Re: Occasional ntlm auth problems

On Wed, 7 Dec 2011 09:30:31 -0500, Robert Vaughan wrote:
Hi,

We're using Squid-2.5.STABLE14 and occasionally when we rotate logs
(nightly event) something breaks in the squid->ntlm_auth->winbind chain
such that users get prompted in their browsers to authenticate.

In the cache log we see this error for each user:

Login for user [domain]\[user]@[machine] failed due to [winbind client not
authorized to use winbindd_pam_auth_crap. Ensure permissions on
/appl/samba-3.2.10/var/locks/winbindd_privileged are set correctly.]

The permissions are of course correct on the winbindd_privileged folder
and the pipe (this works most of the time):

drwxr-x---   2 root     squid          3 Dec  3 22:29
/appl/samba/var/locks/winbindd_privileged

srwxrwxrwx   1 root     root           0 Dec  3 22:29 pipe

Squid runs as effective user 'operator' which is in the 'squid' group.

This appears to be the old problem that winbind/Samba perform security checks and reset their important security permissions at times, /appl/samba/var/locks/winbindd_privileged being primary amongst those.

To fix that problem the Squid effective user needs to be a member of the winbindd_priv group, with the /appl/samba/var/locks/winbindd_privileged left at whatever Samba needs. This prevents giving all software which uses winbindd_privileged unsecured access to all Squid data and signalling operations, and leaves Samba to maintain its own permissions properly.

Removing the cache_effective_group from squid.conf allows the OS permissions system to assign Squid to multiple groups (its own 'squid' group and the 'winbindd_priv' group) and is needed for this to work.

NOTE: if you are using a RHEL package this will fail whatever you configure. Somebody at RHEL went and hard-coded a default group into Squid. As of early this year it was still happening; I have no info on the most recent package. To regain control over permissions you must build your own Squid for RHEL.

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions

PS. Squid-2.5 was obsoleted over 5 years ago. Please consider scheduling an upgrade.

Amos
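
As an added illustration (this is not code from the thread, nor from Squid or Samba), the POSIX shell script below models the two facts the reply relies on: Samba owns the permissions of winbindd_privileged and may reset them to its own group, and a Squid worker only carries its supplementary groups when cache_effective_group is unset. The group names, directory modes and the worker's group list are constructed sample values, and the helpers squid_groups, can_traverse_dir and squid_can_use_pipe are names chosen here; the directory mode 0750 matches the ls output quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid/Samba.
# It models the access decision the kernel makes when a Squid helper
# (ntlm_auth) tries to reach the socket inside winbindd_privileged:
# the process must be able to traverse that directory, which with a
# 0750 directory means one of its groups must be the owning group.
# All group names and modes below are constructed sample values.

# squid_groups <primary_group> <cache_effective_group|-> [supplementary...]
# Prints the group list a Squid worker ends up with.
# With cache_effective_group set, Squid runs with that single group and
# the supplementary groups from the password database do not apply;
# with it unset ("-" here), the primary plus all supplementary groups apply.
squid_groups() {
    primary=$1
    forced=$2
    shift 2
    if [ "$forced" != "-" ]; then
        printf '%s\n' "$forced"
    else
        printf '%s\n' "$primary $*"
    fi
}

# can_traverse_dir <owning_group> <octal_mode> [group...]
# Returns 0 when one of the given groups owns the directory and the
# group permission digit includes the execute bit (needed to enter the
# directory and connect to the socket inside it), otherwise 1.
# Ownership by the caller is ignored: Squid never runs as root.
can_traverse_dir() {
    owning_group=$1
    mode=$2
    shift 2
    # the group permission digit is the second-to-last octal digit:
    # drop the last digit, then keep only the last remaining one
    gbits=${mode%?}
    gbits=${gbits#"${gbits%?}"}
    for g in "$@"; do
        if [ "$g" = "$owning_group" ]; then
            case "$gbits" in
                1|3|5|7) return 0 ;;
                *) return 1 ;;
            esac
        fi
    done
    return 1
}

# squid_can_use_pipe <owning_group> <octal_mode> <primary> <forced|-> [supp...]
# Derives Squid's group list and tests it against the directory.
# Returns 0 when the helper would be admitted, 1 when winbindd would log
# "winbind client not authorized to use winbindd_pam_auth_crap".
squid_can_use_pipe() {
    owning_group=$1
    mode=$2
    shift 2
    glist=$(squid_groups "$@")
    # word splitting of $glist into separate group arguments is intended
    can_traverse_dir "$owning_group" "$mode" $glist
}

# Constructed scenario: Samba has reset the directory to
# root:winbindd_priv 0750; Squid's user has primary group squid and
# supplementary group winbindd_priv.
if squid_can_use_pipe winbindd_priv 0750 squid - winbindd_priv; then
    echo "cache_effective_group unset: helper admitted"
fi
if ! squid_can_use_pipe winbindd_priv 0750 squid squid winbindd_priv; then
    echo "cache_effective_group squid: helper denied (supplementary groups dropped)"
fi
```

The second scenario is the one described in the reply: the same user with the same group memberships is refused as soon as Squid is pinned to a single group, because the group that Samba reset the directory to is no longer in the worker's credential set. To check a live host, compare the output of `id -Gn` for the Squid user against `ls -ld` on the winbindd_privileged directory after a log rotation.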
