I have Debian 8 Jessie with Samba configured as AD member server.
Samba+Winbind works perfectly: I can create shares and assign rights for AD users; getent passwd shows both local and AD users, etc.
Some additional checks like:
- net testjoin
- klist and klist -k /etc/krb5.keytab
- wbinfo -t
- wbinfo -a mydomain\myuser%mypasswd
- wbinfo -u
- /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
all succeed.
Auth config in squid.conf (only the lines related to the question):
...
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 16 startup=5 idle=5
...
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers
http_access deny all
...
I also added user proxy to winbindd_priv group (as mentioned here):
gpasswd -a proxy winbindd_priv
After restarting Squid I get a dialog asking for username and password in the browser (any browser).
When I set
cache_effective_group root
ntlm_auth works fine: no username and password dialog boxes, the username is obtained automatically and displayed in access.log.
Auth does not work when I remove cache_effective_group.
It seems like ntlm_auth cannot connect to Winbind via the privileged pipe when the effective group is not root.
I tried a few things:
- change group ownership of /var/run/samba/winbind_privileged to proxy
- change permission of /var/run/samba/winbind_privileged to allow access to any user
- set cache_effective_group explicitly to winbindd_priv (and check it in process list)
- completely change group membership of proxy user to winbindd_priv
Nothing helped.
Only "cache_effective_group root" helps.
It is not a good idea for me to use the root group for Squid.
What else should I check to run it as an unprivileged user?
Best Answer
I have found an answer by myself:
The real place for Winbind privileged pipe is /var/lib/samba/winbindd_privileged (NOT /var/run/samba/winbind_privileged)
In Jessie it is owned by root:root with permissions 0750.
I've changed ownership:
Now everything works fine without "cache_effective_group".
PS. Finally, there is a bug reported in 2014 :) https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754339 that has not been fixed yet.
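Added here as an example (not the poster's own script): a shell check, run on the proxy host, that inspects the directory the answer identifies and reports whether the group Squid's helper runs as can traverse it. It assumes GNU stat (Debian coreutils); the path and group name come from the thread, and the suggested fix line follows the Samba documentation's recommendation for that directory.

```shell
#!/bin/sh
# Added check, not from the original post: verify that the directory holding
# winbindd's privileged pipe is reachable by the group Squid's helper runs as.
# Assumes GNU stat (Debian coreutils); path and group names come from the thread.
PRIV_DIR=/var/lib/samba/winbindd_privileged   # real location per the answer
HELPER_GROUP=winbindd_priv                     # group the proxy user was added to

# winbind_priv_dir_ok DIR GROUP
# Returns 0 when a process whose effective group is GROUP can search DIR
# (required to connect to the socket inside it), 1 otherwise, with a diagnostic.
winbind_priv_dir_ok() {
    dir=$1
    helper_group=$2
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    set -- $(stat -c '%U %G %a' "$dir")          # owner group mode
    owner=$1; group=$2; mode=$3
    perm=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')   # last three octal digits
    dec=$(printf '%d' "0$perm")                              # octal -> decimal
    others_x=$(( dec & 1 ))
    group_x=$(( (dec >> 3) & 1 ))
    if [ "$others_x" -eq 1 ]; then
        echo "$dir is world-searchable ($owner:$group $perm): any local user can reach the pipe"
        return 0
    fi
    if [ "$group_x" -eq 1 ] && [ "$group" = "$helper_group" ]; then
        echo "$dir is $owner:$group $perm: members of $helper_group can reach the pipe"
        return 0
    fi
    echo "$dir is $owner:$group $perm: group $helper_group cannot search it"
    echo "fix: chgrp $helper_group $dir && chmod 0750 $dir"
    return 1
}

# Run the check against the real directory when executed on the proxy host.
if [ -d "$PRIV_DIR" ]; then
    winbind_priv_dir_ok "$PRIV_DIR" "$HELPER_GROUP" \
        && echo "ntlm_auth can use the privileged pipe without cache_effective_group root" \
        || echo "ntlm_auth cannot use the privileged pipe; expect browser auth prompts"
fi
```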