[squid-users] Squid doesn't notice AD group changes

Klaus Brandl klaus_brandl at genua.de
Wed Jan 20 16:21:18 UTC 2021


Some similar problem here...

What type of acl do you use for the group selection? Could you please
post the related config lines?

Remember, the client also caches the group information; I have to
log out and log in again for this to take effect.
(check with "whoami /groups")

Regards

Klaus

On Wednesday, 20.01.2021, at 14:50 +0100,
heimarbeit123.99 at web.de wrote:
> Hello all! :)
>  
> I am running squid 4.1 on the newest Linux Mint with Kerberos
> SSO (connected to my AD), so I can check for AD groups and therefore
> block websites and so on. Thanks to the very good documentation
> everything looks good so far!
> But there is one really big problem: Squid does not recognize AD group
> membership changes.
> What does that mean?
>  
> Imagine I have TestUser1 and TestGroup1 and Testgroup2 in my AD. If I
> join TestUser1 to Testgroup1 everything is working (the first time
> ever that this specific user becomes a member of one of these two
> groups). SSO works and the forbidden websites get blocked. So far so
> good ;)
> But if I remove TestUser1 from TestGroup1 and make him a member of
> Testgroup2, shit is about to hit the fan!
> After some seconds (winbind cache time = 30 in smb.conf) winbind
> recognizes that TestUser1 is not a member of TestGroup1 anymore, but
> now is a member of Testgroup2. But Squid doesn't!! Squid continues
> to treat TestUser1 as if he were still in TestGroup1.
> But if I now add a completely new user TestUser2 to the AD and then to
> Testgroup2, squid will treat this user correctly. If I then remove
> TestUser2 from Testgroup2 and add this user to TestGroup1, same shit
> again: winbind recognizes the change, but squid still treats
> TestUser2 as if he were a member of TestGroup2.
>  
> What I tried:
> -remove cache (net cache flush, "cache deny all", "no_cache deny
> all")
> -remove squid with "purge" and reinstall it, still same problem
>  
> Can anyone help???
>  
> Remember: everything works with a new user, so I don't think Kerberos
> is the problem. And winbind recognizes the change, so I think winbind
> is well configured too. Maybe squid is caching something (only
> explanation for me) but I don't see any caching... Maybe someone had
> the same issue. Would be awesome if someone could help me!
>  
> Regards
> Philipp