Re: [squid-users] winbind privilege problems

From: Chris Waters <cwaters_at_jeld-wen.com>
Date: Tue, 28 Feb 2012 20:54:05 -0800

Well, it appears that this is a known issue on Debian variants. Disabling
the cache_effective_group setting seems to have fixed the issue. Got the
idea from this thread:

http://old.nabble.com/Bug-307257:-About-winbind-3-and-squid-with-ntlm-authentication-(Debian-Bug--307257)-td10390962.html

Sorry for the clutter in the list, but maybe it helps someone else.

Thanks,

Chris Waters

On 2/28/12 5:35 PM, "Chris Waters" <cwaters_at_jeld-wen.com> wrote:

>Hello,
>
>I am in the process of building some test squid instances for possible
>deployment and have come across an issue where the user squid runs under
>seems not to be allowed access to the winbind pipe when the user is in the
>proper group. Here are the details:
>
>Ubuntu 11.04
>Squid 3.1.11 (from the natty repo)
>Winbind 3.5.8 (from the natty repo)
>
>The server has pam configured and working for access with winbind though
>the behavior seems to be the same with pam_winbind disabled.
>
>Here's what I see:
>==> debug.log <==
>[2012/02/28 16:53:28.521059, 0] utils/ntlm_auth.c:600(winbind_pw_check)
> Login for user [DOMAIN]\[USER]@[HOST] failed due to [winbind client not
>authorized to use winbindd_pam_auth_crap. Ensure permissions on
>/var/run/samba/winbindd_privileged are set correctly.]
>[2012/02/28 16:53:28.521059, 0]
>utils/ntlm_auth.c:896(manage_squid_ntlmssp_request_int)
> NTLMSSP BH: NT_STATUS_ACCESS_DENIED
>2012/02/28 16:53:28| authenticateNTLMHandleReply: Error validating user
>via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
>
>
>Squid runs as user proxy and is a member of the winbind_priv group:
>
>root_at_squid-1104:/var/log/squid3# ps -ef | grep squid3
>root 2991 1 0 16:39 ? 00:00:00 /usr/sbin/squid3 -YC -f
>/etc/squid3/squid.conf
>proxy 2993 2991 0 16:39 ? 00:00:00 (squid) -YC -f
>/etc/squid3/squid.conf
>
>
>winbindd_priv:x:112:proxy
>
>Privs on the directory:
>drwxr-x--- 2 root winbindd_priv 60 2012-02-28 16:38 winbindd_privileged
>
>Here's the auth_param statements:
>auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="DOMAIN\\domain users"
>auth_param ntlm children 25
>
>
>I have an Ubuntu 11.10 server with a similar configuration with the
>exception that I am not using pam_winbind for authentication to the server
>and squid is doing ntlm authentication for users just fine. I pulled the
>squid configurations off the working Ubuntu server where I don't have this
>issue.
>
>Has anyone seen this before and does anyone know how to fix it? I will
>happily provide more detail as required.
>
>Thanks,
>
>Chris Waters
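
An added diagnostic sketch, not part of the original thread: the group file shows configured membership, but access to winbindd_privileged depends on the groups the running Squid process actually holds, which this script reads from /proc/<pid>/status (Linux). The function names, the sample status files and gid 13 for the proxy user are assumptions made for the example; gid 112 is taken from the group entry in the post.

```shell
#!/bin/sh
# Added example, not from the thread: does a process hold the group that
# owns winbindd_privileged? Reads /proc/<pid>/status (Linux).

# proc_has_gid STATUS_FILE GID -> 0 if GID is the effective GID or a
# supplementary group listed in the status file, 1 otherwise.
proc_has_gid() {
    awk -v want="$2" '
        $1 == "Gid:"    && $3 == want { found = 1 }   # field 3 = effective GID
        $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# check_helper_access PID DIR -> compares the live process with DIR's group.
check_helper_access() {
    dir_gid=$(stat -c %g "$2") || return 2
    if proc_has_gid "/proc/$1/status" "$dir_gid"; then
        echo "pid $1 holds gid $dir_gid, the group owner of $2"
    else
        echo "pid $1 does NOT hold gid $dir_gid, the group owner of $2"
        return 1
    fi
}

# Constructed sample status files (gid 13 for proxy is an assumption; 112 is
# winbindd_priv from the group entry in the post).
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'Name:\tsquid3\nGid:\t13\t13\t13\t13\nGroups:\t13 112\n' > "$tmp/with"
    printf 'Name:\tsquid3\nGid:\t13\t13\t13\t13\nGroups:\t13\n'     > "$tmp/without"
    for f in with without; do
        if proc_has_gid "$tmp/$f" 112; then echo "$f: has gid 112"
        else echo "$f: missing gid 112"; fi
    done
    rm -rf "$tmp"
}

# With two arguments, check a live process; otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then check_helper_access "$1" "$2"; else demo; fi
```

Called with the PID of the squid child process and the path of the winbindd_privileged directory, it reports whether that process, and therefore the ntlm_auth helpers it spawns, holds the directory's group.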

Received on Wed Feb 29 2012 - 04:54:15 MST
