Filtergrouplists not assigning groups and causes e2g to stop

[Brandon Couvillion]

Running Squid 4.13 with sslbump and kerberos auth.  e2guardian is version 5.4.4 and is running as an icap server.  Kerberos auth is working and logging me in properly.  I have squid set up to only allow the AD group "internet" internet access.  Any other AD users get a squid access denied message.  In the e2g access.log I can see my username on all entries  when I'm browsing the web and it's correctly blocking .exe files and other inappropriate content.  

My username appears as us...@DOMAIN.LOCAL in the e2g access.log file.  

Everything works perfectly until I try to add an account in the filtergroupslist file.  e2g will not assign the user to a different group, it always uses filter group 1.  Right now I have 2 filter groups.  e2guardianf1.conf and e2guardianf2.conf exist as well as group1.story and group2.story.  In the /etc/e2guardian/lists folder there is a group1 and group2 folder with the lists in each of those directories.  

In /etc/e2guardian/lists/authplugins/filtergroupslist I tried adding my account a few different ways:

us...@DOMAIN.LOCAL (this is how it appears in e2g log)

us...@domain.local

user

In the filtergroupslist file after the username I tried =2 and =filter2

Any of those combinations causes e2guardian to crash after a minute or two and the filter group never changes, it always stays on filter group 1 according to the e2g log.  I am able to browse the web until e2g crashes.  I tried using debuglevel=ALL in e2g to get more info, but nothing is logged at the crash and and I don't see any error messages from before the crash.

If I remove the user from the filtergroupslist file (or comment it out) and start e2g again, then everything goes back to normal and e2g keeps running without crashing.

Am I missing something here?

  

[Philip Pearce]

Would you set storyboardtrace =  on in e2guardian.conf  and then post the trace (may be in system log or stdout/err). This may help to see where the problem is.

Thanks

Philip

---

--
E2guardian:
https://groups.google.com/d/forum/e2guardian
Github:
https://github.com/e2guardian/e2guardian
Follow us on twitter:
https://twitter.com/e2guardian
---
You received this message because you are subscribed to the Google Groups "e2guardian" group.
To unsubscribe from this group and stop receiving emails from it, send an email to e2guardian+...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/e2guardian/40494269-ad25-403a-b075-4e359cc9b31cn%40googlegroups.com.

[Brandon C]

One thing I noticed is if I put 2 different users in the filtergroupslist file, then e2g keeps running without crashing.  As soon as I go back to 1 user though it starts crashing again.

Attached is the output from storyboardtrace = on.  Thank you for looking into this, it's very much appreciated!

[Philip Pearce]

Hi, I have posted a fix to v5.4.    Can you test it to check if it fixes the issue?

Regards

Philip

---

To view this discussion on the web, visit https://groups.google.com/d/msgid/e2guardian/ea776901-12b6-4f55-a478-fa7bdd98287fn%40googlegroups.com.

[Brandon]

So far it has fixed the crashing issue with only one user in the filtergroupslist file.  It's been running about 2 hours now without a crash.  My user though is still not being placed in the f2 group though, but staying in group 1.

[Philip Pearce]

Can you try with storyboardtrace = on again and post the output?

Thanks

Philip

---

To view this discussion on the web, visit https://groups.google.com/d/msgid/e2guardian/b45085b6-5bbc-4a21-b14b-fc4d4e1c9ef4n%40googlegroups.com.

[Brandon]

Sure, I let it run for about 7 mins, but it's too big to post so I had to compress it.

[Philip Pearce]

Thanks, 

That helped to track it down!

Problem appears to be with the upper case domain part of the user name as maplists are converted to lower case when read in.

I've added a conversion to lower-case before searching the maplist which should solve this problem. See https://github.com/e2guardian/e2guardian/issues/685.

Would you check now OK with latest v5.4?

Thanks,

Philip

---

From: "Brandon" <hmm...@gmail.com>
To: "e2guardian" <e2gua...@googlegroups.com>
Sent: Thursday, 6 May, 2021 1:47:30 PM
Subject: Re: Filtergrouplists not assigning groups and causes e2g to stop

Sure, I let it run for about 7 mins, but it's too big to post so I had to compress it.

--
E2guardian:
https://groups.google.com/d/forum/e2guardian
Github:
https://github.com/e2guardian/e2guardian
Follow us on twitter:
https://twitter.com/e2guardian
---
You received this message because you are subscribed to the Google Groups "e2guardian" group.
To unsubscribe from this group and stop receiving emails from it, send an email to e2guardian+...@googlegroups.com.

To view this discussion on the web, visit https://groups.google.com/d/msgid/e2guardian/d146cca0-4854-4fc3-ac80-1d10e647c6c9n%40googlegroups.com.

[Brandon]

Philip,

Installed the latest version and my user is now being placed in the proper filter group!  Thanks!

I am experiencing a weird issue though.  Users are placed in Filter Group 1 if I don't have them specifically listed in the filtergroupslist file.  That's expected behavior.  I also set 'defaultfiltergroup = 1' in the e2guardian.conf file.  If I then browse the internet on an account in Filter group 2 or 3, anyone who connects after that point will also be in filter group 2 or 3.  If I specify all my users in the filtergroupslist file as =1, they will stay in that group.  I have a few hundred users in active directory though and don't want to have to set =1 for each user.

Thank you so much for your help!

[Philip Pearce]

Brandon,

Yes you are right, the default filtergroup was not being set in ICAP mode.

Fix in latest v5.4

Note: defaultgroup for icap is set with defaulticapfiltergroup (default is 1).

Regards

Philip

---

To view this discussion on the web, visit https://groups.google.com/d/msgid/e2guardian/49f0bfdc-79a0-4f36-9754-fcd17e51ba11n%40googlegroups.com.

[Brandon]

All issues are solved now with the latest build!!  Thanks again for all your help, I really do appreciate it.