RE: [squid-users] winbind directories permissions issue

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 9 Dec 2008 10:52:39 +1300 (NZDT)

>>>>>> Hello all,
>>>>>>
>>>>>> I really get a strange ( maybe not ?? ) problem. I get Squid 2.7.4
>>>>>> running on Solaris 8 with Samba 3.0.32. My clients are essentially
>>>>>> running Windows XP SP2 with IE6.
>>>>>>
>>>>>> authentication scheme is exclusively based on ntlm so this is the
>>>>>> reason why winbindd is also running, smbd and nmbd are not running
>>>>>> because I think this is not needed.
>>>>>>
>>>>>> this is all working fine but I randomly get thousands of lines
>>>>>> appearing in cache.log file .. see below what I get.
>>>>>>
>>>>>> [2008/12/04 10:10:57, 0] utils/ntlm_auth.c:winbind_pw_check(515)
>>>>>> Login for user [DOMAIN]\[user]@[desktop] failed due to [winbind client
>>>>>> not authorized to use winbindd_pam_auth_crap. Ensure permissions on
>>>>>> /var/lib/samba/winbindd_privileged are set correctly.]
>>>>>>
>>>>>> process squid is running as user squid and group squidg so afaik
>>>>>> permissions below are correct ..
>>>>>>
>>>>>> 342924 1 drwxr-x--- 5 root squidg 512 Dec 4 03:36 /var/lib/samba
>>>>>> 354946 1 drwxr-x--- 4 root squidg 512 Nov 18 01:34 /var/lib/samba/locks
>>>>>> 360979 1 drwxr-x--- 2 root squidg 512 Nov 18 01:34 /var/lib/samba/locks/printing
>>>>>> 366989 1 drwxr-x--- 2 root squidg 512 Nov 18 01:34 /var/lib/samba/locks/winbindd_privileged
>>>>>> 342930 8 -rw-r----- 1 root squidg 8192 Dec 4 03:37 /var/lib/samba/gencache.tdb
>>>>>> 342932 1 -rw-r----- 1 root squidg 696 Nov 18 01:34 /var/lib/samba/idmap_cache.tdb
>>>>>> 342933 1 -rw-r----- 1 root squidg 696 Dec 3 17:35 /var/lib/samba/messages.tdb
>>>>>> 342935 56 -rw------- 1 root root 57344 Dec 3 17:36 /var/lib/samba/winbindd_cache.tdb
>>>>>> 342936 29752 -rw-r----- 1 root squidg 30441472 Dec 4 09:58 /var/lib/samba/netsamlogon_cache.tdb
>>>>>> 138380 1 drwxr-x--- 2 root squidg 512 Dec 3 17:35 /var/lib/samba/winbindd_privileged
>>>>>> 138381 0 srwxrwxrwx 1 root root 0 Dec 3 17:35 /var/lib/samba/winbindd_privileged/pipe
>>>>>> 222599 1 drwxr-x--- 2 root squidg 512 Dec 4 03:36 /var/lib/samba/smb_krb5
>>>>>> 342937 1 -rw-r--r-- 1 root root 268 Dec 4 03:36 /var/lib/samba/smb_krb5/krb5.conf.EUROPE
>>>>>>
>>>>>> I did not find any explanation right now except applying same
>>>>>> security settings on directories again and reloading process squid.
>>>>>>
>>>>>> We are already running squid more than 3 years and never got the
>>>>>> problem before ..
>>>>>>
>>>>>> Can somebody really help me because each time we encounter this
>>>>>> issue hundreds of my users are impacted.
>>>>>>
>>>>>> many thanks for your help.
>>>>> Please first ensure that you DO NOT have cache_effective_group
>>>>> configured in your squid.conf.
>>>>> All squid group settings under this setup need to be OS-defined
>>>>> correctly and working properly that way.
>>>>
>>>> yes sure I get 'cache_effective_user squid' & 'cache_effective_group
>>>> squidg' configured in squid config file ... this was always so ..
>>>>
>>>> is there a specific issue with it ??
>>>
>>>The squid.conf configured group forces override of any OS settings from
>>>squid point of view. Particularly to the effect of erasing membership of
>>>secondary groups and group aliases. Winbind only obeys and verifies
>>>against the OS settings, so there is a high likelihood that your issue
>>>is a mismatch between the privileges seen by squid with group configured
>>>and the system settings.
>>>
>>>effective_group may have been needed in 2.5 and earlier and before we
>>>sorted out the winbind privileges system. But has really been obsolete
>>>since group membership was fixed in Squid-2.6.
>>>
>>
>>Amos,
>>
>>many thks for your help .. I made the change yesterday morning and
>>seems to be okay till now.
>>
>>I keep you informed later if this stays as is.
>
> I am back, sorry but the problem is happening again .... do you get some
> other ideas because this is becoming a real big issue here .. thks.
>

Sorry I haven't had much to do with winbind than we have already tried.
You are the first I've seen where these fixes have not worked.

Can you get a full "ls -la" trace of the directory content and permissions
at a time where it's working, and one where it's not? Also a list of the
squid user name and the groups names it belongs to.

This will be needed by anyone who may be more able to help.

Amos
Received on Mon Dec 08 2008 - 21:52:42 MST
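
The evidence requested in the reply above (directory permissions at a working and at a failing moment, plus the squid account's groups) can be captured and compared with a small script. This is an added example, not part of the original message; the function names and the snapshot file layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: snapshot winbind directory permissions and the proxy account's groups.

# Print "mode owner group path" for DIR and everything under it.
# Sizes and timestamps are left out so two snapshots compare cleanly.
# Assumes paths without whitespace or symlinks, as in the listing in the thread.
perm_listing() {
    find "$1" -exec ls -ld {} + 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort -k4
}

# Print uid, primary group and supplementary groups as the OS reports them.
account_groups() {
    id "$1"
}

# Succeed if CONF still contains an uncommented cache_effective_group line.
has_effective_group() {
    grep -Eq '^[[:space:]]*cache_effective_group[[:space:]]' "$1"
}

# snapshot LABEL DIR USER CONF OUTFILE
# Header lines start with "#"; the permission listing follows.
snapshot() {
    {
        echo "# label: $1"
        echo "# account: $(account_groups "$3")"
        if has_effective_group "$4"; then
            echo "# squid.conf: cache_effective_group is set"
        else
            echo "# squid.conf: cache_effective_group is not set"
        fi
        perm_listing "$2"
    } > "$5"
}

# changed_entries WORKING_SNAPSHOT FAILING_SNAPSHOT
# Print only the mode/owner/group lines that differ between the two snapshots.
changed_entries() {
    grep -v '^#' "$1" > "$1.perm"
    grep -v '^#' "$2" > "$2.perm"
    diff "$1.perm" "$2.perm" | grep '^[<>]' || true
    rm -f "$1.perm" "$2.perm"
}
```

Run `snapshot` as root once while authentication works and once while the errors are being logged, then pass both files to `changed_entries`.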
