Re: [squid-users] squid + winbind weird behavior

From: Paulo Pires <paulo.pires@dont-contact.us>
Date: Wed, 16 Feb 2005 18:51:03 +0000

Well

chown nobody /usr/local/samba-3.0.10/var/locks/winbindd_privileged

This solved the thing. We can't change the perms because it's a socket, so
it's better to change the owner to the user which runs squid.

Cya

On Wed, 2005-02-16 at 16:00 +0000, Paulo Pires wrote:
> Hi list
>
> For the last year I've installed several squid proxies, which
> authenticate themselves against NT Domains. Each domain is primarily
> controlled by a Samba PDC (at the moment, Samba-3.0.10) and I have no
> problems at all. Since Monday, I've tried unsuccessfully to get a
> squid-2.5-stable8 to run with samba-3.0.11 against a Windows 2003 PDC.
>
> Here's the steps:
>
> * compile and install samba with winbind and pam support
> * configure smb.conf
>   + workgroup
>   + password server
>   + security=domain
>   + winbind settings
> * cp nsswitch/libnss_winbind.so /lib && ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> * start samba
> * net rpc join -S PDC_NAME -w DOMAIN -U user_with_perms
> * restart samba
> * change /etc/nsswitch.conf
> * samba tests
>   + wbinfo -u /-g /-t
>
> * compile and install squid
>   + --prefix=/usr/local/squid-x.xx-yyy --enable-carp --enable-delay-pools
>     --enable-kill-parent-hack --enable-ssl --enable-auth="ntlm,basic"
>     --enable-external-acl-helpers="wbinfo_group"
>
> * squid + winbind tests
>   + ntlm_auth --helper-protocol=squid-2.5-basic -> user password OK
>
> Everything is ok, it should be working. I then restart samba, and start
> squid, and when configuring a client browser (IE, Firefox,...) it
> returns the following:
>
> [2005/02/16 15:46:06, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(429)
>   winbindd_pam_auth_crap: non-privileged access denied. !
>   winbindd_pam_auth_crap: Ensure permissions on /usr/local/samba-3.0.10/var/locks/winbindd_privileged are set correctly.
> [2005/02/16 15:46:06, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(642)
>   NTLM CRAP authentication for user [(null)]\[(null)] returned NT_STATUS_ACCESS_DENIED (PAM: 4)
>
>
> Squid is running as nobody.nogroup, but I've got this conf on other
> proxies and never had any problem. I've been to #squid and #samba @
> freenode.net but no one ever gave me a good tip about this, so I'm
> really cracking my head up.
>
>
> Thanks in advance,
> Paulo Pires
>
Received on Wed Feb 16 2005 - 11:50:08 MST
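
The permission question behind the "non-privileged access denied" message above, as an added shell example that is not part of the original post: it works out which permission class (owner, group, other) the account running the helper falls into for the winbindd_privileged directory. The function names are hypothetical, uid/gid 65534 (standing in for nobody/nogroup) and mode 750 are constructed sample values, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat (-c) on Linux.
# Plain mode bits only; POSIX ACLs are not considered.

# dir_access MODE OWNER_UID GROUP_GID UID "GID LIST"
# Prints "<class>:allow" or "<class>:deny": which permission class applies
# to UID and whether it carries the search (x) bit needed to reach a socket
# inside the directory.
dir_access() {
    mode=$1; owner=$2; group=$3; uid=$4; gids=$5
    if [ "$uid" -eq 0 ]; then echo "root:allow"; return 0; fi
    perms=$((0$mode))                      # stat prints the mode in octal
    if [ "$uid" -eq "$owner" ]; then
        class=owner; bit=$(( (perms >> 6) & 1 ))
    else
        class=other; bit=$(( perms & 1 ))
        for g in $gids; do
            if [ "$g" -eq "$group" ]; then
                class=group; bit=$(( (perms >> 3) & 1 )); break
            fi
        done
    fi
    if [ "$bit" -eq 1 ]; then echo "$class:allow"; else echo "$class:deny"; fi
}

# check_priv_dir DIR USER: apply dir_access to a real directory and account.
check_priv_dir() {
    st=$(stat -c '%a %u %g' "$1") || return 2
    set -- $st "$2"
    dir_access "$1" "$2" "$3" "$(id -u "$4")" "$(id -G "$4")"
}

# Constructed cases: uid/gid 65534 stands in for nobody/nogroup, mode 750 is assumed.
echo "root-owned dir, helper as nobody:  $(dir_access 750 0 0 65534 65534)"
echo "after chown nobody:                $(dir_access 750 65534 0 65534 65534)"
echo "group set to nogroup instead:      $(dir_access 750 0 65534 65534 65534)"
```

On a live proxy, `check_priv_dir /usr/local/samba-3.0.10/var/locks/winbindd_privileged nobody` reports the class that applies to the squid user.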
