<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>I am not sure but, I am pretty sure that the group membership is better handled in the LDAP level.<o:p></o:p></p><p class=MsoNormal>The Kerberos side is for handling the password between the client and the server.<o:p></o:p></p><p class=MsoNormal>A LDAP search/lookup for a user group membership seems more reasonable to me.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I have not implemented this with AD but when I have implemented it with LDAP it worked as expected.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Eliezer<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>----<o:p></o:p></p><p class=MsoNormal>Eliezer Croitoru<o:p></o:p></p><p class=MsoNormal>Tech Support<o:p></o:p></p><p class=MsoNormal>Mobile: +972-5-28704261<o:p></o:p></p><p class=MsoNormal>Email: <a href="mailto:ngtech1ltd@gmail.com"><span style='color:blue'>ngtech1ltd@gmail.com</span></a><o:p></o:p></p><p class=MsoNormal>Zoom: Coming soon<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> squid-users <squid-users-bounces@lists.squid-cache.org> <b>On Behalf Of </b>heimarbeit123.99@web.de<br><b>Sent:</b> Wednesday, January 20, 2021 3:51 PM<br><b>To:</b> squid-users@lists.squid-cache.org<br><b>Subject:</b> [squid-users] Squid doesn't notice AD group changes<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>Hello all! :)<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>I am running squid 4.1 on the newest Linux Mint with Kerberos SSO(connected to my AD), so I can check for AD groups and therefore block websites and so on. Thanks to the very good documentation everything looks good so far!<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>But there is one realy big problem: Squid does not recognize AD group membership changes.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>What does that mean?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>Imagine I have TestUser1 and TestGroup1 and Testgroup2 in my AD. If I join TestUser1 to Testgroup1 everything is working(the first time ever, this specific user is getting member of one of these two groups). SSO works and the forbidden websites get blocked. So far so good ;)<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>But if I remove TestUser1 from TestGroup1 and make him a member of Testgroup2, shit is about to hit the fan!<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>After some seconds(winbind cache time = 30 in smb.conf) winbind recognizes, that TestUser1 is not member of TestGroup1 anymore, but now is a member of Testgroup2. But Squid doesn't!! Squid further treats TestUser1 as he would still be in TestGroup1.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>But if I now add a completly new user TestUser2 to the AD and then to Testgroup2, squid will treat this user corretly. If I then remove TestUser2 from Testgroup2 and add this user to TestGroup1, same shit again: winbind recognizes the change, but squid still treats TestUser2 like he would be member of TestGroup2.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>What I tried:<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>-remove cache (net cache flush, "cache deny all", "no_cache deny all")<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>-remove squid with "purge" and reinstall it, still same problem<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>Can anyone help???<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>remember: Everything works with a new user, so I dont think kerberos is the problem. And winbind recognizes the change, so I think winbind is well configured too. Maybe squid is caching something(only explanation for me) but I don't see any caching.. Maybe someone had the same issue. Would be awesome, if someone could help me!<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>Regards<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>Philipp<o:p></o:p></span></p></div></div></div></div></body></html>