
Resolved
2 votes
I've found an issue where dansguardian when checking against Active Directory groups would fail to assign the correct user-group mapping if the ntlm username did not come through as lowercase.

Rebuilding the dansguardian-av package after modifying the following section of the patch dansguardian-system-group.patch [attached] fixed this issue:

@@ -70,6 +74,61 @@ int AuthPlugin::determineGroup(std::stri
if (user.length() < 1 || user == "-") {
return DGAUTH_NOMATCH;
}
+
+ if (o.use_filter_system_groups == false) {
+ return this->determineFilterGroup(user, fg);
+ }
+
+ return this->determineSystemGroup(user, fg);
+}
+
+int AuthPlugin::determineSystemGroup(std::string &user, int &fg)
+{
+ struct group * grpinfo;
+
+ String u(user);
+ u.toLower(); // since the filtergroupslist is read in in lowercase, we should do this.
+ user = u.toCharArray(); // also pass back to ConnectionHandler, so appears lowercase in logs
+

+ /* Invalid user = default group. We rely on Squid to
+ * make sure user exists and is authenticated. */
+ if (getpwnam(user.c_str()) == NULL)
+ return DGAUTH_NOUSER;
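Review bot: in determineSystemGroup() the lowercased name is written back through the `user` reference before `getpwnam(user.c_str())` runs, so the account lookup now also uses the lowercase form, but the comments on `u.toLower()` only mention filtergroupslist and the logs. Please extend the comment to say that the passwd lookup depends on the system account database resolving the lowercase name, or do the getpwnam() check on a local copy if only the group match needs normalising. The comment above that check also reads "Invalid user = default group" while the code returns DGAUTH_NOUSER; align the wording with the return value, or note where the caller maps DGAUTH_NOUSER to the default group. Finally, the `use_filter_system_groups == false` branch passes `user` to determineFilterGroup() without normalising it, so it is worth confirming that path lowercases on its own.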
Thursday, February 04 2016, 01:06 AM
Responses (9)
  • Accepted Answer

    Friday, May 03 2019, 06:13 PM - #Permalink
    Resolved
    0 votes
    OK, fantastic. I've spent a week trying to understand why some users are mapped correctly and some others are not. Then today I noticed that the working usernames are all lowercase.
    "Rebuilding the dansguardian-av package" is a little bit beyond my competence. Is there any easier fix out there?
  • Accepted Answer

    Saturday, May 04 2019, 05:11 PM - #Permalink
    Resolved
    0 votes
  • Accepted Answer

    Saturday, May 04 2019, 05:41 PM - #Permalink
    Resolved
    0 votes
    @Dave,
    I've just patched dansguardian to delete stale cache files. I could try adding this to the build.
  • Accepted Answer

    Saturday, May 04 2019, 05:48 PM - #Permalink
    Resolved
    0 votes
    Thank you. In the meantime, the only workaround that works for me is changing the "User logon name (pre-Windows 2000)" in Active Directory to the all-lowercase username. It seems that this field is the one sent to the proxy with ntlmssp_auth.
  • Accepted Answer

    Saturday, May 04 2019, 07:25 PM - #Permalink
    Resolved
    0 votes
    @Fabio,
    I've made a patched version of dansguardian-av for you to test. It is currently sync'ing to the mirrors. To install it do a:
    yum update dansguardian-av --enablerepo=clearos-updates-testing
    You need dansguardian-av-2.10.1.1-14.v7. If you get dansguardian-av-2.10.1.1-13.v7 then it only contains the cache cleardown patch and not yours. You may have to wait for up to a couple of hours for the mirrors to sync.

    Please can you give us feedback, whether it works or not?

    If it breaks anything, just do a:
    yum downgrade dansguardian-av
    and it should revert to your current version.
  • Accepted Answer

    Saturday, May 04 2019, 09:35 PM - #Permalink
    Resolved
    0 votes
    @Nick,
    It worked perfectly.
    Using a packet analyzer I see:

    [client IP] [Proxy IP] HTTP 891 CONNECT sapb1c.unidata.it:443 HTTP/1.1 , NTLMSSP_AUTH, User: [DOMAIN]]\FabioC
    (Please note the username has both uppercase and lowercase letters.)
    [Proxy IP] [client IP] HTTP 93 HTTP/1.1 200 Connection established

    In the dansguardian access.log I see:
    2019.5.4 23:13:05 fabioc [client IP] https://sapb1c.unidata.it:443 CONNECT 37087 0 2 200 - unrestricted -

    I will test more during the next few days; if I notice anything strange I will give feedback.
  • Accepted Answer

    Saturday, May 04 2019, 10:22 PM - #Permalink
    Resolved
    0 votes
    Nick,

    Thanks so much for doing this. I was going to do this but you beat me to it. I'll get back to my vacation now. ;)

    Thanks again. And thanks for testing this out for us Fabio.
  • Accepted Answer

    Thursday, May 09 2019, 07:24 PM - #Permalink
    Resolved
    0 votes
    Nick, Dave,
    I initially tested on 50 users; yesterday I extended it to all users in our Windows domain.
    No issues at all. It simply works as expected.
    Thanks a lot.
  • Accepted Answer

    Thursday, May 09 2019, 09:21 PM - #Permalink
    Resolved
    0 votes
    Thanks very much for your feedback. It went out to the Community for wider testing yesterday.