[plug] winbind not working with squid

Bennett, Phillip Phillip.Bennett at bestroads.com.au
Tue Aug 30 10:46:58 WST 2005


Hi everyone,

Sorry in advance for the long post.  I just wanted to include all the
info I might need.  :)

I have been using Mandrake 2005 for the past 72 days with no trouble.
My server is a Dell P-III with 512MB RAM running postfix, ntp, named,
spamassassin, squid and samba.  This is mostly (but not completely)
managed by webmin.

Yesterday, I noticed it was low on memory and did a full service restart
to see if I could free anything up... I have done this before and
thought nothing of it.  However, it soon became apparent that squid
wouldn't give anyone any web pages.  It kept asking for a password to
access the cache.

After several hours of looking at logs, I have found that winbind is
suddenly not working anymore.  As far as I know, nothing had changed
between the service restarts...

Fortunately, I have a second box with roughly the same software
installed with which to do some experimenting.  I tried installing
winbind to see if I could replicate the error.  Unfortunately, it looks
exactly the same for this machine.  I don't know what has changed, and I
can't think what could possibly have gone wrong.

So far, I have installed and configured winbind.  wbinfo -t, -u and -g
all work fine.  I can even use samba to browse the shares on the server
with the correct permissions.

Here are the errors from the squid log file and /var/log/messages: 

/var/log/messages: 
Aug 30 10:03:31 brgsvr03 (ntlm_auth): [2005/08/30 10:03:31, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
Aug 30 10:03:31 brgsvr03 (ntlm_auth):   NTLMSSP BH: NT_STATUS_ACCESS_DENIED
Aug 30 10:03:31 brgsvr03 (ntlm_auth): [2005/08/30 10:03:31, 0] utils/ntlm_auth.c:winbind_pw_check(427)
Aug 30 10:03:31 brgsvr03 (ntlm_auth):   Login for user [BESTROADS]\[BENNETTP]@[BRGWS016] failed due to [winbind client not authorized to use winbindd_pam_auth_crap.  Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.]
Aug 30 10:03:31 brgsvr03 (ntlm_auth): [2005/08/30 10:03:31, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
Aug 30 10:03:31 brgsvr03 (ntlm_auth):   NTLMSSP BH: NT_STATUS_ACCESS_DENIED

I have no idea what the permissions _should_ be on
/var/cache/samba/winbindd_privileged, but I uninstalled (urpme) winbind,
then deleted this directory, then re-installed it.  It has re-created it
itself, so I have _not_ changed any permissions.

The relevant auth lines from /etc/squid/squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off

And here is the log from squid: 
1125367404.038      0 192.168.1.116 TCP_DENIED/407 1691 GET http://www.ii.net/ - NONE/- text/html
1125367404.094      2 192.168.1.116 TCP_DENIED/407 1761 GET http://www.ii.net/ - NONE/- text/html
1125367404.097      2 192.168.1.116 TCP_DENIED/407 1691 GET http://www.ii.net/ - NONE/- text/html

I have used Google/Linux, but there is very little in reference to these
errors.  Everything just assumes that winbind will work fine if wbinfo
gives good results.  The only page I could find that looked right was
the exact same error I had, but on an Arabic-fonted mailing list.

Any help would be appreciated.

Thanks,
Phil.


Phillip Bennett

IT Support
Works Scheduler
Best Roads Group
Perth, WA
Ph. (08) 9248 9095
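
The log above points at access to /var/cache/samba/winbindd_privileged. As an added example (not part of the original post), the script below checks whether the account the ntlm_auth helper runs as can enter that directory while it stays closed to other users, which is what the ntlm_auth manual page asks for. The account name "squid", the function names and the use of GNU stat are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post.
# Assumed: the Squid helper runs as "squid"; GNU stat is available.

# Pure decision logic: octal mode, owner, group, helper user, helper's groups.
# Returns 0 = helper can enter, 1 = helper locked out, 2 = world-accessible.
priv_dir_verdict() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    perms="000$mode"; perms=${perms#"${perms%???}"}   # last three octal digits
    u=${perms%??}; o=${perms#??}; g=${perms#?}; g=${g%?}
    if [ "$o" -ne 0 ]; then
        echo "world-accessible ($mode): not restricted to the helper's group"
        return 2
    fi
    if [ "$user" = "$owner" ]; then
        bits=$u
    else
        case " $user_groups " in
            *" $group "*) bits=$g ;;   # helper is a member of the owning group
            *) bits=0 ;;               # falls under "other", which is closed
        esac
    fi
    if [ $((bits & 1)) -eq 1 ]; then   # search (x) bit lets the helper reach the pipe
        echo "ok: $user can enter the directory ($mode $owner:$group)"
        return 0
    fi
    echo "denied: $user cannot enter the directory ($mode $owner:$group)"
    return 1
}

# Reads the real mode/owner/group and the helper's group list, then decides.
audit_priv_dir() {
    dir=$1 helper=$2
    st=$(stat -c '%a %U %G' "$dir") || return 3
    set -- $st
    priv_dir_verdict "$1" "$2" "$3" "$helper" "$(id -Gn "$helper")"
}

PRIV_DIR=${PRIV_DIR:-/var/cache/samba/winbindd_privileged}
if [ -d "$PRIV_DIR" ]; then
    audit_priv_dir "$PRIV_DIR" "${HELPER_USER:-squid}" || true
fi
```

Run it as root on the proxy host; a "denied" result matches the NT_STATUS_ACCESS_DENIED lines in the log above.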


