<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<div style="color: rgb(0, 0, 0);">
<div>
<div id="divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Arial,Helvetica,sans-serif">
<p></p>
<div>
<p>Hi, everybody!</p>
<p><br>
</p>
<p>I have my Squid 3.4.8 running in Debian Jessie. It has been working with Active Directory authentication for more than a year without any kind of problem. But since a couple of weeks ago, suddenly, it stopped authenticate users, asking for credentials (username
and pass) and they are not able to browse. I am getting this messages in /var/log/cache.log:<em class="x_quotelev1"></em></p>
<p><em class="x_quotelev1"><br>
</em></p>
<p><em class="x_quotelev1">2017/03/04 12:04:25.806 kid1| WARNING: external ACL 'Grupos_AD' queue overload. Request rejected 'user1 it_group'.</em></p>
<p><br>
<em class="x_quotelev1"></em><em class="x_quotelev1"></em></p>
<p>After some research I found this thread <a href="http://www.squid-cache.org/mail-archive/squid-users/200902/0386.html" target="_blank" class="x_moz-txt-link-freetext" id="LPlnk164776" previewremoved="true">
http://www.squid-cache.org/mail-archive/squid-users/200902/0386.html</a> and followed the suggestions posted by Amos. But nothing happened.</p>
<p>I tried rejoining the server to domain. Everything was fine in that way: <b>wbinfo -u</b>,
<b>wbinfo -g</b> and <b>wbinfo -P</b> correctly returns all the users, groups and information of the domain.<br>
</p>
<p><br>
</p>
<p>After restart Squid service, I noticed that neither helper ext_wbinfo_group_acl nor pinger are started:</p>
<p><br>
</p>
<p>12:04:01 [root@server ]# systemctl status squid3.service -l<br>
Ąņ squid3.service - LSB: Squid HTTP Proxy version 3.x<br>
Loaded: loaded (/etc/init.d/squid3)<br>
Active: active (running) since s¨ĸb 2017-03-04 12:04:01 ART; 3s ago<br>
Process: 4537 ExecStop=/etc/init.d/squid3 stop (code=exited, status=0/SUCCESS)<br>
Process: 4560 ExecStart=/etc/init.d/squid3 start (code=exited, status=0/SUCCESS)<br>
CGroup: /system.slice/squid3.service<br>
ŠĀŠ¤4593 /usr/sbin/squid3 -YC -f /etc/squid3/squid.conf<br>
ŠĀŠ¤4595 (squid-1) -YC -f /etc/squid3/squid.conf<br>
Š¸Š¤4596 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
mar 04 12:04:01 server.mydomain.com squid3[4560]: Starting Squid HTTP Proxy 3.x: squid32017/03/04 12:04:01| WARNING: external_acl_type option children=N has been deprecated in favor of children-max=N and children-startup=N<br>
mar 04 12:04:01 server.mydomain.com squid3[4593]: Squid Parent: will start 1 kids<br>
mar 04 12:04:01 server.mydomain.com squid3[4593]: Squid Parent: (squid-1) process 4595 started<br>
mar 04 12:04:01 server.mydomain.com squid3[4560]: .</p>
<p><br>
</p>
12:04:30 [root@server ]# ps fax | grep ext_wbinfo_group_acl<br>
1418 pts/0 S+ 0:00 \_ grep ext_wbinfo_group_acl<br>
<br>
If I run <b>echo "mydomain\user1 it_group" | /usr/lib/squid3/ext_wbinfo_group_acl -d</b>, it returns<br>
<br>
Debugging mode ON.<br>
Got mydomain\user1 it_group from squid<br>
User: -mydomain\user1-<br>
Group: -it_group-<br>
SID: -S-1-5-21-2290000000-711000000-3300000000-3949-<br>
GID: -10006-<br>
Sending OK to squid<br>
OK<br>
<br>
What it's a good, because that user belongs to that group. If I change the group name, it returns an ERR.<br>
<br>
Here is my squid.conf:<br>
<br>
<span>#===========================================================================</span><br>
http_port 3128<br>
visible_hostname proxy.squid<br>
cache_mgr <a href="mailto:server@proxy.com" target="_blank" class="x_moz-txt-link-abbreviated">
server@proxy.com</a><br>
cache_effective_user proxy<br>
error_directory /usr/share/squid3/errors/es<br>
err_page_stylesheet /etc/squid3/estilo.css<br>
<br>
####################################################<br>
#******************************Ports*************************************#<br>
####################################################<br>
<br>
#acl manager proto cache_object<br>
#acl all src 0.0.0.0/0.0.0.0<br>
#acl localhost src 127.0.0.1/32<br>
acl SSL_ports port 443<br>
acl Safe_ports port 80<br>
acl Safe_ports port 21<br>
acl Safe_ports port 443<br>
acl Safe_ports port 70 #prot gopher<br>
acl Safe_ports port 210 #whais<br>
acl Safe_ports port 280 #http-mgmt<br>
acl Safe_ports port 488 #gss-http<br>
acl Safe_ports port 591 #filemaker<br>
acl Safe_ports port 8080<br>
acl Safe_ports port 2481<br>
acl Safe_ports port 20010<br>
acl Safe_ports port 777 #multi http<br>
#acl purge method PURGE<br>
acl CONNECT method CONNECT<br>
<br>
acl_uses_indirect_client on<br>
delay_pool_uses_indirect_client on<br>
log_uses_indirect_client on<br>
<br>
<br>
##############################################################<br>
#*******************Active Directory HELPERS**************************#<br>
