Hi,

My Squid ACL can't catch the AD user's group membership. That's why it can't send the request to the correct outgoing interface. Users are members of group_g_internet_socialmediausers, and its correct interface IP address is 10.65.12.247. 10.65.12.250 is the general outgoing address.

### NTLM
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostic --helper-protocol=squid-2.5-ntlmssp --domain=COMPANY
> auth_param ntlm children 100
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm keep_alive off

group_g_internet_socialmediausers.acl:
> CN=G_Internet_SocialMedisUsers,OU=Internet Groups,DC=company,DC=grp

and Configuration file:
> acl group_g_internet_socialmediausers external nt_group "/etc/squid/group_g_internet_socialmediausers.acl"
> http_access allow group_g_internet_socialmediausers
> tcp_outgoing_address 10.65.12.250

and outgoing part:
tcp_outgoing_address 10.65.12.247 group_g_internet_socialmediausers

cache.log shows:
> (truncated)
> 2019/09/23 15:31:45.811 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
> 2019/09/23 15:31:45.811 kid1| 28,5| Acl.cc(138) matches: checking http_access#10
> 2019/09/23 15:31:45.811 kid1| 28,5| Acl.cc(138) matches: checking group_g_internet_socialmediausers
> 2019/09/23 15:31:45.811 kid1| 28,3| Acl.cc(158) matches: checked: group_g_internet_socialmediausers = 0
> 2019/09/23 15:31:45.811 kid1| 28,3| Acl.cc(158) matches: checked: http_access#10 = 0
> (truncated)
> 2019/09/23 15:31:45.811 kid1| 28,3| Checklist.cc(70) preCheck: 0x7fff26947320 checking fast ACLs
> 2019/09/23 15:31:45.811 kid1| 28,5| Acl.cc(138) matches: checking tcp_outgoing_address 10.65.12.247
> 2019/09/23 15:31:45.811 kid1| 28,5| Acl.cc(138) matches: checking (tcp_outgoing_address 10.65.12.247 line)
> 2019/09/23 15:31:45.811 kid1| 28,5| Acl.cc(138) matches: checking group_g_internet_socialmediausers
> 2019/09/23 15:31:45.811 kid1| 28,3| Acl.cc(158) matches: checked: group_g_internet_socialmediausers = 0
> 2019/09/23 15:31:45.811 kid1| 28,3| Acl.cc(158) matches: checked: (tcp_outgoing_address 10.65.12.247 line) = 0
> 2019/09/23 15:31:45.811 kid1| 28,3| Acl.cc(158) matches: checked: tcp_outgoing_address 10.65.12.247 = 0
> 2019/09/23 15:31:46.094 kid1| 28,3| Checklist.cc(63) markFinished: 0x7fff26946d40 answer AUTH_REQUIRED for aclMatchExternal exception
> 2019/09/23 15:31:46.094 kid1| 28,3| Acl.cc(158) matches: checked: group_g_internet_socialmediausers = -1
> 2019/09/23 15:31:46.094 kid1| 28,3| Acl.cc(158) matches: checked: (tcp_outgoing_address 10.65.12.247 line) = -1
> 2019/09/23 15:31:46.094 kid1| 28,3| Acl.cc(158) matches: checked: tcp_outgoing_address 10.65.12.247 = -1
> 2019/09/23 15:31:46.094 kid1| 28,3| Checklist.cc(70) preCheck: 0x7fff26946d40 checking fast ACLs
> (truncated)
> 2019/09/23 15:31:52.069 kid1| 28,3| Checklist.cc(70) preCheck: 0x7fff26947320 checking fast ACLs
> 2019/09/23 15:31:52.069 kid1| 28,5| Acl.cc(138) matches: checking tcp_outgoing_address 10.65.12.247
> 2019/09/23 15:31:52.069 kid1| 28,5| Acl.cc(138) matches: checking (tcp_outgoing_address 10.65.12.247 line)
> 2019/09/23 15:31:52.069 kid1| 28,5| Acl.cc(138) matches: checking group_g_internet_socialmediausers
> 2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked: group_g_internet_socialmediausers = 0
> 2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked: (tcp_outgoing_address 10.65.12.247 line) = 0
> 2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked: tcp_outgoing_address 10.65.12.247 = 0
> 2019/09/23 15:31:52.069 kid1| 28,3| Checklist.cc(63) markFinished: 0x7fff26947320 answer DENIED for ACLs failed to match
> 2019/09/23 15:31:52.069 kid1| 28,3| Checklist.cc(70) preCheck: 0x7fff26947320 checking fast ACLs
> 2019/09/23 15:31:52.069 kid1| 28,5| Acl.cc(138) matches: checking tcp_outgoing_address 10.65.12.250
> 2019/09/23 15:31:52.069 kid1| 28,5| Acl.cc(138) matches: checking (tcp_outgoing_address 10.65.12.250 line)
> 2019/09/23 15:31:52.069 kid1| 28,5| Acl.cc(138) matches: checking 8_18_sinirsiz
> 2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked: 8_18_sinirsiz = 1
> 2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked: (tcp_outgoing_address 10.65.12.250 line) = 1
> 2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked: tcp_outgoing_address 10.65.12.250 = 1
> 2019/09/23 15:31:52.069 kid1| 28,3| Checklist.cc(63) markFinished: 0x7fff26947320 answer ALLOWED for match
> 2019/09/23 15:31:52.069 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff26947320
> 2019/09/23 15:31:52.069 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff26947320
> 2019/09/23 15:31:52.069 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff269470c0
> 2019/09/23 15:31:52.069 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff269470c0
> 2019/09/23 15:31:52.069 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x56416a6dc118
> 2019/09/23 15:31:52.069 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x56416a6dc118
> 2019/09/23 15:31:54.699 kid1| 28,3| Checklist.cc(70) preCheck: 0x7fff269480a0 checking fast ACLs
> 2019/09/23 15:31:54.700 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log /var/log/squid/access.log
> 2019/09/23 15:31:54.700 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log /var/log/squid/access.log line)
> 2019/09/23 15:31:54.700 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log /var/log/squid/access.log line) = 1
> 2019/09/23 15:31:54.700 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log /var/log/squid/access.log = 1
> 2019/09/23 15:31:54.700 kid1| 28,3| Checklist.cc(63) markFinished: 0x7fff269480a0 answer ALLOWED for match
> 2019/09/23 15:31:54.700 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff269480a0
> 2019/09/23 15:31:54.700 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff269480a0
> 2019/09/23 15:31:59.925 kid1| 28,8| Acl.cc(355) aclCacheMatchFlush: aclCacheMatchFlush called for cache 0x56416a71d1a8
> 2019/09/23 15:33:11.925 kid1| 28,3| Checklist.cc(70) preCheck: 0x7fff269480a0 checking fast ACLs
> 2019/09/23 15:33:11.925 kid1| 28,5| Acl.cc(138) matches: checking cache_access_log /var/log/squid/access.log
> 2019/09/23 15:33:11.925 kid1| 28,5| Acl.cc(138) matches: checking (cache_access_log /var/log/squid/access.log line)
> 2019/09/23 15:33:11.925 kid1| 28,3| Acl.cc(158) matches: checked: (cache_access_log /var/log/squid/access.log line) = 1
> 2019/09/23 15:33:11.925 kid1| 28,3| Acl.cc(158) matches: checked: cache_access_log /var/log/squid/access.log = 1
> 2019/09/23 15:33:11.925 kid1| 28,3| Checklist.cc(63) markFinished: 0x7fff269480a0 answer ALLOWED for match
> 2019/09/23 15:33:11.925 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff269480a0
> 2019/09/23 15:33:11.925 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff269480a0
> 2019/09/23 15:33:11.925 kid1| 28,8| Acl.cc(355) aclCacheMatchFlush: aclCacheMatchFlush called for cache 0x56416a6ec138

At the end, the user is routed to 10.65.12.250, which is not allowed for these users. What is wrong?

--
Tevfik Ceydeliler
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
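
Added example (not part of the original post and not Squid code): a short Python script that tallies, per ACL name, the results recorded in debug section 28 and lists each checklist's final answer, so an ACL that never evaluates to 1 stands out. The sample lines are excerpted from the cache.log above with the e-mail line wraps rejoined; the function and variable names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Lines excerpted from the cache.log in the post (debug section 28), with
# the e-mail line wraps rejoined. SAMPLE_LOG is an assumed name.
SAMPLE_LOG = """\
2019/09/23 15:31:45.811 kid1| 28,3| Acl.cc(158) matches: checked: group_g_internet_socialmediausers = 0
2019/09/23 15:31:46.094 kid1| 28,3| Checklist.cc(63) markFinished: 0x7fff26946d40 answer AUTH_REQUIRED for aclMatchExternal exception
2019/09/23 15:31:46.094 kid1| 28,3| Acl.cc(158) matches: checked: group_g_internet_socialmediausers = -1
2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked: group_g_internet_socialmediausers = 0
2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked: tcp_outgoing_address 10.65.12.247 = 0
2019/09/23 15:31:52.069 kid1| 28,3| Checklist.cc(63) markFinished: 0x7fff26947320 answer DENIED for ACLs failed to match
2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked: 8_18_sinirsiz = 1
2019/09/23 15:31:52.069 kid1| 28,3| Acl.cc(158) matches: checked: tcp_outgoing_address 10.65.12.250 = 1
2019/09/23 15:31:52.069 kid1| 28,3| Checklist.cc(63) markFinished: 0x7fff26947320 answer ALLOWED for match
"""

# "checked: <name> = <result>"; names may contain spaces and parentheses.
CHECKED = re.compile(r"matches: checked: (?P<acl>.+) = (?P<res>-?\d+)\s*$")
FINISHED = re.compile(
    r"markFinished: (?P<ptr>0x[0-9a-f]+) answer (?P<ans>\S+) for (?P<why>.+?)\s*$")

def summarize(log_text):
    """Return (result counts per ACL name, [(checklist, answer, reason)])."""
    results = defaultdict(Counter)
    answers = []
    for line in log_text.splitlines():
        m = CHECKED.search(line)
        if m:
            results[m["acl"]][int(m["res"])] += 1
            continue
        m = FINISHED.search(line)
        if m:
            answers.append((m["ptr"], m["ans"], m["why"]))
    return results, answers

def never_matched(results):
    """Map each ACL that never returned 1 to whether it ever returned -1
    (the value the posted log shows next to the AUTH_REQUIRED answer)."""
    return {acl: -1 in seen for acl, seen in results.items() if seen[1] == 0}

if __name__ == "__main__":
    results, answers = summarize(SAMPLE_LOG)
    for acl, saw_minus_one in never_matched(results).items():
        print(f"{acl}: never matched {dict(results[acl])} -1 seen: {saw_minus_one}")
    for ptr, ans, why in answers:
        print(f"{ptr}: {ans} ({why})")
```

Run against the full cache.log, the same tally shows whether the group ACL ever returns 1 before the tcp_outgoing_address lines are evaluated.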