Hi!
I have a problem with the ntlm_auth helper (samba-3.0.2) under squid. I
got the following from the cache.log:
[2003/12/18 15:36:48, 10] utils/ntlm_auth.c:manage_squid_request(1114)
Got 'YR' from squid (length: 2).
[2003/12/18 15:36:48, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(362)
got NTLMSSP packet:
[2003/12/18 15:36:48, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(372)
NTLMSSP challenge
[2003/12/18 15:36:48, 10] utils/ntlm_auth.c:manage_squid_request(1114)
Got 'KK
TlRMTVNTUAADAAAAGAAYAFEAAAAYABgAaQAAAAcABwBAAAAABQAFAEcAAAAFAAUATAAAAA
AAAACBAAAABgIAAE5FQ1BISUxHVUVTVFRFRERZxsHZ3wmcQXsf/i6WpXC+ofVxwR7tpVD+cQtd5yW38y
COE3BYQou44IJIwwXAIJLO' from squid (length: 175).
[2003/12/18 15:36:48, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(362)
got NTLMSSP packet:
[2003/12/18 15:36:48, 10] lib/util.c:dump_data(1830)
[000] 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 NTLMSSP.
........
[010] 51 00 00 00 18 00 18 00 69 00 00 00 07 00 07 00 Q.......
i.......
[020] 40 00 00 00 05 00 05 00 47 00 00 00 05 00 05 00 @.......
G.......
[030] 4C 00 00 00 00 00 00 00 81 00 00 00 06 02 00 00 L.......
........
[040] 4E 45 43 50 48 49 4C 47 55 45 53 54 54 45 44 44 NECPHILG
UESTTEDD
[050] 59 C6 C1 D9 DF 09 9C 41 7B 1F FE 2E 96 A5 70 BE Y......A
{.....p.
[060] A1 F5 71 C1 1E ED A5 50 FE 71 0B 5D E7 25 B7 F3 ..q....P
.q.].%..
[070] 20 8E 13 70 58 42 8B B8 E0 82 48 C3 05 C0 20 92 ..pXB.. ..H...
.
[080] CE .
[2003/12/18 15:36:48, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(609)
Got user=[GUEST] domain=[NECPHIL] workstation=[TEDDY] len1=24 len2=24
[2003/12/18 15:36:48, 0] utils/ntlm_auth.c:winbind_pw_check(325)
Login for user [NECPHIL]\[GUEST]@[TEDDY] failed due to [winbind client
not aut
horized to use winbindd_pam_auth_crap. Ensure permissions on
/var/cache/samba/w
inbindd_privileged are set correctly.]
[2003/12/18 15:36:48, 0]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(375)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
squid.conf settings are:
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp -d 10
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
I don't understand why it would complain about the winbindd_privileged
directory when I've changed the permissions to it as follows:
drwxr-x--- 2 root squid 72 Dec 18 14:54
winbindd_privileged/
I'm not sure what the line "not authorized to use
winbindd_pam_auth_crap"
means. I've searched with Google.com but still no solution. I guess this
is the place to go.
Other info: Distro TSL 2.0 on NEC Express5800 120 Lf (PIII 1.4 GHz, 256MB)
Regards,
Teddy Lim
NEC Philippines, Inc.
On Thu, 2003-12-18 at 19:18, teddy_lim@necph.nec.co.jp wrote:> Hi! > > I have a problem with the ntlm_auth helper (samba-3.0.2) under squid. I > got the following from the cache.log:> Login for user [NECPHIL]\[GUEST]@[TEDDY] failed due to [winbind client > not aut > horized to use winbindd_pam_auth_crap. Ensure permissions on > /var/cache/samba/w > inbindd_privileged are set correctly.] > [2003/12/18 15:36:48, 0] > utils/ntlm_auth.c:manage_squid_ntlmssp_request(375) > NTLMSSP BH: NT_STATUS_ACCESS_DENIED > > squid.conf settings are: > > auth_param ntlm program /usr/bin/ntlm_auth > --helper-protocol=squid-2.5-ntlmssp -d 10 > auth_param ntlm children 5 > auth_param ntlm max_challenge_reuses 0 > auth_param ntlm max_challenge_lifetime 2 minutesJust checking - squid is running as user and group squid?> I don't understand why it would complain about the winbindd_privileged > directory when I've changed the permissions to it as follows: > > drwxr-x--- 2 root squid 72 Dec 18 14:54 > winbindd_privileged/This looks correct.> I'm not sure what the line "not authorized to use winbindd_pam_auth_crap" > means. I've searched with Google.com but still no solution. I guess this > is the place to go.It means something isn't right with those permissions. Andrew Bartlett -- Andrew Bartlett abartlet@pcug.org.au Manager, Authentication Subsystems, Samba Team abartlet@samba.org Student Network Administrator, Hawker College abartlet@hawkerc.net http://samba.org http://build.samba.org http://hawkerc.net -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.samba.org/archive/samba/attachments/20031225/2c23cbde/attachment.bin
Would is be possible to create a winbind group and add squid to the group, then change ownership on the winbind directory to root.winbind instead of root.squid? root.squid seems to work, but root.winbind not? am I missing something in the way that groups work on linux? Regards Rabie ********************************************************************** ------ NOTICE ------ This message contains privileged and confidential information intended only for the person or entity to which it is addressed. Any review, retransmission, dissemination, copy or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient, is prohibited. If you received this message in error, please notify the sender immediately by e-mail, facsimile or telephone and thereafter delete the material from any computer. Metropolitan Health Group, its subsidiaries or associates do not accept liability for any personal views expressed in this message. **********************************************************************