RE: [squid-users] winbind directories permissions issue

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 18 Dec 2008 15:04:14 +1300 (NZDT)

>
>>
>>>> ...
>>>> Amos
>>>>
>>>> I made some cut from our previous posts to avoid any confusion.
>>>>
>>>>>
>>>>> Sorry I haven't had much to do with winbind than we have already tried.
>>>>> you are the first I've seen where these fixes have not worked.
>>>>>
>>>>> Can you get a full "ls -la" trace of the directory content and permissions
>>>>> at a time where it's working, and one where it's not? Also a list of the
>>>>> squid user name and the groups names it belongs to.
>>>>>
>>>>
>>>> $ egrep 'squid|winbin' /etc/passwd /etc/group
>>>> /etc/passwd:squid:x:1560:1560:SQUID user:/home/SQUID:/bin/ksh
>>>> /etc/group:squidg::1560:
>>>> /etc/group:winbind::2222:squid
>>>>
>>>> Below what happened on one of my machines .. sbepskdd.
>>>>
>>>> some minutes before the bug occurred ..
>>>>
>>>> $ ls -nai /var/lib/samba
>>>> total 121612
>>>> 162445 drwxr-x--- 5 0 2222 512 Dec 15 04:14 .
>>>> 330886 drwxr-xr-x 5 0 0 512 Nov 17 19:39 ..
>>>> 162448 -rw-r----- 1 0 2222 8192 Dec 15 04:14 gencache.tdb
>>>> 162450 -rw-r----- 1 0 2222 696 Nov 17 19:39 idmap_cache.tdb
>>>> 168469 drwxr-x--- 4 0 2222 512 Nov 17 19:39 locks
>>>> 162451 -rw-r----- 1 0 2222 8192 Dec 14 22:06 messages.tdb
>>>> 162454 -rw-r----- 1 0 2222 62144512 Dec 15 08:41 netsamlogon_cache.tdb
>>>> 54155 drwxr-x--- 2 0 2222 512 Dec 15 04:14 smb_krb5
>>>> 162453 -rw------- 1 0 0 57344 Nov 25 06:49 winbindd_cache.tdb
>>>> 451222 drwxr-x--- 2 0 2222 512 Nov 25 06:47 winbindd_privileged
>>>>
>>>> $ ls -nai /var/lib/samba/winbindd_privileged
>>>> total 4
>>>> 451222 drwxr-x--- 2 0 2222 512 Nov 25 06:47 .
>>>> 162445 drwxr-x--- 5 0 2222 512 Dec 15 04:14 ..
>>>> 451223 srwxrwxrwx 1 0 0 0 Nov 25 06:47 pipe
>>>>
>>>> when SQUID is still running but the bug is happening ..
>>>>
>>>> $ ls -nai /var/lib/samba
>>>> total 122140
>>>> 162445 drwxr-x--- 5 0 2222 512 Dec 15 04:14 .
>>>> 330886 drwxr-xr-x 5 0 0 512 Nov 17 19:39 ..
>>>> 162448 -rw-r----- 1 0 2222 8192 Dec 15 04:14 gencache.tdb
>>>> 162450 -rw-r----- 1 0 2222 696 Nov 17 19:39 idmap_cache.tdb
>>>> 168469 drwxr-x--- 4 0 2222 512 Nov 17 19:39 locks
>>>> 162451 -rw-r----- 1 0 2222 8192 Dec 14 22:06 messages.tdb
>>>> 162454 -rw-r----- 1 0 2222 62414848 Dec 15 10:04 netsamlogon_cache.tdb
>>>> 54155 drwxr-x--- 2 0 2222 512 Dec 15 04:14 smb_krb5
>>>> 162453 -rw------- 1 0 0 57344 Nov 25 06:49 winbindd_cache.tdb
>>>> 451222 drwxr-x--- 2 0 2222 512 Nov 25 06:47 winbindd_privileged
>>>>
>>>> $ ls -nai /var/lib/samba/winbindd_privileged
>>>> total 4
>>>> 451222 drwxr-x--- 2 0 2222 512 Nov 25 06:47 .
>>>> 162445 drwxr-x--- 5 0 2222 512 Dec 15 04:14 ..
>>>> 451223 srwxrwxrwx 1 0 0 0 Nov 25 06:47 pipe
>>>>
>>>> just after restart of SQUID process ..
>>>>
>>>> $ ls -nai /var/lib/samba
>>>> total 122140
>>>> 162445 drwxr-x--- 5 0 2222 512 Dec 15 04:14 .
>>>> 330886 drwxr-xr-x 5 0 0 512 Nov 17 19:39 ..
>>>> 162448 -rw-r----- 1 0 2222 8192 Dec 15 04:14 gencache.tdb
>>>> 162450 -rw-r----- 1 0 2222 696 Nov 17 19:39 idmap_cache.tdb
>>>> 168469 drwxr-x--- 4 0 2222 512 Nov 17 19:39 locks
>>>> 162451 -rw-r----- 1 0 2222 8192 Dec 14 22:06 messages.tdb
>>>> 162454 -rw-r----- 1 0 2222 62414848 Dec 15 10:04 netsamlogon_cache.tdb
>>>> 54155 drwxr-x--- 2 0 2222 512 Dec 15 04:14 smb_krb5
>>>> 162453 -rw------- 1 0 0 57344 Nov 25 06:49 winbindd_cache.tdb
>>>> 451222 drwxr-x--- 2 0 2222 512 Nov 25 06:47 winbindd_privileged
>>>>
>>>> $ ls -nai /var/lib/samba/winbindd_privileged
>>>> total 4
>>>> 451222 drwxr-x--- 2 0 2222 512 Nov 25 06:47 .
>>>> 162445 drwxr-x--- 5 0 2222 512 Dec 15 04:14 ..
>>>> 451223 srwxrwxrwx 1 0 0 0 Nov 25 06:47 pipe
>>>>
>>>> Now another notice, I made a change last tuesday on another SQUID server
>>>> and this seems working almost one week ..
>>>>
>>>> $ ls -nai /var/lib/samba
>>>> total 78156
>>>> 342924 drwxr-xr-x 5 0 2222 512 Dec 15 04:22 .
>>>> 66177 drwxr-xr-x 5 0 0 512 Nov 18 01:34 ..
>>>> 342930 -rw-r--r-- 1 0 2222 8192 Dec 15 04:22 gencache.tdb
>>>> 342932 -rw-r--r-- 1 0 2222 696 Nov 18 01:34 idmap_cache.tdb
>>>> 354946 drwxr-xr-x 4 0 2222 512 Nov 18 01:34 locks
>>>> 342933 -rw-r--r-- 1 0 2222 8192 Dec 13 22:06 messages.tdb
>>>> 342936 -rw-r--r-- 1 0 2222 39903232 Dec 15 10:20 netsamlogon_cache.tdb
>>>> 222599 drwxr-xr-x 2 0 2222 512 Dec 15 04:22 smb_krb5
>>>> 342934 -rw------- 1 0 0 57344 Dec 9 10:44 winbindd_cache.tdb
>>>> 138380 drwxr-x--- 2 0 2222 512 Dec 9 10:39 winbindd_privileged
>>>>
>>>> $ ls -nai /var/lib/samba/winbindd_privileged
>>>> total 4
>>>> 138380 drwxr-x--- 2 0 2222 512 Dec 9 10:39 .
>>>> 342924 drwxr-xr-x 5 0 2222 512 Dec 15 04:22 ..
>>>> 138381 srwxrwxrwx 1 0 0 0 Dec 9 10:39 pipe
>>>>
>>>> I do not understand anything, maybe situation is more clear for you ..
>>>>
>>>> Hope some good news from you ..
>>>>
>>>
>>>
>>>Sigh, oh dear. sorry no good news. Nothing visible in that trace. I was
>>>hoping it would be clear like squid or winbind setting one of the
>>>privileges to root when it shouldn't.
>>>
>>>You said earlier "process squid is running as user squid and group
>>>squidg so afaik permissions below are correct .."
>>>
>>>You did mean squid starts as root and then sets itself to
>>>"cache_effective_user squid" and user squid is a member of group squidg,
>>>right?
>>>
>>
>>I just found another tip on the net by using setgid on ntlm_auth binary
>>and winbind directory. I will try this tomorrow morning .. see below ??
>>
>>chown -R root:winbind /var/lib/samba
>>find /var/lib/samba -type d -exec chmod 750 {} \;
>>find /var/lib/samba -type f -exec chmod 640 {} \;
>>chown root:winbind /usr/local/bin/ntlm_auth
>>chmod 2555 /usr/local/bin/ntlm_auth
>>chmod g+s /var/lib/samba/winbindd_privileged
>>
>>I just tried it on my dev machine and seems to work ..
>>
>>root_at_sbedskcq:/root# ls -la /usr/local/bin/ntlm_auth
>>-r-xr-sr-x 1 root winbind 1205548 Oct 15 20:05 /usr/local/bin/ntlm_auth
>>
>>root_at_sbedskcq:/root# find /var/lib/samba -ls
>>78264 1 drwxr-x--- 4 root winbind 512 Dec 15 19:14 /var/lib/samba
>>78244 24 -rw-r----- 1 root winbind 24576 Nov 18 15:48 /var/lib/samba/gencache.tdb
>>78248 1 -rw-r----- 1 root winbind 696 Oct 29 07:10 /var/lib/samba/idmap_cache.tdb
>>78250 1 -rw-r----- 1 root winbind 696 Dec 15 19:14 /var/lib/samba/messages.tdb
>>78310 56 -rw------- 1 root other 57344 Dec 15 19:18 /var/lib/samba/winbindd_cache.tdb
>>78297 112 -rw-r----- 1 root winbind 106496 Nov 18 19:04 /var/lib/samba/netsamlogon_cache.tdb
>>288828 1 drwxr-s--- 2 root winbind 512 Dec 15 19:14 /var/lib/samba/winbindd_privileged
>>288831 0 srwxrwxrwx 1 root winbind 0 Dec 15 19:14 /var/lib/samba/winbindd_privileged/pipe
>>288830 1 drwxr-x--- 2 root winbind 512 Dec 15 19:14 /var/lib/samba/smb_krb5
>>78309 1 -rw-r--r-- 1 root other 268 Dec 15 19:14 /var/lib/samba/smb_krb5/krb5.conf.EUROPE
>>
>>root_at_sbedskcq:/root# ps -fu squid -o uid,gid,args
>> UID GID COMMAND
>> 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>> 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>> 1560 1560 diskd 27083780 27083781 27083782
>> 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>> 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>> 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>> 1560 1560 diskd 27083776 27083777 27083778
>> 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>> 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>> 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>> 1560 1560 (squid) -f /home/SQUID/etc/squid.conf.2.7.4 -D
>> 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>> 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>> 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>> 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>> 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>> 1560 1560 (unlinkd)
>> 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>> 1560 2222 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
>> 1560 1560 /usr/local/sbin/squid -f /home/SQUID/etc/squid.conf.2.7.4 -D
>>
>>I keep you informed.
>>
>
> So what's new ... very bad news! :(-
>
> So as mentioned, I tried the setgid winbind and this also does not work, BUT
> something interesting: I also tried setuid root and this also fails, so
> as far as I can understand I think the problem is not coming from a lack
> of permission of ntlm_auth on /var/lib/samba/winbindd_privileged
> directory.
>
> In this context the problem is maybe not coming from SQUID but from
> SAMBA (ntlm_auth internal code) ...
>
> What do you think about it ??
>

I think asking them about it might be the next best bet.

Amos
Received on Thu Dec 18 2008 - 02:04:17 MST
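
The permission question this thread keeps returning to, worked through as an added example that is not part of the original messages: it applies the standard Unix owner/group/other check to `ls -nai` lines copied from the first listing above (wrapped lines rejoined), for uid 1560 with and without supplementary group 2222. The function names are hypothetical, and it assumes a system that enforces the mode bits on the socket itself.

```python
# Added example: evaluate the classic Unix permission check against
# `ls -nai` lines copied from the thread (inode mode links uid gid size date name).
LISTING = {
    "/var/lib/samba": "162445 drwxr-x--- 5 0 2222 512 Dec 15 04:14 .",
    "/var/lib/samba/winbindd_privileged": "451222 drwxr-x--- 2 0 2222 512 Nov 25 06:47 .",
    "/var/lib/samba/winbindd_privileged/pipe": "451223 srwxrwxrwx 1 0 0 0 Nov 25 06:47 pipe",
}

def parse(line):
    """Return (mode_string, uid, gid) from one `ls -nai` line."""
    fields = line.split()
    return fields[1], int(fields[3]), int(fields[4])

def allowed(line, uid, gids, want):
    """True if a process with this uid and group set gets `want` (r, w or x)."""
    mode, owner, group = parse(line)
    if uid == 0:
        return True  # root passes directory search and socket write checks
    # Exactly one class applies: owner, else group, else other (no fall-through).
    if uid == owner:
        triad = mode[1:4]
    elif group in gids:
        triad = mode[4:7]
    else:
        triad = mode[7:10]
    bit = triad["rwx".index(want)]
    # A lowercase 's' or 't' in the execute slot means setuid/setgid/sticky plus execute.
    return bit in ("x", "s", "t") if want == "x" else bit == want

def can_reach_pipe(uid, gids):
    """Need search (x) on each directory, then write (w) on the socket."""
    steps = [(p, "w" if p.endswith("/pipe") else "x") for p in LISTING]
    return [(p, w, allowed(LISTING[p], uid, gids, w)) for p, w in steps]

def first_denied(uid, gids):
    """Path of the first component that refuses access, or None if all pass."""
    return next((p for p, _, ok in can_reach_pipe(uid, gids) if not ok), None)

if __name__ == "__main__":
    cases = {
        "uid 1560, groups 1560+2222": {1560, 2222},
        "uid 1560, group 1560 only": {1560},
    }
    for label, gids in cases.items():
        print(label, "->", first_denied(1560, gids) or "pipe reachable")
```

With group 2222 in the process's group set, every component passes; without it, the walk stops at `/var/lib/samba` itself, before the `winbindd_privileged` directory is even consulted.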