##############################################################<br>
<br>
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
auth_param ntlm children 100<br>
auth_param ntlm keep_alive off<br>
<br>
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic<br>
auth_param basic children 100<br>
auth_param basic realm Servidor proxy-cache<br>
auth_param basic credentialsttl 2 hours<br>
<br>
<br>
#######################################################################<br>
#****************************ACL******************************************#<br>
###########################################################################<br>
<br>
#---------------------------ACL Active Directory------------------------#<br>
external_acl_type Grupos_AD ttl=10 negative_ttl=10 children=100 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d<br>
acl it_group external Grupos_AD it_group<br>
<br>
------------------Acceso s¨Žlo a usuarios autenticados--------------------#<br>
acl auth proxy_auth REQUIRED<br>
http_access deny !auth<br>
<br>
#-----------------------------Grupo *it_group*----------------------------#<br>
http_access allow it_group allow<br>
<br>
http_access allow manager localhost<br>
http_access deny manager<br>
#http_access allow purge localhost<br>
#http_access deny purge<br>
http_access deny !Safe_ports<br>
http_access deny CONNECT !SSL_PORTS<br>
<br>
http_access deny all<br>
<br>
dead_peer_timeout 20 seconds<br>
strip_query_terms on<br>
debug_options ALL,1 33,2 28,9<br>
coredump_dir /var/spool/squid3<br>
ftp_passive on<br>
ftp_sanitycheck off<br>
ftp_telnet_protocol off<br>
read_ahead_gap 1 MB<br>
positive_dns_ttl 6 hours<br>
forward_max_tries 25<br>
<br>
<br>
############################################################################<br>
#*************************Log********************************#<br>
############################################################################<br>
<br>
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt<br>
cache_access_log /var/log/squid3/access.log<br>
cache_log /var/log/squid3/cache.log<br>
logfile_rotate 0<br>
<br>
############################################################################<br>
#******************Cache and memory***************************#<br>
############################################################################<br>
<br>
cache_mem 1024 MB<br>
maximum_object_size_in_memory 1024 KB<br>
memory_cache_mode always<br>
cache_dir aufs /var/spool/squid3 15000 16 256<br>
maximum_object_size 96 MB<br>
minimum_object_size 10 KB<br>
#cache_replacement_policy heap LFUDA<br>
cache_replacement_policy heap GDSF<br>
memory_replacement_policy heap GDSF<br>
#memory_replacement_policy lru<br>
cache_store_log none<br>
#log_fqdn off<br>
log_icp_queries off<br>
buffered_logs off<br>
#emulate_httpd_log off<br>
redirect_rewrites_host_header off<br>
cache_swap_low 80<br>
cache_swap_high 95<br>
<br>
#===========================================================================<br>
<br>
It is really weird, I really don't know how to solve this. I hope my explanation was clear.
<br>
<br>
For testing purposes, I have another Squid working with the same AD server, and it is going fine: the helper and pinger are executed as you can see here:<br>
<br>
root@debian-test-server:/etc/squid3# systemctl status squid3.service <br>
Ąņ squid3.service - LSB: Squid HTTP Proxy version 3.x<br>
Loaded: loaded (/etc/init.d/squid3)<br>
Active: active (running) since lun 2017-02-13 07:35:01 ART; 2 weeks 5 days ago<br>
Process: 570 ExecStart=/etc/init.d/squid3 start (code=exited, status=0/SUCCESS)<br>
CGroup: /system.slice/squid3.service<br>
ŠĀŠ¤ 1017 /usr/sbin/squid3 -YC -f /etc/squid3/squid.conf<br>
ŠĀŠ¤ 1020 (squid-1) -YC -f /etc/squid3/squid.conf<br>
ŠĀŠ¤ 1945 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d<br>
ŠĀŠ¤ 1968 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
ŠĀŠ¤ 1969 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
ŠĀŠ¤ 1970 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
ŠĀŠ¤ 1971 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
ŠĀŠ¤ 1972 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
ŠĀŠ¤ 1973 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
ŠĀŠ¤ 1974 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
ŠĀŠ¤ 1993 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d<br>
ŠĀŠ¤ 2029 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d<br>
ŠĀŠ¤63477 (pinger)<br>
ŠĀŠ¤63478 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
ŠĀŠ¤63479 (ntlm_auth) --helper-protocol=squid-2.5-basic<br>
Š¸Š¤63480 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d<br>
<br>
I will appreciate your help!<br>
<br>
Thanks!</div>
<br>
<p></p>
</div>
</div>
</div>
</div>
</body>
</html>