
RE: winbind directories permissions issue


 



>
>>> ...
>>> Amos
>>>
>>> I made some cut from our previous posts to avoid any confusion.
>>>
>>>>
>>>> Sorry I haven't had much to do with winbind than we have already tried.
>>>> you are the first I've seen where these fixes have not worked.
>>>>
>>>> Can you get a full "ls -la" trace of the directory content and permissions
>>>> at a time where it's working, and one where it's not? Also a list of the
>>>> squid user name and the groups names it belongs to.
>>>>
>>>
>>> $ egrep 'squid|winbin' /etc/passwd /etc/group
>>> /etc/passwd:squid:x:1560:1560:SQUID user:/home/SQUID:/bin/ksh
>>> /etc/group:squidg::1560:
>>> /etc/group:winbind::2222:squid
>>>
>>> Below what happened on one of my machines .. sbepskdd.
>>>
>>> some minutes before the bug occurred ..
>>>
>>> $ ls -nai /var/lib/samba
>>> total 121612
>>>     162445 drwxr-x---   5 0        2222         512 Dec 15 04:14 .
>>>     330886 drwxr-xr-x   5 0        0            512 Nov 17 19:39 ..
>>>     162448 -rw-r-----   1 0        2222        8192 Dec 15 04:14 gencache.tdb
>>>     162450 -rw-r-----   1 0        2222         696 Nov 17 19:39 idmap_cache.tdb
>>>     168469 drwxr-x---   4 0        2222         512 Nov 17 19:39 locks
>>>     162451 -rw-r-----   1 0        2222        8192 Dec 14 22:06 messages.tdb
>>>     162454 -rw-r-----   1 0        2222     62144512 Dec 15 08:41 netsamlogon_cache.tdb
>>>      54155 drwxr-x---   2 0        2222         512 Dec 15 04:14 smb_krb5
>>>     162453 -rw-------   1 0        0          57344 Nov 25 06:49 winbindd_cache.tdb
>>>     451222 drwxr-x---   2 0        2222         512 Nov 25 06:47 winbindd_privileged
>>>
>>> $ ls -nai /var/lib/samba/winbindd_privileged
>>> total 4
>>>     451222 drwxr-x---   2 0        2222         512 Nov 25 06:47 .
>>>     162445 drwxr-x---   5 0        2222         512 Dec 15 04:14 ..
>>>     451223 srwxrwxrwx   1 0        0              0 Nov 25 06:47 pipe
>>>
>>> when SQUID is still running but the bug is happening ..
>>>
>>> $ ls -nai /var/lib/samba
>>> total 122140
>>>     162445 drwxr-x---   5 0        2222         512 Dec 15 04:14 .
>>>     330886 drwxr-xr-x   5 0        0            512 Nov 17 19:39 ..
>>>     162448 -rw-r-----   1 0        2222        8192 Dec 15 04:14 gencache.tdb
>>>     162450 -rw-r-----   1 0        2222         696 Nov 17 19:39 idmap_cache.tdb
>>>     168469 drwxr-x---   4 0        2222         512 Nov 17 19:39 locks
>>>     162451 -rw-r-----   1 0        2222        8192 Dec 14 22:06 messages.tdb
>>>     162454 -rw-r-----   1 0        2222     62414848 Dec 15 10:04 netsamlogon_cache.tdb
>>>      54155 drwxr-x---   2 0        2222         512 Dec 15 04:14 smb_krb5
>>>     162453 -rw-------   1 0        0          57344 Nov 25 06:49 winbindd_cache.tdb
>>>     451222 drwxr-x---   2 0        2222         512 Nov 25 06:47 winbindd_privileged
>>>
>>> $ ls -nai /var/lib/samba/winbindd_privileged
>>> total 4
>>>     451222 drwxr-x---   2 0        2222         512 Nov 25 06:47 .
>>>     162445 drwxr-x---   5 0        2222         512 Dec 15 04:14 ..
>>>     451223 srwxrwxrwx   1 0        0              0 Nov 25 06:47 pipe
>>>
>>> just after restart of SQUID process ..
>>>
>>> $ ls -nai /var/lib/samba
>>> total 122140
>>>     162445 drwxr-x---   5 0        2222         512 Dec 15 04:14 .
>>>     330886 drwxr-xr-x   5 0        0            512 Nov 17 19:39 ..
>>>     162448 -rw-r-----   1 0        2222        8192 Dec 15 04:14 gencache.tdb
>>>     162450 -rw-r-----   1 0        2222         696 Nov 17 19:39 idmap_cache.tdb
>>>     168469 drwxr-x---   4 0        2222         512 Nov 17 19:39 locks
>>>     162451 -rw-r-----   1 0        2222        8192 Dec 14 22:06 messages.tdb
>>>     162454 -rw-r-----   1 0        2222     62414848 Dec 15 10:04 netsamlogon_cache.tdb
>>>      54155 drwxr-x---   2 0        2222         512 Dec 15 04:14 smb_krb5
>>>     162453 -rw-------   1 0        0          57344 Nov 25 06:49 winbindd_cache.tdb
>>>     451222 drwxr-x---   2 0        2222         512 Nov 25 06:47 winbindd_privileged
>>>
>>> $ ls -nai /var/lib/samba/winbindd_privileged
>>> total 4
>>>     451222 drwxr-x---   2 0        2222         512 Nov 25 06:47 .
>>>     162445 drwxr-x---   5 0        2222         512 Dec 15 04:14 ..
>>>     451223 srwxrwxrwx   1 0        0              0 Nov 25 06:47 pipe
>>>
>>> Now another notice, I made a change last Tuesday on another SQUID server
>>> and this seems working almost one week ..
>>>
>>> $ ls -nai /var/lib/samba
>>> total 78156
>>>     342924 drwxr-xr-x   5 0        2222         512 Dec 15 04:22 .
>>>      66177 drwxr-xr-x   5 0        0            512 Nov 18 01:34 ..
>>>     342930 -rw-r--r--   1 0        2222        8192 Dec 15 04:22 gencache.tdb
>>>     342932 -rw-r--r--   1 0        2222         696 Nov 18 01:34 idmap_cache.tdb
>>>     354946 drwxr-xr-x   4 0        2222         512 Nov 18 01:34 locks
>>>     342933 -rw-r--r--   1 0        2222        8192 Dec 13 22:06 messages.tdb
>>>     342936 -rw-r--r--   1 0        2222     39903232 Dec 15 10:20 netsamlogon_cache.tdb
>>>     222599 drwxr-xr-x   2 0        2222         512 Dec 15 04:22 smb_krb5
>>>     342934 -rw-------   1 0        0          57344 Dec  9 10:44 winbindd_cache.tdb
>>>     138380 drwxr-x---   2 0        2222         512 Dec  9 10:39 winbindd_privileged
>>>
>>> $ ls -nai /var/lib/samba/winbindd_privileged
>>> total 4
>>>     138380 drwxr-x---   2 0        2222         512 Dec  9 10:39 .
>>>     342924 drwxr-xr-x   5 0        2222         512 Dec 15 04:22 ..
>>>     138381 srwxrwxrwx   1 0        0              0 Dec  9 10:39 pipe
>>>
>>> I do not understand anything, maybe situation is more clear for you ..
>>>
>>> Hope some good news from you ..
>>>
>>
>>
>>Sigh, oh dear. sorry no good news. Nothing visible in that trace. I was
>>hoping it would be clear like squid or winbind setting one of the
>>privileges to root when it shouldn't.
>>
>>You said earlier "process squid is running as user squid and group
>>squidg so afaik permissions below are correct .."
>>
>>You did mean squid starts as root and then sets itself to
>>"cache_effective_user squid" and user squid is a member of group squidg,
>>right?
>>
>
>I just found another tip on the net by using setgid on ntlm_auth binary
>and winbind directory. I will try this tomorrow morning .. see below ??
>
>chown -R root:winbind /var/lib/samba
>find /var/lib/samba -type d -exec chmod 750 {} \;
>find /var/lib/samba -type f -exec chmod 640 {} \;
>chown root:winbind /usr/local/bin/ntlm_auth
>chmod 2555 /usr/local/bin/ntlm_auth
>chmod g+s /var/lib/samba/winbindd_privileged
>
>I just tried it on my dev machine and seems to work ..
>
>root@sbedskcq:/root# ls -la /usr/local/bin/ntlm_auth
>-r-xr-sr-x   1 root     winbind  1205548 Oct 15 20:05 /usr/local/bin/ntlm_auth
>
>root@sbedskcq:/root# find /var/lib/samba -ls
>78264    1 drwxr-x---   4 root     winbind       512 Dec 15 19:14 /var/lib/samba
>78244   24 -rw-r-----   1 root     winbind     24576 Nov 18 15:48 /var/lib/samba/gencache.tdb
>78248    1 -rw-r-----   1 root     winbind       696 Oct 29 07:10 /var/lib/samba/idmap_cache.tdb
>78250    1 -rw-r-----   1 root     winbind       696 Dec 15 19:14 /var/lib/samba/messages.tdb
>78310   56 -rw-------   1 root     other       57344 Dec 15 19:18 /var/lib/samba/winbindd_cache.tdb
>78297  112 -rw-r-----   1 root     winbind    106496 Nov 18 19:04 /var/lib/samba/netsamlogon_cache.tdb
>288828    1 drwxr-s---   2 root     winbind       512 Dec 15 19:14 /var/lib/samba/winbindd_privileged
>288831    0 srwxrwxrwx   1 root     winbind         0 Dec 15 19:14 /var/lib/samba/winbindd_privileged/pipe
>288830    1 drwxr-x---   2 root     winbind       512 Dec 15 19:14 /var/lib/samba/smb_krb5
>78309    1 -rw-r--r--   1 root     other         268 Dec 15 19:14 /var/lib/samba/smb_krb5/krb5.conf.EUROPE
>
>root@sbedskcq:/root# ps -fu squid -o uid,gid,args
>  UID   GID COMMAND
> 1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
> 1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
> 1560  1560 diskd 27083780 27083781 27083782
> 1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
> 1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
> 1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
> 1560  1560 diskd 27083776 27083777 27083778
> 1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
> 1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
> 1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
> 1560  1560 (squid) -f /home/SQUID/etc/squid.conf.2.7.4 -D
> 1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
> 1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
> 1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
> 1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
> 1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
> 1560  1560 (unlinkd)
> 1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
> 1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
> 1560  1560 /usr/local/sbin/squid -f /home/SQUID/etc/squid.conf.2.7.4 -D
>
>I keep you informed.
>

So what's new ... very bad news! :(-

So as mentioned, I tried the setgid winbind and this also does not work, BUT
something interesting: I also tried setuid root and this also fails, so
as far as I can understand I think the problem is not coming from a lack
of permission of ntlm_auth on the /var/lib/samba/winbindd_privileged
directory.

In this context the problem is maybe not coming from SQUID but from
SAMBA (ntlm_auth internal code) ...

What do you think about it ??

>>>
>>>> This will be needed by anyone who may be more able to help.
>>>>
>>>>
>>
>>Amos
>>--
>>Please be using
>>   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
>>   Current Beta Squid 3.1.0.3 or 3.0.STABLE11-RC1
>>
>
-----------------------------------------------------------------
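
An added example, not part of the original message or of Squid or Samba: a static check of which directory on the way to the `winbindd_privileged` pipe would deny search permission to a given numeric uid and group list, such as the ids shown in the `ls -nai` and `ps` output above. It assumes GNU `stat` (`stat -c`); the function names `class_bits` and `can_reach` are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes GNU stat (-c); function names are hypothetical.

# class_bits UID "GID ..." PATH
# Print the rwx digit (0-7) of the permission class that applies:
# owner if UID owns PATH, else group if any GID matches, else other.
class_bits() {
    st=$(stat -c '%a %u %g' -- "$3") || return 2
    set -- "$1" "$2" $st                 # now $3=mode $4=owner $5=group
    perm=$((0$3))                        # parse the mode as octal
    if [ "$1" -eq 0 ]; then echo 7; return 0; fi   # root bypasses the check
    if [ "$1" -eq "$4" ]; then echo $(( (perm >> 6) & 7 )); return 0; fi
    for g in $2; do
        if [ "$g" -eq "$5" ]; then echo $(( (perm >> 3) & 7 )); return 0; fi
    done
    echo $(( perm & 7 ))
}

# can_reach UID "GID ..." PATH [START]
# Walk every directory below START (default /) on the way to PATH. Print the
# first one that denies search (x) to the identity and return 1, else return 0.
can_reach() {
    dir=${4:-}
    rest=${3#"$dir"/}
    while [ "$rest" != "${rest#*/}" ]; do        # while a "/" remains
        dir="$dir/${rest%%/*}"
        rest=${rest#*/}
        bits=$(class_bits "$1" "$2" "$dir") || { echo "$dir (stat failed)"; return 1; }
        if [ $(( bits & 1 )) -eq 0 ]; then echo "$dir"; return 1; fi
    done
    return 0
}

# Example call with the ids from the thread (squid uid 1560, groups 1560 2222):
#   sh check.sh 1560 "1560 2222" /var/lib/samba/winbindd_privileged/pipe
if [ "$#" -ge 3 ]; then can_reach "$@"; fi
```

The check reads mode bits only, so ACLs and the supplementary groups a running process actually holds (compare the GID column of `ps -o uid,gid,args`) still need to be confirmed separately.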



