From: Grigory Batalov <grisxa@mail.ru>
To: sisyphus@altlinux.ru
Subject: Re: [sisyphus] Re: I: new samba3 build
Date: Tue, 29 Apr 2003 08:30:43 +0400
Message-ID: <20030429083043.0591a12d.grisxa@mail.ru> (raw)
In-Reply-To: <20030428132431.GC15082@sam-solutions.net>
On Mon, 28 Apr 2003 16:24:31 +0300
Alexander Bokovoy <a.bokovoy@sam-solutions.net> wrote:
> > auth_param ntlm program /usr/bin/ntlm_auth -d 31 --helper-protocol=squid-2.5-ntlmssp
> >
> > На попытку аутентифицироваться в логах было неизменное
> > NT_..._ACCESS_DENIED. Если надо, процитирую подробнее.
> Включите пользователя, под которым Сквид запускает ntlm_auth в группу
> winbind. С марта месяца несколько ужесточились права доступа к
> привилегированной pipe в winbindd.
А та pipe, что в tmp, не привилегированная? У меня так:
$ ls -l /tmp/.winbindd/pipe
srwxrwxrwx 1 root root 0 Апр 29 08:16 /tmp/.winbindd/pipe
Включил squid в группу winbind, аутентификация всё равно
не проходит:
[2003/04/29 08:22:17, 10] utils/ntlm_auth.c:manage_squid_request(376)
Got 'KK TlRMTVNTUAADAAAAGAAYAE0AAAAYABgAZQAAAAgACABAAAAAAwADAEgAAAACAAIASwAAAAAAAAB9AAAABgIAIFVQUkFWX05UTElOREL518+tygpBALVmX8
0afRrjnhfOSCEE24cnVabkho83PBRuf2k5jUjlg8xhqu/07j4=' from squid (length: 171).
[2003/04/29 08:22:17, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(298)
got NTLMSSP packet:
[2003/04/29 08:22:17, 10] lib/util.c:dump_data(1886)
[000] 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 NTLMSSP. ........
[010] 4D 00 00 00 18 00 18 00 65 00 00 00 08 00 08 00 M....... e.......
[020] 40 00 00 00 03 00 03 00 48 00 00 00 02 00 02 00 @....... H.......
[030] 4B 00 00 00 00 00 00 00 7D 00 00 00 06 02 00 20 K....... }......
[040] 55 50 52 41 56 5F 4E 54 4C 49 4E 44 42 F9 D7 CF UPRAV_NT LINDB...
[050] AD CA 0A 41 00 B5 66 5F CD 1A 7D 1A E3 9E 17 CE ...A..f_ ..}.....
[060] 48 21 04 DB 87 27 55 A6 E4 86 8F 37 3C 14 6E 7F H!...'U. ...7<.n.
[070] 69 39 8D 48 E5 83 CC 61 AA EF F4 EE 3E 00 i9.H...a ....>.
[2003/04/29 08:22:17, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(284)
Got user=[LIN] domain=[UPRAV_NT] workstation=[DB] len1=24 len2=24
[2003/04/29 08:22:17, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(311)
NTLMSSP NT_STATUS_ACCESS_DENIED
При проверке /usr/lib/squid/wb_ntlmauth появляется следующее:
(wb_ntlmauth)[28789](wb_ntlm_auth.c:292): Got 'YR' from squid.
(wb_ntlmauth)[28789](wb_ntlm_auth.c:72): sending 'TT TlRMTVNTUAACAAAACAAIACgAAACCgkEA5mVbiSOCxXMAAAAAAAAAAFVQUkFWX05U' to squid
(wb_ntlmauth)[28789](wb_ntlm_auth.c:292): Got 'KK TlRMTVNTUAADAAAAGAAYAE0AAAAYABgAZQAAAAgACABAAAAAAwADAEgAAAACAAIASwAAAAAAAAB9AAAABoIAAFVQUkFWX05UTElOREK90E/NQvldWG/XiAdYS3Oi4gW9rZKZB+VCCuPz1IfggqX0Q+eDFUuGxG/f89u5TgP=' from squid.
(wb_ntlmauth)[28789](wb_ntlm_auth.c:240): Checking user 'UPRAV_NT\LIN' lmhash len =24, have_nthash=0, nthash len=24
(wb_ntlmauth)[28789](wb_ntlm_auth.c:246): winbindd result: 0
(wb_ntlmauth)[28789](wb_ntlm_auth.c:60): sending 'NA UPRAV_NT\LIN auth failure because: Authentication Failure (winbind client not authorized to use winbindd_pam_auth_crap)' to squid
Т.е. всё-таки недостаточно прав?
--
Григорий Баталов,
группа техподдержки
ОАО "Ковдорский ГОК"
next prev parent reply other threads:[~2003-04-29 4:30 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-04-25 16:40 [sisyphus] " Alexander Bokovoy
2003-04-28 13:06 ` [sisyphus] " Grigory Batalov
2003-04-28 13:24 ` Alexander Bokovoy
2003-04-29 4:30 ` Grigory Batalov [this message]
2003-04-29 9:01 ` Alexander Bokovoy
2003-04-29 10:44 ` Grigory Batalov
2003-04-29 12:20 ` Alexander Bokovoy
2003-04-29 13:28 ` [sisyphus] " Grigory Batalov
2003-04-29 13:38 ` Alexander Bokovoy
2003-04-29 13:38 ` [sisyphus] wbinfo -g | -u (was: I: new samba3 build) Grigory Batalov
2003-04-29 14:14 ` Alexander Bokovoy
2003-04-30 5:19 ` Grigory Batalov
2003-04-30 7:10 ` Alexander Bokovoy
2003-04-30 7:57 ` Grigory Batalov
2003-04-30 9:41 ` Alexander Bokovoy
2003-04-30 11:55 ` [sisyphus] failed to parse NTLMSSP " Grigory Batalov
2003-04-30 12:45 ` Alexander Bokovoy
2003-04-30 15:08 ` [sisyphus] Kernel Alexander Blagin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030429083043.0591a12d.grisxa@mail.ru \
--to=grisxa@mail.ru \
--cc=sisyphus@altlinux.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
ALT Linux Sisyphus discussions
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/sisyphus/0 sisyphus/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 sisyphus sisyphus/ http://lore.altlinux.org/sisyphus \
sisyphus@altlinux.ru sisyphus@altlinux.org sisyphus@lists.altlinux.org sisyphus@lists.altlinux.ru sisyphus@lists.altlinux.com sisyphus@linuxteam.iplabs.ru sisyphus@list.linux-os.ru
public-inbox-index sisyphus
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.sisyphus
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git