> >>> ... >>> Amos >>> >>> I made some cut from our previous posts to avoid any confusion. >>> >>>> >>>> Sorry I haven't had much to do with winbind than we have already tried. >>>> you are the first I've seen where these fixes have not worked. >>>> >>>> Can you get a full "ls -la" trace of the directory content and >>> permissions >>>> at a time where it's working, and one where its not? Also a list of the >>>> squid user name and the groups names it belongs to. >>>> >>> >>> $ egrep 'squid|winbin' /etc/passwd /etc/group >>> /etc/passwd:squid:x:1560:1560:SQUID user:/home/SQUID:/bin/ksh >>> /etc/group:squidg::1560: >>> /etc/group:winbind::2222:squid >>> >>> Below what happended on one of my machine .. sbepskdd. >>> >>> some minutes before the bug occured .. >>> >>> $ ls -nai /var/lib/samba >>> total 121612 >>> 162445 drwxr-x--- 5 0 2222 512 Dec 15 04:14 . >>> 330886 drwxr-xr-x 5 0 0 512 Nov 17 19:39 .. >>> 162448 -rw-r----- 1 0 2222 8192 Dec 15 04:14 >>> gencache.tdb >>> 162450 -rw-r----- 1 0 2222 696 Nov 17 19:39 >>> idmap_cache.tdb >>> 168469 drwxr-x--- 4 0 2222 512 Nov 17 19:39 locks >>> 162451 -rw-r----- 1 0 2222 8192 Dec 14 22:06 >>> messages.tdb >>> 162454 -rw-r----- 1 0 2222 62144512 Dec 15 08:41 >>> netsamlogon_cache.tdb >>> 54155 drwxr-x--- 2 0 2222 512 Dec 15 04:14 >>> smb_krb5 >>> 162453 -rw------- 1 0 0 57344 Nov 25 06:49 >>> winbindd_cache.tdb >>> 451222 drwxr-x--- 2 0 2222 512 Nov 25 06:47 >>> winbindd_privileged >>> >>> $ ls -nai /var/lib/samba/winbindd_privileged >>> total 4 >>> 451222 drwxr-x--- 2 0 2222 512 Nov 25 06:47 . >>> 162445 drwxr-x--- 5 0 2222 512 Dec 15 04:14 .. >>> 451223 srwxrwxrwx 1 0 0 0 Nov 25 06:47 pipe >>> >>> when SQUID is still running but the bug is happening .. >>> >>> $ ls -nai /var/lib/samba >>> total 122140 >>> 162445 drwxr-x--- 5 0 2222 512 Dec 15 04:14 . >>> 330886 drwxr-xr-x 5 0 0 512 Nov 17 19:39 .. >>> 162448 -rw-r----- 1 0 2222 8192 Dec 15 04:14 >>> gencache.tdb >>> 162450 -rw-r----- 1 0 2222 696 Nov 17 19:39 >>> idmap_cache.tdb >>> 168469 drwxr-x--- 4 0 2222 512 Nov 17 19:39 locks >>> 162451 -rw-r----- 1 0 2222 8192 Dec 14 22:06 >>> messages.tdb >>> 162454 -rw-r----- 1 0 2222 62414848 Dec 15 10:04 >>> netsamlogon_cache.tdb >>> 54155 drwxr-x--- 2 0 2222 512 Dec 15 04:14 >>> smb_krb5 >>> 162453 -rw------- 1 0 0 57344 Nov 25 06:49 >>> winbindd_cache.tdb >>> 451222 drwxr-x--- 2 0 2222 512 Nov 25 06:47 >>> winbindd_privileged >>> >>> $ ls -nai /var/lib/samba/winbindd_privileged >>> total 4 >>> 451222 drwxr-x--- 2 0 2222 512 Nov 25 06:47 . >>> 162445 drwxr-x--- 5 0 2222 512 Dec 15 04:14 .. >>> 451223 srwxrwxrwx 1 0 0 0 Nov 25 06:47 pipe >>> >>> just after restart of SQUID process .. >>> >>> $ ls -nai /var/lib/samba >>> total 122140 >>> 162445 drwxr-x--- 5 0 2222 512 Dec 15 04:14 . >>> 330886 drwxr-xr-x 5 0 0 512 Nov 17 19:39 .. >>> 162448 -rw-r----- 1 0 2222 8192 Dec 15 04:14 >>> gencache.tdb >>> 162450 -rw-r----- 1 0 2222 696 Nov 17 19:39 >>> idmap_cache.tdb >>> 168469 drwxr-x--- 4 0 2222 512 Nov 17 19:39 locks >>> 162451 -rw-r----- 1 0 2222 8192 Dec 14 22:06 >>> messages.tdb >>> 162454 -rw-r----- 1 0 