[Pkg-samba-maint] Bug#307257: samba & winbind 3 install not correct for squid

Jim Barber jim.barber at ddihealth.com
Thu Mar 1 23:08:53 CET 2007

In my investigations so far I don't believe this is going to work for some reason.
I believe the fault is possibly with squid rather than with winbind.

I spent days trying to get NTLM authentication working in squid using the /usr/bin/ntlm_auth program.
This was the only thing that failed; basic authentication; authentication via wbinfo -a; all worked fine.
I'm using squid_2.6.5-4 and winbind_3.0.24-2.

Squid on this box runs under the 'proxy' user id; so in theory all I needed to do was to add proxy to the winbindd_priv group.
Sure enough this allowed me to be able to use 'wbinfo -a user%passwd' when I su'ed to the 'proxy' user.
However ntlm_auth still failed from squid.

I found some interesting conclusions by messing around with the permissions of the /usr/bin/ntlm_auth program itself.
My first test was to make it SUID root. Yes, I know this is not wise, but it's a good test.
So the permissions looked like:

	-rwsr-xr-x 1 root root          968848 Feb  6 15:45 /usr/bin/ntlm_auth

After restarting squid this (predictably) allowed NTLM authentication to work.

My next test was to change the group of the file to winbinnd_priv and take world rx off (remembering to turn on the SUID bit again after the group change).
So now the permissions were:

	-rwsr-x--- 1 root winbindd_priv 968848 Feb  6 15:45 /usr/bin/ntlm_auth

The interesting thing here is that upon restarting squid, it failed to be able to run the ntlm_auth processes at all.
A 'groups proxy' command returned:

	proxy : proxy winbindd_priv

So it should be able to start the program in theory.
But what ever squid is doing when releasing its root privileges and switching over to the proxy user, seems to only be doing it at a primary group level and isn't taking into account and secondary groups that 'proxy' belongs to.

Finally as a compromise, and because I need to get NTLM working here at work I settled on using GUID instead.
So my permissions are:

	-rwxr-sr-x 1 root winbindd_priv 968848 Feb  6 15:45 /usr/bin/ntlm_auth

Still not the right solution I know; but gets me going with no risk of a local user being able to get root access by exploiting a bug (if any) in ntlm_auth.

So the interesting part is that squid doesn't seem to be picking up on the secondary groups.
There seems to be a number of setuid, seteuid, setreuid, etc and their equivalent gid system calls.
Perhaps squid is using the wrong one?

Jim Barber
DDI Health

More information about the Pkg-samba-maint mailing list