[squid-users] wbinfo_group.pl - false positive under certain conditions

From: Isnard Delacoste Jaquet Junior <isnardjunior@dont-contact.us>
Date: Mon, 10 Sep 2007 15:42:51 -0300

Hello,

I'm using wbinfo_group.pl script and it works like a charm, but I ran
into a condition where it reveals a false positive.

The situation is as follows:

I have squid 2.6-15 running with samba 3.0.22 authenticating against an
AD forest which lets me authenticate users from domains other than my
own (I'm one of the branches), but it's not able to verify the user
groups. I think that's just the way it's configured. No complaints.
Now... I found an interesting problem when I have people from other
domains trying to surf through squid within my domain branch. They get
authenticated (which is fine), and when the request gets to the point
where it has to verify the groups listed at the external acl and if I
get an invalid group name to be verified (I mistyped the group's name in
squid.conf) wbinfo_group.pl runs the code below and returns OK instead
of ERR:

sub check {
        local($user, $group) = @_;
        $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
        chop $groupSID;
        $groupGID = `wbinfo -Y "$groupSID"`;
        chop $groupGID;
        &debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
        # Check whether wbinfo -r returns the user's groups or nothing
        return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
        return 'ERR';
}

Well, I think it happens because when it runs `wbinfo -n "$group" | cut
-d" " -f1` and the group can't be verified it returns an empty string
to the variable groupSID, which in turn returns an empty string to the
variable groupGID when it runs `wbinfo -Y "$groupSID"`. Since the
command `wbinfo -r \Q$user\E`, which will return the groups for a given
user, can't verify it (because of the way the forest is configured -
can't verify groups from different domains), and it compares with the
value of the groupSID variable, it matches, because they are both empty
variables.

I altered very little of the script to be able to verify it and return
the right code to squid.

It goes like this:

sub check {
        local($user, $group) = @_;
        $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
        chop $groupSID;
        $groupGID = `wbinfo -Y "$groupSID"`;
        chop $groupGID;
        &debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
        return 'ERR' if($groupGID eq ""); # Verify if groupGID variable is empty.
        return 'ERR' if(`wbinfo -r \Q$user\E` eq ""); # Verify if "wbinfo -r" command returns no value.
        return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
        return 'ERR';
}

I know it comes from a broken configuration (I mistyped the group name),
but it might happen to others as well and perhaps go unnoticed.

Is it a samba thing? Am I even supposed to be talking to them instead of
you guys?

Any comments will be greatly appreciated.

Thanks in advance.

Regards,

Isnard Jaquet
Received on Mon Sep 10 2007 - 12:43:10 MDT
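
The failure mode described in this post, reproduced offline as an added example that is not part of the original message or of the wbinfo_group.pl script. fake_wbinfo and the %FAKE table are hypothetical stand-ins with constructed values, and the SID and numeric-GID format checks in check_strict are assumptions that go beyond the poster's empty-string tests.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data standing in for wbinfo output (not real SIDs/GIDs).
my %FAKE = (
    'n:Internet' => "S-1-5-21-1111-2222-3333-1105 Domain Group (2)\n",
    'Y:S-1-5-21-1111-2222-3333-1105' => "10005\n",
    'r:alice' => "10000\n10005\n",  # local user, groups resolvable
    'r:bob'   => "",                # other-domain user, no groups returned
);
# Hypothetical stand-in for running `wbinfo -<opt> <arg>`.
sub fake_wbinfo { my ($opt, $arg) = @_; return $FAKE{"$opt:$arg"} // ''; }

# Logic of the original check: an empty GID makes the pattern /^$/m,
# which matches the empty output of "wbinfo -r".
sub check_original {
    my ($wbinfo, $user, $group) = @_;
    my ($sid) = split ' ', $wbinfo->('n', $group);
    my $gid = $wbinfo->('Y', $sid // '');
    chomp $gid;
    return $wbinfo->('r', $user) =~ /^$gid$/m ? 'OK' : 'ERR';
}

# Fail-closed variant: every lookup must yield a well-formed value.
sub check_strict {
    my ($wbinfo, $user, $group) = @_;
    my ($sid) = split ' ', $wbinfo->('n', $group);
    return 'ERR' unless defined $sid && $sid =~ /\AS-\d+(?:-\d+)+\z/;
    my $gid = $wbinfo->('Y', $sid);
    chomp $gid;
    return 'ERR' unless $gid =~ /\A\d+\z/;      # assumed: numeric GID
    # Query the user's groups once and compare by exact membership
    # instead of interpolating $gid into a regex.
    my %member = map { $_ => 1 } grep { /\A\d+\z/ }
                 split /\n/, $wbinfo->('r', $user);
    return $member{$gid} ? 'OK' : 'ERR';
}

for my $case (['alice', 'Internet'], ['bob', 'Internet'], ['bob', 'Intrenet']) {
    my ($user, $group) = @$case;
    printf "%-5s %-8s original=%-3s strict=%s\n", $user, $group,
        check_original(\&fake_wbinfo, $user, $group),
        check_strict(\&fake_wbinfo, $user, $group);
}
```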
