<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
>> Hi, everybody!<br>
>> <br>
>> <br>
>> I have my Squid 3.4.8 running in Debian Jessie. It has been working with Active Directory authentication for more than a year without any kind of problem. But since a couple of weeks ago, suddenly, it stopped authenticate users, asking for credentials (username
and pass) and they are not able to browse. I am getting this messages in /var/log/cache.log:<br>
>> <br>
>> <br>
>> 2017/03/04 12:04:25.806 kid1| WARNING: external ACL 'Grupos_AD' queue overload. Request rejected 'user1 it_group'.<br>
>> <br>
><br>
>This means that your AD is not keeping up with the traffic through your<br>
>proxy.<br>
>Since your Squid has children=100 it will queue up to 200 transactions<br>
>waiting for the helper before this message is shown.<br>
><br>
><br>
>Dis cache.log have anything else from the external helper? you have<br>
>debug mode enabled (-d) so it should be reporting if there are any<br>
>issues with AD other than simply slowness.<br>
><br>
><br>
<br>
Yes. I found this:<br>
14:53:48 [root@server squid3]# tail -f /var/log/squid3/cache.log | grep helper<br>
2017/03/16 14:54:19.527 kid1| Acl.cc(62) AuthenticateAcl: returning 2 sending credentials to helper.<br>
2017/03/16 14:54:19.532 kid1| Acl.cc(62) AuthenticateAcl: returning 2 sending credentials to helper.<br>
2017/03/16 14:54:20.743 kid1| Acl.cc(62) AuthenticateAcl: returning 2 sending credentials to helper.<br>
<br>
And this:<br>
2017/03/16 14:53:47.887 kid1| Acl.cc(118) FindByName: ACL::FindByName 'it_group'<br>
2017/03/16 14:53:47.887 kid1| Gadgets.cc(71) aclGetDenyInfoPage: got called for it_group<br>
2017/03/16 14:53:48.028 kid1| Acl.cc(157) matches: checking it_group<br>
2017/03/16 14:53:48.028 kid1| Acl.cc(177) matches: checked: it_group = -1<br>
2017/03/16 14:53:48.028 kid1| Gadgets.cc(103) aclIsProxyAuth: aclIsProxyAuth: called for it_group<br>
2017/03/16 14:53:48.028 kid1| Acl.cc(118) FindByName: ACL::FindByName 'it_group'<br>
<br>
>> <br>
>> After some research I found this thread <a class="moz-txt-link-freetext" href="http://www.squid-cache.org/mail-archive/squid-users/200902/0386.html">
http://www.squid-cache.org/mail-archive/squid-users/200902/0386.html</a> and followed the suggestions posted by Amos. But nothing happened.<br>
>> <br>
>> I tried rejoining the server to domain. Everything was fine in that way: wbinfo -u, wbinfo -g and wbinfo -P correctly returns all the users, groups and information of the domain.<br>
>> <br>
>> <br>
>> After restart Squid service, I noticed that neither helper ext_wbinfo_group_acl nor pinger are started:<br>
>> <br>
>> <br>
>> 12:04:01 [root at server ]# systemctl status squid3.service -l<br>
><br>
>NOTE: do not trust systemd information about Squid-3. The two are not<br>
>compatible and systemd often says incorrect things because it makes<br>
>incorrect assumptions about the squid process(es). Especially if there<br>
>has been a process crash and auto-restart at any point during Squid<br>
>operation.<br>
><br>
><br>
>> ● squid3.service - LSB: Squid HTTP Proxy version 3.x<br>
>> Loaded: loaded (/etc/init.d/squid3)<br>
>> Active: active (running) since sáb 2017-03-04 12:04:01 ART; 3s ago<br>
>> Process: 4537 ExecStop=/etc/init.d/squid3 stop (code=exited, status=0/SUCCESS)<br>
>> Process: 4560 ExecStart=/etc/init.d/squid3 start (code=exited, status=0/SUCCESS)<br>
>> CGroup: /system.slice/squid3.service<br>
>> ├─4593 /usr/sbin/squid3 -YC -f /etc/squid3/squid.conf<br>
>> ├─4595 (squid-1) -YC -f /etc/squid3/squid.conf<br>
>> └─4596 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
>> mar 04 12:04:01 server.mydomain.com squid3[4560]: Starting Squid HTTP Proxy 3.x: squid3<br>
>> 2017/03/04 12:04:01| WARNING: external_acl_type option children=N has been deprecated in favor of children-max=N and children-startup=N<br>
><br>
>Please note the warning and update your config file.<br>
><br>
>> mar 04 12:04:01 server.mydomain.com squid3[4593]: Squid Parent: will start 1 kids<br>
>> mar 04 12:04:01 server.mydomain.com squid3[4593]: Squid Parent: (squid-1) process 4595 started<br>
>> mar 04 12:04:01 server.mydomain.com squid3[4560]: .<br>
>> <br>
>> <br>
>> 12:04:30 [root at server ]# ps fax | grep ext_wbinfo_group_acl<br>
>> 1418 pts/0 S+ 0:00 \_ grep ext_wbinfo_group_acl<br>
>> <br>
>> If I run echo "mydomain\user1 it_group" | /usr/lib/squid3/ext_wbinfo_group_acl -d, it returns<br>
>> <br>
>> Debugging mode ON.<br>
>> Got mydomain\user1 it_group from squid<br>
>> User: -mydomain\user1-<br>
>> Group: -it_group-<br>
