[squid-users] squid-users Digest, Vol 8, Issue 52

kukuh amukti kukuh.amukti at gmail.com
Fri Apr 24 02:27:13 UTC 2015


Dear Amos,

I get this error:
-- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the
computer account
 -- generate_new_password:  Characters read from /dev/udandom = 90
 -- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-F6iL9e
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: PROXYAGIT01-K$
 -- try_machine_keytab_princ: Trying to authenticate for PROXYAGIT01-K$
from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/
proxyagit01.ag-it.com from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for PROXYAGIT01-K$ with
password.
 -- create_default_machine_password: Default machine password for
PROXYAGIT01-K$ is proxyagit01-k
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client
not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: svr-resdmn22.ag-it.com
try_tls=YES
 -- ldap_connect: Connecting to LDAP server: svr-resdmn22.ag-it.com
try_tls=NO
SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
 -- ~KRB5Context: Destroying Kerberos Context

In auth.log:
"msktutil: GSSAPI Error: Unspecified GSS failure.  Minor
code may provide more information (Server not found in Kerberos database)"

help me

thanks,
kukuhga

On Thu, Apr 23, 2015 at 4:41 PM, <squid-users-request at lists.squid-cache.org>
wrote:

> Send squid-users mailing list submissions to
>         squid-users at lists.squid-cache.org
>
>
> Today's Topics:
>
>    1. Re: ERR_ONLY_IF_CACHED_MISS and cache digests problem
>       (Victor Sudakov)
>    2. GSSAPI problem when try create keytab using msktutil
>       (kukuh amukti)
>    3. Re: [squid ] externalAclLookup: 'wbinfo_group_helper' queue
>       overload. (Jagannath Naidu)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 23 Apr 2015 14:35:24 +0600
> From: Victor Sudakov <sudakov at sibptus.tomsk.ru>
> To: squid-users at lists.squid-cache.org, Amos Jeffries
>         <squid3 at treenet.co.nz>
> Subject: Re: [squid-users] ERR_ONLY_IF_CACHED_MISS and cache digests
>         problem
> Message-ID: <20150423083524.GA92752 at admin.sibptus.tomsk.ru>
> Content-Type: text/plain; charset=us-ascii
>
> Amos Jeffries wrote:
>
> [dd]
>
> >
> > I don't think anything is wrong with either. It's more a collision in how
> > the features work vs the protocols.
> >
> > Cache Digests (CD) are exchanged periodically and updated approx hourly.
> > Also they are based on just the URL. So there is always a gap where they
> > may not be accurate for any highly volatile objects, and variant objects
> > (using Vary headers) will have a high false-positive rate.
> >
> > only-if-cached requires the *right now* state of the object to be fresh
> > and in cache. It takes account of both the URL and the entire HTTP
> > headers. So
> >
> > The ICP protocol used as a backup to confirm objects existence also
> > suffers the same URL basis problem as CD. They work fine for HTTP/1.0
> > but HTTP/1.1 features dont fare quite so well.
>
> Thank you Amos, now I understand the mechanics behind this. However,
> I'd prefer that users do not receive this frustrating error in a setup
> which has nothing inherently wrong about it (especially frustrating is
> the fact that they receive the error from the wrong proxy server, not the
> one they have configured in the browser settings).
>
> Do I understand correctly that the only way to avoid this error
> message is to switch to HTCP (and ditch both ICP and CD)?
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:sudakov at sibptus.tomsk.ru
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 23 Apr 2015 16:40:44 +0700
> From: kukuh amukti <kukuh.amukti at gmail.com>
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] GSSAPI problem when try create keytab using
>         msktutil
> Message-ID: <CAKHWrNFg7vUzmDpDJSpQvMRgc4eTCFONYYUnijyNNZRO2U0zTw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Dear All,
> I've been building Squid with W2K12 and there is no problem, but when I try
> running it with W2K3 I get a problem when trying to create the keytab with
> the msktutil command against the Windows Server 2003 server.
> When I run msktutil:
>
> msktutil -c -b "OU=WSUS - Server,OU=Astragraphia-ITS" -s
> HTTP/proxyagit01.ag-it.com -k /etc/squid3/PROXY.keytab --computer-name
> PROXYAGIT-01 --upn HTTP/proxyagit01.ag-it.com --server
> svr-resdmn22.ag-it.com --verbose
>
> and get this error:
>
>  -- init_password: Wiping the computer password structure
>  -- generate_new_password: Generating a new, random password for the
> computer account
>  -- generate_new_password:  Characters read from /dev/udandom = 90
>  -- create_fake_krb5_conf: Created a fake krb5.conf file:
> /tmp/.msktkrb5.conf-F6iL9e
>  -- reload: Reloading Kerberos Context
>  -- finalize_exec: SAM Account Name is: PROXYAGIT01-K$
>  -- try_machine_keytab_princ: Trying to authenticate for PROXYAGIT01-K$
> from local keytab...
>  -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
> (Client not found in Kerberos database)
>  -- try_machine_keytab_princ: Authentication with keytab failed
>  -- try_machine_keytab_princ: Trying to authenticate for host/
> proxyagit01.ag-it.com from local keytab...
>  -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
> (Client not found in Kerberos database)
>  -- try_machine_keytab_princ: Authentication with keytab failed
>  -- try_machine_password: Trying to authenticate for PROXYAGIT01-K$ with
> password.
>  -- create_default_machine_password: Default machine password for
> PROXYAGIT01-K$ is proxyagit01-k
>  -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client
> not found in Kerberos database)
>  -- try_machine_password: Authentication with password failed
>  -- try_user_creds: Checking if default ticket cache has tickets...
>  -- finalize_exec: Authenticated using method 4
>
>  -- ldap_connect: Connecting to LDAP server: svr-resdmn22.ag-it.com
> try_tls=YES
>  -- ldap_connect: Connecting to LDAP server: svr-resdmn22.ag-it.com
> try_tls=NO
> SASL/GSSAPI authentication started
> Error: ldap_sasl_interactive_bind_s failed (Local error)
> Error: ldap_connect failed
> --> Is your kerberos ticket expired? You might try re-"kinit"ing.
>  -- ~KRB5Context: Destroying Kerberos Context
>
>
> auth.log says: "msktutil: GSSAPI Error: Unspecified GSS failure.  Minor
> code may provide more information (Server not found in Kerberos database)"
>
> What should I do?
>
> thanks,
> kukuhga
>
> ------------------------------
>
> Message: 3
> Date: Thu, 23 Apr 2015 15:11:09 +0530
> From: Jagannath Naidu <jagannath.naidu at fosteringlinux.com>
> To: Amos Jeffries <squid3 at treenet.co.nz>
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] [squid ] externalAclLookup:
>         'wbinfo_group_helper' queue overload.
> Message-ID: <CA+8bHvzhgS=-u5zx1a82uWk0jC62qS1HmaUoawn7eW1W43ZHfA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Amos,
>
> regrets, I am late.
>
> On 21 April 2015 at 09:15, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
> > On 20/04/2015 7:31 p.m., Jagannath Naidu wrote:
> > > Hi,
> > >
> > > I am having this issue very frequently. Please help on this.
> > >
> > > I get these errors randomly, mostly when usage is at very peak. (800
> > users)
> > >
> > >
> > > /var/log/squid/cache.log
> > >
> > > 2015/04/20 12:37:40| externalAclLookup: 'wbinfo_group_helper' queue
> > > overload (ch=0x7fc99e2ce518)
> >
> > What do you think "overload" means?
> >  The helper is unable to cope with the traffic load being passed to it.
> >
> > Here is the biggest hint:
> > >
> > > in /var/log/messages,  I get the following errors
> > >
> > > pr 20 12:59:15 GGNPROXY01 winbindd[1910]:   winbindd: Exceeding 200
> > client
> > > connections, no idle connection found
> >
> >
> >
> >
> > > Then squid stops working. For squid to start working again, I have to
> > > delete the cache and restart the squid "squid -k reconfigure", and then
> > > squid restart.
> >
> > What Squid version are you using?
> >
> > my squid version  squid-3.1.10-19.el6_4.x86_64
>
>
>
> > >
> > > squid.conf
> > >
> > > max_filedesc 17192
> > > acl manager proto cache_object
> > > acl localhost src 172.16.50.61/24
> >
> > changed to "acl localhost src 172.16.50.61" already
>
>
> > You have an entire /24 (256 IPs) assigned to this machine?
> >
> > I think you need to remove that "/24" part if the *.61 is the local
> > machines *public* IP.
> >
> >
> > > http_access allow manager localhost
> > > dns_nameservers 172.16.3.34 10.1.2.91
> > > acl allowips src 172.16.58.187 172.16.16.192 172.16.58.113 172.16.58.63
> > > 172.16.58.98 172.16.60.244 172.16.58.165 172.16.58.157
> > > http_access allow allowips
> >
> > > auth_param basic realm Squid proxy-caching web server
> > > auth_param basic credentialsttl 2 hours external_acl_type nt_group
> ttl=0
> > > children=60 %LOGIN /usr/lib64/squid/wbinfo_group.pl
> >
> > The above two very mangled config lines are useless. Remove them.
> >
> > > acl localnet src 172.16.0.0/24
> >
>
>
> changed
>
>
> > It's a bit strange that none of the localhost machine IPs
> > (172.16.50.0-172.16.50.255) are part of the LAN its plugged into
> > 172.16.0.0-172.16.0.255.
> >
> >
> > > acl localnet src fc00::/7 # RFC 4193 local private network range
> > > acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)
> > machines
> > > auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> > > --helper-protocol=squid-2.5-ntlmssp --domain=HTMEDIA.NET
> >
> > Okay you have configured NTLM...
> >
> > > auth_param ntlm program /usr/bin/ntlm_auth
> > > --helper-protocol=squid-2.5-ntlmssp --domain=HTMEDIA.NET
> >
> > ... but twice. With different settings. Only these last ones will have
> > any effect.
> >
> >
> > > auth_param ntlm children 600
> > > auth_param ntlm keep_alive off
> >
> > > auth_param negotiate children 150
> > > auth_param negotiate keep_alive off
> > > visible_hostname GGNPROXY01.HTMEDIA.NET
> > > external_acl_type wbinfo_group_helper ttl=0 children=40 %LOGIN
> > > /usr/lib64/squid/wbinfo_group.pl -d
> > > auth_param negotiate keep_alive off
> >
> > You have several useless configuration lines for Negotiate auth which is
> > not being used in any way. Remove those.
> >
> >
> > > acl Safe_ports port 8080 #https
> > > acl SSL_ports port 443
> > > acl Safe_ports port 80          # http
> > > acl Safe_ports port 21          # ftp
> > > acl Safe_ports port 443 # https
> > > acl Safe_ports port 70          # gopher
> > > acl Safe_ports port 210         # wais
> > > acl Safe_ports port 1025-65535  # unregistered ports
> > > acl Safe_ports port 280         # http-mgmt
> > > acl Safe_ports port 488         # gss-http
> > > acl Safe_ports port 591         # filemaker
> > > acl Safe_ports port 777         # multiling http
> > > acl CONNECT method CONNECT
> > > acl auth proxy_auth REQUIRED
> > > acl google dstdomain -i "/etc/squid/google_site.com"
> > > http_access allow google
> > > acl sq1 external wbinfo_group_helper "/etc/squid/HT/sq1"
> > > acl sq2 external wbinfo_group_helper "/etc/squid/HT/sq2"
> > > acl sq3 external wbinfo_group_helper "/etc/squid/HT/sq3"
> > > acl sq4 external wbinfo_group_helper "/etc/squid/HT/sq4"
> > > acl sq5 external wbinfo_group_helper "/etc/squid/HT/sq5"
> > > acl pro1 external wbinfo_group_helper "/etc/squid/HT/pro1"
> > > acl pro2 external wbinfo_group_helper "/etc/squid/HT/pro2"
> > > acl pro3 external wbinfo_group_helper "/etc/squid/HT/pro3"
> > > acl pro4 external wbinfo_group_helper "/etc/squid/HT/pro4"
> > > acl pro5 external wbinfo_group_helper "/etc/squid/HT/pro5"
> > > acl pro6 external wbinfo_group_helper "/etc/squid/HT/pro6"
> > > acl webvip external wbinfo_group_helper "/etc/squid/HT/webvip"
> > > acl allgroup external wbinfo_group_helper "/etc/squid/HT/allgreop"
> > > acl restricted external wbinfo_group_helper "/etc/squid/HT/restricted"
> > > acl ad_auth proxy_auth REQUIRE
> >
> > You already have an ACL named "auth" which performs authentication.
> > The above line is not useful. Remove it and replace all uses of
> > "ad_auth" ACL with "auth" ACL.
> >
> > > acl allowwebsites dstdomain -i "/blacklists/allowedwebsite/domains"
> > > acl allowwebsites_url url_regex -i "/blacklists/allowedwebsite/url"
> > > http_access allow allowwebsites
> > > http_access allow allowwebsites_url
> > > acl shopping dstdomain -i "/etc/squid/shopping.txt"
> > > acl social_networking dstdomain -i
> "/blacklists/social/social.networking"
> > > acl youtube dstdomain -i .youtube.com
> > > http_access allow Safe_ports pro1 pro2 pro3 pro4 pro5 pro6 webvip
> >
> > Incorrect use of "Safe_ports" security check. Correct usage is to deny
> > access to all *unsafe* ports. They are unsafe because HTTP can be
> > smuggled within the port's native protocol to attack your proxy.
> >
> > Once the correct security protections for Safe_port and CONNECT tunnels
> > have been moved up the top remove the "Safe_ports" check from this line.
> >
> > This line is also very odd in another way. ACL tests in a single line
> > are AND'ed together - so this means the request must be from a user who
> is:
> >   authenticated AND a member of group pro1 AND pro2 AND pro3 AND pro4
> > AND pro5 AND pro6 AND webvip
> >
> > This hints at what your main helper problem is. The above line requires
> > 7 group helper lookups *per request*. The winbind helper has a maximum
> > of 200 simultaneous connections. This line alone will limit your proxy
> > just under 30 new visitors per second (that becomes 60 lookups/sec
> > before queue overload).
> >  The helper result caching will help a lot, but you also have a LOT of
> > other group checks being made and 800 users.
> >
> >
> > > http_access allow youtube pro5
> > > http_access allow youtube pro6
> > > http_access allow youtube webvip
> > > http_access deny youtube
> > > http_access allow shopping pro5
> > > http_access allow shopping pro6
> > > http_access allow shopping webvip
> > > http_access deny shopping
> >
> > Optimization hint:
> >  "youtube" and "shopping" have the same allow/deny criteria. It would be
> > worth combining them into one ACL.
> >
> > > http_access allow social_networking pro2
> > > http_access allow social_networking pro4
> > > http_access allow social_networking pro6
> > > http_access allow social_networking webvip
> > > http_access deny social_networking
> > > acl porn_site1   dstdomain "/etc/squid/blacklists/porn/domains.txt"
> > > acl porn_site2   dstdom_regex -i
> "/etc/squid/blacklists/porn/expressions"
> > > acl porn_site3   dstdom_regex -i "/etc/squid/blacklists/porn/urls.txt"
> > > acl audio_video1   dstdomain
> "/etc/squid/blacklists/audio-video/urls.txt"
> > > ###################### THERE ARE TOO MANY acls and http_access , so not
> > > bothering with vast linux
> >
> > I will bet a lot of those ACLs are also calling the group helper too yes?
> >
> > > http_access allow liquorinfo webvip
> > > http_access deny liquorinfo
> > > http_access allow ad_auth
> > > http_access allow auth
> >
> > Once you have removed ad_auth ACL, this becomes:
> >  http_access allow auth
> >  http_access allow auth
> >
> > I hope you can see how redundant that is.
> >
> > Also, it's very likely that the "allow auth" is a useless operation after
> > a great many group checks have also performed authentication. That "TOO
> > MANY acls and https_access" list you omitted will be needed to determine
> > that.
> >
> >
> > > http_access allow sq1 sq2
> > > acl NTLMUsers proxy_auth REQUIRED
> >
> > You already have an ACL named "auth" which performs authentication.
> > The above line is not being used in any way. Remove it.
> >
> > > http_access deny !Safe_ports
> > > http_access deny CONNECT !SSL_ports
> >
> > These are basic security protection against Denial of Service and other
> > types of protocol smuggling attacks. They only work when they are used
> > *above* your custom "allow" rules.
> >
> > Move these two lines above your "http_access allow google" line.
> >
> >
> >
> > > http_port 8080
> > > hierarchy_stoplist cgi-bin ?
> >
> > The above line is not useful these days. Remove it.
> >
> > > cache_effective_user squid
> > > cache_dir aufs /var/spool/squid 20384 32 512
> > > cache_mem 50 MB
> > > cache_replacement_policy heap LFUDA
> > > cache_swap_low 85
> > > cache_swap_high 95
> > > maximum_object_size 5 MB
> > > maximum_object_size_in_memory 50 KB
> > > ipcache_size 5240
> > > ipcache_low 90
> > > ipcache_high 95
> > > cache_mgr amit
> > > acl SSL_ports port 443
> >
> > The above is a duplicate config line. Remove it.
> >
> > > http_access allow CONNECT SSL_ports
> > > coredump_dir /var/spool/squid
> > > refresh_pattern ^ftp:           1440    20%     10080
> > > refresh_pattern ^gopher:        1440    0%      1440
> > > refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> > > refresh_pattern .               0       20%     4320
> > > url_rewrite_program /usr/local/bin/squidGuard -c
> > > /usr/local/squidGuard/squidGuard.conf
> > >
> >
> >
> > Now, as to solving your problem:
> >
> > 1) Clean up your config. Reduce the amount of redundant or unused
> > things. I've mentioned a few above.
> >
> > 2) Run "squid -k parse" and fix any other problems it highlights.
> >
> > 3) optimize your ACLs and http_access rules. I've mentioned a few, such
> > as moving the main security checks to the top so DoS traffic does not
> > put load on the helpers and other ACLs.
> >
> > I believe though that you will probably find Squid works much better
> > having the following access controls pattern:
> > "
> >  http_access deny !Safe_ports
> >  http_access deny CONNECT !SSL_ports
> >
> >  # if they are not authenticated, they will not be in a group
> >  http_access deny !auth
> >
> >  # assuming that webvip are the group with full access?
> >  http_access allow webvip
> >
> >  # your long list of per-site group check ACLs go here
> >  ...
> >
> >  # this is where defining the LAN ranges correctly comes in.
> >  # note that users have authenticated simply to get near here
> >  http_access allow localnet
> >  http_access deny all
> > "
> >
> >
> > 4) consider an upgrade to Squid 3.4+. The "notes" ACL type offers much
> > more efficient ACL testing with a custom group lookup helper. The all-of
> > and any-of ACL types can also much reduce your http_access lines.
> >
> > HTH
> > Amos
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> >
>
>
>
> Thank you Amos, I will check and will update the list.
>
>
> --
> Thanks & Regards
>
> B Jagannath
> Keen & Able Computers Pvt. Ltd.
>
> ------------------------------
>
>
> ------------------------------
>
> End of squid-users Digest, Vol 8, Issue 52
> ******************************************
>
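The auth.log line quoted at the top of this thread ("Server not found in Kerberos database") is the KDC's answer to the ticket request that the SASL/GSSAPI LDAP bind makes for the DC's ldap/ service principal. One common way to end up asking for a principal the KDC does not know is the client's host-name canonicalization: MIT Kerberos resolves the DC name in krb5_sname_to_principal() and, when rdns is enabled (the [libdefaults] default), substitutes the PTR name of the address, so a stale or mismatched reverse record turns ldap/svr-resdmn22.ag-it.com into ldap/<whatever the PTR says>. The Python model below is an added example, not code from msktutil or from anyone in the thread; the address, the PTR record, the realm name and the list of registered SPNs are constructed, and the thread does not establish that this is the cause of the posted failure, only that it is the first thing to check.

```python
"""Model of how an MIT Kerberos client picks the service principal for a
SASL/GSSAPI LDAP bind (what msktutil does when it connects to the DC).
krb5_sname_to_principal() forward-resolves the host name, following CNAMEs,
and with the default rdns = true replaces it with the PTR name of the first
address. The TGS request then goes out for ldap/<that name>; if AD has no
such servicePrincipalName the KDC answers "Server not found in Kerberos
database". DNS data, address, realm and SPN list are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FakeDns:
    """Stand-in for the resolver so the example runs offline."""
    a: Dict[str, List[str]] = field(default_factory=dict)   # name -> addresses
    cname: Dict[str, str] = field(default_factory=dict)     # alias -> target
    ptr: Dict[str, str] = field(default_factory=dict)       # address -> name

    def canonical(self, name: str) -> str:
        """Follow the CNAME chain, as getaddrinfo(AI_CANONNAME) does."""
        seen = set()
        while name in self.cname:
            if name in seen:
                raise ValueError(f"CNAME loop at {name}")
            seen.add(name)
            name = self.cname[name]
        return name

    def reverse(self, addr: str) -> Optional[str]:
        return self.ptr.get(addr)


def gssapi_target_spn(service: str, hostname: str, realm: str,
                      dns: FakeDns, rdns: bool = True) -> str:
    """Return the principal the client will ask the KDC for."""
    name = dns.canonical(hostname.rstrip(".").lower())
    if rdns:
        addrs = dns.a.get(name, [])
        if addrs:
            ptr_name = dns.reverse(addrs[0])
            if ptr_name:                      # reverse record wins over the typed name
                name = ptr_name.rstrip(".").lower()
    return f"{service}/{name}@{realm}"


def kdc_answer(spn: str, registered_spns: set) -> str:
    """What the KDC says for a TGS request, given the servicePrincipalName
    values registered in AD. AD matches SPNs case-insensitively."""
    if spn.lower() in {s.lower() for s in registered_spns}:
        return "ticket issued"
    return "Server not found in Kerberos database"


# Constructed data: the DC name is the one from the thread; the address, the
# PTR record, the realm name and the registered SPNs are assumptions.
DC = "svr-resdmn22.ag-it.com"
REALM = "AG-IT.COM"
AD_SPNS = {f"ldap/{DC}@{REALM}", f"ldap/SVR-RESDMN22@{REALM}"}

MISMATCHED_DNS = FakeDns(
    a={DC: ["10.20.30.22"]},
    ptr={"10.20.30.22": "oldname-dc.corp.ag-it.com"},   # stale reverse record
)
CONSISTENT_DNS = FakeDns(
    a={DC: ["10.20.30.22"]},
    ptr={"10.20.30.22": DC},
)


def diagnose(dns: FakeDns, rdns: bool = True) -> str:
    spn = gssapi_target_spn("ldap", DC, REALM, dns, rdns=rdns)
    return f"{spn}: {kdc_answer(spn, AD_SPNS)}"


if __name__ == "__main__":
    print(diagnose(MISMATCHED_DNS))              # rdns on, PTR disagrees: not found
    print(diagnose(MISMATCHED_DNS, rdns=False))  # rdns = false in krb5.conf: works
    print(diagnose(CONSISTENT_DNS))              # PTR matches: works either way
```

On a real host the equivalent check is to confirm that the reverse record of the DC's address (dig -x <address>) returns the DC's own name, and, after kinit as the same user, to run kvno ldap/svr-resdmn22.ag-it.com and see which principal it requests; setting rdns = false under [libdefaults] in krb5.conf makes the client use the forward name as typed. The earlier "Client not found" lines in the msktutil output are a separate matter: msktutil first tries the machine credentials, which cannot exist before the computer account has been created, and then falls back to the user's ticket cache (method 4), which is what happened here.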
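Amos's explanation in Message 1 (digests are URL-based and refreshed roughly hourly, while only-if-cached wants the object fresh and variant-matched right now) can be made concrete with a small model. The Python below is an added illustration, not Squid code: the Bloom filter only loosely follows CacheDigest.cc, and the URLs, expiry times, rebuild interval and request headers are constructed.

```python
"""Toy model of the collision between Cache Digests and only-if-cached.
The digest a sibling publishes is a Bloom filter built from the store key,
a hash of method and URL only, and is rebuilt on a schedule; the sibling's
real store is keyed on the URL plus the request headers named by Vary, and
entries expire between rebuilds. Objects, times and sizing are constructed."""

import hashlib
from typing import Dict, Tuple


class CacheDigest:
    """Bloom filter with four hash values carved out of the 128-bit store key."""

    def __init__(self, nbits: int = 4096):
        self.nbits = nbits
        self.bits = bytearray(nbits // 8)

    @staticmethod
    def store_key(method: str, url: str) -> bytes:
        return hashlib.md5(f"{method} {url}".encode()).digest()

    def _positions(self, key: bytes):
        return [int.from_bytes(key[i:i + 4], "big") % self.nbits for i in range(0, 16, 4)]

    def add(self, method: str, url: str) -> None:
        for p in self._positions(self.store_key(method, url)):
            self.bits[p // 8] |= 1 << (p % 8)

    def may_contain(self, method: str, url: str) -> bool:
        return all((self.bits[p // 8] >> (p % 8)) & 1
                   for p in self._positions(self.store_key(method, url)))


class SiblingCache:
    """The sibling's store plus the digest it last published."""

    def __init__(self):
        self.vary: Dict[str, Tuple[str, ...]] = {}   # url -> headers named by Vary
        self.entries: Dict[tuple, int] = {}          # (url, variant key) -> expires_at
        self.digest = CacheDigest()

    @staticmethod
    def variant_key(url, request_headers, vary):
        return (url, tuple((h, request_headers.get(h, "")) for h in vary))

    def store(self, url, response_headers, request_headers, expires_at):
        vary = tuple(h.strip() for h in response_headers.get("Vary", "").split(",") if h.strip())
        self.vary[url] = vary
        self.entries[self.variant_key(url, request_headers, vary)] = expires_at

    def rebuild_digest(self, now: int) -> None:
        """Periodic rebuild: only fresh objects go in, and only their URLs."""
        self.digest = CacheDigest()
        for (url, _), expires_at in self.entries.items():
            if expires_at > now:
                self.digest.add("GET", url)

    def only_if_cached(self, url, request_headers, now: int) -> int:
        """Status for a Cache-Control: only-if-cached request: 200 for a fresh
        matching variant, otherwise 504 (ERR_ONLY_IF_CACHED_MISS)."""
        key = self.variant_key(url, request_headers, self.vary.get(url, ()))
        expires_at = self.entries.get(key)
        return 200 if expires_at is not None and expires_at > now else 504


def sibling_decision(sib: SiblingCache, url, request_headers, now: int):
    """What the requesting proxy experiences: the digest verdict that made it
    pick this sibling, and the answer the sibling actually gives."""
    return sib.digest.may_contain("GET", url), sib.only_if_cached(url, request_headers, now)


JS = "http://www.example.com/static/app.js"   # constructed URLs
HOME = "http://www.example.com/"


def build_scenario() -> SiblingCache:
    sib = SiblingCache()
    sib.store(JS, {"Vary": "Accept-Encoding"}, {"Accept-Encoding": "gzip"}, expires_at=600)
    sib.store(HOME, {}, {}, expires_at=86400)
    sib.rebuild_digest(now=0)      # next rebuild would not happen for an hour
    return sib


if __name__ == "__main__":
    sib = build_scenario()
    print(sibling_decision(sib, JS, {"Accept-Encoding": "gzip"}, now=10))   # (True, 200)
    print(sibling_decision(sib, JS, {}, now=10))                            # (True, 504) other variant
    print(sibling_decision(sib, JS, {"Accept-Encoding": "gzip"}, now=900))  # (True, 504) expired, digest stale
```

The second and third calls are the two cases Amos names: the digest says "probably there" because it only knows the URL, while the sibling misses because the client asked for a different variant, or because the object went stale before the next digest exchange.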
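Amos's points in Message 3 (terms on one http_access line are AND'ed, the group helper gets called before the Safe_ports and CONNECT checks run, and the suggested rule order avoids that) can be checked with a small evaluator. The Python below is an added example, not Squid code or anything from the thread: it reproduces a subset of the posted http_access lines (the group and youtube rules and the two port checks, in their posted order) beside Amos's suggested pattern, and the three requests and their group memberships are constructed. It models Squid's left-to-right, stop-at-first-non-match evaluation of a line; it does not model the authentication challenge, the dstdomain lists that were left out, or helper result caching (with ttl=0 as posted, results are not reused anyway).

```python
"""Toy model of Squid http_access evaluation, used to compare the helper
load of the posted rule order with the order Amos suggests. Lines are tried
top to bottom; the ACL terms on a line are AND'ed and tested left to right,
stopping at the first one that does not match; the first line whose terms
all match decides. Group ACLs stand in for the wbinfo_group_helper external
ACL (ttl=0, so every test is a helper round trip). Requests are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
GROUPS = ("pro1", "pro2", "pro3", "pro4", "pro5", "pro6", "webvip")


@dataclass(frozen=True)
class Request:
    dst_domain: str
    port: int
    method: str = "GET"
    user: Optional[str] = None              # None: not (yet) authenticated
    groups: FrozenSet[str] = frozenset()    # AD groups the user is in (constructed)
    src: str = "172.16.0.10"


@dataclass
class Evaluation:
    verdict: str = "deny"
    matched_rule: Optional[str] = None
    helper_lookups: int = 0


def make_acls() -> Dict[str, Callable[[Request, Evaluation], bool]]:
    def group_acl(name: str):
        def test(req: Request, ev: Evaluation) -> bool:
            if req.user is None:
                return False            # real Squid would send a 407 challenge here
            ev.helper_lookups += 1      # one round trip to wbinfo_group.pl
            return name in req.groups
        return test

    acls = {
        "Safe_ports": lambda r, e: r.port in SAFE_PORTS,
        "SSL_ports": lambda r, e: r.port == 443,
        "CONNECT": lambda r, e: r.method == "CONNECT",
        "auth": lambda r, e: r.user is not None,
        "youtube": lambda r, e: r.dst_domain == "youtube.com" or r.dst_domain.endswith(".youtube.com"),
        "localnet": lambda r, e: ipaddress.ip_address(r.src) in ipaddress.ip_network("172.16.0.0/24"),
        "all": lambda r, e: True,
    }
    for g in GROUPS:
        acls[g] = group_acl(g)
    return acls


def evaluate(rules: List[str], req: Request) -> Evaluation:
    acls, ev = make_acls(), Evaluation()
    for line in rules:
        _, action, *terms = line.split()          # drop the "http_access" keyword
        for term in terms:
            negated = term.startswith("!")
            if acls[term.lstrip("!")](req, ev) == negated:
                break                             # term did not match: next line
        else:
            ev.verdict, ev.matched_rule = action, line
            return ev
    return ev   # nothing matched; this model denies (Squid inverts the last line's action)


# Group- and port-related lines of the posted squid.conf, in their posted order.
POSTED_RULES = [
    "http_access allow Safe_ports pro1 pro2 pro3 pro4 pro5 pro6 webvip",
    "http_access allow youtube pro5",
    "http_access allow youtube pro6",
    "http_access allow youtube webvip",
    "http_access deny youtube",
    "http_access allow auth",
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
]

# Amos's suggested pattern, with the youtube rules as the per-site block.
RECOMMENDED_RULES = [
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
    "http_access deny !auth",
    "http_access allow webvip",
    "http_access allow youtube pro5",
    "http_access allow youtube pro6",
    "http_access deny youtube",
    "http_access allow localnet",
    "http_access deny all",
]

if __name__ == "__main__":
    scenarios = [
        ("port 25, authenticated, outside the youtube groups",
         Request("youtube.com", 25, user="alice", groups=frozenset({"pro1"}))),
        ("webvip member, youtube on port 80",
         Request("youtube.com", 80, user="bob", groups=frozenset({"webvip"}))),
        ("member of all seven groups",
         Request("example.com", 80, user="carol", groups=frozenset(GROUPS))),
    ]
    for label, req in scenarios:
        for name, rules in (("posted", POSTED_RULES), ("suggested", RECOMMENDED_RULES)):
            ev = evaluate(rules, req)
            print(f"{label:50} {name:9} {ev.verdict:5} helper lookups={ev.helper_lookups}")
```

With the posted order a request to an unsafe port still costs three group lookups before "deny youtube" stops it, a plain webvip member costs four, and a member of all seven groups costs seven on the first line alone; with the port and authentication checks on top, the first request costs nothing and the other two cost one lookup each.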