I have found two problems in the wbinfo_group.pl. One is that the script
does not give the full path to wbinfo. The second is that if wbinfo
cannot be found or reports an error, the script still returns an OK back
to squid. This results in everyone getting access whether they are a
member of the group or not. I have modified it for our purposes as follows:

diff wbinfo_group.pl hm_wbinfo_group.pl
35c35
< $groupSID = `wbinfo -n "$group"`;
---
> $groupSID = `/usr/local/samba/bin/wbinfo -n "$group"`;
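
Review bot: the absolute path /usr/local/samba/bin/wbinfo on new line 35 is site-specific and is repeated in the next two hunks; define it once near the top of the script (for example in a $wbinfo variable, a name suggested here) so other installs change a single line. The line also still hands "$group" to a shell inside double quotes, where $ and backticks stay special; quoting it with \Q...\E, as original line 40 does for $user, would be safer.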

37c37
< $groupGID = `wbinfo -Y "$groupSID"`;
---
> $groupGID = `/usr/local/samba/bin/wbinfo -Y "$groupSID"`;
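
Review bot: new line 37 never tests whether the wbinfo call succeeded, although the failure case (wbinfo missing or reporting an error) is exactly what this patch sets out to handle. Check $? after the backticks and that $groupGID is non-empty, and deny the request if either check fails, so a failed lookup cannot reach the match on line 40.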

40c40,46
< return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
---
> $groupmem = `/usr/local/samba/bin/wbinfo -r $user`;
> if ($groupmem) {
> $groupchk = ($groupmem =~ /^$groupGID$/m);
> if ($groupchk) {
> return 'OK';
> }
> }
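
Review bot: new line 40 drops the \Q...\E quoting that the original had around $user, so the login name received from squid now reaches the shell unescaped; keep \Q$user\E or run wbinfo without a shell. The added if ($groupmem) only catches empty output, so also test $? after the call, and declare $groupmem and $groupchk with my so they do not become globals.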



Luis Eduardo Cortes wrote:

>Look at the SID line: at the end there is some strange text that I think is wrong,
>the text is " Domain Group (2)"
>
>What do you think about it?
>
>Thanks.
>
>debian:/usr/local/squid/libexec# ./wbinfo_group.pl
>casdom01/luisc 'domain squid'
>Got casdom01/luisc 'domain squid' from squid
>User: -casdom01/luisc-
>Group: -domain squid-
>SID: -S-1-5-21-1932667861-1890919343-1237804090-2317 Domain Group (2)-
>GID: -10009-
>Sending OK to squid
>OK
>casdom01/luisc 'domain admins'
>Got casdom01/luisc 'domain admins' from squid
>User: -casdom01/luisc-
>Group: -domain admins-
>SID: -S-1-5-21-1932667861-1890919343-1237804090-512 Domain Group (2)-
>GID: -10001-
>Sending OK to squid
>OK
>
>>-- Original message --
>>Date: Mon, 12 Apr 2004 22:36:50 +0200 (CEST)
>>From: Henrik Nordstrom
>>To: Luis Eduardo Cortes
>>Cc: squid-users@squid-cache.org
>>Subject: Re: [squid-users] Bug in wbinfo_group.pl any idea ?
>>
>>
>>On Mon, 12 Apr 2004, Luis Eduardo Cortes wrote:
>>
>>>Some reports talk about bugs in wbinfo_group.pl
>>>
>>I don't know of any bugs in the current version, but there are misfeatures.
>>
>>One of them is that wbinfo does not always like fully qualified login
>>names (with domain) so the helper may have a hard time finding the group
>>memberships if such login names are used.
>>
>>Regards
>>Henrik
>
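
A fail-closed form of the group check discussed in this thread, as an added example (not code from wbinfo_group.pl or from any of the posters). The helper names run_wbinfo and check_group are hypothetical, the wbinfo path is the one used in the patch above, and the input format ("user group" on one line, group unquoted) is a simplifying assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Path taken from the patch in this thread; adjust per site.
my $WBINFO = '/usr/local/samba/bin/wbinfo';

# Run wbinfo through a list-form pipe open: no shell is involved, so the
# user and group strings received from squid are passed as plain arguments.
# Returns the output lines, or an empty list on any failure (binary missing,
# non-zero exit status, or no output at all).
sub run_wbinfo {
    my @args = @_;
    open(my $fh, '-|', $WBINFO, @args) or return;
    my @out = <$fh>;
    close($fh) or return;    # close() is false when wbinfo exited non-zero
    chomp @out;
    return @out;
}

# Hypothetical helper: 'OK' only when every lookup succeeded and the
# group's GID is in the user's group list; 'ERR' in every other case.
sub check_group {
    my ($user, $group) = @_;

    my ($sid_line) = run_wbinfo('-n', $group) or return 'ERR';
    # Keep only the SID itself; the debug output in this thread shows
    # trailing text such as " Domain Group (2)" after it.
    my ($sid) = $sid_line =~ /^(S-[\d-]+)/ or return 'ERR';

    my ($gid) = run_wbinfo('-Y', $sid) or return 'ERR';
    return 'ERR' unless $gid =~ /^\d+$/;

    my @gids = run_wbinfo('-r', $user) or return 'ERR';
    return (grep { $_ eq $gid } @gids) ? 'OK' : 'ERR';
}

# Minimal helper loop (assumed input: "user group" per line, group unquoted).
$| = 1;
while (my $line = <STDIN>) {
    chomp $line;
    my ($user, $group) = split ' ', $line, 2;
    print defined $group ? check_group($user, $group) : 'ERR', "\n";
}
```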