Hello,
I am in the process of building some test squid instances for possible
deployment and have come across an issue where the user squid runs under
seems not be allowed access to the winbind pipe when the user is in the
proper group. Here are the details:
Ubuntu 11.04
Squid 3.1.11 (from the natty repo)
Winbind 3.5.8 (from the natty repo)
The server has pam configured and working for access with winbind though
the behavior seems to be the same with pam_winbind disabled.
Here's what I see:
==> debug.log <==
[2012/02/28 16:53:28.521059, 0] utils/ntlm_auth.c:600(winbind_pw_check)
Login for user [DOMAIN]\[USER]@[HOST] failed due to [winbind client not
authorized to use winbindd_pam_auth_crap. Ensure permissions on
/var/run/samba/winbindd_privileged are set correctly.]
[2012/02/28 16:53:28.521059, 0]
utils/ntlm_auth.c:896(manage_squid_ntlmssp_request_int)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2012/02/28 16:53:28| authenticateNTLMHandleReply: Error validating user
via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
Squid runs as user proxy and is a member of the winbind_priv group:
root_at_squid-1104:/var/log/squid3# ps -ef | grep squid3
root 2991 1 0 16:39 ? 00:00:00 /usr/sbin/squid3 -YC -f
/etc/squid3/squid.conf
proxy 2993 2991 0 16:39 ? 00:00:00 (squid) -YC -f
/etc/squid3/squid.conf
winbindd_priv:x:112:proxy
Privs on the directory:
drwxr-x--- 2 root winbindd_priv 60 2012-02-28 16:38 winbindd_privileged
Here's the auth_param statements:
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
--require-membership-of="DOMAIN\\domain users"
auth_param ntlm children 25
I have an Ubuntu 11.10 server with a similar configuration with the
exception that I am not using pam_winbind for authentication to the server
and squid is doing ntlm authentication for users just fine. I pulled the
squid configurations off the working Ubuntu server where I don't have this
issue.
Has anyone seen this before and does anyone know how to fix it? I will
happily provide more detail as required.
Thanks,
Chris Waters
This archive was generated by hypermail 2.2.0 : Wed Feb 29 2012 - 12:00:06 MST