Hello, I am in the process of building some test squid instances for possible deployment and have come across an issue where the user squid runs under seems not be allowed access to the winbind pipe when the user is in the proper group. Here are the details:
Ubuntu 11.04 Squid 3.1.11 (from the natty repo) Winbind 3.5.8 (from the natty repo) The server has pam configured and working for access with winbind though the behavior seems to be the same with pam_winbind disabled. Here's what I see: ==> debug.log <== [2012/02/28 16:53:28.521059, 0] utils/ntlm_auth.c:600(winbind_pw_check) Login for user [DOMAIN]\[USER]@[HOST] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly.] [2012/02/28 16:53:28.521059, 0] utils/ntlm_auth.c:896(manage_squid_ntlmssp_request_int) NTLMSSP BH: NT_STATUS_ACCESS_DENIED 2012/02/28 16:53:28| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED' Squid runs as user proxy and is a member of the winbind_priv group: root@squid-1104:/var/log/squid3# ps -ef | grep squid3 root 2991 1 0 16:39 ? 00:00:00 /usr/sbin/squid3 -YC -f /etc/squid3/squid.conf proxy 2993 2991 0 16:39 ? 00:00:00 (squid) -YC -f /etc/squid3/squid.conf winbindd_priv:x:112:proxy Privs on the directory: drwxr-x--- 2 root winbindd_priv 60 2012-02-28 16:38 winbindd_privileged Here's the auth_param statements: auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="DOMAIN\\domain users" auth_param ntlm children 25 I have an Ubuntu 11.10 server with a similar configuration with the exception that I am not using pam_winbind for authentication to the server and squid is doing ntlm authentication for users just fine. I pulled the squid configurations off the working Ubuntu server where I don't have this issue. Has anyone seen this before and does anyone know how to fix it? I will happily provide more detail as required. Thanks, Chris Waters
smime.p7s
Description: S/MIME cryptographic signature