Squid doesn't notice AD group changes


Squid doesn't notice AD group changes

Shouma
Hello all! :)
 
I am running squid 4.1 on the newest Linux Mint with Kerberos SSO (connected to my AD), so I can check for AD groups and therefore block websites and so on. Thanks to the very good documentation everything looks good so far!
But there is one really big problem: Squid does not recognize AD group membership changes.
What does that mean?
 
Imagine I have TestUser1 and TestGroup1 and Testgroup2 in my AD. If I join TestUser1 to Testgroup1 everything is working (the first time ever that this specific user becomes a member of one of these two groups). SSO works and the forbidden websites get blocked. So far so good ;)
But if I remove TestUser1 from TestGroup1 and make him a member of Testgroup2, shit is about to hit the fan!
After some seconds (winbind cache time = 30 in smb.conf) winbind recognizes that TestUser1 is not a member of TestGroup1 anymore, but now is a member of Testgroup2. But Squid doesn't!! Squid still treats TestUser1 as if he were in TestGroup1.
But if I now add a completely new user TestUser2 to the AD and then to Testgroup2, squid will treat this user correctly. If I then remove TestUser2 from Testgroup2 and add this user to TestGroup1, same shit again: winbind recognizes the change, but squid still treats TestUser2 as if he were a member of TestGroup2.
 
What I tried:
-remove cache (net cache flush, "cache deny all", "no_cache deny all")
-remove squid with "purge" and reinstall it, still same problem
 
Can anyone help???
 
Remember: everything works with a new user, so I don't think Kerberos is the problem. And winbind recognizes the change, so I think winbind is well configured too. Maybe squid is caching something (the only explanation for me), but I don't see any caching. Maybe someone had the same issue. It would be awesome if someone could help me!
 
Regards
Philipp

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid doesn't notice AD group changes

Klaus Brandl
some similar problem here...

What type of acl do you use for the group selection? Could you please
post the related config lines?

Remember, the client also caches the group information; I have to
log out/log in to let this take effect.
(check with "whoami /groups")

Regards

Klaus

On Wednesday, 20.01.2021, 14:50 +0100, [hidden email] wrote:


Re: Squid doesn't notice AD group changes

Eliezer Croitoru-3
In reply to this post by Shouma

I am not sure, but I am pretty sure that the group membership is better handled at the LDAP level.

The Kerberos side is for handling the password between the client and the server.

An LDAP search/lookup for a user's group membership seems more reasonable to me.

 

I have not implemented this with AD but when I have implemented it with LDAP it worked as expected.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

Zoom: Coming soon

 

 

From: squid-users <[hidden email]> On Behalf Of [hidden email]
Sent: Wednesday, January 20, 2021 3:51 PM
To: [hidden email]
Subject: [squid-users] Squid doesn't notice AD group changes

 


Re: Squid doesn't notice AD group changes

Eliezer Croitoru-3
In reply to this post by Shouma

Have you tried to use external_acl_type for group membership checks?

 

Something like this should do the trick:

external_acl_type ad_group_member_check ttl=120 %LOGIN /usr/lib/squid/ext_ldap_group_acl -d -R -K -S -b "dc=ng,dc=tech" -D [hidden email] -W /etc/squid/ldappass.txt  -f "(&(sAMAccountName=%u)(memberOf=CN=%g,OU=Groups,DC=ng,DC=tech))" -h ngtech-dc.ng.tech

 


Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

Zoom: Coming soon

 

 

From: squid-users <[hidden email]> On Behalf Of [hidden email]
Sent: Wednesday, January 20, 2021 3:51 PM
To: [hidden email]
Subject: [squid-users] Squid doesn't notice AD group changes

 


Re: Squid doesn't notice AD group changes

Amos Jeffries
Administrator
In reply to this post by Shouma
The issue is many layers of caching and interdependent data.

Once the auth backend system is producing the right output the group helper cache needs to expire, then lookups by that helper will be correct.

Then all the tcp connections holding onto that user's credentials need to close. Only once all that happens will there be no user+group1 link to confuse.

If any of the old tcp connections remain open they cache the old credentials which were linked to the old group1. New tcp connections will be linked to their cached username state.

In modern squid the kerberos auth helper gives squid the list of groups at the same time as username. So there is no external ACL helper and its caching to get things mixed up. You should use the note ACL type to check those group SSIDs.
At worst you may still have to wait for tcp connections closure part.

Amos

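As an added illustration of the two points raised above (Eliezer's external_acl_type filter and Amos's layered caching), and not code from the thread or from Squid: a small Python model of Squid's external ACL result cache, fed the LDAP filter from the config line. The directory contents, the FakeClock and the cache class are constructed stand-ins; in a real deployment the lookup is done by ext_ldap_group_acl and the ttl= cache lives inside Squid.

```python
import time

# LDAP filter from the external_acl_type line in this thread; %u and %g are filled per request.
FILTER_TEMPLATE = "(&(sAMAccountName=%u)(memberOf=CN=%g,OU=Groups,DC=domain,DC=com))"


def ldap_escape(value):
    """Escape LDAP filter metacharacters (RFC 4515) as backslash-hex pairs."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(user, group, template=FILTER_TEMPLATE):
    """Substitute the user and group into the template, escaping both values."""
    return template.replace("%u", ldap_escape(user)).replace("%g", ldap_escape(group))


class FakeClock:
    """Controllable clock (constructed) so TTL expiry can be stepped deterministically."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class GroupAclResultCache:
    """Model of Squid's external_acl_type result cache (the ttl= option).

    lookup(user, group) stands in for the helper's LDAP search; Squid only
    asks the helper again once the cached (user, group) entry has expired.
    """
    def __init__(self, ttl, lookup, clock=time.monotonic):
        self.ttl, self.lookup, self.clock = ttl, lookup, clock
        self.entries = {}  # (user, group) -> (result, expiry time)

    def check(self, user, group):
        now = self.clock()
        hit = self.entries.get((user, group))
        if hit is not None and hit[1] > now:
            return hit[0]  # served from cache even if AD has changed meanwhile
        result = "OK" if self.lookup(user, group) else "ERR"
        self.entries[(user, group)] = (result, now + self.ttl)
        return result

    def handle_line(self, line):
        """Helper protocol: '<user> <group>...' in, 'OK', 'ERR' or 'BH' out."""
        parts = line.split()
        if len(parts) < 2:
            return "BH message=malformed request"
        user, groups = parts[0], parts[1:]
        return "OK" if any(self.check(user, g) == "OK" for g in groups) else "ERR"


def demo_group_move(ttl=120):
    """Replay the thread: TestUser1 is moved from TestGroup1 to TestGroup2 in AD."""
    directory = {"TestUser1": {"TestGroup1"}}  # constructed stand-in for the AD
    clock = FakeClock()
    cache = GroupAclResultCache(ttl, lambda u, g: g in directory.get(u, set()), clock)
    seen = [cache.handle_line("TestUser1 TestGroup1")]     # OK, cached for ttl seconds
    directory["TestUser1"] = {"TestGroup2"}                 # AD/winbind now say Group2
    clock.advance(30)
    seen.append(cache.handle_line("TestUser1 TestGroup1"))  # still OK: stale cache entry
    seen.append(cache.handle_line("TestUser1 TestGroup2"))  # OK: fresh lookup, not cached yet
    clock.advance(ttl)
    seen.append(cache.handle_line("TestUser1 TestGroup1"))  # ERR only once the entry expired
    return seen


if __name__ == "__main__":
    print(build_filter("TestUser1", "TestGroup1"))
    print(demo_group_move())  # ['OK', 'OK', 'OK', 'ERR']
```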

Re: Squid doesn't notice AD group changes

Shouma
In reply to this post by Shouma
Thanks for your replies!

Yes, I did try "external_acl_type wbinfocheck %LOGIN /usr/lib/squid/ext_wbinfo_group_acl -K".

So if my fqdn would be "my.domain.com" it would be:

external_acl_type ad_group_member_check ttl=120 %LOGIN /usr/lib/squid/ext_ldap_group_acl -d -R -K -S -b "dc=domain,dc=com" -D 192.168.1.250@domain.com -W /etc/squid/ldappass.txt -f "(&(sAMAccountName=%u)(memberOf=CN=%g,OU=Groups,DC=domain,DC=com))" -h my.domain.com

for 192.168.1.250 being the IP from my Squid Proxy Server, right?

So I could ask for specific groups like this:
acl Group1 ad_group_member_check TestGroup1
acl Group2 ad_group_member_check TestGroup2
and so on.. Am I right?

Thank you so far for your help!

Regards,
Philipp

--
This message was sent from my Android mobile phone with WEB.DE Mail.

Re: Squid doesn't notice AD group changes

Marek Greško
Hello,

that looks correct. Maybe I would add the -B option to the
ext_ldap_group_acl helper to specify the base DN for users.

Marek


2021-01-24 10:06 GMT+01:00, [hidden email] <[hidden email]>:


Re: Squid doesn't notice AD group changes

Shouma
So I finally tried it on my Squid Proxy.
 
I edited the squid like this:
 
external_acl_type ad_group_member_check ttl=120 %LOGIN /usr/lib/squid/ext_ldap_group_acl -d -R -K -S -b "dc=domain,dc=com" -D [hidden email] -W /etc/squid/ldappass.txt -f "(&(sAMAccountName=%u)(memberOf=CN=%g,OU=Groups,DC=domain,DC=com))" -h my.domain.com
 
ProxyUser is an AD user I created, and the file "ldappass.txt" contains the password for this user.
Now I did try to ask for specific groups with the help of this:
 
acl LDAPLookup1  external ad_group_member_check Test1
 
Test1 is a group in the AD and part of the OU "Groups".
But now I have the problem that this is written in the squid cache.log:
ext_ldap_group_acl: WARNING: LDAP search error 'Referral'
 
So it seems like LDAP can not check the groups but I have no clue why.. Can someone help?
 
 
Regards,
Philipp
 
 
 
Sent: Sunday, 24 January 2021 at 17:02
From: "Marek Greško" <[hidden email]>
To: [hidden email]
Cc: [hidden email]
Subject: Re: [squid-users] Squid doesn't notice AD group changes

Re: Squid doesn't notice AD group changes

Amos Jeffries
Administrator
On 22/02/21 9:26 pm, heimarbeit123.99 wrote:
> So I finally tried it on my Squid Proxy.
> I edited the squid like this:
> external_acl_type ad_group_member_check ttl=120 %LOGIN
> /usr/lib/squid/ext_ldap_group_acl -d -R -K -S -b "dc=domain,dc=com" -D
> [hidden email] -W /etc/squid/ldappass.txt -f
> "(&(sAMAccountName=%u)(memberOf=CN=%g,OU=Groups,DC=domain,DC=com))" -h
> my.domain.com



> But now I have the problem, that in the squid cache.log is written:
> ext_ldap_group_acl: WARNING: LDAP search error 'Referral'
> So it seems like LDAP can not check the groups but I have no clue why..
> Can someone help?

Please read the documentation for that helper. Specifically pay
attention to what all those command line options do.
  <http://www.squid-cache.org/Versions/v4/manuals/ext_ldap_group_acl.html>


Amos

Re: Squid doesn't notice AD group changes

Shouma
Of course I did read the documentation. Otherwise I would not have asked here. I would not ask for your time if the solution were available to me.
I am asking right here -after some weeks- because I do not know what is finally wrong.
I can't even figure out what the error means. Even google does not help me here so I am asking this community..
 
 
Sent: Monday, 22 February 2021 at 10:24
From: "Amos Jeffries" <[hidden email]>
To: [hidden email]
Subject: Re: [squid-users] Squid doesn't notice AD group changes

Re: Squid doesn't notice AD group changes

Amos Jeffries
Administrator
On 22/02/21 10:42 pm, heimarbeit123.99 wrote:
> of course I did read the documentation. Otherwise I would not have asked
> here. I would not ask for your time if the solution would be available
> for myself.
> I am asking right here -after some weeks- because I do not know what is
> finally wrong.

You used the -R option to forbid "Referral" when your LDAP system
contains referrals. That is the direct cause of the *WARNING*, and
possibly why the lookup fails if the user/group details are contained in
that alternate LDAP database.

Amos

Re: Squid doesn't notice AD group changes

Shouma
You were right! I really don't know how I was able to miss this..
I removed "-R" and don't get the error anymore. I did read the documentation again and -K and -S should be fine. -d of course too.
 
But now I get the error "WARNING: LDAP search error 'Operations error'". I found out that many people got that because they wrote "DN" instead of "DC", but in my squid conf I wrote "DC". 
Maybe some syntax error?
I don't see what I am missing here, because the connection is OK in cache.log.
 

Regards,
Philipp
Sent: Monday, 22 February 2021 at 11:05
From: "Amos Jeffries" <[hidden email]>
To: "squid list" <[hidden email]>
Subject: Re: [squid-users] Squid doesn't notice AD group changes

Re: Squid doesn't notice AD group changes

Amos Jeffries
Administrator
On 22/02/21 11:41 pm, heimarbeit123.99 wrote:
> You were right! I realy don't know how I was able to miss this..
> I removed "-R" and don't get the error anymore. I did read the
> documentation again and -K and -S should be fine. -d of course too.
> But now I get the error "WARNING: LDAP search error 'Operations error'".
> I found out that many people got that because they wrote "DN" instead of
> "DC", but in my squid conf I wrote "DC".
> Maybe some syntax error?

I'm not seeing any syntax issues, though I do not use LDAP myself and
am not very familiar with its syntax requirements.


> I don't see what I am missing here,because connection is OK in cache.log.
>

As far as I understand there are no issues with the connection to the LDAP
service. There are issues with the things it is being required to do.

Since you have used -d to enable debug, there should be some lines added
to cache.log by the helper about what it is doing and the results of
each action. If none of those lines give you a hint, please try pasting
them in a mail here and someone else might be able to spot something.


Amos

Re: Squid doesn't notice AD group changes

Shouma
Sadly I cannot copy my log here, because the mail gets rejected again and again because of this.
 
But here are the two errors, which I can see inside the cache.log.
 
Connected OK
group filter '(&(sAMAccountName=ldaptest)(memberOf=CN=Test1,OU=Groups,DC=my.domain,DC=com))', searchbase 'dc=my.domain,dc=com'
Got user=[LDAPTest] domain=[DOMAIN] workstation=[WORKSTATION] len1=24 len2=238
WARNING: LDAP search error 'Operations error'
ERROR: helper: {result=BH, notes={message: LDAP search error; message: LDAP search error; }}, attempt #2 of 2
 
Regards,
Philipp
 
 
Sent: Monday, 22 February 2021 at 12:22
From: "Amos Jeffries" <[hidden email]>
To: "squid list" <[hidden email]>
Subject: Re: [squid-users] Squid doesn't notice AD group changes