Red Hat Bugzilla – Bug 252197
Squid NTLM authentication fails due to incorrect default for cache_effective_group
Last modified: 2016-07-26 19:46:30 EDT
Description of problem: Squid NTLM authentication doesn't work. Users with valid credentials fail to authenticate. The following error is logged to cache.log: Login for user [domain]\[user]@[workstation] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly.] The problem can be traced to the following. NTLM authentication helper ntlm_auth (from samba-common package) runs as squid user. It needs access to winbind privileged pipe at /var/lib/samba/winbindd_privileged. Access to this path is allowed to wbpriv group memebers only. Squid user is a member of this group, however, when squid process drops root privileges and becomes squid user, the user's supplementary groups are not initialized. Why supplementary groups are not initialized: squid only does it when cache_effective_group config parameter is not given. In squid's default configuration this parameter is not set and has no default. However, Fedora's patch squid-2.5.STABLE11-config.patch makes squid group the default value. Once the default value is set, there's no way to unset it. Thus squid is always running as squid group member, with no supplementary groups. And failing to enable wbpriv supplementary group membership causes NTLM auth to fail. Version-Release number of selected component (if applicable): squid-2.6.STABLE13-1.fc7 samba-common-3.0.25b-2.fc7 How reproducible: Always Steps to Reproduce: 1. Configure squid to use NTLM authentication. Have the following in squid.conf: auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 10 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes auth_param ntlm use_ntlm_negotiate on Only the first line is important here. 2. Configure squid to require NTLM auth. Have the following in squid.conf: acl auth proxy_auth REQUIRED http_access allow auth 3. Install and configure samba. Join the computer to a Windows domain. Start winbind. 4. Configure Internet Explorer to use squid as its proxy. Open any site. Actual results: Internet explorer shows login/password dialog. If the user enters his/her valid Windows credentials, the same dialog appears again. The following error is logged to cache.log: Login for user [domain]\[user]@[workstation] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly.] Expected results: Authentication proceeds transparently and the browser opens the web site without asking for credentials. Additional info: 1. Modifying the squid-2.5.STABLE11-config.patch patch so that cache_effective_group defaults to none (as in the original squid distribution) solves the problem. 2. Make sure to disable SELinux or have selinux-policy 2.6.4-34 or later, otherwise SELinux bug prevents squid from starting NTLM auth helpers altogether.
There is a workaround available for systems using ACL: setfacl -m u:squid:rx /var/lib/samba/winbindd_privileged
Will be fixed in squid-3.0.STABLE2-1.fc9
squid-2.6.STABLE17-2.fc8 has been submitted as an update for Fedora 8
squid-2.6.STABLE16-3.fc7 has been submitted as an update for Fedora 7
Correction: this is already fixed in squid-3.0.STABLE1-3.fc9
squid-2.6.STABLE17-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
squid-2.6.STABLE16-3.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Installed squid-2.6.STABLE16-4.fc7 on Fedora 7, the issue is fixed. Thank you!
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists. Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs: http://docs.fedoraproject.org/release-notes/ The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping