Re: [squid-users] winbind authenticator syncronization

From: Federico Lombardo <egopfe@dont-contact.us>
Date: Fri, 27 Sep 2002 11:29:27 +0200

I've realized that it is only necessary to RESTART squid... but I'm wondering why
wb_group caches the credential....
Is it safe??

----- Original Message -----
From: "Federico Lombardo" <egopfe@hotmail.com>
To: <squid-users@squid-cache.org>
Sent: Friday, September 27, 2002 10:56 AM
Subject: [squid-users] winbind authenticator syncronization

> Scenario:
>
> + NT4 Domain, with a PDC and a BDC.
>
> + Squid proxy 2.5STABLE1 on a simple linux machine, samba 2.2.5 using
> wb_group as external acl for authentication.
>
>
> The problem is that when I change Group Credential for a user the
> authenticator is not coherent with the scenario.
>
> Example:
>
>
> Domain user USER1, Group INTERNETFULL.
>
> (in the acl, only INTERNETFULL can surf web)
>
> On my squid machine I do /usr/squid/libexec/wb_group
> Domain\\USER1 InternetFull
> OK
>
> User1 surfs the web without any problem....
>
> After that I change User1 credential, removing INTERNETFULL, synchronize PDC
> with BDC and logoff/logon on the USER1 pc.
>
> On my squid machine I do /usr/squid/libexec/wb_group
>
> Domain\\USER1 InternetFull
> ERR
>
>
> But my USER1 still goes on surfing the web
>
>
>
> The same happens when I do an inverse test, example:
>
> USER2 without InternetFull
>
> On my squid machine I do /usr/squid/libexec/wb_group
> Domain\\USER2 InternetFull
> ERR
>
> In fact, it can't surf the web.
>
> Now add credential InternetFull on the user, synchronize PDC with BDC and
> logoff/logon on the USER2 pc.
> On my squid machine I do /usr/squid/libexec/wb_group
> Domain\\USER2 InternetFull
> OK
>
> Connect IE with the proxy, and it continues to receive ACCESS DENIED...
> Check access.log and I can see Domain\\USER2 but with only
> TCP_DENIED403...
>
>
> Where is the problem ???
>
Received on Fri Sep 27 2002 - 03:30:37 MDT