2222 62414848 Dec 15 10:04 >>> netsamlogon_cache.tdb >>> 54155 drwxr-x--- 2 0 2222 512 Dec 15 04:14 >>> smb_krb5 >>> 162453 -rw------- 1 0 0 57344 Nov 25 06:49 >>> winbindd_cache.tdb >>> 451222 drwxr-x--- 2 0 2222 512 Nov 25 06:47 >>> winbindd_privileged >>> >>> $ ls -nai /var/lib/samba/winbindd_privileged >>> total 4 >>> 451222 drwxr-x--- 2 0 2222 512 Nov 25 06:47 . >>> 162445 drwxr-x--- 5 0 2222 512 Dec 15 04:14 .. >>> 451223 srwxrwxrwx 1 0 0 0 Nov 25 06:47 pipe >>> >>> Now another notice, I made a change last tuesday on another SQUID server >>> and this seems working almost one week .. >>> >>> $ ls -nai /var/lib/samba >>> total 78156 >>> 342924 drwxr-xr-x 5 0 2222 512 Dec 15 04:22 . >>> 66177 drwxr-xr-x 5 0 0 512 Nov 18 01:34 .. >>> 342930 -rw-r--r-- 1 0 2222 8192 Dec 15 04:22 >>> gencache.tdb >>> 342932 -rw-r--r-- 1 0 2222 696 Nov 18 01:34 >>> idmap_cache.tdb >>> 354946 drwxr-xr-x 4 0 2222 512 Nov 18 01:34 locks >>> 342933 -rw-r--r-- 1 0 2222 8192 Dec 13 22:06 >>> messages.tdb >>> 342936 -rw-r--r-- 1 0 2222 39903232 Dec 15 10:20 >>> netsamlogon_cache.tdb >>> 222599 drwxr-xr-x 2 0 2222 512 Dec 15 04:22 >>> smb_krb5 >>> 342934 -rw------- 1 0 0 57344 Dec 9 10:44 >>> winbindd_cache.tdb >>> 138380 drwxr-x--- 2 0 2222 512 Dec 9 10:39 >>> winbindd_privileged >>> >>> $ ls -nai /var/lib/samba/winbindd_privileged >>> total 4 >>> 138380 drwxr-x--- 2 0 2222 512 Dec 9 10:39 . >>> 342924 drwxr-xr-x 5 0 2222 512 Dec 15 04:22 .. >>> 138381 srwxrwxrwx 1 0 0 0 Dec 9 10:39 pipe >>> >>> I do not understand anything, maybe situation is more clear for you .. >>> >>> Hope some good news from you .. >>> >> >> >>Sigh, oh dear. sorry no good news. Nothing visible in that trace. I was >>hoping it would be clear like squid or winbind setting one of the >>privileges to root when it shouldn't. >> >>You said earlier "process squid is running as user squid and group >>squidg so afaik permissions below are correct .." >> >>You did mean squid starts as root and then sets itself to >>"cache_effective_user squid" and user squid is a member of group squidg, >>right? >> > >I just found another tip on the net by using setgid on ntlm_auth binary and winbind directory. I will try this tomorow morning .. see below ?? > >chown -R root:winbind /var/lib/samba >find /var/lib/samba -type d -exec chmod 750 {} \; >find /var/lib/samba -type f -exec chmod 640 {} \; >chown root:winbind /usr/local/bin/ntlm_auth >chmod 2555 /usr/local/bin/ntlm_auth >chmod g+s /var/lib/samba/winbindd_privileged > >I just tried it on my dev machine and seems to work .. > >root@sbedskcq:/root# ls -la /usr/local/bin/ntlm_auth >-r-xr-sr-x 1 root winbind 1205548 Oct 15 20:05 /usr/local/bin/ntlm_auth > >root@sbedskcq:/root# find /var/lib/samba -ls >78264 1 drwxr-x--- 4 root winbind 512 Dec 15 19:14 /var/lib/samba >78244 24 -rw-r----- 1 root winbind 24576 Nov 18 15:48 /var/lib/samba/gencache.tdb >78248 1 -rw-r----- 1 root winbind 696 Oct 29 07:10 /var/lib/samba/idmap_cache.tdb >78250 1 -rw-r----- 1 root winbind 696 Dec 15 19:14 /var/lib/samba/messages.tdb >78310 56 -rw------- 1 root other 57344 Dec 15 19:18 /var/lib/samba/winbindd_cache.tdb >78297 112 -rw-r----- 1 root winbind 106496 Nov 18 19:04 /var/lib/samba/netsamlogon_cache.tdb >288828 1 drwxr-s--- 2 root winbind 512 Dec 15 19:14 /var/lib/samba/winbindd_privileged >288831 0 srwxrwxrwx 1 root winbind 0 Dec 15 19:14 /var/lib/samba/winbindd_privileged/pipe >288830 1 drwxr-x--- 2 root winbind 512 Dec 15 19:14 /var/lib/samba/smb_krb5 >78309 1 -rw-r--r-- 1 root other 268 Dec 15 19:14 /var/lib/samba/smb_krb5/krb5.conf.EUROPE > >root@sbedskcq:/root# ps -fu squid -o uid,gid,args > UID GID COMMAND > 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp > 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp > 1560 1560 diskd 27083780 27083781 27083782 > 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp > 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp > 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp > 1560 1560 diskd 27083776 27083777 27083778 > 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp > 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp > 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp > 1560 1560 (squid) -f /home/SQUID/etc/squid.conf.2.7.4 -D > 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp > 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp > 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp > 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp > 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp > 1560 1560 (unlinkd) > 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp > 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp > 1560 1560 /usr/local/sbin/squid -f /home/SQUID/etc/squid.conf.2.7.4 -D > >I keep you informed. > So what's new ... very bad news! :(- So as mentionned, I tried the setgid winbind and this also not works BUT something interesting I also tried setuid root and this also fails so, as far as I can understand I think the problem is not coming from a lack of permission of ntlm_auth on /var/lib/samba/winbindd_privileged directory. In this context the problem is maybe not coming from SQUID but from SAMBA (ntlm_auth internal code) ... What do you think about it ?? >>> >>>> This will be needed by anyone who may be more able to help. >>>> >>>> >> >>Amos >>-- >>Please be using >> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10 >> Current Beta Squid 3.1.0.3 or 3.0.STABLE11-RC1 >> > ----------------------------------------------------------------- ATTENTION: The information in this electronic mail message is private and confidential, and only intended for the addressee. Should you receive this message by mistake, you are hereby notified that any disclosure, reproduction, distribution or use of this message is strictly prohibited. Please inform the sender by reply transmission and delete the message without copying or opening it. Messages and attachments are scanned for all viruses known. If this message contains password-protected attachments, the files have NOT been scanned for viruses by the ING mail domain. Always scan attachments before opening them. -----------------------------------------------------------------