NTLM Group ACLs fail during upgrade from Squid-2.5 to Squid-2.6

Synopsis

An upgrade from Squid-2.5 to Squid-2.6 (and possibly an underlying upgrade of Samba/Winbind in the process) breaks NTLM group authentication. NTLM user authentication still succeeds normally.

Symptoms

  • wbinfo returns valid information, e.g. "wbinfo -t" reports that the trust secret check succeeded, and "wbinfo -u" and "wbinfo -g" return the user and group lists respectively;
  • Squid can authenticate users via NTLM fine;
  • cache.log contains messages similar to "Could not convert sid S-1-5-21-466765145-1792897056-1845911597-1995 to gid"

Explanation

Group ACLs for NTLM are implemented by the external ACL helper "wbinfo_group.pl", which maps a user name plus group name to a true or false result; Squid then uses that result in the ACL. "wbinfo_group.pl" internally runs the command line program "wbinfo" to perform the lookups. If "wbinfo" cannot map the user or group SID to a group id (gid), every lookup returns failure/false and Squid denies access.

Repairing

At least one report of this issue was solved by deleting a corrupted "winbindd_idmap.tdb" file in /var/db/samba. The steps taken to resolve the issue were:

  • Verify Kerberos is working fine:
    • kinit <user@DOMAIN>
    • klist; which should show a valid certificate
  • Verify winbind can authenticate to the Active Directory service fine:
    • wbinfo -t should display "checking the trust secret via RPC calls succeeded"
    • wbinfo -u should list all users
    • wbinfo -g should list all groups
  • Stop Squid, Samba, Winbindd
  • Delete the winbindd_idmap.tdb file
  • Ensure time synchronisation to the Active Directory server is set up and running correctly
  • Rejoin the domain via "net ads join -U <user@DOMAIN>"
  • Restart Samba/Winbind/Squid

To verify, use:

  • wbinfo -n <name or group>; which will attempt to map the given user or group name to an SID.
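The following POSIX shell script is an added diagnostic for the failure described on this page; it is not part of the Squid project or of the original report. It extracts the SIDs that winbind could not map to a gid from cache.log (exercised here against constructed sample log lines, one of which reuses the SID quoted above and one of which is made up), interprets "wbinfo -t" output, and, only when wbinfo is installed, repeats the lookup chain wbinfo_group.pl depends on: "wbinfo -n" to turn a group name into its SID, then "wbinfo -Y" to ask winbind for the gid. The group name passed as the first argument (default "Domain Users") and the sample log path are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic for the "Could not convert sid ... to gid" failure.
# Constructed sample cache.log (not captured from a real system) so the
# log-parsing part runs without Squid or winbind present.
SAMPLE_LOG="${TMPDIR:-/tmp}/squid-ntlm-group-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
2008/05/18 10:00:01| helperOpenServers: Starting 5 'wbinfo_group.pl' processes
2008/05/18 10:00:05| Could not convert sid S-1-5-21-466765145-1792897056-1845911597-1995 to gid
2008/05/18 10:00:05| Could not convert sid S-1-5-21-466765145-1792897056-1845911597-1995 to gid
2008/05/18 10:00:07| Could not convert sid S-1-5-21-466765145-1792897056-1845911597-512 to gid
2008/05/18 10:00:09| TCP_DENIED/407 for 10.0.0.5 GET http://example.test/
EOF

# Print each distinct SID that winbind failed to map to a gid, one per line.
# Exit status 0 when at least one such failure was logged, 1 otherwise.
sids_failing_gid_map() {
    sed -n 's/.*Could not convert sid \(S-[0-9-]*\) to gid.*/\1/p' "$1" | sort -u
    if grep -q 'Could not convert sid .* to gid' "$1"; then
        return 0
    else
        return 1
    fi
}

# Number of distinct failing SIDs, handy for scripts and assertions.
count_failing_sids() {
    sids_failing_gid_map "$1" | wc -l | tr -d ' '
}

# Interpret the text printed by "wbinfo -t": 0 if the trust check succeeded.
trust_ok() {
    case "$1" in
        *succeeded*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Live check (needs wbinfo): group name -> SID via "wbinfo -n", then
# SID -> gid via "wbinfo -Y". A failure in the second step is exactly the
# mapping wbinfo_group.pl relies on and is what produces the cache.log message.
group_gid_resolves() {
    sid=$(wbinfo -n "$1" 2>/dev/null | awk '{print $1}') || return 1
    [ -n "$sid" ] || return 1
    wbinfo -Y "$sid" >/dev/null 2>&1
}

main() {
    echo "== cache.log: SIDs winbind could not map to a gid =="
    if sids_failing_gid_map "$SAMPLE_LOG"; then
        echo "group ACL lookups for these SIDs return ERR, so Squid denies access"
    else
        echo "no SID-to-gid failures logged"
    fi

    if command -v wbinfo >/dev/null 2>&1; then
        echo "== live winbind checks =="
        out=$(wbinfo -t 2>&1)
        trust_ok "$out" && echo "trust secret: OK" || echo "trust secret: FAILED ($out)"
        group_gid_resolves "${1:-Domain Users}" && echo "group maps to a gid: OK" \
            || echo "group does not map to a gid: suspect winbindd_idmap.tdb or the domain join"
    else
        echo "wbinfo not installed here; skipping live checks"
    fi
}

main "$@"
```

On a live system, point SAMPLE_LOG at the real cache.log and pass the group name used in the Squid ACL; a group that resolves with "wbinfo -n" but fails "wbinfo -Y" is the idmap problem the repair steps above address.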

Thanks

Thanks to David Whitehead <dwhitehead AT seacrestvillage DOT org> for working with the Squid team to resolve and document this issue.


KnowledgeBase/NoNTLMGroupAuth (last edited 2008-05-18 19:39:00 by localhost)