Problem solved...
After some troubleshooting, I found that the problem is in the wbinfo_group.pl script that was included in my squid package.
The squid is running on a rather old server:
root@mail:/usr/lib/squid# apt-cache policy squid
squid:
  Installed: 2.5.12-4ubuntu2.4
  Candidate: 2.5.12-4ubuntu2.4
  Version table:
 *** 2.5.12-4ubuntu2.4 0
        500 http://be.archive.ubuntu.com dapper-updates/main Packages
        500 http://security.ubuntu.com dapper-security/main Packages
        100 /var/lib/dpkg/status
     2.5.12-4ubuntu2 0
        500 http://be.archive.ubuntu.com dapper/main Packages
In the wbinfo_group.pl, there is a variable that holds "OK" or "ERR" to return to the squid ntlm helper. (I'm using the samba ntlm helper, not the one that came with squid because the latter was not working)
This variable was never initialized and never reset either, so the first time someone authenticates it gets set to "OK" and stays like that. The first one to authenticate has no problem at all.
After a logoff and logon with another user, the user opens his browser and his userid is passed to the squid without his groups. The script, however, sends OK, but NTLM does not authenticate.
This is my changed version of wbinfo_group.pl:
+++++++++++++++++++++++++++++++++++++++++++++++++++
#!/usr/bin/perl -w
#
# external_acl helper to Squid to verify NT Domain group
# membership using wbinfo
#
# This program is put in the public domain by Jerry Murdock
# <jmurdock@itraktech.com>. It is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Author:
#   Jerry Murdock <jmurdock@itraktech.com>
#
# Version history:
#   2005-12-24 Guido Serassio <guido.serassio@acmeconsulting.it>
#     Fix for wbinfo from Samba 3.0.21
#
#   2005-06-28 Arno Streuli <astreuli@gmail.com>
#     Add multi group check
#
#   2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
#     Initial release

# external_acl uses shell style lines in its protocol
require 'shellwords.pl';

# Disable output buffering
$|=1;

sub debug {
    # Comment out the print to disable debugging (left on here for troubleshooting)
    print STDERR "@_\n";
}

#
# Check if a user belongs to a group
#
sub check {
    local($user, $group) = @_;
    &debug("start of check with $user and $group");
    $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
    chop $groupSID;
    $groupGID = `wbinfo -Y "$groupSID"`;
    chop $groupGID;
    &debug("User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
    return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
    return 'ERR';
}

#
# Main loop
#
while (<STDIN>) {
    chop;
    #
    # I initialized $ans here and set it to ERR by default.
    # I also added some info to &debug to troubleshoot this.
    #
    $ans = 'ERR';
    &debug("Got $_ from squid");
    ($user, @groups) = &shellwords;
    # test each group squid sends in its request
    # added a group counter for troubleshooting
    my $i = 0;
    foreach $group (@groups) {
        $i += 1;
        &debug("group $i : $group");
        $ans = &check($user, $group);
        last if $ans eq "OK";
    }
    &debug("Sending $ans to squid");
    print "$ans\n";
}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This probably has been fixed some time ago in a newer release. I will do a test install of squid on a newer test server to check it out.
cheers!
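To make the failure mode above reproducible without a domain controller, here is an added Python simulation of the helper's main loop (it is not the wbinfo_group.pl from the post, and not Squid or Samba code). The wbinfo lookups are replaced by constructed in-memory tables (FAKE_USER_GIDS, FAKE_GROUP_GIDS), the request lines are constructed in Squid's external_acl line format, and buggy_helper/fixed_helper are assumed names for the shipped loop and the reset-per-request loop. Running it shows the second user's group-less request being answered with the first user's stale OK in the shipped version, and with ERR once the answer is reset on every request.

```python
"""Simulated Squid external_acl group helper: stale answer vs. per-request reset.

Added example, not the wbinfo_group.pl from the post. The wbinfo calls are
replaced by constructed in-memory tables so it runs offline; the protocol shape
(one shell-quoted request line in, one 'OK'/'ERR' reply out) matches the helper.
"""
import shlex

# Constructed stand-in for `wbinfo -r <user>`: user -> GIDs the user belongs to.
FAKE_USER_GIDS = {
    "alice": {10001, 10002},
    "bob": {10003},
}

# Constructed stand-in for `wbinfo -n <group>` followed by `wbinfo -Y <sid>`:
# group name -> GID. (Domain prefixes are omitted to keep the quoting simple.)
FAKE_GROUP_GIDS = {
    "proxyusers": 10001,
    "admins": 10002,
}


def check(user, group):
    """Mirror of the helper's check(): OK iff the group's GID is in the user's GID list."""
    gid = FAKE_GROUP_GIDS.get(group)
    if gid is None:
        return "ERR"  # unknown group: wbinfo -n would fail, so nothing can match
    return "OK" if gid in FAKE_USER_GIDS.get(user, set()) else "ERR"


def buggy_helper(requests):
    """Main loop as shipped: the answer variable lives outside the loop and is never reset."""
    ans = None  # undef in the Perl original; None plays that role here
    replies = []
    for line in requests:
        user, *groups = shlex.split(line)
        for group in groups:
            ans = check(user, group)
            if ans == "OK":
                break
        # No groups in the request -> the inner loop never runs -> ans is whatever
        # the previous request left behind (fail-open once anyone has been OK'd).
        replies.append(ans)
    return replies


def fixed_helper(requests):
    """Main loop with the fix from the post: start every request from the deny answer."""
    replies = []
    for line in requests:
        ans = "ERR"  # reset per request, so an empty group list fails closed
        user, *groups = shlex.split(line)
        for group in groups:
            ans = check(user, group)
            if ans == "OK":
                break
        replies.append(ans)
    return replies


# Constructed request stream in Squid's external_acl line format: alice arrives
# with her group list, then bob's request arrives with no group list at all.
SAMPLE_REQUESTS = [
    'alice "proxyusers"',
    'bob',
    'bob "proxyusers"',
]

if __name__ == "__main__":
    for name, helper in (("buggy", buggy_helper), ("fixed", fixed_helper)):
        for req, reply in zip(SAMPLE_REQUESTS, helper(SAMPLE_REQUESTS)):
            print(f"{name}: {req!r} -> {reply}")
```

The only difference between the two loops is where the answer variable is initialised; putting the deny answer inside the loop is what turns a fail-open helper into a fail-closed one, which is the property to check whenever an external_acl helper is modified or upgraded.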