Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 231811 - Incorrect File permissions on /var/cache/samba/winbind
Summary: Incorrect File permissions on /var/cache/samba/winbind
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: samba
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: Simo Sorce
QA Contact: David Lawrence
Depends On:
TreeView+ depends on / blocked
Reported: 2007-03-12 09:23 UTC by Jóhann B. Guðmundsson
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-03-12 12:18:44 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Jóhann B. Guðmundsson 2007-03-12 09:23:46 UTC
Description of problem:

Came incorrect with samba-3.0.10-1.4E.11 packages

Error log showed

nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(429)  winbindd_pam_auth_crap:
non-privileged access denied.  !  winbindd_pam_auth_crap: Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly.
Version-Release number of selected component (if applicable):

How reproducible:
User authenticating through Freeradius got denied 
When they were authenticating with Freeradius + Samba setup that involved winbind 

Steps to Reproduce:
1. Trying to authenticate 
Actual results:
File permission on /var/cache/samba/winbind was 0750

Expected results:
Should have been 0755

Additional info:

This setup was pptp + freeradius + samba ( pptp vpn setup )
Ensure next time that user rights on samba work for varios samba deployments
( Cups + Point 'N'Print, Freeradius + Samba + AD, Freeradius + samba + Winbind etc.)

Users of other service need to have access to samba.

Comment 1 Simo Sorce 2007-03-12 12:18:44 UTC
Sorry jonathan, but the winbindd_privileged pipe is not supposed to be readable
by everyone. To let a daemon use it you must add the user it runs with to the
group owner of the privileged pipe.
Winbindd will not let you use the pipe if it is readable by everyone.

Note You need to log in before you can comment on or make changes to this bug.