Comment # 3 on bug 912714 from
(In reply to Fabian Vogt from comment #2)
> Thanks,
> executing setfacl -m u:radiusd:rx /var/lib/samba/winbindd_privileged
> is enough for ntlm_auth to work correctly.

Glad to hear. Thanks for testing.

> Could this become default as it's
> definitely not a security issue to grant read access to radiusd?

Winbind currently ships with the following permissions and ownership:
drwxr-x--- 2 root winbind 4096 Oct 15 12:08 /var/lib/samba/winbindd_privileged/

The Squid proxy user (squid) adds itself to the winbind group on installation.
I expect FreeRADIUS should do the same for the radiusd user.

Squid uses the following spec file magic to perform this:

%pre
# we need this group for squid (ntlmauth)
# read access to /var/lib/samba/winbindd_privileged
if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then
  %{_sbindir}/groupadd -r winbind 2>/dev/null
fi
if [ -z "`%{_bindir}/getent passwd squid 2>/dev/null`" ]; then
  %{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \
    -G winbind -g nogroup -o -u 31 -r -s /bin/false \
    %{name} 2>/dev/null
fi
# if squid is not member of winbind, add him
if [ `%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind >/dev/null; echo $?` -ne 0 ]; then
  %{_sbindir}/groupmod -A %{name} winbind 2>/dev/null
fi
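The same "make sure the service account is in the winbind group" step, written as a standalone POSIX shell script rather than a spec scriptlet. This is an added example, not code from the bug report, the squid package or the FreeRADIUS package; it assumes the account is named radiusd, uses the portable usermod -a -G instead of SUSE's groupmod -A, and splits the membership check into a pure function so it can be exercised offline against a constructed getent line.

```shell
#!/bin/sh
# Added example: idempotently ensure a service user (assumed: radiusd) is a
# member of the winbind group so it can read /var/lib/samba/winbindd_privileged
# (root:winbind, mode 750 in the listing above) without a per-user ACL.

WINBIND_DIR=/var/lib/samba/winbindd_privileged

# group_has_member "<getent group line>" <user>
# Returns 0 when <user> is in the member field of a line such as
# "winbind:x:488:squid,radiusd"; the surrounding commas make the match exact,
# so "radius" does not match "radiusd".
group_has_member() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    case ",$members," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mode_world_closed "<ls -l mode string>"
# Returns 0 when the "other" bits are all off, i.e. the directory is not
# world-readable; the expected state is drwxr-x--- as shown in the report.
mode_world_closed() {
    case "$1" in
        *---) return 0 ;;
        *)    return 1 ;;
    esac
}

# ensure_group_member <user> <group>
# Creates the group if missing and adds the user to it. Changes need root;
# without root the function only reports what would be done (exit status 2).
ensure_group_member() {
    user=$1; group=$2
    line=$(getent group "$group" 2>/dev/null) || line=
    if [ -z "$line" ]; then
        if [ "$(id -u)" -ne 0 ]; then
            echo "group $group missing; rerun as root to create it"; return 2
        fi
        groupadd -r "$group" && line=$(getent group "$group")
    fi
    if group_has_member "$line" "$user"; then
        echo "$user is already a member of $group"
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "$user is not in $group; rerun as root to add it"; return 2
    fi
    usermod -a -G "$group" "$user"
}

# Usage: sh ensure_winbind.sh radiusd winbind   (run as root to apply)
if [ "$#" -ge 2 ]; then
    ensure_group_member "$1" "$2"
    if [ -d "$WINBIND_DIR" ]; then
        mode=$(ls -ld "$WINBIND_DIR" | cut -d' ' -f1)
        mode_world_closed "$mode" || echo "warning: $WINBIND_DIR is world-accessible ($mode)"
    fi
fi
```

Group membership only takes effect for processes started after the change, so the service has to be restarted after the user is added, which is also why the spec file does this in %pre rather than at runtime.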
