Bug 252197 - Squid NTLM authentication fails due to incorrect default for cache_effective_group
Squid NTLM authentication fails due to incorrect default for cache_effective_...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: squid (Show other bugs)
7
All Linux
low Severity low
: ---
: ---
Assigned To: Martin Nagy
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-08-14 13:52 EDT by Leonid Zeitlin
Modified: 2016-07-26 19:46 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-14 12:58:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Leonid Zeitlin 2007-08-14 13:52:36 EDT
Description of problem:
Squid NTLM authentication doesn't work. Users with valid credentials fail to 
authenticate. The following error is logged to cache.log:

Login for user [domain]\[user]@[workstation] failed due to [winbind client not 
authorized to use winbindd_pam_auth_crap. Ensure permissions 
on /var/lib/samba/winbindd_privileged are set correctly.]

The problem can be traced to the following. NTLM authentication helper 
ntlm_auth (from samba-common package) runs as squid user. It needs access to 
winbind privileged pipe at /var/lib/samba/winbindd_privileged. Access to this 
path is allowed to wbpriv group memebers only. Squid user is a member of this 
group, however, when squid process drops root privileges and becomes squid 
user, the user's supplementary groups are not initialized.

Why supplementary groups are not initialized: squid only does it when 
cache_effective_group config parameter is not given. In squid's default 
configuration this parameter is not set and has no default. However, Fedora's 
patch squid-2.5.STABLE11-config.patch makes squid group the default value. Once 
the default value is set, there's no way to unset it. Thus squid is always 
running as squid group member, with no supplementary groups. And failing to 
enable wbpriv supplementary group membership causes NTLM auth to fail.

Version-Release number of selected component (if applicable):
squid-2.6.STABLE13-1.fc7
samba-common-3.0.25b-2.fc7

How reproducible:
Always

Steps to Reproduce:
1. Configure squid to use NTLM authentication. Have the following in squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on

Only the first line is important here.

2. Configure squid to require NTLM auth. Have the following in squid.conf:
acl auth proxy_auth REQUIRED
http_access allow auth 

3. Install and configure samba. Join the computer to a Windows domain. Start 
winbind.

4. Configure Internet Explorer to use squid as its proxy. Open any site.
  
Actual results:
Internet explorer shows login/password dialog. If the user enters his/her valid 
Windows credentials, the same dialog appears again. The following error is 
logged to cache.log:

Login for user [domain]\[user]@[workstation] failed due to [winbind client not 
authorized to use winbindd_pam_auth_crap. Ensure permissions 
on /var/lib/samba/winbindd_privileged are set correctly.]


Expected results:
Authentication proceeds transparently and the browser opens the web site 
without asking for credentials.

Additional info:
1. Modifying the squid-2.5.STABLE11-config.patch patch so that 
cache_effective_group defaults to none (as in the original squid distribution) 
solves the problem.
2. Make sure to disable SELinux or have selinux-policy 2.6.4-34 or later, 
otherwise SELinux bug prevents squid from starting NTLM auth helpers altogether.
Comment 1 Konstantin Zemlyak 2007-09-26 05:56:35 EDT
There is a workaround available for systems using ACL:

setfacl -m u:squid:rx /var/lib/samba/winbindd_privileged
Comment 2 Martin Nagy 2008-03-13 10:40:54 EDT
Will be fixed in squid-3.0.STABLE2-1.fc9
Comment 3 Fedora Update System 2008-03-13 10:42:59 EDT
squid-2.6.STABLE17-2.fc8 has been submitted as an update for Fedora 8
Comment 4 Fedora Update System 2008-03-13 10:43:47 EDT
squid-2.6.STABLE16-3.fc7 has been submitted as an update for Fedora 7
Comment 5 Martin Nagy 2008-03-13 10:45:13 EDT
Correction: this is already fixed in squid-3.0.STABLE1-3.fc9
Comment 6 Fedora Update System 2008-03-16 15:28:07 EDT
squid-2.6.STABLE17-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2008-03-16 15:28:52 EDT
squid-2.6.STABLE16-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Leonid Zeitlin 2008-04-02 11:55:14 EDT
Installed squid-2.6.STABLE16-4.fc7 on Fedora 7, the issue is fixed. Thank you!
Comment 9 Bug Zapper 2008-05-14 09:59:05 EDT
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists.

Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs:
http://docs.fedoraproject.org/release-notes/

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.