ntlm winbindd_privileged permission issue


ntlm winbindd_privileged permission issue

Max Ashton

Hi guys,

I have just configured our squid proxy to use ntlm authentication.

I am failing to find the correct file permissions for the /var/lib/samba/winbindd_privileged folder. Squid fails to authenticate using winbind when the file permissions are set to 750; I get the following error in the log.

NTLM Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL;

If I then change the permissions on winbindd_privileged to 757 everything works fine. However, this is not good practice, and if the server restarts then winbind fails to start, throwing the error "incorrect permissions set, 757 should be 750". Changing the permissions back allows winbind to start but squid then stops authenticating.

My first thought is that the squid user is not in the correct group, so I add the proxy user into the winbindd_priv group using

sudo usermod -a -G winbindd_priv proxy

Checking this with members winbindd_priv, proxy is indeed a member.

I then check that winbindd_priv is the assigned group for the folder; first I run

sudo chown root:winbindd_priv /var/lib/samba/winbindd_privileged/

to assign it. Then

sudo ls -l /var/lib/samba

drwxr-x---  2 root winbindd_priv    4096 Jul 27 15:27 winbindd_privileged

It appears my proxy is not running as the "proxy" user (I compiled squid with --with-default-user=proxy).

As a note, I have tried adding every user to winbindd_priv; the same issue occurs.

Any ideas or suggestions on how I can get ntlm working without the 777 file permission would be great.

Kind Regards

Max Ashton
JJO plc IT



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: ntlm winbindd_privileged permission issue

dijxie
On 2017-07-27 18:15, Max Ashton wrote:

So what user is your squid running as?
There is a config directive "cache_effective_user" - http://www.squid-cache.org/Doc/config/cache_effective_user/
On CentOS, squid is running as 'squid' by default; adding squid to group 'wbpriv' - the default CentOS winbind group - allows running the NTLM/negotiate authenticator without issue.

What OS? Is selinux enabled and enforcing policy applied?
-- 
Greets, Dijx

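The question above (which user squid actually runs as, and whether that user is in the group that owns the winbindd pipe directory) is what decides this, not the directory mode. The following is an added audit script, not code from the thread or from the Squid or Samba projects: it keeps the 750 mode winbindd insists on and instead checks the user/group side. The directory path and group name are the ones from the thread; the function names, the `--live` switch and the use of GNU `stat`, `id -nG` and procps `ps -C` on Linux are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether the user Squid's NTLM
# helper runs as can traverse winbindd's privileged pipe directory, without
# widening the directory mode. Pure functions take explicit inputs so they
# can be checked with constructed values; --live reads the real system.

WB_PRIV_DIR=${WB_PRIV_DIR:-/var/lib/samba/winbindd_privileged}

# dir_mode_ok MODE -> 0 if MODE is exactly 750, the only mode winbindd accepts
# (it refuses to start on 757, and 777 is the "fix" the thread rightly rejects)
dir_mode_ok() {
    [ "$1" = "750" ]
}

# user_in_group GROUP "G1 G2 ..." -> 0 if GROUP appears in the group list
user_in_group() {
    needle=$1
    for g in $2; do
        [ "$g" = "$needle" ] && return 0
    done
    return 1
}

# verdict USER MODE OWNER_GROUP "USER_GROUPS" -> 0 if access should work,
# otherwise prints the specific thing that is wrong and returns 1
verdict() {
    user=$1 mode=$2 owner_group=$3 user_groups=$4
    rc=0
    if ! dir_mode_ok "$mode"; then
        echo "mode $mode on $WB_PRIV_DIR: winbindd requires 750 (chmod 750; do not widen it)"
        rc=1
    fi
    if ! user_in_group "$owner_group" "$user_groups"; then
        echo "user '$user' is not in group '$owner_group': add it with usermod -a -G $owner_group $user and restart squid so the new supplementary group takes effect"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "ok: '$user' reaches $WB_PRIV_DIR through group '$owner_group' with mode $mode"
    fi
    return "$rc"
}

# live_audit: inspect the running system (Linux tools assumed)
live_audit() {
    # the user the running squid process actually has, which is what matters,
    # not the compile-time default or what squid.conf says
    user=$(ps -o user= -C squid 2>/dev/null | sort -u | head -n 1)
    if [ -z "$user" ]; then
        echo "no running squid process found" >&2
        return 2
    fi
    mode=$(stat -c '%a' "$WB_PRIV_DIR")
    owner_group=$(stat -c '%G' "$WB_PRIV_DIR")
    groups=$(id -nG "$user")
    # SELinux can block the pipe even when DAC is right; report it alongside
    if command -v getenforce >/dev/null 2>&1; then
        echo "selinux: $(getenforce)"
    fi
    verdict "$user" "$mode" "$owner_group" "$groups"
}

# only touch the real system when asked: sh audit.sh --live
[ "${1:-}" = "--live" ] && live_audit
```

Run it with `--live` as root on the proxy host; the two failure messages correspond to the two states described in the thread (directory mode drifted away from 750, or the effective user not yet carrying the group, which needs a squid restart after `usermod`).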

Re: ntlm winbindd_privileged permission issue

Amos Jeffries
Administrator
On 28/07/17 05:16, Dijxie wrote:
> On 2017-07-27 18:15, Max Ashton wrote:
>> Hi guys,
>>
>> I have just configured our squid proxy to use ntlm authentication.
>>
>> I am failing to find correct file permission for the /var/lib/samba/winbindd_privileged folder. Squid failed to authenticate using winbind when the following file permissions are set 750, I get the following error in the log.

Leave the privileges of that folder alone.

The correct setup for Squid is detailed at
<http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions>


Amos