(In reply to Fabian Vogt from comment #2)
> Thanks,
> executing setfacl -m u:radiusd:rx /var/lib/samba/winbindd_privileged
> is enough for ntlm_auth to work correctly.

Glad to hear. Thanks for testing.

> Could this become default as it's
> definitely not a security issue to grant read access to radiusd?

Winbind currently ships with the following permissions and ownership:

drwxr-x--- 2 root winbind 4096 Oct 15 12:08 /var/lib/samba/winbindd_privileged/

The Squid proxy user (squid) adds itself to the winbind group on installation. I expect FreeRADIUS should do the same for the radiusd user. Squid uses the following spec file magic to perform this:

%pre
# we need this group for squid (ntlmauth)
# read access to /var/lib/samba/winbindd_privileged
if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then
    %{_sbindir}/groupadd -r winbind 2>/dev/null
fi
if [ -z "`%{_bindir}/getent passwd squid 2>/dev/null`" ]; then
    %{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \
        -G winbind -g nogroup -o -u 31 -r -s /bin/false \
        %{name} 2>/dev/null
fi
# if squid is not member of winbind, add him
if [ `%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind >/dev/null; echo $?` -ne 0 ]; then
    %{_sbindir}/groupmod -A %{name} winbind 2>/dev/null
fi
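The same approach carried over to FreeRADIUS, as an added example that is not part of this bug report or of either package: an idempotent, %pre-style script that puts the radiusd account (an assumed name) into the winbind group and verifies that the directory's mode and group still make membership sufficient. It uses the portable shadow-utils form usermod -a -G rather than SUSE's groupmod -A.

```shell
#!/bin/sh
# Added example, not from the bug report. Grants the FreeRADIUS user
# (assumed account name: radiusd) traverse/read access to the privileged
# winbind pipe directory via group membership, the way Squid's %pre does.

PRIV_DIR=/var/lib/samba/winbindd_privileged
RADIUS_USER=radiusd       # assumed account name for FreeRADIUS
WINBIND_GROUP=winbind

# Return 0 if $1 appears as a whole word in the whitespace-separated list $2
# (avoids the substring match a bare "grep winbind" would give).
name_in_list() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Return 0 if user $1 is a primary or supplementary member of group $2.
user_in_group() {
    groups_of_user=$(id -nG "$1" 2>/dev/null) || return 1
    name_in_list "$2" "$groups_of_user"
}

# Return 0 if the directory still has the shipped mode (0750) and group,
# i.e. winbind membership is actually enough for ntlm_auth to reach the pipe.
privileged_dir_ok() {
    dir=${1:-$PRIV_DIR}
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 1
    grp=$(stat -c '%G' "$dir" 2>/dev/null) || return 1
    [ "$mode" = "750" ] && [ "$grp" = "$WINBIND_GROUP" ]
}

# Idempotent setup: create the group if absent, then add the user to it.
# Must run as root; meant for an RPM %pre or a post-install script.
ensure_winbind_access() {
    getent group "$WINBIND_GROUP" >/dev/null 2>&1 \
        || groupadd -r "$WINBIND_GROUP" || return 1
    # the package itself is expected to have created the service account
    getent passwd "$RADIUS_USER" >/dev/null 2>&1 || return 1
    user_in_group "$RADIUS_USER" "$WINBIND_GROUP" \
        || usermod -a -G "$WINBIND_GROUP" "$RADIUS_USER"
}

if [ "${1:-}" = "--apply" ]; then
    ensure_winbind_access && privileged_dir_ok \
        && echo "ok: $RADIUS_USER can traverse $PRIV_DIR"
fi
```

Run it with --apply as root after the radiusd account exists; without the flag it only defines the checks.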