[squid-users] Squid Can't catch AD user's group

Tevfik Ceydeliler tevfik.ceydeliler at gmail.com
Mon Sep 23 12:45:27 UTC 2019


Hi,
My Squid ACL can't catch the AD user's group membership. That's why it can't
send the request to the correct outgoing interface.
The users are members of group_g_internet_socialmediausers and its correct interface
IP address is 10.65.12.247. 10.65.12.250 is the general outgoing address.

### NTLM
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostic --helper-protocol=squid-2.5-ntlmssp --domain=COMPANY
> auth_param ntlm children 100
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm keep_alive off


group_g_internet_socialmediausers.acl:

> CN=G_Internet_SocialMedisUsers,OU=Internet Groups,DC=company,DC=grp


and the configuration file:

> acl group_g_internet_socialmediausers external nt_group "/etc/squid/group_g_internet_socialmediausers.acl"



> http_access allow group_g_internet_socialmediausers



> tcp_outgoing_address 10.65.12.250



and outgoing part:
tcp_outgoing_address 10.65.12.247 group_g_internet_socialmediausers


cache.log shows:

> (truncated)
> 2019/09/23 15:31:45.811 kid1| 28,5| Checklist.cc(400) bannedAction: Action
> 'ALLOWED/0is not banned
> 2019/09/23 15:31:45.811 kid1| 28,5| Acl.cc(138) matches: checking
> http_access#10
> 2019/09/23 15:31:45.811 kid1| 28,5| Acl.cc(138) matches: checking
> group_g_internet_socialmediausers
> 2019/09/23 15:31:45.811 kid1| 28,3| Acl.cc(158) matches: checked:
> group_g_internet_socialmediausers = 0
> 2019/09/23 15:31:45.811 kid1| 28,3| Acl.cc(158) matches: checked:
> http_access#10 = 0
> (truncated)
> 2019/09/23 15:31:45.811 kid1| 28,3| Checklist.cc(70) preCheck:
> 0x7fff26947320 checking fast ACLs
> 2019/09/23 15:31:45.811 kid1| 28,5| Acl.cc(138) matches: checking
> tcp_outgoing_address 10.65.12.247
> 2019/09/23 15:31:45.811 kid1| 28,5| Acl.cc(138) matches: checking
> (tcp_outgoing_address 10.65.12.247 line)
> 2019/09/23 15:31:45.811 kid1| 28,5| Acl.cc(138) matches: checking
> group_g_internet_socialmediausers
> 2019/09/23 15:31:45.811 kid1| 28,3| Acl.cc(158) matches: checked:
> group_g_internet_socialmediausers = 0
> 2019/09/23 15:31:45.811 kid1| 28,3| Acl.cc(158) matches: checked:
> (tcp_outgoing_address 10.65.12.247 line) = 0
> 2019/09/23 15:31:45.811 kid1| 28,3| Acl.cc(158) matches: checked:
> tcp_outgoing_address 10.65.12.247 = 0
> 2019/09/23 15:31:46.094 kid1| 28,3| Checklist.cc(63) markFinished:
> 0x7fff26946d40 answer AUTH_REQUIRED for aclMatchExternal exception
> 2019/09/23 15:31:46.094 kid1| 28,3| Acl.cc(158) matches: checked:
> group_g_internet_socialmediausers = -1
> 2019/09/23 15:31:46.094 kid1| 28,3| Acl.cc(158) matches: checked:
> (tcp_outgoing_address 10.65.12.247 line) = -1
> 2019/09/23 15:31:46.094 kid1| 28,3| Acl.cc(158) matches: checked:
> tcp_outgoing_address 10.65.12.247 = -1
> 2019/09/23 15:31:46.094 kid1| 28,3| Checklist.cc(70) preCheck:
> 0x7fff26946d40 checking fast ACLs
> (truncated)
> 2019/09/23 15:31:52.069 kid1| 28,3| Checklist.cc(70) preCheck:
> 0x7fff26947320 checking fast ACLs
> 2019/09/23 15:31:52.069 kid1| 28,5| Acl.cc(138) matches: checking
> tcp_outgoing_address 10.65.12.247
> 2019/09/23 15:31:52.069 kid1| 28,5| Acl.cc(138) matches: checking
> (tcp_outgoing_address 10.65.12.247 line)
> 2019/09/23 15:31:52.069 kid1| 28,5| Acl.cc(138) matches: checking
> group_g_internet_socialmediausers
> 2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked:
> group_g_internet_socialmediausers = 0
> 2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked:
> (tcp_outgoing_address 10.65.12.247 line) = 0
> 2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked:
> tcp_outgoing_address 10.65.12.247 = 0
> 2019/09/23 15:31:52.069 kid1| 28,3| Checklist.cc(63) markFinished:
> 0x7fff26947320 answer DENIED for ACLs failed to match
> 2019/09/23 15:31:52.069 kid1| 28,3| Checklist.cc(70) preCheck:
> 0x7fff26947320 checking fast ACLs
> 2019/09/23 15:31:52.069 kid1| 28,5| Acl.cc(138) matches: checking
> tcp_outgoing_address 10.65.12.250
> 2019/09/23 15:31:52.069 kid1| 28,5| Acl.cc(138) matches: checking
> (tcp_outgoing_address 10.65.12.250 line)
> 2019/09/23 15:31:52.069 kid1| 28,5| Acl.cc(138) matches: checking
> 8_18_sinirsiz
> 2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked:
> 8_18_sinirsiz = 1
> 2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked:
> (tcp_outgoing_address 10.65.12.250 line) = 1
> 2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked:
> tcp_outgoing_address 10.65.12.250 = 1
> 2019/09/23 15:31:52.069 kid1| 28,3| Checklist.cc(63) markFinished:
> 0x7fff26947320 answer ALLOWED for match
> 2019/09/23 15:31:52.069 kid1| 28,4| FilledChecklist.cc(66)
> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff26947320
> 2019/09/23 15:31:52.069 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0x7fff26947320
> 2019/09/23 15:31:52.069 kid1| 28,4| FilledChecklist.cc(66)
> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff269470c0
> 2019/09/23 15:31:52.069 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0x7fff269470c0
> 2019/09/23 15:31:52.069 kid1| 28,4| FilledChecklist.cc(66)
> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x56416a6dc118
> 2019/09/23 15:31:52.069 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0x56416a6dc118
> 2019/09/23 15:31:54.699 kid1| 28,3| Checklist.cc(70) preCheck:
> 0x7fff269480a0 checking fast ACLs
> 2019/09/23 15:31:54.700 kid1| 28,5| Acl.cc(138) matches: checking
> cache_access_log /var/log/squid/access.log
> 2019/09/23 15:31:54.700 kid1| 28,5| Acl.cc(138) matches: checking
> (cache_access_log /var/log/squid/access.log line)
> 2019/09/23 15:31:54.700 kid1| 28,3| Acl.cc(158) matches: checked:
> (cache_access_log /var/log/squid/access.log line) = 1
> 2019/09/23 15:31:54.700 kid1| 28,3| Acl.cc(158) matches: checked:
> cache_access_log /var/log/squid/access.log = 1
> 2019/09/23 15:31:54.700 kid1| 28,3| Checklist.cc(63) markFinished:
> 0x7fff269480a0 answer ALLOWED for match
> 2019/09/23 15:31:54.700 kid1| 28,4| FilledChecklist.cc(66)
> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff269480a0
> 2019/09/23 15:31:54.700 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0x7fff269480a0
> 2019/09/23 15:31:59.925 kid1| 28,8| Acl.cc(355) aclCacheMatchFlush:
> aclCacheMatchFlush called for cache 0x56416a71d1a8
> 2019/09/23 15:33:11.925 kid1| 28,3| Checklist.cc(70) preCheck:
> 0x7fff269480a0 checking fast ACLs
> 2019/09/23 15:33:11.925 kid1| 28,5| Acl.cc(138) matches: checking
> cache_access_log /var/log/squid/access.log
> 2019/09/23 15:33:11.925 kid1| 28,5| Acl.cc(138) matches: checking
> (cache_access_log /var/log/squid/access.log line)
> 2019/09/23 15:33:11.925 kid1| 28,3| Acl.cc(158) matches: checked:
> (cache_access_log /var/log/squid/access.log line) = 1
> 2019/09/23 15:33:11.925 kid1| 28,3| Acl.cc(158) matches: checked:
> cache_access_log /var/log/squid/access.log = 1
> 2019/09/23 15:33:11.925 kid1| 28,3| Checklist.cc(63) markFinished:
> 0x7fff269480a0 answer ALLOWED for match
> 2019/09/23 15:33:11.925 kid1| 28,4| FilledChecklist.cc(66)
> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff269480a0
> 2019/09/23 15:33:11.925 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0x7fff269480a0
> 2019/09/23 15:33:11.925 kid1| 28,8| Acl.cc(355) aclCacheMatchFlush:
> aclCacheMatchFlush called for cache 0x56416a6ec138


In the end, the user is routed to 10.65.12.250, which is not allowed for these users.
What is wrong?




-- 
Tevfik Ceydeliler
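
A triage helper for the cache.log excerpt above, added here as an example and not part of the original post or of Squid: it rejoins the mail-wrapped debug section 28 records and tallies each ACL's results and each checklist's final answer, so the `0` / `-1` / `1` results can be read next to the AUTH_REQUIRED, DENIED and ALLOWED verdicts. The function names are this example's own; the sample records are copied from the post.

```python
import re

# Records copied from the cache.log excerpt in the post, still quoted and mail-wrapped.
SAMPLE = """\
> 2019/09/23 15:31:45.811 kid1| 28,3| Acl.cc(158) matches: checked:
> group_g_internet_socialmediausers = 0
> 2019/09/23 15:31:46.094 kid1| 28,3| Checklist.cc(63) markFinished:
> 0x7fff26946d40 answer AUTH_REQUIRED for aclMatchExternal exception
> 2019/09/23 15:31:46.094 kid1| 28,3| Acl.cc(158) matches: checked:
> group_g_internet_socialmediausers = -1
> (truncated)
> 2019/09/23 15:31:52.069 kid1| 28,3| Checklist.cc(63) markFinished:
> 0x7fff26947320 answer DENIED for ACLs failed to match
> 2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked:
> tcp_outgoing_address 10.65.12.250 = 1
> 2019/09/23 15:31:52.069 kid1| 28,3| Checklist.cc(63) markFinished:
> 0x7fff26947320 answer ALLOWED for match
"""

STAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+ ")
CHECKED = re.compile(r"matches: checked: (.+?) = (-?\d+)$")
FINISHED = re.compile(r"markFinished: (0x[0-9a-f]+) answer (\S+) for (.+)$")

def unwrap(text):
    """Strip '> ' quoting and rejoin records that the mail client wrapped."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line or line == "(truncated)":
            continue
        if STAMP.match(line) or not records:
            records.append(line)       # a timestamp starts a new record
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records

def summarize(text):
    """Return ({acl: [results in log order]}, [(checklist, answer, reason), ...])."""
    results, answers = {}, []
    for rec in unwrap(text):
        if m := CHECKED.search(rec):
            results.setdefault(m.group(1), []).append(int(m.group(2)))
        elif m := FINISHED.search(rec):
            answers.append(m.groups())
    return results, answers

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```
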