RE: [squid-users] winbind directories permissions issue

From: <vincent.blondel_at_ing.be>
Date: Mon, 8 Dec 2008 10:00:08 +0100

>>>>> Hello all,
>>>>>
>>>>> I really get a strange ( maybe not ?? ) problem. I get Squid 2.7.4
>>>>> running on Solaris 8 with Samba 3.0.32. My clients are essentially
>>>>> running Windows XP SP2 with IE6.
>>>>>
>>>>> authentication scheme is exclusively based on ntlm so this is the
>>> reason
>>>>> why winbindd is also running, smbd and nmbd are not running
because I
>>>>> think this is not needed.
>>>>>
>>>>> this is all working fine but I randomly get thousands of lines
>>> appearing
>>>>> in cache.log file .. see below what I get.
>>>>>
>>>>> [2008/12/04 10:10:57, 0] utils/ntlm_auth.c:winbind_pw_check(515)
>>>>> Login for user [DOMAIN]\[user]@[desktop] failed due to [winbind
>>> client
>>>>> not authorized to use winbindd_pam_auth_crap. Ensure permissions
on
>>>>> /var/l
>>>>> ib/samba/winbindd_privileged are set correctly.]
>>>>>
>>>>> process squid is running as user squid and group squidg so afaik
>>>>> permissions below are correct ..
>>>>>
>>>>> 342924 1 drwxr-x--- 5 root squidg 512 Dec 4 03:36
>>>>> /var/lib/samba
>>>>> 354946 1 drwxr-x--- 4 root squidg 512 Nov 18 01:34
>>>>> /var/lib/samba/locks
>>>>> 360979 1 drwxr-x--- 2 root squidg 512 Nov 18 01:34
>>>>> /var/lib/samba/locks/printing
>>>>> 366989 1 drwxr-x--- 2 root squidg 512 Nov 18 01:34
>>>>> /var/lib/samba/locks/winbindd_privileged
>>>>> 342930 8 -rw-r----- 1 root squidg 8192 Dec 4 03:37
>>>>> /var/lib/samba/gencache.tdb
>>>>> 342932 1 -rw-r----- 1 root squidg 696 Nov 18 01:34
>>>>> /var/lib/samba/idmap_cache.tdb
>>>>> 342933 1 -rw-r----- 1 root squidg 696 Dec 3 17:35
>>>>> /var/lib/samba/messages.tdb
>>>>> 342935 56 -rw------- 1 root root 57344 Dec 3 17:36
>>>>> /var/lib/samba/winbindd_cache.tdb
>>>>> 342936 29752 -rw-r----- 1 root squidg 30441472 Dec 4
09:58
>>>>> /var/lib/samba/netsamlogon_cache.tdb
>>>>> 138380 1 drwxr-x--- 2 root squidg 512 Dec 3 17:35
>>>>> /var/lib/samba/winbindd_privileged
>>>>> 138381 0 srwxrwxrwx 1 root root 0 Dec 3 17:35
>>>>> /var/lib/samba/winbindd_privileged/pipe
>>>>> 222599 1 drwxr-x--- 2 root squidg 512 Dec 4 03:36
>>>>> /var/lib/samba/smb_krb5
>>>>> 342937 1 -rw-r--r-- 1 root root 268 Dec 4 03:36
>>>>> /var/lib/samba/smb_krb5/krb5.conf.EUROPE
>>>>>
>>>>> I did not find any explanation right now except applying same
>>> security
>>>>> settings on directories again and reloading process squid.
>>>>>
>>>>> We are already running squid more than 3 years and never got the
>>> problem
>>>>> before ..
>>>>>
>>>>> Can somebody really help me because each time we encounter this
issue
>>>>> hundreds of my users are impacted.
>>>>>
>>>>> many thanks for your help.
>>>> Please first ensure that you DO NOT have cache_effective_group
>>>> configured in your squid.conf.
>>>> All squid group settings under this setup need to be OS-defined
>>>> correctly and working properly that way.
>>>
>>> yes sure I get 'cache_effective_user squid' & 'cache_effective_group
>>> squidg' configured in squid config file ... this was alaways so ..
>>>
>>> is there a specific issue with it ??
>>
>>The squid.conf configured group forces override of any OS settings
from
>>squid point of view. Particularly to the effect of erasing membership
of
>>secondary groups and group aliases. Winbind only obeys and verifies
>>against the OS settings, so there is a high likelyhood that your issue
>>is a mismatch between the privileges seen by squid with group
configured
>>and the system settings.
>>
>>effective_group may have been needed in 2.5 and earlier and before we
>>sorted out the winbind privileges system. But has really been obsolete
>>since group membership was fixed in Squid-2.6.
>>
>
>Amos,
>
>many thks for your help .. I made the change yesterday morning and
seems to be okay till now.
>
>I keep you informed later if this stays as is.

I am back, sorry but the problem is happening again .... do you get some
other ideas because this is becoming a real big issue here .. thks.

>
>>Amos
>>--
>>Please be using
>> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
>> Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1
-----------------------------------------------------------------
ATTENTION:
The information in this electronic mail message is private and
confidential, and only intended for the addressee. Should you
receive this message by mistake, you are hereby notified that
any disclosure, reproduction, distribution or use of this
message is strictly prohibited. Please inform the sender by
reply transmission and delete the message without copying or
opening it.

Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the
files have NOT been scanned for viruses by the ING mail domain.
Always scan attachments before opening them.
-----------------------------------------------------------------
Received on Mon Dec 08 2008 - 09:00:25 MST

This archive was generated by hypermail 2.2.0 : Tue Dec 09 2008 - 12:00:01 MST