "cache deny all", but no luck so far. I also did "service squid restart" and I even did "sudo apt-get purge squid" and reinstalled it, but the same problem occurs over and over again. I really think that Squid is the problem here, because winbind is updating as it should. Also, in /var/lib/squid/cache.log is written:

2021/01/20 08:29:06 kid1| helperStatefulOpenServers: No 'negotiate_wrapper_auth' processes needed.
2021/01/20 08:29:06 kid1| helperOpenServers: Starting 0/5 'ext_wbinfo_group_acl' processes
2021/01/20 08:29:06 kid1| helperOpenServers: No 'ext_wbinfo_group_acl' processes needed.

But only if I log in with a user that I had already logged in with at some point in the past. If I create a brand new user "testuser5" and add him to test3, then everything works again. But as soon as I move testuser5 to test1 or whatever, winbind will update after some time (meaning it gives me the correct output), but Squid will always treat testuser5 as if this user were still part of test3.

If you need any config or whatever, I will update this thread ASAP.

I hope you can help me, cheers!

Shouma
  • Did you log off the user from the testing client machine? Group membership is passed only at logon and will not change as long as the session is active. – bjoster Jan 27 '21 at 15:26
  • Yes, I did, but it did not work. I did wait some time too (like 2 days). – Shouma Feb 23 '21 at 06:36
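For context on where Squid keeps its own copy of a group verdict, here is an added squid.conf fragment (not from the question and not Squid's documentation): Squid caches each ext_wbinfo_group_acl result per external_acl_type for ttl= seconds (default 3600), separately from winbind's cache, and "cache deny all" only controls HTTP object caching, not this result cache. The helper path, the external_acl_type name and the ACL name are assumed.

```squid
# Added example, not from the original question. Helper path, the
# external_acl_type name (wbgroup) and the ACL name (in_test4) are assumed.
#
# Squid caches every helper verdict (OK and ERR) for ttl= seconds; the
# default of 3600 is independent of winbind's own cache time in smb.conf.
# negative_ttl= covers ERR results. Keep both short if group moves must
# take effect quickly, at the cost of more helper lookups.
external_acl_type wbgroup ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl

# Membership check: the %LOGIN username is passed to the helper along
# with the group name "test4".
acl in_test4 external wbgroup test4

# Policy for the group; "cache deny all" below does NOT affect the
# external ACL result cache above, only what Squid stores on disk.
http_access deny in_test4
cache deny all
```

After changing ttl= values, reload the configuration ("squid -k reconfigure") so the new settings apply to subsequent lookups.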

0 Answers