> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Murilo Moreira de Oliveira wrote:
> > Hello. Follow below the steps I've used to get NTLM authentication working.
> >
> > 1.# yum -y install authconfig krb5-workstation samba-common
> >
> > 2.[root@proxyweb ~]# authconfig --enableshadow --enablemd5
> > --passalgo=md5 --krb5kdc=AD_SERVER.YOUR.FULL.DOMAIN
> > --krb5realm=YOUR.FULL.DOMAIN --smbservers=AD_SERVER.YOUR.FULL.DOMAIN
> > --smbworkgroup=YOUR_AD_GROUP --enablewinbind --enablewinbindauth
> > --smbsecurity=ads --smbrealm=YOUR.FULL.DOMAIN
> > --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431"
> > --winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain
> > --disablewinbindoffline --winbindjoin=SOME_DOMAIN_ADMIN --disablewins
> > --disablecache --enablelocauthorize --updateall
> >
> > 3.# wbinfo --set-auth-user=YOUR_PROXY_USER%YOUR_PROXY_USER_PASSWORD
> > This is the user that proxy will use to validate users' credentials.
> >
> > 4.# chown root:squid /var/cache/samba/winbindd_privileged
> >
>
> Noooooooo! Ouch.
>
> This is a giant permissions hack to evade the strict security leash of
> cache_effective_group.
>
> The correct way to do this is to add the Squid proxy user to the system
> group which wbinfo normally lets access
> /var/cache/samba/winbindd_privileged
>
> ... and ensure cache_effective_group is MISSING from squid.conf.

Hi all.

It seems I'm experiencing some similar problem.

I have set up a new CentOS 5.5 install with samba3x-3.3.8-0.52.el5_5 (the new 3.3 package included in RH/CentOS 5.5), squid-2.6.STABLE21-6.el5.

/var/lib/samba/winbindd_privileged is owned by root:wbpriv.

Even if I add the squid user to the wbpriv group, I still find in the log:

[2010/06/20 14:42:01, 0] utils/ntlm_auth.c:winbind_pw_check(556)
  Login for user [domain]\[lux]@[LUXNB] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly.]
[2010/06/20 14:42:01, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(831)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED

If I do "chgrp squid /var/lib/samba/winbindd_privileged" then the problem disappears.

Even if I put "cache_effective_group wbpriv" in squid.conf, the problem is solved.

As it was suggested, I checked to have no cache_effective_group entry in squid.conf. But note that if I do some debugging, it seems that having no cache_effective_group is equivalent to having "cache_effective_group squid":

# squid -D -N -X -d 9 2>&1 | grep cache_effective_group
2010/06/20 16:09:27| parse_line: cache_effective_group squid

It seems to me that squid drops any supplemental groups at runtime, so it cannot access a directory owned by wbpriv. In fact, if I strace the process, it does this (23 is squid uid and gid; wbpriv would be 88):

15343 setgroups32(1, [23]) = 0
15343 setgid32(23) = 0
15343 setresuid32(23, 23, 0) = 0

Do you have any suggestion to make my setup work, apart from the two workarounds mentioned above?
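
Added example (not part of the original post): a small Python replay of the three strace lines quoted above, showing which groups the process holds after the privilege drop and whether those credentials can enter a directory owned by root:wbpriv. The 0750 mode, the function names and the contrasting trace are assumptions made for illustration.

```python
import re

# strace lines quoted in the post (23 = squid uid/gid).
STRACE_FROM_POST = """\
15343 setgroups32(1, [23]) = 0
15343 setgid32(23) = 0
15343 setresuid32(23, 23, 0) = 0
"""
# Constructed contrast, not from a real run: the same drop with wbpriv
# (gid 88 in the post) kept as a supplementary group.
STRACE_CONSTRUCTED = STRACE_FROM_POST.replace("(1, [23])", "(2, [23, 88])")

CALL = re.compile(r"^\s*(?:\d+\s+)?(setgroups|setgid|setuid|setresgid|setresuid)"
                  r"(?:32)?\((.*)\)\s*=\s*(-?\d+)")

def final_credentials(trace, euid=0, egid=0, groups=(0,)):
    """Replay successful credential syscalls; return (euid, egid, groups)."""
    groups = set(groups)
    for line in trace.splitlines():
        m = CALL.match(line)
        if not m or m.group(3) != "0":
            continue  # unrelated line, or the call failed
        name, args = m.group(1), m.group(2)
        if name == "setgroups":
            # Replaces the whole supplementary list; "NULL" means empty.
            inner = re.search(r"\[(.*)\]", args)
            groups = {int(g) for g in re.findall(r"\d+", inner.group(1))} if inner else set()
        elif name == "setgid":
            egid = int(args)
        elif name == "setuid":
            euid = int(args)
        else:  # setresuid / setresgid: second argument is the effective id
            eff = int(args.split(",")[1])
            if eff != -1 and name == "setresuid":
                euid = eff
            elif eff != -1:
                egid = eff
    return euid, egid, groups

# Owner uid (root), group gid (wbpriv, 88 in the post), ASSUMED mode 0750.
WBPRIV_DIR = (0, 88, 0o750)

def may_enter(creds, owner_uid, owner_gid, mode):
    """Classic Unix search-permission check on a directory (ACLs ignored)."""
    euid, egid, groups = creds
    if euid == 0:
        return True
    bit = 0o100 if euid == owner_uid else 0o010 if owner_gid in groups | {egid} else 0o001
    return bool(mode & bit)
```

Calling `may_enter(final_credentials(STRACE_FROM_POST), *WBPRIV_DIR)` gives the denial the log reports, while passing `0, 23, 0o750` as the directory (the "chgrp squid" case) gives access.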