Going in depth I found in man winbindd following:
$LOCKDIR/winbindd_privileged/pipe
The UNIX pipe over which 'privileged' clients communicate with the
winbindd program. For security reasons, access to some winbindd
functions - like those needed by the ntlm_auth utility - is
restricted. By default, only users in the 'root' group will get
this access, however the administrator may change the group
permissions on $LOCKDIR/winbindd_privileged to allow programs like
'squid' to use ntlm_auth. Note that the winbind client will only
attempt to connect to the winbindd daemon if both the
$LOCKDIR/winbindd_privileged directory and
$LOCKDIR/winbindd_privileged/pipe file are owned by root.
And that's true. I need to change group to squid to
winbindd_privileged AND winbindd_privileged/pipe.
Trying to figure out on to how to ask winbind to make it's pipe with
another group like winbind_priv... winbind makes it root:wheel by
default.
2010/9/3 Diego Woitasen <diegows@xxxxxxxxxxxx>:
> On Fri, Sep 3, 2010 at 8:54 AM, c0re <nr1c0re@xxxxxxxxx> wrote:
>> I found strange solution:
>> stop squid&windbind
>> rm -rf /var/db/samba/winbindd_privileged
>> start winbind
>> chown :squid /var/db/samba/winbindd_privileged
>>
>> And problem disappeared.
>>
>> 2010/9/1 c0re <nr1c0re@xxxxxxxxx>:
>>> Hello squid users!
>>>
>>> I've got squid+winbind ntlm auth.
>>> But sometimes I see this in log /var/log/samba/log.winbindd
>>>
>>> [2010/09/01 12:39:11, 2] winbindd/winbindd_pam.c:winbindd_pam_auth_crap(1754)
>>> winbindd_pam_auth_crap: non-privileged access denied. !
>>> winbindd_pam_auth_crap: Ensure permissions on
>>> /var/db/samba/winbindd_privileged are set correctly.
>>>
>>> About 1k users.
>>> Sometimes some user can see proxy auth window asking for credentials in IE6.
>>> User can just press ESC and do not enter any credentials, all goes OK.
>>> That window means that some ntlm auth problem occurs.
>>> In log I see only those message above about winbindd_privileged.
>>>
>>> freebsd 7.3
>>> squid 3.1.7
>>> samba-3.3.10
>>>
>>> In squid.conf
>>> no cache_effective_group option configured
>>> auth_param ntlm program /usr/local/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 150
>>>
>>> Using cachemgr.cgi and looking at "NTLM User Authenticator Stats" I
>>> see only 32 redirectors has changed "# Request" counters, that means
>>> that not all 150 redirectors used so it's not redirector problem.
>>>
>>> # ls -l /var/db/samba/ | grep winbindd_privileged
>>> drwxrwx--- 2 root squid 512 Aug 22 13:58 winbindd_privileged
>>>
>>> # ls -l /var/db/samba/winbindd_privileged/
>>> srwxrwxrwx 1 root squid 0 Aug 22 13:58 pipe
>>>
>>> What can be wrong? If there were incorrect permissions no one can auth
>>> via ntlm, but all users can authorize and walk in internet. I can't
>>> find why sometime those auth window appears and why those message
>>> about "permissions" appears in log.
>>>
>>> Thanks in advance!
>>>
>>
>
> That's not the correct solution. The squid user should be member of
> the group winbindd_priv and you have to remove the
> cache_effective_group from squid.conf.
>
> Regards,
> Diego
>
>
>
> --
> Diego Woitasen
> XTECH
>
