>>>>>> Hello all, >>>>>> >>>>>> I really get a strange ( maybe not ?? ) problem. I get Squid 2.7.4 >>>>>> running on Solaris 8 with Samba 3.0.32. My clients are essentially >>>>>> running Windows XP SP2 with IE6. >>>>>> >>>>>> authentication scheme is exclusively based on ntlm so this is the >>>> reason >>>>>> why winbindd is also running, smbd and nmbd are not running > because I >>>>>> think this is not needed. >>>>>> >>>>>> this is all working fine but I randomly get thousands of lines >>>> appearing >>>>>> in cache.log file .. see below what I get. >>>>>> >>>>>> [2008/12/04 10:10:57, 0] utils/ntlm_auth.c:winbind_pw_check(515) >>>>>> Login for user [DOMAIN]\[user]@[desktop] failed due to [winbind >>>> client >>>>>> not authorized to use winbindd_pam_auth_crap. Ensure permissions > on >>>>>> /var/l >>>>>> ib/samba/winbindd_privileged are set correctly.] >>>>>> >>>>>> process squid is running as user squid and group squidg so afaik >>>>>> permissions below are correct .. >>>>>> >>>>>> 342924 1 drwxr-x--- 5 root squidg 512 Dec 4 03:36 >>>>>> /var/lib/samba >>>>>> 354946 1 drwxr-x--- 4 root squidg 512 Nov 18 01:34 >>>>>> /var/lib/samba/locks >>>>>> 360979 1 drwxr-x--- 2 root squidg 512 Nov 18 01:34 >>>>>> /var/lib/samba/locks/printing >>>>>> 366989 1 drwxr-x--- 2 root squidg 512 Nov 18 01:34 >>>>>> /var/lib/samba/locks/winbindd_privileged >>>>>> 342930 8 -rw-r----- 1 root squidg 8192 Dec 4 03:37 >>>>>> /var/lib/samba/gencache.tdb >>>>>> 342932 1 -rw-r----- 1 root squidg 696 Nov 18 01:34 >>>>>> /var/lib/samba/idmap_cache.tdb >>>>>> 342933 1 -rw-r----- 1 root squidg 696 Dec 3 17:35 >>>>>> /var/lib/samba/messages.tdb >>>>>> 342935 56 -rw------- 1 root root 57344 Dec 3 17:36 >>>>>> /var/lib/samba/winbindd_cache.tdb >>>>>> 342936 29752 -rw-r----- 1 root squidg 30441472 Dec 4 > 09:58 >>>>>> /var/lib/samba/netsamlogon_cache.tdb >>>>>> 138380 1 drwxr-x--- 2 root squidg 512 Dec 3 17:35 >>>>>> /var/lib/samba/winbindd_privileged >>>>>> 138381 0 srwxrwxrwx 1 root root 0 Dec 3 17:35 >>>>>> /var/lib/samba/winbindd_privileged/pipe >>>>>> 222599 1 drwxr-x--- 2 root squidg 512 Dec 4 03:36 >>>>>> /var/lib/samba/smb_krb5 >>>>>> 342937 1 -rw-r--r-- 1 root root 268 Dec 4 03:36 >>>>>> /var/lib/samba/smb_krb5/krb5.conf.EUROPE >>>>>> >>>>>> I did not find any explanation right now except applying same >>>> security >>>>>> settings on directories again and reloading process squid. >>>>>> >>>>>> We are already running squid more than 3 years and never got the >>>> problem >>>>>> before .. >>>>>> >>>>>> Can somebody really help me because each time we encounter this > issue >>>>>> hundreds of my users are impacted. >>>>>> >>>>>> many thanks for your help. >>>>> Please first ensure that you DO NOT have cache_effective_group >>>>> configured in your squid.conf. >>>>> All squid group settings under this setup need to be OS-defined >>>>> correctly and working properly that way. >>>> >>>> yes sure I get 'cache_effective_user squid' & 'cache_effective_group >>>> squidg' configured in squid config file ... this was alaways so .. >>>> >>>> is there a specific issue with it ?? >>> >>>The squid.conf configured group forces override of any OS settings > from >>>squid point of view. Particularly to the effect of erasing membership > of >>>secondary groups and group aliases. Winbind only obeys and verifies >>>against the OS settings, so there is a high likelyhood that your issue >>>is a mismatch between the privileges seen by squid with group > configured >>>and the system settings. >>> >>>effective_group may have been needed in 2.5 and earlier and before we >>>sorted out the winbind privileges system. But has really been obsolete >>>since group membership was fixed in Squid-2.6. >>> >> >>Amos, >> >>many thks for your help .. I made the change yesterday morning and > seems to be okay till now. >> >>I keep you informed later if this stays as is. > > I am back, sorry but the problem is happening again .... do you get some > other ideas because this is becoming a real big issue here .. thks. > Sorry I haven't had much to do with winbind than we have already tried. you are the first I've seen where these fixes have not worked. Can you get a full "ls -la" trace of the directory content and permissions at a time where it's working, and one where its not? Also a list of the squid user name and the groups names it belongs to. This will be needed by anyone who may be more able to help. Amos
