Re: [squid-users] winbind authenticator syncronization

From: Jerry Murdock <jmurdock@dont-contact.us>
Date: Fri, 27 Sep 2002 07:18:55 -0400

It's standard (and configurable) behavior.

Look at the ttl and negative_ttl parameters of the external_acl definition
in squid.conf. The default time is one hour which may be a little long.

smb.conf's "winbind cache time" might come into play as well. Its default
is only 15 seconds, but it's a parameter to be aware of if you're tweaking
these values for security purposes.

Jerry

----- Original Message -----
From: "Federico Lombardo" <egopfe@hotmail.com>
To: "Federico Lombardo" <egopfe@hotmail.com>; <squid-users@squid-cache.org>
Sent: Friday, September 27, 2002 5:29 AM
Subject: Re: [squid-users] winbind authenticator syncronization

> I've realized that it is only needed to RESTART squid... but I'm wondering why
> wb_group caches the credential....
> Is it safe??
>
>
>
> ----- Original Message -----
> From: "Federico Lombardo" <egopfe@hotmail.com>
> To: <squid-users@squid-cache.org>
> Sent: Friday, September 27, 2002 10:56 AM
> Subject: [squid-users] winbind authenticator syncronization
>
>
> > Scenario:
> >
> > + NT4 Domain, with a PDC and a BDC.
> >
> > + Squid proxy 2.5STABLE1 on a simple linux machine, samba 2.2.5 using
> > wb_group as external acl for authentication.
> >
> >
> > The problem is that when I change Group Credential for a user the
> > authenticator is not coherent with the scenario.
> >
> > Example:
> >
> >
> > Domain user USER1, Group INTERNETFULL.
> >
> > (in the acl, only INTERNETFULL can surf web)
> >
> > On my squid machine I do /usr/squid/libexec/wb_group
> > Domain\\USER1 InternetFull
> > OK
> >
> > The user1 surfs the web without any problem....
> >
> > After that I change User1 credential, removing INTERNETFULL, synchronize PDC
> > with BDC and logoff/logon on the USER1 pc.
> >
> > On my squid machine I do /usr/squid/libexec/wb_group
> >
> > Domain\\USER1 InternetFull
> > ERR
> >
> >
> > But my USER1 still goes on surfing the web
> >
> >
> >
> > Idem when I do an inverse test, example:
> >
> > USER2 without InternetFull
> >
> > On my squid machine I do /usr/squid/libexec/wb_group
> > Domain\\USER2 InternetFull
> > ERR
> >
> > In fact, it can't surf the web.
> >
> > Now add credential InternetFull on the user, synchronize PDC with BDC and
> > logoff/logon on the USER2 pc.
> > On my squid machine I do /usr/squid/libexec/wb_group
> > Domain\\USER2 InternetFull
> > OK
> >
> > Connect IE with the proxy, and it continues to receive ACCESS DENIED...
> > Control access.log and I can see Domain\\USER2 but with only
> > TCP_DENIED403...
> >
> >
> > Where is the problem ???
> >
>
Received on Fri Sep 27 2002 - 05:20:25 MDT
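
The caching behaviour described in the reply above, as an added example that is not part of the original thread and is not Squid or Samba code: a simplified model of Squid's external_acl result cache (ttl, negative_ttl) sitting in front of a winbind lookup cache ("winbind cache time"). The class and function names are hypothetical, and the model assumes each layer simply reuses an answer until its timer expires.

```python
"""Toy model of two stacked TTL caches: the proxy's external ACL result
cache in front of a helper whose lookups are cached as well.
Constructed for illustration; all names here are hypothetical."""


class TtlCache:
    def __init__(self, lookup, ttl, negative_ttl):
        self.lookup = lookup              # function(key, now) -> bool
        self.ttl = ttl                    # seconds an allow (OK) answer is reused
        self.negative_ttl = negative_ttl  # seconds a deny (ERR) answer is reused
        self.entries = {}                 # key -> (answer, time stored)

    def check(self, key, now):
        hit = self.entries.get(key)
        if hit is not None:
            answer, stored = hit
            lifetime = self.ttl if answer else self.negative_ttl
            if now - stored < lifetime:
                return answer             # served from cache, backend not asked
        answer = self.lookup(key, now)
        self.entries[key] = (answer, now)
        return answer


def build_proxy(members, acl_ttl, acl_negative_ttl, winbind_cache_time):
    """Return check(user, group, now) giving the proxy's access decision."""
    def domain(key, now):
        return key in members             # live group membership in the domain
    winbind = TtlCache(domain, winbind_cache_time, winbind_cache_time)
    squid = TtlCache(winbind.check, acl_ttl, acl_negative_ttl)
    return lambda user, group, now: squid.check((user, group), now)


def seconds_until_revoked(acl_ttl, winbind_cache_time):
    """USER1 loses the group right after a successful check; return how many
    seconds the proxy keeps allowing the user (polled once per second)."""
    members = {("USER1", "InternetFull")}
    check = build_proxy(members, acl_ttl, acl_ttl, winbind_cache_time)
    check("USER1", "InternetFull", 0)     # first request caches the OK answer
    members.clear()                       # membership removed in the domain
    now = 0
    while check("USER1", "InternetFull", now):
        now += 1
    return now
```

With a one-hour ttl the removed user keeps access for 3600 seconds, and setting the proxy ttl below the winbind cache time (10 against 15) still leaves a 20-second window, because the refreshed proxy entry is filled from the stale winbind answer.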