Re: [squid-users] again Samba3 Win 2003 and Squid 2.5 stable4

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 11 Jan 2004 12:36:56 +0100 (CET)

On Sun, 11 Jan 2004, Damian McGuckin wrote:

> On Fri, 28 Nov 2003, Mark Taylor wrote:
>
> > Check the group ownership on your winbind_privileged directory. It
> > should be owned by the same group that squid runs as...
>
> I am curious if somebody has an authoritative answer/explanation on this
> one.

The Samba ntlm_auth helper is using the winbind_privileged channel to
winbind. This is required for NTLM authentication due to security
restrictions in Samba.

> Maybe Mark's answer is authoritative but the Samba documentation for the
> winbindd daemon mentions that the directory PERMISSIONS have to be changed
> for SQUID. Mind you, it does not mention to what you have to change these
> permissions. Ahhhh!

It can not give very detailed information as it depends on what user you
have configured Squid to run as.

How to set these permissions also varies with the access control
capabilities of your OS. For example if your OS has acl capabilities then
using these rather than assigning the group may be more suitable, but it
is basically up to you.

> Mark mentions that you need to instead change the group OWNERSHIP to the
> same as that which SQUID runs.

Yes?

> However, the authorisation helpers runs as nobody/nobody so I can't see
> how changing it to the same group as squid would work.

The helpers run as the same user and group as Squid is configured to run
as. The default is nobody/nobody, but many run them as other users. A
quite common setup is squid/squid.

If you start Squid as root then these are controlled by the
cache_effective_user/cache_effective_group.

If you start Squid as a non-root user then it runs with the privileges of
the user it got started as.

I would strongly recommend creating a specific squid or winbind group for
the purpose of allowing Squid to talk to winbind_privileged. Using
"nobody" for this defeats the whole idea of having winbind_privileged
restricted access.

Regards
Henrik
Received on Sun Jan 11 2004 - 04:37:17 MST
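An added example (not from the thread or from Samba/Squid themselves) that turns Henrik's advice into a check: it reads cache_effective_group from a squid.conf and verifies that the winbind_privileged directory is group-owned by that group with no access for "other". The directory path, the group name winbind_priv and the sample squid.conf are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Checks that a
# winbind_privileged directory is reachable only by the group Squid's
# helpers run as (cache_effective_group when started as root). The path
# and group name below are assumptions; adjust them to your site.

# Print the cache_effective_group value from a squid.conf (empty if unset).
# The last uncommented occurrence wins, as it does in squid.conf itself.
squid_effective_group() {
    awk '$1 == "cache_effective_group" { g = $2 } END { print g }' "$1"
}

# Succeed only if DIR is group-owned by GROUP with mode 0750 (rwxr-x---),
# i.e. no access for "other"; print the reason when it is not.
check_winbind_priv_dir() {
    dir="$1"; group="$2"
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    # GNU stat; on BSD/macOS use the equivalent stat -f format instead.
    set -- $(stat -c '%G %a' "$dir")
    [ "$1" = "$group" ] || { echo "group is $1, want $group"; return 1; }
    [ "$2" = "750" ] || { echo "mode is $2, want 750 (no access for others)"; return 1; }
}

# Typical fix when the check fails (run as root; uncomment to apply).
# The directory location varies with the Samba build, so verify it first.
#   groupadd winbind_priv
#   chgrp winbind_priv /var/lib/samba/winbindd_privileged   # assumed path
#   chmod 750 /var/lib/samba/winbindd_privileged
#   # and in squid.conf:  cache_effective_group winbind_priv
```

Using "nobody" as the group would pass the mode check but, as Henrik notes, removes the point of the restricted directory, so compare against a dedicated group.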
