[squid-users] Negotiate Authenticator and DNS

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 26 12:57:00 UTC 2017

On 26/09/17 17:59, Eliezer Croitoru wrote:
> Hey,
> How about using a local bind\unbound DNS server that has a forwarding zone defined only for the local domains?
> For me it's a bit hard to understand the root cause for the issue but this is the best solution I can think about.
> If you need some help about with bind\unbound DNS configurations just send me an email and I will try to help you with that.

> -----Original Message-----
> From: erdosain9
> Hi.
> Im traying to improve the dns response because im having this times:
> Negotiate Authenticator Statistics:
> program: /lib64/squid/negotiate_kerberos_auth

Notice the name of the program above.

> Sometimes much more time, sometimes go to avg service time: 560 msec...

Thats not good, DNS should be much faster. But not related to the errors 

> Sorry for my ignorance...
> This Negotiate Authenticator is for users??? i mean this is related to, for
> example, go to google.com, or is just the time that the user (client pc)
> wait for be authenticate??

The report you quoted was for Negotiate authentication helpers. Only. 
The times there relate to how long it takes to login.

> I think, that is related to go to a web (now i have my doubts). so i make a
> dns with bind. and put that dns in squid config, and let the dns from the AD
> in second place... but, when i restart this happend:
> support_resolv.cc(289): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:

Notice the name (above) of the program reporting these errors.

> ERROR: Error while resolving service record _ldap._tcp.DOMAIN.LAN with r
> es_search
> support_resolv.cc(71): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
> ERROR: res_search: Unknown service record: _ldap._tcp.DOMAIN.LAN
> support_resolv.cc(183): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
> ERROR: Error while resolving hostname with getaddrinfo: Name or service
> not known
> support_sasl.cc(276): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
> ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
> support_ldap.cc(957): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
> ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact
> LDAP server
> So, this post is for two question.
> 1- The thing about Negotiate Authenticator (that value what represent?)
> 2- Can i improve making my own dns (apart from the the dns from the domain)?
> (i prefer make other dns, than fix the dns from the domain, because i dont
> manage that).

These errors are missing records and servers not running (or not 
existing?). Different DNS server would only help with lag.

> Thanks to all, and sorry for the ignorance, and my bad writing (i dont speak
> english)


More information about the squid-users mailing list