Re: Re: Again with winbindd_privileged, sometimes "Ensure permissions on /var/db/samba/winbindd_privileged are set correctly"

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On 30/09/10 00:19, c0re wrote:
> Going in depth I found in man winbindd following:
>
>         $LOCKDIR/winbindd_privileged/pipe
>             The UNIX pipe over which 'privileged' clients communicate with the
>             winbindd program. For security reasons, access to some winbindd
>             functions - like those needed by the ntlm_auth utility - is
>             restricted. By default, only users in the 'root' group will get
>             this access, however the administrator may change the group
>             permissions on $LOCKDIR/winbindd_privileged to allow programs like
>             'squid' to use ntlm_auth. Note that the winbind client will only
>             attempt to connect to the winbindd daemon if both the
>             $LOCKDIR/winbindd_privileged directory and
>             $LOCKDIR/winbindd_privileged/pipe file are owned by root.
>
> And that's true. I need to change group to squid to
> winbindd_privileged  AND winbindd_privileged/pipe.
> Trying to figure out on to how to ask winbind to make it's pipe with
> another group like winbind_priv... winbind makes it root:wheel by
> default.

False. The permissions situation has been explained to you twice 
already. It has not changed:
 * You need to remove cache_effective_*group* setting from overriding 
the group permissions assigned to Squid by the OS extended-groups 
security system.
 * You need to make the squid cache_effective_*user* a member of the OS 
group with read access to $LOCKDIR/winbindd_privileged

When these two conditions are true Squid and its wbinfo helpers will 
have access to verify users and groups.

Samba periodically resets the ownersip permissions on its 
$LOCKDIR/winbindd_privileged resources. This is a known problem with the 
hack workaround of changing it to "squid" group. It sounds to me like 
exactly this is happening while Squid is active and you get that log 
line entered until something else comes along and removes the Samba 
security again.


This in no way fixes any other auth problem which may be occurring.

There are secondary problems known on some older OS variants before the 
correct permissions fix was confirmed:

1) several OS (RedHat and children) hard-code the cache_effective_group 
to some value. This prevents you being able to use the OS security 
system groups the way winbind needs. The fix for this is to build your 
own from source without the config defaults patching.

2) at least one OS (Gentoo) default the group ownership of 
winbindd_privileged to "squid" and patch winbind to work with that in 
its own way.

3) SELinux can prevent Squid from accessing things that would otherwise 
seem perfectly accessible.

4) Squid has several bugs and flaws which cause it to drop credentials 
under some conditions. These are still being worked out and checked. The 
big visible sign of these is extra auth challenges. Two are open against 
the 3.1 series.

Amos

> 2010/9/3 Diego Woitasen<diegows@xxxxxxxxxxxx>:
> > On Fri, Sep 3, 2010 at 8:54 AM, c0re<nr1c0re@xxxxxxxxx>  wrote:
> > > I found strange solution:
> > > stop squid&windbind
> > > rm -rf /var/db/samba/winbindd_privileged
> > > start winbind
> > > chown :squid /var/db/samba/winbindd_privileged
> > >
> > > And problem disappeared.
> > >
> > > 2010/9/1 c0re<nr1c0re@xxxxxxxxx>:
> > > > Hello squid users!
> > > >
> > > > I've got squid+winbind ntlm auth.
> > > > But sometimes I see this in log /var/log/samba/log.winbindd
> > > >
> > > > [2010/09/01 12:39:11,  2] winbindd/winbindd_pam.c:winbindd_pam_auth_crap(1754)
> > > >    winbindd_pam_auth_crap: non-privileged access denied.  !
> > > >    winbindd_pam_auth_crap: Ensure permissions on
> > > > /var/db/samba/winbindd_privileged are set correctly.
> > > >
> > > > About 1k users.
> > > > Sometimes some user can see proxy auth window asking for credentials in IE6.
> > > > User can just press ESC and do not enter any credentials, all goes OK.
> > > > That window means that some ntlm auth problem occurs.
> > > > In log I see only those message above about winbindd_privileged.
> > > >
> > > > freebsd 7.3
> > > > squid 3.1.7
> > > > samba-3.3.10
> > > >
> > > > In squid.conf
> > > > no cache_effective_group option configured
> > > > auth_param ntlm program /usr/local/bin/ntlm_auth
> > > > --helper-protocol=squid-2.5-ntlmssp
> > > > auth_param ntlm children 150
> > > >
> > > > Using cachemgr.cgi and looking at "NTLM User Authenticator Stats" I
> > > > see only 32 redirectors has changed "# Request" counters, that means
> > > > that not all 150 redirectors used so it's not redirector problem.
> > > >
> > > > # ls -l /var/db/samba/ | grep winbindd_privileged
> > > > drwxrwx---  2 root  squid     512 Aug 22 13:58 winbindd_privileged
> > > >
> > > > # ls -l /var/db/samba/winbindd_privileged/
> > > > srwxrwxrwx  1 root  squid  0 Aug 22 13:58 pipe
> > > >
> > > > What can be wrong? If there were incorrect permissions no one can auth
> > > > via ntlm, but all users can authorize and walk in internet. I can't
> > > > find why sometime those auth window appears and why those message
> > > > about "permissions" appears in log.
> > > >
> > > > Thanks in advance!
> >
> > That's not the correct solution. The squid user should be member of
> > the group winbindd_priv and you have to remove the
> > cache_effective_group from squid.conf.
> >
> > Regards,
> >   Diego
> >
> >
> >
> > --
> > Diego Woitasen
> > XTECH


--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2