[squid-users] Squid NTLM AD Group Delay Pools

Amos Jeffries squid3 at treenet.co.nz
Thu Aug 4 12:07:36 UTC 2016


On 4/08/2016 10:16 p.m., Garth wrote:
> Hi All
> 
> I am struggling with delay pools and Group AD. I have managed to narrow
> down the problem to the AD Groups. If I do user auth, the delay pool
> works perfectly. I have tried multiple groups from old to new just
> incase. The AD Groups work for normal site access in the http_access
> rules etc.
> 
> Is there a known issue with this?

Yes. See the FAQ:
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs>

> Is there a way to confirm the group
> lookup is correct by the squid/winbind?
> 

By running your group helper manually from the command line. Entering
the username (in NTLM format) and group name, separated by a space.


> Squid Cache: Version 3.1.23
> 
> Centos 6.8
> 

There is one other catch with older Squid RHEL/CentOS packages. RHEL
used to patch Squid so the cache_effective_group directive had a default
value. This actively prevents Squid being setup as a member of the
winbind_priv group in addition to its normal 'proxy' or 'nobody' group.
You have to build your own proxy without that patch to use Winbind on
RHEL and CentOS.

I see that you are using the LDAP helper (not the Winbind helper you said
you were using). So this may not be an issue, but YMMV.

> external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R
> -b "dc=example,dc=example" -f
> "(&(sAMAccountName=%v)(memberOf=cn=%a,ou=Security,ou=groups,dc=example,dc=example))"
> -D test@EXAMPLE.EXAMPLE -w testing -h 192.168.1.254
> 
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 50

:-( this month is the 10-year anniversary since MS announced NTLM was
being deprecated and removed from their software. And the 5-year
anniversary since that process was apparently completed. It is very sad
to see such a broken protocol still being used.


> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 50
> 
> acl proxyusers-delaypool external ldap_group proxyusers-delaypool
> acl proxyusers-nondelaypool external ldap_group proxyusers-nondelaypool
> acl ftp.is url_regex ftp.is.co.za
> 
> acl socialsites url_regex "/etc/squid/socialsites.txt"
> 
> In the socialsites is the following:
> 
> .facebook.com
> .facebook.co.za
> .facebook.com:443
> .youtube.com:443
> .googlevideo.
> .fbcdn.net
> .akamaihd.net
> .vimeocdn.com:443
> 
> delay_pools 4
> delay_class 1 1
> delay_class 2 2
> delay_class 3 2
> delay_class 4 1
> delay_parameters 1 244000/552000
> delay_parameters 2 524000/525000 524000/525000
> delay_parameters 3 244000/254000 244000/254000
> delay_parameters 4 244000/552000
> delay_access 1 allow socialsites proxyusers-delaypool
> delay_access 2 allow proxyusers-nondelaypool
> delay_access 3 allow proxyusers-delaypool
> delay_access 4 allow ftp.is proxyusers-delaypool
> 
> I am testing via wget and proxy input details into the bash profile. I
> can confirm the username appears in the squid logs.
> 
> Any ideas?

With Squid-3.1 you are limited to running the group lookup ACL in one of
the slow access controls. Usually http_access. Then hoping that it stays
in memory long enough for the delay_access lookup to find it there and
not "fail" because no lookup is possible.

With the recent Squid versions you can make a wrapper script** that
returns the group names to Squid-3.5 as annotations like ' group="Foo"
', and you have a 'note' type ACL checking the groups in delay_access.

** if you (or anyone) want to try patching the helper to do it without a
wrapper that would be very welcome for merging to Squid-4.

Amos
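One way to build the wrapper Amos describes, as an added example that is not from this thread or from the Squid project: a POSIX sh helper that asks the real squid_ldap_group about each candidate group for the username Squid sends it, and reports the matches back as `group="..."` annotations for a `note` ACL to check in delay_access. The candidate group list, the script path in the squid.conf comments, and the `backend_check` function are assumptions; `backend_check` stands in for the real helper call with a constructed membership table so the script runs offline, and the real command it replaces (shown in its comment) is also the manual check Amos recommends above.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): wrap squid_ldap_group so
# that one helper call returns every matching group as an annotation.
# Squid (concurrency 0) sends one %LOGIN username per line; we answer one
# line per request in the 3.5 helper reply format: OK [key=value ...]

# Assumed: the groups that the delay_access rules care about.
CANDIDATE_GROUPS="proxyusers-delaypool proxyusers-nondelaypool"

# Stand-in for the real lookup. In production this function would run
# the same command you use to test the helper by hand:
#   printf '%s %s\n' "$user" "$group" | /usr/lib64/squid/squid_ldap_group -R \
#       -b "dc=example,dc=example" -f "(&(sAMAccountName=%v)(memberOf=cn=%a,...))" \
#       -D <bind-dn> -w <password> -h <ldap-host>
# and pass through its OK/ERR reply. The table below is constructed data.
backend_check() {
    user="$1"; group="$2"
    case "$user:$group" in
        'EXAMPLE\alice:proxyusers-delaypool')    echo OK ;;
        'EXAMPLE\bob:proxyusers-nondelaypool')   echo OK ;;
        *)                                       echo ERR ;;
    esac
}

# Build the reply for one username. Membership is reported as annotations;
# the reply is always OK so the external ACL itself matches every user and
# only the note ACLs decide which delay pool applies.
annotate_user() {
    user="$1"
    reply=""
    for g in $CANDIDATE_GROUPS; do
        if [ "$(backend_check "$user" "$g")" = "OK" ]; then
            reply="$reply group=\"$g\""
        fi
    done
    printf 'OK%s\n' "$reply"
}

# Helper main loop: read usernames from Squid until EOF.
run_helper() {
    while IFS= read -r user; do
        annotate_user "$user"
    done
}

# Only serve when started with --serve, so the functions can be sourced
# and tested without blocking on stdin.
if [ "${1:-}" = "--serve" ]; then
    run_helper
fi

# Matching squid.conf lines (assumed, not from the thread). The external
# ACL runs in http_access (a slow check, where helper lookups are allowed)
# and attaches the annotations to the request; delay_access then uses the
# fast note ACL and never needs a lookup of its own:
#   external_acl_type ldap_groups %LOGIN /usr/local/bin/ldap_group_wrapper.sh --serve
#   acl pool_lookup external ldap_groups
#   http_access allow pool_lookup
#   acl delaypool_member    note group proxyusers-delaypool
#   acl nondelaypool_member note group proxyusers-nondelaypool
#   delay_access 2 allow nondelaypool_member
#   delay_access 3 allow delaypool_member
```

To try it by hand the way Amos suggests for the real helper, pipe a username in: `printf 'EXAMPLE\\alice\n' | sh ldap_group_wrapper.sh --serve` should print `OK group="proxyusers-delaypool"`, and a user in no candidate group gets a bare `OK`. Keep `external_acl_type` at its default concurrency of 0; with a concurrency channel enabled Squid prefixes each line with a channel id that this loop does not parse.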
