On Fri, Sep 3, 2010 at 8:54 AM, c0re <nr1c0re@xxxxxxxxx> wrote:
> I found strange solution:
> stop squid&winbind
> rm -rf /var/db/samba/winbindd_privileged
> start winbind
> chown :squid /var/db/samba/winbindd_privileged
>
> And problem disappeared.
>
> 2010/9/1 c0re <nr1c0re@xxxxxxxxx>:
>> Hello squid users!
>>
>> I've got squid+winbind ntlm auth.
>> But sometimes I see this in log /var/log/samba/log.winbindd
>>
>> [2010/09/01 12:39:11, 2] winbindd/winbindd_pam.c:winbindd_pam_auth_crap(1754)
>> winbindd_pam_auth_crap: non-privileged access denied. !
>> winbindd_pam_auth_crap: Ensure permissions on
>> /var/db/samba/winbindd_privileged are set correctly.
>>
>> About 1k users.
>> Sometimes some user can see proxy auth window asking for credentials in IE6.
>> User can just press ESC and do not enter any credentials, all goes OK.
>> That window means that some ntlm auth problem occurs.
>> In log I see only those message above about winbindd_privileged.
>>
>> freebsd 7.3
>> squid 3.1.7
>> samba-3.3.10
>>
>> In squid.conf
>> no cache_effective_group option configured
>> auth_param ntlm program /usr/local/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 150
>>
>> Using cachemgr.cgi and looking at "NTLM User Authenticator Stats" I
>> see only 32 redirectors has changed "# Request" counters, that means
>> that not all 150 redirectors used so it's not redirector problem.
>>
>> # ls -l /var/db/samba/ | grep winbindd_privileged
>> drwxrwx--- 2 root squid 512 Aug 22 13:58 winbindd_privileged
>>
>> # ls -l /var/db/samba/winbindd_privileged/
>> srwxrwxrwx 1 root squid 0 Aug 22 13:58 pipe
>>
>> What can be wrong? If there were incorrect permissions no one can auth
>> via ntlm, but all users can authorize and walk in internet. I can't
>> find why sometime those auth window appears and why those message
>> about "permissions" appears in log.
>>
>> Thanks in advance!
>>
>

That's not the correct solution.
The squid user should be a member of the group winbindd_priv and you have to
remove the cache_effective_group from squid.conf.

Regards,
Diego

--
Diego Woitasen
XTECH
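
A way to check the three things this thread turns on (the mode and group of the privileged pipe directory, the Squid user's group membership, and an active cache_effective_group line), as an added example that is not part of the thread. The function names and the squid.conf path are assumptions; the directory and user defaults are the ones quoted in the post, and the mode test checks only "group can enter, others cannot" rather than an exact mode.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults are the values quoted in the post;
# SQUID_CONF is an assumed FreeBSD ports location.
PRIV_DIR=${PRIV_DIR:-/var/db/samba/winbindd_privileged}
SQUID_USER=${SQUID_USER:-squid}
SQUID_CONF=${SQUID_CONF:-/usr/local/etc/squid/squid.conf}

# Numeric gid owning DIR (4th field of `ls -ldn`).
dir_gid() { ls -ldn "$1" | awk '{print $4}'; }

# Succeeds if the group can enter DIR and "other" has no access at all.
# The socket inside is srwxrwxrwx, so the directory is the only gate.
dir_mode_ok() {
    m=$(ls -ldn "$1" | awk '{print substr($1, 1, 10)}')
    case $m in
        d?????[xs]---) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if USER's groups (primary and supplementary) include GID.
# An empty USER means the current process.
user_in_gid() {
    for g in $(id -G ${1:+"$1"}); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Succeeds if CONF has an active (uncommented) cache_effective_group line.
conf_sets_effective_group() {
    grep -Eq '^[[:space:]]*cache_effective_group[[:space:]]' "$1"
}

# audit DIR USER CONF: prints findings, returns the number of problems.
audit() {
    bad=0
    [ -d "$1" ] || { echo "FAIL $1 is missing"; return 1; }
    gid=$(dir_gid "$1")
    dir_mode_ok "$1" || { echo "FAIL $1 blocks its group or is open to others"; bad=$((bad + 1)); }
    user_in_gid "$2" "$gid" || { echo "FAIL user '$2' is not in gid $gid, which owns $1"; bad=$((bad + 1)); }
    if [ -f "$3" ] && conf_sets_effective_group "$3"; then
        echo "FAIL $3 sets cache_effective_group"; bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ] && echo "OK $1 is reachable by '$2' through gid $gid"
    return "$bad"
}

if [ "${1:-}" = "--run" ]; then audit "$PRIV_DIR" "$SQUID_USER" "$SQUID_CONF"; fi
```

Run it with `--run` as root on the proxy host. The cache_effective_group check is there because Squid's documentation says that when the option is set, the effective user's other group privileges are ignored and only that GID is effective.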