Re: [squid-users] Samba 3-ntlm_auth, Squid-2.5Stable4 and W2K3 Authentication options

From: Dave Augustus <[email protected]>
Date: 21 Nov 2003 07:26:21 -0600

Hello Henrik,

Ah ha! This is getting narrowed down.

I was puzzled as to why squid didn't crash during my latest attempts at
this project.

Your response to my made me wonder...

On Thu, 2003-11-20 at 19:06, Henrik Nordstrom wrote:
> On 20 Nov 2003, Dave Augustus wrote:
>
> > On the browser side, I got prompted for the username/password/domain but
> > always got denied after 3 times. Winbind log said:
> >
> > [2003/11/20 16:46:27, 2]
> > nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(222)
> > winbindd_pam_auth_crap: non-privileged access denied!
>
> I think this means you have not given Squid permission to use the
> privileged winbind pipe. This privileged pipe is only needed for NTLM
> authentication. The best way to set up such permissions is to create a
> UNIX group for the purpose, and assign the system users who should be
> allowed to talk directly to the privileged parts of winbind to this group.
>
> The Samba people thinks the low-level communication method used for NTLM
> authentication is too sensitive for the domain to allow any local
> application access to the function.
>
> Regards
> Henrik

You see, I had *done* this is the past, only this current build, I
forgot to change the permissions on /var/cache/samba/winbindd_privileged
to chown root.squid with 750 as the permissions. The only thing that was
strange was that squid didn't crash, it just refused access to the end
user.

This morning, I checked it and it was root.root and 750. Which *of
course* squid can't use. So I did chown root.squid and then tested again
and this time squid aborted!

OK, So now I set the number of ntlm_auth children to 1 so I can use
strace -p to see what is happening with that single process.

I restart squid, open my browser, hit google.com and squid crashes.
Geeeezzz, well at least this is consistent with what I saw previously.

And ntlm_auth provides the following output as it dies:

