Well, it appears that this is a known issue on Debian variants. Disabling the cache_effective_group setting seems to have fixed the issue. Got the idea from this thread:

http://old.nabble.com/Bug-307257:-About-winbind-3-and-squid-with-ntlm-authentication-(Debian-Bug--307257)-td10390962.html

Sorry for the clutter in the list, but maybe it helps someone else.

Thanks,

Chris Waters

On 2/28/12 5:35 PM, "Chris Waters" <cwaters@xxxxxxxxxxxx> wrote:

>Hello,
>
>I am in the process of building some test squid instances for possible
>deployment and have come across an issue where the user squid runs under
>seems not to be allowed access to the winbind pipe when the user is in the
>proper group. Here are the details:
>
>Ubuntu 11.04
>Squid 3.1.11 (from the natty repo)
>Winbind 3.5.8 (from the natty repo)
>
>The server has pam configured and working for access with winbind though
>the behavior seems to be the same with pam_winbind disabled.
>
>Here's what I see:
>==> debug.log <==
>[2012/02/28 16:53:28.521059, 0] utils/ntlm_auth.c:600(winbind_pw_check)
> Login for user [DOMAIN]\[USER]@[HOST] failed due to [winbind client not
>authorized to use winbindd_pam_auth_crap. Ensure permissions on
>/var/run/samba/winbindd_privileged are set correctly.]
>[2012/02/28 16:53:28.521059, 0]
>utils/ntlm_auth.c:896(manage_squid_ntlmssp_request_int)
> NTLMSSP BH: NT_STATUS_ACCESS_DENIED
>2012/02/28 16:53:28| authenticateNTLMHandleReply: Error validating user
>via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
>
>
>Squid runs as user proxy and is a member of the winbind_priv group:
>
>root@squid-1104:/var/log/squid3# ps -ef | grep squid3
>root 2991 1 0 16:39 ? 00:00:00 /usr/sbin/squid3 -YC -f
>/etc/squid3/squid.conf
>proxy 2993 2991 0 16:39 ? 00:00:00 (squid) -YC -f
>/etc/squid3/squid.conf
>
>
>winbindd_priv:x:112:proxy
>
>Privs on the directory:
>drwxr-x--- 2 root winbindd_priv 60 2012-02-28 16:38 winbindd_privileged
>
>Here's the auth_param statements:
>auth_param ntlm program /usr/bin/ntlm_auth
>--helper-protocol=squid-2.5-ntlmssp
>--require-membership-of="DOMAIN\\domain users"
>auth_param ntlm children 25
>
>
>I have an Ubuntu 11.10 server with a similar configuration with the
>exception that I am not using pam_winbind for authentication to the server
>and squid is doing ntlm authentication for users just fine. I pulled the
>squid configurations off the working Ubuntu server where I don't have this
>issue.
>
>Has anyone seen this before and does anyone know how to fix it? I will
>happily provide more detail as required.
>
>Thanks,
>
>Chris Waters
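A diagnostic check for the failure described in this thread, as an added example that is not part of the original messages: it tests whether a Squid worker actually holds the gid that owns winbindd_privileged, and whether an active cache_effective_group line explains why it does not (Squid documents that when this directive is set, the effective user's other group memberships are ignored). The function names and the proxy gid 13 are assumptions made for the example; gid 112 is taken from the post. On a live host the status file would be /proc/<pid>/status of the (squid) worker.

```shell
#!/bin/sh
# Added diagnostic sketch; not from the original thread.

# Print the value of the last active (uncommented) cache_effective_group line.
active_effective_group() {    # $1 = squid.conf path
    awk '$1 == "cache_effective_group" { v = $2 } END { if (v != "") print v }' "$1"
}

# Succeed if gid $2 is the effective gid or a supplementary group in the
# /proc/<pid>/status-style file $1.
proc_holds_gid() {
    awk -v gid="$2" '
        $1 == "Gid:"    && $3 == gid { found = 1 }
        $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == gid) found = 1 }
        END { exit !found }' "$1"
}

# $1 = squid.conf, $2 = status file of the squid worker, $3 = gid of the
# group owning winbindd_privileged. Returns 0 ok, 1 forced group, 2 other.
check_winbind_access() {
    if proc_holds_gid "$2" "$3"; then
        echo "OK: worker holds gid $3"; return 0
    fi
    forced=$(active_effective_group "$1")
    if [ -n "$forced" ]; then
        echo "FAIL: cache_effective_group $forced drops supplementary groups"
        return 1
    fi
    echo "FAIL: worker lacks gid $3; check membership, then restart squid"
    return 2
}

# Constructed sample input (gid 13 for proxy is an assumption; 112 is from the post).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# cache_effective_group none' 'cache_effective_group proxy' > "$d/bad.conf"
    printf 'Uid:\t13\t13\t13\t13\nGid:\t13\t13\t13\t13\nGroups:\t13\n' > "$d/bad.status"
    printf '%s\n' '# cache_effective_group proxy' > "$d/good.conf"
    printf 'Uid:\t13\t13\t13\t13\nGid:\t13\t13\t13\t13\nGroups:\t13 112\n' > "$d/good.status"
    check_winbind_access "$d/bad.conf" "$d/bad.status" 112 || true
    check_winbind_access "$d/good.conf" "$d/good.status" 112
    rm -rf "$d"
}
demo
```

Return code 1 points at the squid.conf directive discussed above; return code 2 means the directive is not the cause and the group membership or a stale process should be checked instead.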