vincent.blondel@xxxxxx wrote:
Hello all,
I really get a strange ( maybe not ?? ) problem. I get Squid 2.7.4
running on Solaris 8 with Samba 3.0.32. My clients are essentially
running Windows XP SP2 with IE6.
authentication scheme is exclusively based on ntlm so this is the
reason
why winbindd is also running, smbd and nmbd are not running because I
think this is not needed.
this is all working fine but I randomly get thousands of lines
appearing
in cache.log file .. see below what I get.
[2008/12/04 10:10:57, 0] utils/ntlm_auth.c:winbind_pw_check(515)
Login for user [DOMAIN]\[user]@[desktop] failed due to [winbind
client
not authorized to use winbindd_pam_auth_crap. Ensure permissions on
/var/l
ib/samba/winbindd_privileged are set correctly.]
process squid is running as user squid and group squidg so afaik
permissions below are correct ..
342924 1 drwxr-x--- 5 root squidg 512 Dec 4 03:36
/var/lib/samba
354946 1 drwxr-x--- 4 root squidg 512 Nov 18 01:34
/var/lib/samba/locks
360979 1 drwxr-x--- 2 root squidg 512 Nov 18 01:34
/var/lib/samba/locks/printing
366989 1 drwxr-x--- 2 root squidg 512 Nov 18 01:34
/var/lib/samba/locks/winbindd_privileged
342930 8 -rw-r----- 1 root squidg 8192 Dec 4 03:37
/var/lib/samba/gencache.tdb
342932 1 -rw-r----- 1 root squidg 696 Nov 18 01:34
/var/lib/samba/idmap_cache.tdb
342933 1 -rw-r----- 1 root squidg 696 Dec 3 17:35
/var/lib/samba/messages.tdb
342935 56 -rw------- 1 root root 57344 Dec 3 17:36
/var/lib/samba/winbindd_cache.tdb
342936 29752 -rw-r----- 1 root squidg 30441472 Dec 4 09:58
/var/lib/samba/netsamlogon_cache.tdb
138380 1 drwxr-x--- 2 root squidg 512 Dec 3 17:35
/var/lib/samba/winbindd_privileged
138381 0 srwxrwxrwx 1 root root 0 Dec 3 17:35
/var/lib/samba/winbindd_privileged/pipe
222599 1 drwxr-x--- 2 root squidg 512 Dec 4 03:36
/var/lib/samba/smb_krb5
342937 1 -rw-r--r-- 1 root root 268 Dec 4 03:36
/var/lib/samba/smb_krb5/krb5.conf.EUROPE
I did not find any explanation right now except applying same
security
settings on directories again and reloading process squid.
We are already running squid more than 3 years and never got the
problem
before ..
Can somebody really help me because each time we encounter this issue
hundreds of my users are impacted.
many thanks for your help.
Please first ensure that you DO NOT have cache_effective_group
configured in your squid.conf.
All squid group settings under this setup need to be OS-defined
correctly and working properly that way.
yes sure I get 'cache_effective_user squid' & 'cache_effective_group
squidg' configured in squid config file ... this was alaways so ..
is there a specific issue with it ??
The squid.conf configured group forces override of any OS settings from
squid point of view. Particularly to the effect of erasing membership of
secondary groups and group aliases. Winbind only obeys and verifies
against the OS settings, so there is a high likelyhood that your issue
is a mismatch between the privileges seen by squid with group configured
and the system settings.
effective_group may have been needed in 2.5 and earlier and before we
sorted out the winbind privileges system. But has really been obsolete
since group membership was fixed in Squid-2.6.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1
