[squid-users] Cannot get ACL to work

Jason Leshchyshyn alphabet at shaw.ca
Wed Sep 14 05:43:44 UTC 2016


Ugh, I am trying to get Squid to deny access to a particular AD group, but when I enable the rule, then it denies everyone.


This is what I have in squid.conf 

    # NTLM
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 15
    auth_param ntlm keep_alive on

    # Limit access for Factory users
    external_acl_type nt_group %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
    acl FactoryDeny external nt_group sec_deny_internet
    http_access deny FactoryDeny

    acl auth proxy_auth REQUIRED
    http_access deny !auth
    http_access allow auth


-=- 
I have verified the ext_wbinfo_group_acl works: 


    [root at fac-proxy squid]# ./ext_wbinfo_group_acl -d
    Debugging mode ON.
    user sec_vpn_users
    Got user sec_vpn_users from squid
    User: -user-
    Group: -sec_vpn_users-
    SID: -S-1-5-21-1978138449-291607360-3720246513-19354-
    GID: -1677721-
    Sending OK to squid
    OK
    user sec_deny_internet
    Got user sec_deny_internet from squid
    User: -user-
    Group: -sec_deny_internet-
    SID: -S-1-5-21-1978138449-291607360-3720246513-18148-
    GID: -1677721-
    Sending ERR to squid
    ERR




Because this is a production server there's a bunch of traffic on it so I can't catch too much of the log, but this is what I can see with debugging turned on: 


    2016/09/13 23:22:32.552 kid1| Acl.cc(336) matches: ACLList::matches: checking FactoryDeny
    2016/09/13 23:22:32.552 kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'FactoryDeny'
    2016/09/13 23:22:32.552 kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'FactoryDeny' is -1
    2016/09/13 23:22:32.552 kid1| Acl.cc(343) matches: FactoryDeny failed.
    2016/09/13 23:22:32.552 kid1| Acl.cc(354) matches: FactoryDeny result is false




If the result is false then the deny should be false and it should continue to the next rule, right? 


Please help, I don't get it... 
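As an added example (not part of the original post, and not Squid's own helper code), a minimal external ACL helper in Python that speaks the same line protocol that ext_wbinfo_group_acl speaks in the debug session above: Squid writes one "<user> <group>" line per lookup (the %LOGIN field plus the group named in the acl line) and reads back a single OK or ERR line. Group membership comes from a constructed in-memory table instead of winbind so it runs offline, and the BH reply for malformed input assumes Squid 3.4 or later.

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl_type helper in the style of ext_wbinfo_group_acl.

Protocol (one lookup per line on stdin, one reply per line on stdout):
  request : "<user> <group>"          e.g. "user sec_deny_internet"
  reply   : "OK" | "ERR" | "BH ..."   optionally followed by key=value pairs
The helper is a stand-in for winbind; see GROUP_MEMBERS below.
"""
import sys

# Constructed sample data mirroring the two groups from the debug session.
# A real helper would ask winbind (wbinfo) instead of consulting a dict.
GROUP_MEMBERS = {
    "sec_vpn_users": {"user", "alice"},
    "sec_deny_internet": {"bob"},
}


def evaluate(line):
    """Return the reply for one request line from Squid.

    Squid may append further format tokens; only the first two matter here.
    A line missing the user or the group is a helper/config error, so it is
    reported as BH (helper failure, Squid 3.4+) rather than a silent ERR,
    which keeps misconfiguration visible in cache.log.
    """
    parts = line.strip().split()
    if len(parts) < 2:
        return "BH message=malformed_request"
    user, group = parts[0], parts[1]
    if group not in GROUP_MEMBERS:
        # Unknown group: not a match, but say why so the admin can see it.
        return "ERR message=unknown_group"
    return "OK" if user in GROUP_MEMBERS[group] else "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Answer requests until Squid closes the pipe; flush after every reply,
    otherwise Squid waits on a buffered answer and the ACL never resolves."""
    for line in stdin:
        stdout.write(evaluate(line) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve()
```

Run it interactively the same way the post runs ext_wbinfo_group_acl: type "user sec_vpn_users" and "user sec_deny_internet" on stdin and compare the OK/ERR replies with the transcript.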


