[squid-users] Again with winbindd_privileged, sometimes "Ensure permissions on /var/db/samba/winbindd_privileged are set correctly"

From: c0re <nr1c0re_at_gmail.com>
Date: Wed, 1 Sep 2010 13:38:49 +0400

Hello squid users!

I've got squid+winbind ntlm auth.
But sometimes I see this in the log /var/log/samba/log.winbindd:

[2010/09/01 12:39:11,  2] winbindd/winbindd_pam.c:winbindd_pam_auth_crap(1754)
  winbindd_pam_auth_crap: non-privileged access denied.  !
  winbindd_pam_auth_crap: Ensure permissions on /var/db/samba/winbindd_privileged are set correctly.

About 1k users.
Sometimes a user sees a proxy auth window asking for credentials in IE6.
The user can just press ESC without entering any credentials, and all goes OK.
That window means that some NTLM auth problem occurs.
In the log I see only the message above about winbindd_privileged.

freebsd 7.3
squid 3.1.7
samba-3.3.10

In squid.conf
no cache_effective_group option configured
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 150

Using cachemgr.cgi and looking at "NTLM User Authenticator Stats" I
see that only 32 redirectors have changed "# Request" counters, which means
that not all 150 redirectors are used, so it's not a redirector problem.

# ls -l /var/db/samba/ | grep winbindd_privileged
drwxrwx---  2 root  squid     512 Aug 22 13:58 winbindd_privileged

# ls -l /var/db/samba/winbindd_privileged/
srwxrwxrwx  1 root  squid  0 Aug 22 13:58 pipe

What can be wrong? If the permissions were incorrect, no one could auth
via NTLM, but all users can authorize and walk in the internet. I can't
find why that auth window sometimes appears and why that message
about "permissions" appears in the log.

Thanks in advance!
Received on Wed Sep 01 2010 - 09:38:56 MDT
