[Pkg-samba-maint] Bug#754339: winbind: ntlm_auth not working due to winbindd_privileged directory problem

Jim Barber jim.barber at ddihealth.com
Thu Jul 10 02:31:27 UTC 2014


Package: winbind
Version: 2:4.1.9+dfsg-1
Severity: normal

Dear Maintainer,

I am setting up a Squid3 server using winbind and ntlm_auth to authenticate
users.

I have successfully done this before with a much older version of Debian.
But with the new version I was having issues.

I have winbind working properly.
I have added the 'proxy' user to the 'winbindd_priv' group.
I have the following auth_param config in the /etc/squid3/squid.conf file:

   auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
   auth_param ntlm children 256 startup=0 idle=1

When using the proxy with a Firefox browser, a window popped up asking for
credentials.
After entering them, I am re-prompted to enter them over and over.
The error in the /var/log/squid3/cache.log is:

   ERROR: NTLM Authentication validating user. Error returned 'BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL'

Eventually I tracked the cause down to the following:

I was (incorrectly) assuming that the /run/samba/winbindd_privileged directory
was being used by ntlm_auth.
This directory is set up by the /etc/init.d/winbind script and looks like so:

   drwxr-x--- 2 root winbindd_priv 40 Jul  9 10:58 /run/samba/winbindd_privileged

But the contents of this directory are empty:

   # ls -l /run/samba/winbindd_privileged/
   total 0

Instead, there is another directory that I found like so:

   drwxr-x--- 2 root root 4096 Jul 10 11:44 /var/lib/samba/winbindd_privileged

This directory contains the socket file needed:

   # ls -l /var/lib/samba/winbindd_privileged/
   total 0
   srwxrwxrwx 1 root root 0 Jul 10 11:44 pipe

I corrected the group permission on the directory so it looks like:

   drwxr-x--- 2 root winbindd_priv 4096 Jul 10 11:44 /var/lib/samba/winbindd_privileged

I restarted squid, and authentication started working correctly.

So the problem is that there are both of the following directories:

   /run/samba/winbindd_privileged
   /var/lib/samba/winbindd_privileged

Only the second one is where the socket is created.
But the second one has the wrong group permissions on it to enable access
by adding appropriate users to the winbindd_priv group.

I'm not sure what the correct fix is.

I guess either /var/lib/samba/winbindd_privileged should be a symlink to
/run/samba/winbindd_privileged instead of being a directory.

Or all winbind products need to be correctly configured (at compile time?)
to use /run/samba/winbindd_privileged and then remove the
/var/lib/samba/winbindd_privileged directory.

Or something else of your choosing.

Jim.


-- System Information:
Debian Release: jessie/sid
   APT prefers testing
   APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages winbind depends on:
ii  libbsd0             0.6.0-2
ii  libc6               2.19-4
ii  libcomerr2          1.42.10-1.1
ii  libkrb5-26-heimdal  1.6~rc2+dfsg-7
ii  libldap-2.4-2       2.4.39-1
ii  libpopt0            1.16-8
ii  libtalloc2          2.1.1-1
ii  libtdb1             1.3.0-1.1
ii  libtevent0          0.9.21-1
ii  libwbclient0        2:4.1.9+dfsg-1
ii  multiarch-support   2.19-4
ii  samba               2:4.1.9+dfsg-1
ii  samba-libs          2:4.1.9+dfsg-1

winbind recommends no packages.

Versions of packages winbind suggests:
ii  libnss-winbind  2:4.1.9+dfsg-1
ii  libpam-winbind  2:4.1.9+dfsg-1

-- no debconf information
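
The check described in the report above, as an added shell example that is not part of the original message or of the Samba packaging: for each candidate directory it tests whether the `pipe` socket is there and whether the directory is `drwxr-x---` with the expected group. The function names are hypothetical; the directory paths and the `winbindd_priv` group in the usage comment are the ones from the report.

```shell
#!/bin/sh
# Added example: find which winbindd_privileged directory really holds the
# socket and whether helper accounts in the expected group can reach it.

# has_pipe DIR: true only if DIR/pipe exists and is a UNIX socket.
has_pipe() {
    [ -S "$1/pipe" ]
}

# dir_access_ok DIR GROUP: true only if DIR is listed as drwxr-x--- and is
# group-owned by GROUP. Parses the same `ls -ld` format shown in the report;
# substr() drops a trailing ACL/SELinux marker such as '+' or '.'.
dir_access_ok() {
    line=$(ls -ld -- "$1" 2>/dev/null) || return 1
    mode=$(printf '%s\n' "$line" | awk '{print substr($1, 1, 10)}')
    group=$(printf '%s\n' "$line" | awk '{print $4}')
    [ "$mode" = "drwxr-x---" ] && [ "$group" = "$2" ]
}

# audit_priv_dirs GROUP DIR...: report on every candidate directory.
# Succeeds only if some directory holds the socket AND has the expected
# mode and group, i.e. the state the report reached after its fix.
audit_priv_dirs() {
    want=$1; shift
    rc=1
    for d in "$@"; do
        if ! has_pipe "$d"; then
            echo "$d: no 'pipe' socket here"
        elif dir_access_ok "$d" "$want"; then
            echo "$d: socket present, directory is drwxr-x--- group $want"
            rc=0
        else
            echo "$d: socket present, but directory is not drwxr-x--- group $want"
        fi
    done
    return $rc
}

# Usage with the values from the report (run as root so both paths are readable):
#   sh check.sh winbindd_priv /run/samba/winbindd_privileged \
#       /var/lib/samba/winbindd_privileged
if [ "$#" -gt 0 ]; then
    audit_priv_dirs "$@"
fi
```

A non-zero exit status means no candidate directory is both the socket's location and reachable through the group, which is the failing state the report describes before the group was corrected.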


