Going in depth, I found the following in man winbindd:
$LOCKDIR/winbindd_privileged/pipe
The UNIX pipe over which 'privileged' clients communicate with the
winbindd program. For security reasons, access to some winbindd
functions - like those needed by the ntlm_auth utility - is
restricted. By default, only users in the 'root' group will get
this access, however the administrator may change the group
permissions on $LOCKDIR/winbindd_privileged to allow programs like
'squid' to use ntlm_auth. Note that the winbind client will only
attempt to connect to the winbindd daemon if both the
$LOCKDIR/winbindd_privileged directory and
$LOCKDIR/winbindd_privileged/pipe file are owned by root.
And that's true. I need to change the group to squid on
winbindd_privileged AND winbindd_privileged/pipe.
Trying to figure out how to ask winbind to make its pipe with
another group like winbind_priv... winbind makes it root:wheel by
default.
2010/9/3 Diego Woitasen <diegows_at_xtech.com.ar>:
> On Fri, Sep 3, 2010 at 8:54 AM, c0re <nr1c0re_at_gmail.com> wrote:
>> I found strange solution:
>> stop squid & winbind
>> rm -rf /var/db/samba/winbindd_privileged
>> start winbind
>> chown :squid /var/db/samba/winbindd_privileged
>>
>> And problem disappeared.
>>
>> 2010/9/1 c0re <nr1c0re_at_gmail.com>:
>>> Hello squid users!
>>>
>>> I've got squid+winbind ntlm auth.
>>> But sometimes I see this in log /var/log/samba/log.winbindd
>>>
>>> [2010/09/01 12:39:11, 2] winbindd/winbindd_pam.c:winbindd_pam_auth_crap(1754)
>>> winbindd_pam_auth_crap: non-privileged access denied. !
>>> winbindd_pam_auth_crap: Ensure permissions on
>>> /var/db/samba/winbindd_privileged are set correctly.
>>>
>>> About 1k users.
>>> Sometimes a user sees the proxy auth window asking for credentials in IE6.
>>> The user can just press ESC and not enter any credentials, and all goes OK.
>>> That window means that some ntlm auth problem occurs.
>>> In the log I see only the message above about winbindd_privileged.
>>>
>>> freebsd 7.3
>>> squid 3.1.7
>>> samba-3.3.10
>>>
>>> In squid.conf
>>> no cache_effective_group option configured
>>> auth_param ntlm program /usr/local/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 150
>>>
>>> Using cachemgr.cgi and looking at "NTLM User Authenticator Stats" I
>>> see only 32 redirectors have changed "# Request" counters, which means
>>> that not all 150 redirectors are used, so it's not a redirector problem.
>>>
>>> # ls -l /var/db/samba/ | grep winbindd_privileged
>>> drwxrwx--- 2 root squid 512 Aug 22 13:58 winbindd_privileged
>>>
>>> # ls -l /var/db/samba/winbindd_privileged/
>>> srwxrwxrwx 1 root squid 0 Aug 22 13:58 pipe
>>>
>>> What can be wrong? If the permissions were incorrect no one could auth
>>> via ntlm, but all users can authorize and use the internet. I can't
>>> find why that auth window sometimes appears and why that message
>>> about "permissions" appears in the log.
>>>
>>> Thanks in advance!
>>>
>>
>
> That's not the correct solution. The squid user should be a member of
> the group winbindd_priv and you have to remove the
> cache_effective_group from squid.conf.
>
> Regards,
> Diego
>
>
>
> --
> Diego Woitasen
> XTECH
>
Received on Wed Sep 29 2010 - 11:19:25 MDT
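To make the rule quoted from man winbindd checkable, here is an added Python example (not code from this thread, from Samba or from Squid) that models who can reach the privileged pipe: both the directory and the pipe must be root-owned, and the non-root ntlm_auth helper must be able to search the directory and write to the socket through its group set. The user and group IDs in the __main__ block are constructed from the ls -l output posted above; the lockdir /var/db/samba and the user name squid are taken from the thread. The handling of cache_effective_group follows Squid's own description of that option, that only the forced GID is effective when it is set, which is why the reply advises removing it.

```python
import grp
import os
import pwd
import stat

ROOT_UID = 0


def helper_gids(primary_gid, supplementary_gids, forced_gid=None):
    """GIDs the ntlm_auth helper runs with.

    Squid documents cache_effective_group as replacing the user's group
    list with that single GID, so a forced group hides the squid user's
    membership in the group that owns winbindd_privileged.
    """
    if forced_gid is not None:
        return {forced_gid}
    return {primary_gid} | set(supplementary_gids)


def _allowed(mode, owner_uid, owner_gid, helper_uid, gids, usr_bit, grp_bit, oth_bit):
    """Standard Unix permission test: owner bits if the helper owns the
    object, else group bits if it is in the owning group, else other bits."""
    if helper_uid == owner_uid:
        return bool(mode & usr_bit)
    if owner_gid in gids:
        return bool(mode & grp_bit)
    return bool(mode & oth_bit)


def check_privileged_pipe(dir_st, pipe_st, helper_uid, gids):
    """dir_st and pipe_st are (uid, gid, permission-bits) triples.

    Returns a list of findings; an empty list means the helper can use
    the privileged pipe under the rules in man winbindd.
    """
    d_uid, d_gid, d_mode = dir_st
    p_uid, p_gid, p_mode = pipe_st
    findings = []
    # man winbindd: the client only tries the privileged pipe if both
    # the directory and the pipe are owned by root
    if d_uid != ROOT_UID:
        findings.append("winbindd_privileged directory is not owned by root")
    if p_uid != ROOT_UID:
        findings.append("winbindd_privileged/pipe is not owned by root")
    if helper_uid == ROOT_UID:
        return findings  # root is not subject to the mode bits
    if not _allowed(d_mode, d_uid, d_gid, helper_uid, gids,
                    stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
        findings.append("helper cannot search the winbindd_privileged directory (no x bit for its groups)")
    if not _allowed(p_mode, p_uid, p_gid, helper_uid, gids,
                    stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
        findings.append("helper cannot connect to the pipe (no w bit for its groups)")
    return findings


def stat_triple(path):
    """(uid, gid, permission bits) of a path, for feeding check_privileged_pipe."""
    st = os.stat(path)
    return (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


def check_live(lockdir="/var/db/samba", helper_user="squid", forced_group=None):
    """Run the check against the real filesystem and account database.

    forced_group is the value of cache_effective_group, if one is set.
    """
    pw = pwd.getpwnam(helper_user)
    supplementary = [g.gr_gid for g in grp.getgrall() if helper_user in g.gr_mem]
    forced = grp.getgrnam(forced_group).gr_gid if forced_group else None
    gids = helper_gids(pw.pw_gid, supplementary, forced)
    priv_dir = os.path.join(lockdir, "winbindd_privileged")
    return check_privileged_pipe(stat_triple(priv_dir),
                                 stat_triple(os.path.join(priv_dir, "pipe")),
                                 pw.pw_uid, gids)


if __name__ == "__main__":
    # Constructed IDs; modes and ownership mirror the thread's ls -l output:
    # drwxrwx--- root squid winbindd_privileged, srwxrwxrwx root squid pipe
    SQUID_UID, SQUID_GID = 1001, 1001
    layout_dir = (ROOT_UID, SQUID_GID, 0o770)
    layout_pipe = (ROOT_UID, SQUID_GID, 0o777)
    print("as posted:", check_privileged_pipe(layout_dir, layout_pipe,
                                              SQUID_UID, helper_gids(SQUID_GID, [])))
    # Same layout, but squid.conf forces cache_effective_group to an unrelated GID
    print("with forced group:", check_privileged_pipe(layout_dir, layout_pipe,
                                                      SQUID_UID, helper_gids(SQUID_GID, [], 65534)))
```

The pure function is what to reason with: run check_live() on the proxy host (it needs to read the socket's metadata, so run it with the same privileges as the squid process or as root) and compare the findings with the layout you expect; the forced-group case in the __main__ block reproduces the situation the reply warns about, where the directory is correctly group-owned yet the helper still cannot traverse it.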