>> SID: -S-1-5-21-2290000000-711000000-3300000000-3949-<br>
>> GID: -10006-<br>
>> Sending OK to squid<br>
>> OK<br>
>> <br>
>> What it's a good, because that user belongs to that group. If I change the group name, it returns an ERR.<br>
>> <br>
>> Here is my squid.conf:<br>
>> <br>
>> #===========================================================================<br>
>> http_port 3128<br>
>> visible_hostname proxy.squid<br>
>> cache_mgr server at proxy.com<br>
>> cache_effective_user proxy<br>
>> error_directory /usr/share/squid3/errors/es<br>
>> err_page_stylesheet /etc/squid3/estilo.css<br>
>> <br>
>> ####################################################<br>
>> #******************************Ports*************************************#<br>
>> ####################################################<br>
>> <br>
>> #acl manager proto cache_object<br>
>> #acl all src 0.0.0.0/0.0.0.0<br>
>> #acl localhost src 127.0.0.1/32<br>
>> acl SSL_ports port 443<br>
>> acl Safe_ports port 80<br>
>> acl Safe_ports port 21<br>
>> acl Safe_ports port 443<br>
>> acl Safe_ports port 70 #prot gopher<br>
>> acl Safe_ports port 210 #whais<br>
>> acl Safe_ports port 280 #http-mgmt<br>
>> acl Safe_ports port 488 #gss-http<br>
>> acl Safe_ports port 591 #filemaker<br>
>> acl Safe_ports port 8080<br>
>> acl Safe_ports port 2481<br>
>> acl Safe_ports port 20010<br>
>> acl Safe_ports port 777 #multi http<br>
>> #acl purge method PURGE<br>
>> acl CONNECT method CONNECT<br>
>> <br>
>> acl_uses_indirect_client on<br>
>> delay_pool_uses_indirect_client on<br>
>> log_uses_indirect_client on<br>
>> <br>
>> <br>
>> ##############################################################<br>
>> #*******************Active Directory HELPERS**************************#<br>
>> ##############################################################<br>
>> <br>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
>> auth_param ntlm children 100<br>
>> auth_param ntlm keep_alive off<br>
>> <br>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic<br>
>> auth_param basic children 100<br>
>> auth_param basic realm Servidor proxy-cache<br>
>> auth_param basic credentialsttl 2 hours<br>
>> <br>
>> <br>
>> #######################################################################<br>
>> #****************************ACL******************************************#<br>
>> ###########################################################################<br>
>> <br>
>> #---------------------------ACL Active Directory------------------------#<br>
>> external_acl_type Grupos_AD ttl=10 negative_ttl=10 children=100 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d<br>
>> acl it_group external Grupos_AD it_group<br>
>> <br>
>> ------------------Acceso sólo a usuarios autenticados--------------------#<br>
>> acl auth proxy_auth REQUIRED<br>
>> http_access deny !auth<br>
>> <br>
>> #-----------------------------Grupo *it_group*----------------------------#<br>
>> http_access allow it_group allow<br>
><br>
>What is this extra "allow" on the end of the line for?<br>
><br>
>I dont see any ACL named "allow" in the above config. So that may be<br>
>preventing Squid from restarting, which would confuse systemd.<br>
><br>
><br>
This is only a mistake. ACL "allow" does not exist. So it should be:<br>
#-----------------------------Grupo *it_group*----------------------------#<br>
http_access allow it_group<br>
>> <br>
>> http_access allow manager localhost<br>
>> http_access deny manager<br>
>> #http_access allow purge localhost<br>
>> #http_access deny purge<br>
><br>
>Please move the below two lines up to be the very first http_access<br>
>lines in your config. Part of their purpose is to protect against some<br>
>DoS conditions which can cause exactly this type of overload on headers.<br>
><br>
I'll move it.<br>
>> http_access deny !Safe_ports<br>
>> http_access deny CONNECT !SSL_PORTS<br>
>> <br>
>> http_access deny all<br>
>> <br>
>> dead_peer_timeout 20 seconds<br>
>> strip_query_terms on<br>
>> debug_options ALL,1 33,2 28,9<br>
>> coredump_dir /var/spool/squid3<br>
>> ftp_passive on<br>
>> ftp_sanitycheck off<br>
>> ftp_telnet_protocol off<br>
>> read_ahead_gap 1 MB<br>
>> positive_dns_ttl 6 hours<br>
>> forward_max_tries 25<br>
>> <br>
>> <br>
>> ############################################################################<br>
>> #*************************Log********************************#<br>
>> ############################################################################<br>
>> <br>
>> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt<br>
>> cache_access_log /var/log/squid3/access.log<br>
