Re: [squid-users] Re: Again with winbindd_privileged, sometimes "Ensure permissions on /var/db/samba/winbindd_privileged are set correctly" from Diego Woitasen on 2010-09-03 (squid-users)

From: Diego Woitasen <diegows_at_xtech.com.ar>
Date: Fri, 3 Sep 2010 15:10:03 -0300

On Fri, Sep 3, 2010 at 8:54 AM, c0re <nr1c0re_at_gmail.com> wrote:
> I found strange solution:
> stop squid&windbind
> rm -rf /var/db/samba/winbindd_privileged
> start winbind
> chown :squid /var/db/samba/winbindd_privileged
>
> And problem disappeared.
>
> 2010/9/1 c0re <nr1c0re_at_gmail.com>:
>> Hello squid users!
>>
>> I've got squid+winbind ntlm auth.
>> But sometimes I see this in log /var/log/samba/log.winbindd
>>
>> [2010/09/01 12:39:11, 2] winbindd/winbindd_pam.c:winbindd_pam_auth_crap(1754)
>> winbindd_pam_auth_crap: non-privileged access denied. !
>> winbindd_pam_auth_crap: Ensure permissions on
>> /var/db/samba/winbindd_privileged are set correctly.
>>
>> About 1k users.
>> Sometimes some user can see proxy auth window asking for credentials in IE6.
>> User can just press ESC and do not enter any credentials, all goes OK.
>> That window means that some ntlm auth problem occurs.
>> In log I see only those message above about winbindd_privileged.
>>
>> freebsd 7.3
>> squid 3.1.7
>> samba-3.3.10
>>
>> In squid.conf
>> no cache_effective_group option configured
>> auth_param ntlm program /usr/local/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 150
>>
>> Using cachemgr.cgi and looking at "NTLM User Authenticator Stats" I
>> see only 32 redirectors has changed "# Request" counters, that means
>> that not all 150 redirectors used so it's not redirector problem.
>>
>> # ls -l /var/db/samba/ | grep winbindd_privileged
>> drwxrwx--- 2 root squid 512 Aug 22 13:58 winbindd_privileged
>>
>> # ls -l /var/db/samba/winbindd_privileged/
>> srwxrwxrwx 1 root squid 0 Aug 22 13:58 pipe
>>
>> What can be wrong? If there were incorrect permissions no one can auth
>> via ntlm, but all users can authorize and walk in internet. I can't
>> find why sometime those auth window appears and why those message
>> about "permissions" appears in log.
>>
>> Thanks in advance!
>>
>

That's not the correct solution. The squid user should be member of
the group winbindd_priv and you have to remove the
cache_effective_group from squid.conf.

Regards,
Diego

-- 
Diego Woitasen
XTECH

Received on Fri Sep 03 2010 - 18:10:12 MDT

This archive was generated by hypermail 2.2.0 : Wed Sep 29 2010 - 12:00:04 MDT