[Pkg-samba-maint] Bug#307257: About winbind 3 and squid with ntlm authentication (Debian Bug #307257)
jim.barber at ddihealth.com
Thu May 10 00:30:11 UTC 2007
I've just given it a go by taking the SGID bit back off the /usr/bin/ntlm_auth binary, commenting out the cache_effective_group setting, and restarting squid.
It all works properly.
Back when I upgraded squid from an older version (2.4.x?) to 2.5.x, the configuration file had changed enough that I had to redo it.
I took the /usr/share/doc/squid/examples/squid.conf file as a starting point.
This example file has the 'cache_effective_group proxy' value uncommented.
I have no idea if a fresh new install of squid 2.5.x has this setting in the default config file it supplies, but I suspect it will, as I seem to remember it was the same as the example file.
Because mine was an upgrade, the squid package didn't mess with my existing config.
This should probably be raised as a bug (wishlist?) with the squid maintainers to have this setting changed in the example file (and default config file if it's set) as it breaks the use of the winbindd_priv group.
Do one of you winbind maintainers want to do that, or do you want me to do it? :)
Thanks for that; I'll give it a go when I get a chance.
It looks like the approach of defining a winbindd_privileged group is fine then.
Luca Maranzano wrote:
> Issue: permissions on /var/run/samba/winbindd_privileged/ and /usr/bin/ntlm_auth for Squid
> I've faced this issue on my Debian 4.0 with winbind 3.0.24 and Squid 2.6.12 from testing.
> I've solved it in this way:
> - added the proxy user to the winbindd_privileged group
> - in /etc/squid/squid.conf
> set "cache_effective_user proxy" but NOT "cache_effective_group proxy"
> since from the documentation of Squid:
> # TAG: cache_effective_group
> # If you want Squid to run with a specific GID regardless of
> # the group memberships of the effective user then set this
> # to the group (or GID) you want Squid to run as. When set
> # all other group privileges of the effective user is ignored
> # and only this GID is effective. If Squid is not started as
> # root the user starting Squid must be member of the specified
> # group.
> # cache_effective_group proxy
> So if you set this option the Squid process will lose its supplementary
> groups and will not have access to winbindd_privileged.
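To show the effect the quoted TAG comment describes, here is an added example (not code from this thread, Squid or Samba) that models Squid's privilege drop against a constructed /etc/group and the two squid.conf variants discussed; the group name winbindd_priv and GID 108 are assumed sample values.

```python
import re

# Constructed /etc/group-style sample (not a real system); on Debian the
# winbindd_privileged directory is group-owned by winbindd_priv.
GROUP_DB = """\
root:x:0:
proxy:x:13:
winbindd_priv:x:108:proxy
"""
WINBINDD_PRIV_DIR_GID = 108  # assumed group owner of winbindd_privileged/

# Constructed squid.conf fragments: the setting that breaks ntlm_auth, and the fix.
BROKEN_CONF = "cache_effective_user proxy\ncache_effective_group proxy\n"
FIXED_CONF = "cache_effective_user proxy\n# cache_effective_group proxy\n"


def parse_groups(text):
    """Map group name -> (gid, set of supplementary member names)."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def squid_setting(conf, tag):
    """Value of an uncommented squid.conf tag, or None if absent or commented out."""
    for line in conf.splitlines():
        m = re.match(r"\s*" + re.escape(tag) + r"\s+(\S+)", line)
        if m:
            return m.group(1)
    return None


def effective_gids(conf, groups):
    """GIDs Squid holds after dropping privileges.

    With cache_effective_group set, only that GID is effective and every
    supplementary group is dropped (per the squid.conf TAG comment). Without
    it, Squid keeps the user's primary group (assumed here to be the group of
    the same name, Debian's usual convention) plus each group listing the user.
    """
    user = squid_setting(conf, "cache_effective_user")
    group = squid_setting(conf, "cache_effective_group")
    if group is not None:
        return {groups[group][0]} if group in groups else {int(group)}
    return {groups[user][0]} | {gid for gid, members in groups.values() if user in members}


def squid_can_read_winbindd_priv(conf, groups, dir_gid=WINBINDD_PRIV_DIR_GID):
    """True when Squid (and the ntlm_auth helpers it spawns) keep the GID that
    owns winbindd_privileged, so NTLM auth works without SGID on ntlm_auth."""
    return dir_gid in effective_gids(conf, groups)
```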