>> cache_log /var/log/squid3/cache.log<br>
>> logfile_rotate 0<br>
>> <br>
>> ############################################################################<br>
>> #******************Cache and memory***************************#<br>
>> ############################################################################<br>
>> <br>
>> cache_mem 1024 MB<br>
>> maximum_object_size_in_memory 1024 KB<br>
>> memory_cache_mode always<br>
>> cache_dir aufs /var/spool/squid3 15000 16 256<br>
>> maximum_object_size 96 MB<br>
>> minimum_object_size 10 KB<br>
>> #cache_replacement_policy heap LFUDA<br>
>> cache_replacement_policy heap GDSF<br>
>> memory_replacement_policy heap GDSF<br>
>> #memory_replacement_policy lru<br>
>> cache_store_log none<br>
>> #log_fqdn off<br>
>> log_icp_queries off<br>
>> buffered_logs off<br>
>> #emulate_httpd_log off<br>
>> redirect_rewrites_host_header off<br>
>> cache_swap_low 80<br>
>> cache_swap_high 95<br>
>> <br>
>> #===========================================================================<br>
>> <br>
>> It is really weird, I really don't know how to solve this. I hope my explanation was clear.<br>
>> <br>
>> For testing purposes, I have another Squid working with the same AD server, and it is going fine: the helper and pinger are executed as you can see here:<br>
>> <br>
>> root at debian-test-server:/etc/squid3# systemctl status squid3.service<br>
>> ● squid3.service - LSB: Squid HTTP Proxy version 3.x<br>
>> Loaded: loaded (/etc/init.d/squid3)<br>
>> Active: active (running) since lun 2017-02-13 07:35:01 ART; 2 weeks 5 days ago<br>
>> Process: 570 ExecStart=/etc/init.d/squid3 start (code=exited, status=0/SUCCESS)<br>
>> CGroup: /system.slice/squid3.service<br>
>> ├─ 1017 /usr/sbin/squid3 -YC -f /etc/squid3/squid.conf<br>
>> ├─ 1020 (squid-1) -YC -f /etc/squid3/squid.conf<br>
>> ├─ 1945 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d<br>
>> ├─ 1968 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
>> ├─ 1969 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
>> ├─ 1970 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
>> ├─ 1971 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
>> ├─ 1972 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
>> ├─ 1973 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
>> ├─ 1974 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
>> ├─ 1993 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d<br>
>> ├─ 2029 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d<br>
>> ├─63477 (pinger)<br>
>> ├─63478 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN<br>
>> ├─63479 (ntlm_auth) --helper-protocol=squid-2.5-basic<br>
>> └─63480 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d<br>
>> <br>
><br>
>As configured your Squid should be starting exactly 100 of each - no<br>
>more, no less. I suspect from both these traces that you dont actually<br>
>need 100 of each helper running, or systemd is confused already.<br>
><br>
>The current Squid versions can auto-start helpers as needed. See the<br>
>auth_param and external_acl_type documentation for the max=, startup=<br>
>and idle= options. That may help a little, or at least allow you to<br>
>configure higher max limits to cope with slow AD periods.<br>
><br>
><br>
><br>
<br>
I tried with those params but nothing happens. The helper doesn't auto-start. <br>
<i>external_acl_type Grupos_AD ttl=10 children-max=10 children-startup=10 children-idle=10 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d</i><i><br>
</i><br>
And as suggested in the Squid wiki <a class="moz-txt-link-freetext" href="http://www.squid-cache.org/Doc/config/auth_param/">
http://www.squid-cache.org/Doc/config/auth_param/</a>, I used this values for: <br>
<i>auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --DOMAIN=RENTAS</i><i><br>
</i><i>auth_param ntlm children 20 startup=0 idle=1</i><i><br>
</i><i>auth_param ntlm keep_alive off</i><i><br>
</i><i><br>
</i><i>auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic</i><i><br>
</i><i>auth_param basic children 5 startup=5 idle=1</i><i><br>
</i><i>auth_param basic realm DPR-proxy</i><i><br>
</i><i>auth_param basic credentialsttl 2 hours</i><br>
<br>
>Another possibility is converting to the LDAP group lookup instead of<br>
>using the wbinfo tool to do lookups. I know that LDAP does not suffer<br>
>from wbind connection limits, which might be part of your issue.<br>
><br>
>Amos<br>
><br>
Please Amos provide me further guidance. Cannot find a solution to this. Thanks!<br>
<div class="moz-signature">-- <br>
<b>Verónica Ovando</b></div>
</body>
</html>