Re: winbind directories permissions issue

Amos Jeffries <squid3@xxxxxxxxxxxxx> · Tue, 16 Dec 2008 01:31:45 +1300

vincent.blondel@xxxxxx wrote:
...
Amos

I made some cut from our previous posts to avoid any confusion.

Sorry I haven't had much to do with winbind than we have already tried.
you are the first I've seen where these fixes have not worked.

Can you get a full "ls -la" trace of the directory content and
permissions
at a time where it's working, and one where its not? Also a list of the
squid user name and the groups names it belongs to.

$ egrep 'squid|winbin' /etc/passwd /etc/group
/etc/passwd:squid:x:1560:1560:SQUID user:/home/SQUID:/bin/ksh
/etc/group:squidg::1560:
/etc/group:winbind::2222:squid

Below what happended on one of my machine .. sbepskdd.

some minutes before the bug occured ..

$ ls -nai /var/lib/samba
total 121612
    162445 drwxr-x---   5 0        2222         512 Dec 15 04:14 .
    330886 drwxr-xr-x   5 0        0            512 Nov 17 19:39 ..
    162448 -rw-r-----   1 0        2222        8192 Dec 15 04:14
gencache.tdb
    162450 -rw-r-----   1 0        2222         696 Nov 17 19:39
idmap_cache.tdb
    168469 drwxr-x---   4 0        2222         512 Nov 17 19:39 locks
    162451 -rw-r-----   1 0        2222        8192 Dec 14 22:06
messages.tdb
    162454 -rw-r-----   1 0        2222     62144512 Dec 15 08:41
netsamlogon_cache.tdb
     54155 drwxr-x---   2 0        2222         512 Dec 15 04:14
smb_krb5
    162453 -rw-------   1 0        0          57344 Nov 25 06:49
winbindd_cache.tdb
    451222 drwxr-x---   2 0        2222         512 Nov 25 06:47
winbindd_privileged

$ ls -nai /var/lib/samba/winbindd_privileged
total 4
    451222 drwxr-x---   2 0        2222         512 Nov 25 06:47 .
    162445 drwxr-x---   5 0        2222         512 Dec 15 04:14 ..
    451223 srwxrwxrwx   1 0        0              0 Nov 25 06:47 pipe

when SQUID is still running but the bug is happening ..

$ ls -nai /var/lib/samba
total 122140
    162445 drwxr-x---   5 0        2222         512 Dec 15 04:14 .
    330886 drwxr-xr-x   5 0        0            512 Nov 17 19:39 ..
    162448 -rw-r-----   1 0        2222        8192 Dec 15 04:14
gencache.tdb
    162450 -rw-r-----   1 0        2222         696 Nov 17 19:39
idmap_cache.tdb
    168469 drwxr-x---   4 0        2222         512 Nov 17 19:39 locks
    162451 -rw-r-----   1 0        2222        8192 Dec 14 22:06
messages.tdb
    162454 -rw-r-----   1 0        2222     62414848 Dec 15 10:04
netsamlogon_cache.tdb
     54155 drwxr-x---   2 0        2222         512 Dec 15 04:14
smb_krb5
    162453 -rw-------   1 0        0          57344 Nov 25 06:49
winbindd_cache.tdb
    451222 drwxr-x---   2 0        2222         512 Nov 25 06:47
winbindd_privileged

$ ls -nai /var/lib/samba/winbindd_privileged
total 4
    451222 drwxr-x---   2 0        2222         512 Nov 25 06:47 .
    162445 drwxr-x---   5 0        2222         512 Dec 15 04:14 ..
    451223 srwxrwxrwx   1 0        0              0 Nov 25 06:47 pipe

just after restart of SQUID process ..

$ ls -nai /var/lib/samba
total 122140
    162445 drwxr-x---   5 0        2222         512 Dec 15 04:14 .
    330886 drwxr-xr-x   5 0        0            512 Nov 17 19:39 ..
    162448 -rw-r-----   1 0        2222        8192 Dec 15 04:14
gencache.tdb
    162450 -rw-r-----   1 0        2222         696 Nov 17 19:39
idmap_cache.tdb
    168469 drwxr-x---   4 0        2222         512 Nov 17 19:39 locks
    162451 -rw-r-----   1 0        2222        8192 Dec 14 22:06
messages.tdb
    162454 -rw-r-----   1 0        2222     62414848 Dec 15 10:04
netsamlogon_cache.tdb
     54155 drwxr-x---   2 0        2222         512 Dec 15 04:14
smb_krb5
    162453 -rw-------   1 0        0          57344 Nov 25 06:49
winbindd_cache.tdb
    451222 drwxr-x---   2 0        2222         512 Nov 25 06:47
winbindd_privileged

$ ls -nai /var/lib/samba/winbindd_privileged
total 4
    451222 drwxr-x---   2 0        2222         512 Nov 25 06:47 .
    162445 drwxr-x---   5 0        2222         512 Dec 15 04:14 ..
    451223 srwxrwxrwx   1 0        0              0 Nov 25 06:47 pipe

Now another notice, I made a change last tuesday on another SQUID server
and this seems working almost one week ..

$ ls -nai /var/lib/samba
total 78156
    342924 drwxr-xr-x   5 0        2222         512 Dec 15 04:22 .
     66177 drwxr-xr-x   5 0        0            512 Nov 18 01:34 ..
    342930 -rw-r--r--   1 0        2222        8192 Dec 15 04:22
gencache.tdb
    342932 -rw-r--r--   1 0        2222         696 Nov 18 01:34
idmap_cache.tdb
    354946 drwxr-xr-x   4 0        2222         512 Nov 18 01:34 locks
    342933 -rw-r--r--   1 0        2222        8192 Dec 13 22:06
messages.tdb
    342936 -rw-r--r--   1 0        2222     39903232 Dec 15 10:20
netsamlogon_cache.tdb
    222599 drwxr-xr-x   2 0        2222         512 Dec 15 04:22
smb_krb5
    342934 -rw-------   1 0        0          57344 Dec  9 10:44
winbindd_cache.tdb
    138380 drwxr-x---   2 0        2222         512 Dec  9 10:39
winbindd_privileged

$ ls -nai /var/lib/samba/winbindd_privileged
total 4
    138380 drwxr-x---   2 0        2222         512 Dec  9 10:39 .
    342924 drwxr-xr-x   5 0        2222         512 Dec 15 04:22 ..
    138381 srwxrwxrwx   1 0        0              0 Dec  9 10:39 pipe

I do not understand anything, maybe situation is more clear for you .. 

Hope some good news from you ..

Sigh, oh dear. sorry no good news. Nothing visible in that trace. I was 
hoping it would be clear like squid or winbind setting one of the 
privileges to root when it shouldn't.

You said earlier "process squid is running as user squid and group 
squidg so afaik permissions below are correct .."

You did mean squid starts as root and then sets itself to 
"cache_effective_user squid" and user squid is a member of group squidg, 
right?

This will be needed by anyone who may be more able to help.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.3 or 3.0.STABLE11-RC1