[squid-users] R: [squid-users] Join Squid to Windows Domain Controller : Configuring Squid for NTLM with Winbind Authentication on CentOS 5

From: Lux <squid_at_iotti.biz>
Date: Sun, 20 Jun 2010 16:18:22 +0200

> Da: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Murilo Moreira de Oliveira wrote:
> > Hello. Follow below the steps I've used to get NTLM authentication working.
> >
> > 1.# yum -y install authconfig krb5-workstation samba-common
> >
> > 2.[root_at_proxyweb ~]# authconfig --enableshadow --enablemd5
> > --passalgo=md5 --krb5kdc=AD_SERVER.YOUR.FULL.DOMAIN
> > --krb5realm=YOUR.FULL.DOMAIN --smbservers=AD_SERVER.YOUR.FULL.DOMAIN
> > --smbworkgroup=YOUR_AD_GROUP --enablewinbind --enablewinbindauth
> > --smbsecurity=ads --smbrealm=YOUR.FULL.DOMAIN
> > --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431"
> > --winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain
> > --disablewinbindoffline --winbindjoin=SOME_DOMAIN_ADMIN --disablewins
> > --disablecache --enablelocauthorize --updateall
> >
> > 3.# wbinfo --set-auth-user=YOUR_PROXY_USER%YOUR_PROXY_USER_PASSWORD
> > This is the user that proxy will use to validate users credentials.
> >
> > 4.# chown root:squid /var/cache/samba/winbindd_privileged
> >
>
> Noooooooo! Ouch.
>
> This is a giant permissions hack to evade the strict security leash of
> cache_effective_group.
>
> The correct way to do this is to add the Squid proxy user to the system
> group which wbinfo normally lets access /var/cache/samba/winbindd_privileged
>
> ... and ensure cache_effective_group is MISSING from squid.conf.

Hi all.

It seems I'm experiencing a similar problem. I have set up a new CentOS
5.5 install with samba3x-3.3.8-0.52.el5_5 (the new 3.3 package included in
RH/CentOS 5.5) and squid-2.6.STABLE21-6.el5.
/var/lib/samba/winbindd_privileged is owned by root:wbpriv.

Even if I add the squid user to the wbpriv group, I still find in the log:
[2010/06/20 14:42:01, 0] utils/ntlm_auth.c:winbind_pw_check(556)
  Login for user [domain]\[lux]@[LUXNB] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly.]
[2010/06/20 14:42:01, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(831)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED

If I do "chgrp squid /var/lib/samba/winbindd_privileged" then the problem
disappears. The problem is also solved if I put "cache_effective_group wbpriv"
in squid.conf.

As suggested, I checked that there is no cache_effective_group entry in
squid.conf. But note that if I do some debugging, it seems that having no
cache_effective_group is equivalent to having "cache_effective_group squid":
# squid -D -N -X -d 9 2>&1 | grep cache_effective_group
2010/06/20 16:09:27| parse_line: cache_effective_group squid

It seems to me that squid drops any supplemental groups at runtime, so it
cannot access a directory owned by wbpriv. In fact, if I strace the process,
it does this (23 is the squid uid and gid; wbpriv would be 88):
15343 setgroups32(1, [23]) = 0
15343 setgid32(23) = 0
15343 setresuid32(23, 23, 0) = 0

Do you have any suggestion to make my setup work, apart from the two
workarounds mentioned above?
Received on Sun Jun 20 2010 - 14:18:26 MDT
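As an added illustration of the point Lux's strace makes (this is not code from the thread, from Squid or from Samba): a small Python model of the Unix permission check that a process must pass to reach the socket inside winbindd_privileged, applied to the credentials the thread describes. The numeric ids come from the thread (squid = 23, wbpriv = 88); the directory mode 0750 (rwxr-x---) is an assumption not stated in the thread. The model shows why `id squid` listing wbpriv does not help once Squid has called setgroups() with a single group, and why both workarounds in the thread pass the check.

```python
"""Model of the Unix DAC check on winbindd_privileged for the credential
sets discussed in the thread.  Added example, not Squid or Samba code.
Assumptions: directory mode 0750; ids squid=23, wbpriv=88, root=0."""

import stat
from dataclasses import dataclass

ROOT, SQUID, WBPRIV = 0, 23, 88   # squid=23 from the strace; wbpriv=88 as Lux assumes


@dataclass(frozen=True)
class Creds:
    """Effective credentials as the kernel sees them for a DAC check."""
    uid: int
    gid: int
    groups: frozenset = frozenset()   # supplementary groups


@dataclass
class Dir:
    owner: int
    group: int
    mode: int = 0o750   # assumed rwxr-x---; not stated in the thread


def can_search(creds: Creds, d: Dir) -> bool:
    """Return True if creds may traverse directory d (x bit of the matching
    class).  Class selection: owner if uid matches, else group if the gid or
    any supplementary group matches, else other.  uid 0 bypasses DAC.
    Note: the saved uid left at 0 by setresuid(23, 23, 0) plays no part here;
    only the effective uid/gid and the supplementary list are consulted."""
    if creds.uid == ROOT:
        return True
    if creds.uid == d.owner:
        return bool(d.mode & stat.S_IXUSR)
    if creds.gid == d.group or d.group in creds.groups:
        return bool(d.mode & stat.S_IXGRP)
    return bool(d.mode & stat.S_IXOTH)


def squid_drop_privs(uid: int, gid: int) -> Creds:
    """Mirror the strace sequence: setgroups(1, [gid]); setgid(gid);
    setresuid(uid, uid, 0).  The single-entry setgroups() is what discards
    every supplementary group, wbpriv included."""
    return Creds(uid=uid, gid=gid, groups=frozenset([gid]))


def login_creds(uid: int, gid: int, supplementary) -> Creds:
    """What an interactive login (initgroups) or `id squid` would show:
    primary gid plus the supplementary groups from /etc/group."""
    return Creds(uid=uid, gid=gid, groups=frozenset(supplementary))


def scenarios() -> dict:
    """Evaluate the four situations described in the thread."""
    priv_dir = Dir(owner=ROOT, group=WBPRIV)               # root:wbpriv, as installed
    return {
        "daemon, squid in wbpriv, no cache_effective_group":
            can_search(squid_drop_privs(SQUID, SQUID), priv_dir),
        "shell as user squid (supplementary groups kept)":
            can_search(login_creds(SQUID, SQUID, [WBPRIV]), priv_dir),
        "workaround: cache_effective_group wbpriv":
            can_search(squid_drop_privs(SQUID, WBPRIV), priv_dir),
        "workaround: chgrp squid winbindd_privileged":
            can_search(squid_drop_privs(SQUID, SQUID), Dir(owner=ROOT, group=SQUID)),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'ALLOW' if ok else 'DENY ':5}  {name}")
```

The first scenario is the one Lux reports: the daemon's only group after setgroups() is its cache_effective_group (which defaults to squid when the directive is absent, as the parse_line output shows), so membership of wbpriv in /etc/group is never consulted. The second scenario is why a manual test with `wbinfo` or `ntlm_auth` run from a shell as the squid user can succeed while the daemon fails. The two workarounds pass by changing which single group is compared; "cache_effective_group wbpriv" does so by making wbpriv the group under which the whole Squid process and its helpers run, which is the "security leash" Amos warns about.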
