RE: [squid-users] NTLM authentication not working with Squid 2.5 + Samba 3.0 after reading all the FAQs

From: Chavez Gutierrez, Freddy <fchavez@dont-contact.us>
Date: Tue, 24 Feb 2004 16:53:48 -0500

Now it's working thanks to all of you guys.
In my case there were two issues to fix:

1. The permission on /var/cache/samba/winbind_privileged
  #chmod 750 /var/cache/samba/winbind_privileged
  #chgrp squid /var/cache/samba/winbind_privileged

2. The character separator is \ and not + so I changed this line:
    acl domain_admins proxy_auth mydomain+testuser
  with this one:
    acl domain_admins proxy_auth mydomain\testuser

Thank you very much.

Regards,
Freddy Chavez.

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Tuesday, February 24, 2004 5:26 AM
To: Daniel Meyer
CC: Henrik Nordstrom; Chavez Gutierrez, Freddy; squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM authentication not working with Squid 2.5 + Samba 3.0 after reading all the FAQs

On Tue, 24 Feb 2004, Daniel Meyer wrote:

> Guess I am missing something here.
>
> on my system the pipe has the following permissions:
>
> proxy:/var/locks/winbindd_privileged # ls -alp
> total 0
> drwxr-x--- 2 root root 72 Feb 24 10:52 ./
> drwxrwxrwx 4 root root 352 Feb 24 10:52 ../
> srwxrwxrwx 1 root root 0 Feb 24 10:52 pipe=
>
> If I try to change the permissions of the directory itself, so that
> the squid user can access it, winbindd fails to start:
>
> proxy:/var/locks # winbindd -i
> winbindd version 3.0.2 started.
> Copyright The Samba Team 2000-2004
> Added domain whatever whatever.Lokal S-1-5-21-3284267766-540466896-523501128
> invalid permissions on socket directory /var/locks/winbindd_privileged
> open_winbind_socket: No such file or directory
>
> Doesn't matter if I try to change owner/group, or just the rwx
> permissions for owner/group/all...

Only root should have w. The other users who should be allowed to access
this directory should have x and optionally r.

Recommended method is to create a group for winbind authentication and
make sure all services requiring this interface (i.e. Squid) are running
with this group.

  chgrp winbind /path/to/winbindd_privileged
  chmod 750 /path/to/winbindd_privileged (if you have changed the permissions)

  change Squid to run with group winbind

Or if access to the OS of your server is restricted you can take the easy
path out and allow all users access to winbindd_privileged

  chmod 755 /path/to/winbindd_privileged

Regards
Henrik
Received on Tue Feb 24 2004 - 14:52:55 MST
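
The permission rule from the reply above, written as a check script (an added example, not part of the original thread): only the owner may have w, and the group Squid runs as needs x on the directory. The function name, verdict words and scratch directory are assumptions made for the demo, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the thread). Prints one verdict for DIR:
#   ok               owner-only write; GROUP owns DIR and has x (e.g. 750)
#   world-accessible others have x (e.g. 755, the "easy path" in the reply)
#   unsafe-write     group or others have w; only the owner should
#   no-access        GROUP cannot enter DIR (wrong group, or no group x)
# The owner is assumed to be root and is not checked, so the demo runs unprivileged.
check_privileged_dir() {
    dir=$1
    want_group=$2
    [ -d "$dir" ] || { echo "missing"; return 0; }
    # GNU coreutils stat: %a = octal mode, %G = owning group name
    perm=$(printf '%04d' "$(stat -c '%a' "$dir")")   # pad to four digits
    dir_group=$(stat -c '%G' "$dir")
    other=${perm#???}                    # last digit: permissions for others
    grp=${perm#??}; grp=${grp%?}         # third digit: permissions for group
    if [ $(( grp & 2 )) -ne 0 ] || [ $(( other & 2 )) -ne 0 ]; then
        echo "unsafe-write"
    elif [ $(( other & 1 )) -ne 0 ]; then
        echo "world-accessible"
    elif [ $(( grp & 1 )) -ne 0 ] && [ "$dir_group" = "$want_group" ]; then
        echo "ok"
    else
        echo "no-access"
    fi
}

# Demo on a constructed scratch directory standing in for winbindd_privileged.
demo_verdicts() {
    scratch=$(mktemp -d)
    mkdir "$scratch/winbindd_privileged"
    g=$(stat -c '%G' "$scratch/winbindd_privileged")
    for m in 750 755 770 700; do
        chmod "$m" "$scratch/winbindd_privileged"
        echo "$m $(check_privileged_dir "$scratch/winbindd_privileged" "$g")"
    done
    rm -rf "$scratch"
}
demo_verdicts
```

On a real host, pass the actual winbindd_privileged path and the group Squid runs as; a directory owned by group root, as in the quoted listing, reports no-access for any other group.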
