>
>>
>>>> ...
>>>> Amos
>>>>
>>>> I made some cut from our previous posts to avoid any confusion.
>>>>
>>>>>
>>>>> Sorry I haven't had much to do with winbind than we have already tried.
>>>>> you are the first I've seen where these fixes have not worked.
>>>>>
>>>>> Can you get a full "ls -la" trace of the directory content and permissions
>>>>> at a time where it's working, and one where it's not? Also a list of the
>>>>> squid user name and the groups names it belongs to.
>>>>>
>>>>
>>>> $ egrep 'squid|winbin' /etc/passwd /etc/group
>>>> /etc/passwd:squid:x:1560:1560:SQUID user:/home/SQUID:/bin/ksh
>>>> /etc/group:squidg::1560:
>>>> /etc/group:winbind::2222:squid
>>>>
>>>> Below what happened on one of my machines .. sbepskdd.
>>>>
>>>> some minutes before the bug occurred ..
>>>>
>>>> $ ls -nai /var/lib/samba
>>>> total 121612
>>>> 162445 drwxr-x--- 5 0 2222      512 Dec 15 04:14 .
>>>> 330886 drwxr-xr-x 5 0 0         512 Nov 17 19:39 ..
>>>> 162448 -rw-r----- 1 0 2222     8192 Dec 15 04:14 gencache.tdb
>>>> 162450 -rw-r----- 1 0 2222      696 Nov 17 19:39 idmap_cache.tdb
>>>> 168469 drwxr-x--- 4 0 2222      512 Nov 17 19:39 locks
>>>> 162451 -rw-r----- 1 0 2222     8192 Dec 14 22:06 messages.tdb
>>>> 162454 -rw-r----- 1 0 2222 62144512 Dec 15 08:41 netsamlogon_cache.tdb
>>>>  54155 drwxr-x--- 2 0 2222      512 Dec 15 04:14 smb_krb5
>>>> 162453 -rw------- 1 0 0       57344 Nov 25 06:49 winbindd_cache.tdb
>>>> 451222 drwxr-x--- 2 0 2222      512 Nov 25 06:47 winbindd_privileged
>>>>
>>>> $ ls -nai /var/lib/samba/winbindd_privileged
>>>> total 4
>>>> 451222 drwxr-x--- 2 0 2222 512 Nov 25 06:47 .
>>>> 162445 drwxr-x--- 5 0 2222 512 Dec 15 04:14 ..
>>>> 451223 srwxrwxrwx 1 0 0      0 Nov 25 06:47 pipe
>>>>
>>>> when SQUID is still running but the bug is happening ..
>>>>
>>>> $ ls -nai /var/lib/samba
>>>> total 122140
>>>> 162445 drwxr-x--- 5 0 2222      512 Dec 15 04:14 .
>>>> 330886 drwxr-xr-x 5 0 0         512 Nov 17 19:39 ..
>>>> 162448 -rw-r----- 1 0 2222     8192 Dec 15 04:14 gencache.tdb
>>>> 162450 -rw-r----- 1 0 2222      696 Nov 17 19:39 idmap_cache.tdb
>>>> 168469 drwxr-x--- 4 0 2222      512 Nov 17 19:39 locks
>>>> 162451 -rw-r----- 1 0 2222     8192 Dec 14 22:06 messages.tdb
>>>> 162454 -rw-r----- 1 0 2222 62414848 Dec 15 10:04 netsamlogon_cache.tdb
>>>>  54155 drwxr-x--- 2 0 2222      512 Dec 15 04:14 smb_krb5
>>>> 162453 -rw------- 1 0 0       57344 Nov 25 06:49 winbindd_cache.tdb
>>>> 451222 drwxr-x--- 2 0 2222      512 Nov 25 06:47 winbindd_privileged
>>>>
>>>> $ ls -nai /var/lib/samba/winbindd_privileged
>>>> total 4
>>>> 451222 drwxr-x--- 2 0 2222 512 Nov 25 06:47 .
>>>> 162445 drwxr-x--- 5 0 2222 512 Dec 15 04:14 ..
>>>> 451223 srwxrwxrwx 1 0 0      0 Nov 25 06:47 pipe
>>>>
>>>> just after restart of SQUID process ..
>>>>
>>>> $ ls -nai /var/lib/samba
>>>> total 122140
>>>> 162445 drwxr-x--- 5 0 2222      512 Dec 15 04:14 .
>>>> 330886 drwxr-xr-x 5 0 0         512 Nov 17 19:39 ..
>>>> 162448 -rw-r----- 1 0 2222     8192 Dec 15 04:14 gencache.tdb
>>>> 162450 -rw-r----- 1 0 2222      696 Nov 17 19:39 idmap_cache.tdb
>>>> 168469 drwxr-x--- 4 0 2222      512 Nov 17 19:39 locks
>>>> 162451 -rw-r----- 1 0 2222     8192 Dec 14 22:06 messages.tdb
>>>> 162454 -rw-r----- 1 0 2222 62414848 Dec 15 10:04 netsamlogon_cache.tdb
>>>>  54155 drwxr-x--- 2 0 2222      512 Dec 15 04:14 smb_krb5
>>>> 162453 -rw------- 1 0 0       57344 Nov 25 06:49 winbindd_cache.tdb
>>>> 451222 drwxr-x--- 2 0 2222      512 Nov 25 06:47 winbindd_privileged
>>>>
>>>> $ ls -nai /var/lib/samba/winbindd_privileged
>>>> total 4
>>>> 451222 drwxr-x--- 2 0 2222 512 Nov 25 06:47 .
>>>> 162445 drwxr-x--- 5 0 2222 512 Dec 15 04:14 ..
>>>> 451223 srwxrwxrwx 1 0 0      0 Nov 25 06:47 pipe
>>>>
>>>> Now another notice, I made a change last tuesday on another SQUID server
>>>> and this seems working almost one week ..
>>>>
>>>> $ ls -nai /var/lib/samba
>>>> total 78156
>>>> 342924 drwxr-xr-x 5 0 2222      512 Dec 15 04:22 .
>>>>  66177 drwxr-xr-x 5 0 0         512 Nov 18 01:34 ..
>>>> 342930 -rw-r--r-- 1 0 2222     8192 Dec 15 04:22 gencache.tdb
>>>> 342932 -rw-r--r-- 1 0 2222      696 Nov 18 01:34 idmap_cache.tdb
>>>> 354946 drwxr-xr-x 4 0 2222      512 Nov 18 01:34 locks
>>>> 342933 -rw-r--r-- 1 0 2222     8192 Dec 13 22:06 messages.tdb
>>>> 342936 -rw-r--r-- 1 0 2222 39903232 Dec 15 10:20 netsamlogon_cache.tdb
>>>> 222599 drwxr-xr-x 2 0 2222      512 Dec 15 04:22 smb_krb5
>>>> 342934 -rw------- 1 0 0       57344 Dec  9 10:44 winbindd_cache.tdb
>>>> 138380 drwxr-x--- 2 0 2222      512 Dec  9 10:39 winbindd_privileged
>>>>
>>>> $ ls -nai /var/lib/samba/winbindd_privileged
>>>> total 4
>>>> 138380 drwxr-x--- 2 0 2222 512 Dec  9 10:39 .
>>>> 342924 drwxr-xr-x 5 0 2222 512 Dec 15 04:22 ..
>>>> 138381 srwxrwxrwx 1 0 0      0 Dec  9 10:39 pipe
>>>>
>>>> I do not understand anything, maybe situation is more clear for you ..
>>>>
>>>> Hope some good news from you ..
>>>>
>>>
>>>
>>> Sigh, oh dear. sorry no good news. Nothing visible in that trace. I was
>>> hoping it would be clear like squid or winbind setting one of the
>>> privileges to root when it shouldn't.
>>>
>>> You said earlier "process squid is running as user squid and group
>>> squidg so afaik permissions below are correct .."
>>>
>>> You did mean squid starts as root and then sets itself to
>>> "cache_effective_user squid" and user squid is a member of group squidg,
>>> right?
>>>
>>
>> I just found another tip on the net by using setgid on ntlm_auth binary
>> and winbind directory. I will try this tomorrow morning .. see below ??
>>
>> chown -R root:winbind /var/lib/samba
>> find /var/lib/samba -type d -exec chmod 750 {} \;
>> find /var/lib/samba -type f -exec chmod 640 {} \;
>> chown root:winbind /usr/local/bin/ntlm_auth
>> chmod 2555 /usr/local/bin/ntlm_auth
>> chmod g+s /var/lib/samba/winbindd_privileged
>>
>> I just tried it on my dev machine and seems to work ..
>>
>> root@sbedskcq:/root# ls -la /usr/local/bin/ntlm_auth
>> -r-xr-sr-x 1 root winbind 1205548 Oct 15 20:05 /usr/local/bin/ntlm_auth
>>
>> root@sbedskcq:/root# find /var/lib/samba -ls
>>  78264   1 drwxr-x--- 4 root winbind    512 Dec 15 19:14 /var/lib/samba
>>  78244  24 -rw-r----- 1 root winbind  24576 Nov 18 15:48 /var/lib/samba/gencache.tdb
>>  78248   1 -rw-r----- 1 root winbind    696 Oct 29 07:10 /var/lib/samba/idmap_cache.tdb
>>  78250   1 -rw-r----- 1 root winbind    696 Dec 15 19:14 /var/lib/samba/messages.tdb
>>  78310  56 -rw------- 1 root other    57344 Dec 15 19:18 /var/lib/samba/winbindd_cache.tdb
>>  78297 112 -rw-r----- 1 root winbind 106496 Nov 18 19:04 /var/lib/samba/netsamlogon_cache.tdb
>> 288828   1 drwxr-s--- 2 root winbind    512 Dec 15 19:14 /var/lib/samba/winbindd_privileged
>> 288831   0 srwxrwxrwx 1 root winbind      0 Dec 15 19:14 /var/lib/samba/winbindd_privileged/pipe
>> 288830   1 drwxr-x--- 2 root winbind    512 Dec 15 19:14 /var/lib/samba/smb_krb5
>>  78309   1 -rw-r--r-- 1 root other      268 Dec 15 19:14 /var/lib/samba/smb_krb5/krb5.conf.EUROPE
>>
>> root@sbedskcq:/root# ps -fu squid -o uid,gid,args
>>   UID   GID COMMAND
>>  1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>>  1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>>  1560  1560 diskd 27083780 27083781 27083782
>>  1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>>  1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>>  1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>>  1560  1560 diskd 27083776 27083777 27083778
>>  1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>>  1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>>  1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>>  1560  1560 (squid) -f /home/SQUID/etc/squid.conf.2.7.4 -D
>>  1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>>  1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>>  1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>>  1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>>  1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>>  1560  1560 (unlinkd)
>>  1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>>  1560  2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>>  1560  1560 /usr/local/sbin/squid -f /home/SQUID/etc/squid.conf.2.7.4 -D
>>
>> I keep you informed.
>>
>
> So what's new ... very bad news! :(-
>
> So as mentioned, I tried the setgid winbind and this also does not work BUT
> something interesting I also tried setuid root and this also fails so,
> as far as I can understand I think the problem is not coming from a lack
> of permission of ntlm_auth on /var/lib/samba/winbindd_privileged
> directory.
>
> In this context the problem is maybe not coming from SQUID but from
> SAMBA (ntlm_auth internal code) ...
>
> What do you think about it ??
>

I think asking them about it might be the next best bet.

Amos
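
Added example, not part of the thread and not Squid or Samba code: the POSIX owner/group/other check walked along the path to the winbindd pipe, with modes and numeric ids copied from the listings quoted above. The function names and the case of a process holding only gid 1560 are illustrative assumptions, and ACLs are not modelled.

```python
# Entries are (path, mode string, owner uid, group gid), copied from the
# `ls -nai` output quoted in the thread for the server showing the bug.
FAILING_SERVER = [
    ("/var/lib/samba", "drwxr-x---", 0, 2222),
    ("/var/lib/samba/winbindd_privileged", "drwxr-x---", 0, 2222),
    ("/var/lib/samba/winbindd_privileged/pipe", "srwxrwxrwx", 0, 0),
]
# Same path on the other server, where /var/lib/samba had been opened to 755.
OTHER_SERVER = [
    ("/var/lib/samba", "drwxr-xr-x", 0, 2222),
    ("/var/lib/samba/winbindd_privileged", "drwxr-x---", 0, 2222),
    ("/var/lib/samba/winbindd_privileged/pipe", "srwxrwxrwx", 0, 0),
]

def applicable_bits(mode, uid, gid, p_uid, p_gids):
    """Pick the single rwx triplet that applies: owner, else group, else other."""
    if p_uid == uid:
        return mode[1:4]
    if gid in p_gids:
        return mode[4:7]
    return mode[7:10]

def first_denial(entries, p_uid, p_gids):
    """Return the first path component that blocks the process, or None."""
    if p_uid == 0:
        return None  # root is not subject to these mode-bit checks
    for path, mode, uid, gid in entries:
        bits = applicable_bits(mode, uid, gid, p_uid, p_gids)
        if mode[0] == "d":
            # Directories need search permission; 's'/'t' mean x plus setgid/sticky.
            if bits[2] not in "xst":
                return path
        elif bits[1] != "w":
            # Assumption: the socket's own write bit is enforced (true on Linux,
            # ignored on some other systems); it is rwx for everyone here anyway.
            return path
    return None

SQUID_UID, SQUIDG, WINBIND = 1560, 1560, 2222  # ids from /etc/passwd and /etc/group

def summary():
    return {
        "squid with winbind group": first_denial(FAILING_SERVER, SQUID_UID, {SQUIDG, WINBIND}),
        "squid with gid 1560 only": first_denial(FAILING_SERVER, SQUID_UID, {SQUIDG}),
        "setgid ntlm_auth (egid 2222)": first_denial(FAILING_SERVER, SQUID_UID, {WINBIND}),
        "gid 1560 only, other server": first_denial(OTHER_SERVER, SQUID_UID, {SQUIDG}),
    }

if __name__ == "__main__":
    for case, blocked_at in summary().items():
        print(f"{case}: {blocked_at or 'pipe reachable'}")
```

A `None` result means every mode bit on the path permits access for that uid and group set; it cannot say whether a running helper actually holds group 2222, which is what the `ps -o uid,gid,args` output in the thread shows for the setgid case.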