On Wed, 7 Dec 2011 09:30:31 -0500, Robert Vaughan wrote:
> Hi,
>
> We're using Squid-2.5.STABLE14 and occasionally when we rotate logs
> (nightly event) something breaks in the squid->ntlm_auth->winbind chain
> such that users get prompted in their browsers to authenticate.
>
> In the cache log we see this error for each user:
>
> Login for user [domain]\[user]@[machine] failed due to [winbind client not
> authorized to use winbindd_pam_auth_crap. Ensure permissions on
> /appl/samba-3.2.10/var/locks/winbindd_privileged are set correctly.]
>
> The permissions are of course correct on the winbindd_privileged folder
> and the pipe (this works most of the time)
>
> drwxr-x--- 2 root squid 3 Dec 3 22:29 /appl/samba/var/locks/winbindd_privileged
>
> srwxrwxrwx 1 root root 0 Dec 3 22:29 pipe
>
> Squid runs as effective user 'operator' which is in the 'squid' group.

This appears to be the old problem that winbind/Samba perform security
checks and reset their important security permissions at times.
/appl/samba/var/locks/winbindd_privileged being primary amongst those.

To fix that problem the Squid effective user needs to be a member of
the winbindd_priv group, with the
/appl/samba/var/locks/winbindd_privileged left at whatever Samba needs.
This prevents giving all software which uses winbindd_privileged
unsecured access to all Squid data and signalling operations, and leaves
Samba to maintain its own permissions properly.

Removing the cache_effective_group from squid.conf allows the OS
permissions system to assign Squid to multiple groups (its own 'squid'
group and the 'winbindd_priv' group) and is needed for this to work.

NOTE: if you are using a RHEL package this will fail whatever you
configure. Somebody at RHEL went and hard-coded a default group into
Squid. As of early this year it was still happening; I have no info on
the most recent package. To regain control over permissions you must
build your own Squid for RHEL.

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions

PS. Squid-2.5 was obsoleted over 5 years ago. Please consider
scheduling an upgrade.

Amos
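The following is an added example, not code from either poster or from the Squid or Samba projects. It models the permission question in the reply above: whether the Squid effective user can enter the winbindd_privileged directory given the directory's mode, owner and group (as `ls -ld` prints them) and the user's group list (as `id -nG` prints it), and whether squid.conf still carries a `cache_effective_group` directive that would pin Squid to one group. The user name `operator`, the group names `squid` and `winbindd_priv`, and the assumption that Samba resets the directory's group to `winbindd_priv` are taken from the thread; the sample mode lines and the sample squid.conf contents are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): permission checks for the
# squid -> ntlm_auth -> winbindd_privileged chain. Sample values are constructed.

# usage: can_traverse MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
# MODE is the 10-character field from `ls -ld`, e.g. drwxr-x---.
# Prints yes/no and returns 0/1 according to whether USER may search the
# directory (the x bit of the single class that applies to USER).
can_traverse() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    # root bypasses mode bits entirely
    if [ "$user" = root ]; then
        echo yes
        return 0
    fi
    # POSIX picks exactly one class: owner, else group, else other; a user who
    # matches the group is judged by the group bits even if "other" is wider.
    class=other
    if [ "$user" = "$owner" ]; then
        class=owner
    else
        for g in $groups; do
            if [ "$g" = "$group" ]; then
                class=group
                break
            fi
        done
    fi
    case $class in
        owner) bit=$(printf '%s' "$mode" | cut -c4) ;;
        group) bit=$(printf '%s' "$mode" | cut -c7) ;;
        other) bit=$(printf '%s' "$mode" | cut -c10) ;;
    esac
    # s and t stand in for x when setuid/setgid/sticky are also set
    case $bit in
        x|s|t) echo yes; return 0 ;;
        *)     echo no;  return 1 ;;
    esac
}

# usage: cache_effective_group_set SQUID_CONF
# Returns 0 when an active (uncommented) cache_effective_group line exists.
# The reply above recommends removing it so the OS applies every group the
# effective user belongs to, not just the one named here.
cache_effective_group_set() {
    grep -Eq '^[[:space:]]*cache_effective_group[[:space:]]' "$1"
}

# Constructed scenarios mirroring the thread: the directory as the poster saw
# it (group squid), then as Samba is assumed to reset it (group winbindd_priv),
# with user operator first in group squid only and then in both groups.
demo() {
    printf 'group squid,         operator in squid: %s\n' \
        "$(can_traverse drwxr-x--- root squid operator 'squid')"
    printf 'group winbindd_priv, operator in squid: %s\n' \
        "$(can_traverse drwxr-x--- root winbindd_priv operator 'squid')"
    printf 'group winbindd_priv, operator in both:  %s\n' \
        "$(can_traverse drwxr-x--- root winbindd_priv operator 'squid winbindd_priv')"
}

demo
```

Run the script as-is for the three-line comparison, or source it and call `can_traverse` with the fields of a real `ls -ld` line and `id -nG` output; `cache_effective_group_set /path/to/squid.conf` tells you whether the single-group pin is still in place.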
Received on Wed Dec 07 2011 - 23:34:26 MST