root@caleb /var/cache/samba> strace -p 1987
read(0,

"YR\n", 4096) = 3
time(NULL) = 1069420262
geteuid32() = 81
write(2, "[2003/11/21 07:11:02, 10] utils/"..., 71) = 71
geteuid32() = 81
write(2, " Got \'YR\' from squid (length: 2"..., 35) = 35
time(NULL) = 1069420262
geteuid32() = 81
write(2, "[2003/11/21 07:11:02, 10] utils/"..., 78) = 78
geteuid32() = 81
write(2, " got NTLMSSP packet:\n", 22) = 22
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 3
read(3, "\341\337\313,\332<\3\4", 8) = 8
uname({sys="Linux", node="caleb", ...}) = 0
gettimeofday({1069420262, 921369}, NULL) = 0
getpid() = 1987
open("/etc/resolv.conf", O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=71, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x4045f000
read(4, "search localdomain\n\nnameserver 6"..., 4096) = 71
read(4, "", 4096) = 0
close(4) = 0
munmap(0x4045f000, 4096) = 0
socket(PF_UNIX, SOCK_STREAM, 0) = 4
connect(4, {sa_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1
ENOENT (No such file or directory)
close(4) = 0
open("/etc/nsswitch.conf", O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=1712, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x4045f000
read(4, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1712
read(4, "", 4096) = 0
close(4) = 0
munmap(0x4045f000, 4096) = 0
open("/etc/ld.so.cache", O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=16384, ...}) = 0
old_mmap(NULL, 16384, PROT_READ, MAP_PRIVATE, 4, 0) = 0x4045f000
close(4) = 0
open("/lib/libnss_files.so.2", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\35\0"...,
512) = 512
fstat64(4, {st_mode=S_IFREG|0755, st_size=52472, ...}) = 0
old_mmap(NULL, 47068, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =
0x40463000
old_mmap(0x4046e000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
4, 0xa000) = 0x4046e000
close(4) = 0
munmap(0x4045f000, 16384) = 0
open("/etc/host.conf", O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=17, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x4045f000
read(4, "order hosts,bind\n", 4096) = 17
read(4, "", 4096) = 0
close(4) = 0
munmap(0x4045f000, 4096) = 0
open("/etc/hosts", O_RDONLY) = 4
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
fstat64(4, {st_mode=S_IFREG|0644, st_size=329, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x4045f000
read(4, "# Do not remove the following li"..., 4096) = 329
close(4) = 0
munmap(0x4045f000, 4096) = 0
uname({sys="Linux", node="caleb", ...}) = 0
write(1, "TT TlRMTVNTUAACAAAAAAAAADAAAAACA"..., 68) = 68
time(NULL) = 1069420262
geteuid32() = 81
write(2, "[2003/11/21 07:11:02, 10] utils/"..., 78) = 78
geteuid32() = 81
write(2, " NTLMSSP challenge\n", 20) = 20
read(0, "KK TlRMTVNTUAADAAAAGAAYAFIAAAAYA"..., 4096) = 180
time(NULL) = 1069420262
geteuid32() = 81
write(2, "[2003/11/21 07:11:02, 10] utils/"..., 71) = 71
geteuid32() = 81
write(2, " Got \'KK TlRMTVNTUAADAAAAGAAYAF"..., 214) = 214
time(NULL) = 1069420263
geteuid32() = 81
write(2, "[2003/11/21 07:11:03, 10] utils/"..., 78) = 78
geteuid32() = 81
write(2, " got NTLMSSP packet:\n", 22) = 22
time(NULL) = 1069420263
geteuid32() = 81
write(2, "[2003/11/21 07:11:03, 10] lib/ut"..., 53) = 53
geteuid32() = 81
write(2, " [000] 4E 54 4C 4D 53 53 50 00 "..., 76) = 76
geteuid32() = 81
write(2, " [010] 52 00 00 00 18 00 18 00 "..., 76) = 76
geteuid32() = 81
write(2, " [020] 40 00 00 00 06 00 06 00 "..., 76) = 76
geteuid32() = 81
write(2, " [030] 4A 00 00 00 00 00 00 00 "..., 76) = 76
geteuid32() = 81
write(2, " [040] 42 55 47 53 53 55 52 46 "..., 76) = 76
geteuid32() = 81
write(2, " [050] 39 38 9E DE 60 1C C6 CC "..., 76) = 76
geteuid32() = 81
write(2, " [060] B8 44 EB 35 C1 75 17 AB "..., 76) = 76
geteuid32() = 81
write(2, " [070] 9B 40 20 D3 86 56 08 12 "..., 76) = 76
geteuid32() = 81
write(2, " [080] 19 3A 40 "..., 63) = 63
time(NULL) = 1069420263
geteuid32() = 81
write(2, "[2003/11/21 07:11:03, 3] libsmb/"..., 67) = 67
geteuid32() = 81
write(2, " Got user=[SURFER] domain=[BUGS"..., 73) = 73
getpid() = 1987
getpid() = 1987
getpid() = 1987
lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/tmp/.winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...})
= 0
socket(PF_UNIX, SOCK_STREAM, 0) = 4
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sa_family=AF_UNIX, path="/tmp/.winbindd/pipe"}, 110) = 0
getpid() = 1987
getpid() = 1987
select(5, [4], NULL, NULL, {0, 0}) = 0 (Timeout)
write(4, " \6\0\0\0\0\0\0\303\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
1568) = 1568
read(4, "\24\5\0\0\1\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
1300) = 1300
getpid() = 1987
getpid() = 1987
select(5, [4], NULL, NULL, {0, 0}) = 0 (Timeout)
write(4, " \6\0\0(\0\0\0\303\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
1568) = 1568
read(4, "9\5\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
1300) = 1300
read(4, "/var/cache/samba/winbindd_privil"..., 37) = 37
lstat64("/var/cache/samba/winbindd_privileged", {st_mode=S_IFDIR|0750,
st_size=4096, ...}) = 0
lstat64("/var/cache/samba/winbindd_privileged/pipe",
{st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
socket(PF_UNIX, SOCK_STREAM, 0) = 5
fcntl64(5, F_GETFD) = 0
fcntl64(5, F_SETFD, FD_CLOEXEC) = 0
connect(5, {sa_family=AF_UNIX,
path="/var/cache/samba/winbindd_privileged/pipe"}, 110) = 0
close(4) = 0
select(6, [5], NULL, NULL, {0, 0}) = 0 (Timeout)
write(5, " \6\0\0\r\0\0\0\303\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
1568) = 1568
read(5, "\24\5\0\0\1\0\0\0\0\0\0\0NT_STATUS_OK\0\0\0\0\0\0\0\0"...,
1300) = 1300
--- SIGSEGV (Segmentation fault) @ 0 (0) ---

Sorry for these lengthy posts but I figure the more details we can
document the easier it will be to fix.

Thanks Again,

Dave Augustus
Received on Fri Nov 21 2003 - 06:26:23 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:21:32 MST