[squid-users] ext_wbinfo_group_acl is not working
Verónica Ovando
vero.ovando at live.com
Tue Mar 7 13:35:41 UTC 2017
Hi, everybody!
I have my Squid 3.4.8 running in Debian Jessie. It has been working with Active Directory authentication for more than a year without any kind of problem. But since a couple of weeks ago, suddenly, it stopped authenticating users, asking for credentials (username and password), and they are not able to browse. I am getting these messages in /var/log/cache.log:
2017/03/04 12:04:25.806 kid1| WARNING: external ACL 'Grupos_AD' queue overload. Request rejected 'user1 it_group'.
After some research I found this thread http://www.squid-cache.org/mail-archive/squid-users/200902/0386.html and followed the suggestions posted by Amos. But nothing happened.
I tried rejoining the server to domain. Everything was fine in that way: wbinfo -u, wbinfo -g and wbinfo -P correctly returns all the users, groups and information of the domain.
After restarting the Squid service, I noticed that neither the ext_wbinfo_group_acl helper nor the pinger is started:
12:04:01 [root at server ]# systemctl status squid3.service -l
● squid3.service - LSB: Squid HTTP Proxy version 3.x
Loaded: loaded (/etc/init.d/squid3)
Active: active (running) since sáb 2017-03-04 12:04:01 ART; 3s ago
Process: 4537 ExecStop=/etc/init.d/squid3 stop (code=exited, status=0/SUCCESS)
Process: 4560 ExecStart=/etc/init.d/squid3 start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/squid3.service
├─4593 /usr/sbin/squid3 -YC -f /etc/squid3/squid.conf
├─4595 (squid-1) -YC -f /etc/squid3/squid.conf
└─4596 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
mar 04 12:04:01 server.mydomain.com squid3[4560]: Starting Squid HTTP Proxy 3.x: squid32017/03/04 12:04:01| WARNING: external_acl_type option children=N has been deprecated in favor of children-max=N and children-startup=N
mar 04 12:04:01 server.mydomain.com squid3[4593]: Squid Parent: will start 1 kids
mar 04 12:04:01 server.mydomain.com squid3[4593]: Squid Parent: (squid-1) process 4595 started
mar 04 12:04:01 server.mydomain.com squid3[4560]: .
12:04:30 [root at server ]# ps fax | grep ext_wbinfo_group_acl
1418 pts/0 S+ 0:00 \_ grep ext_wbinfo_group_acl
If I run echo "mydomain\user1 it_group" | /usr/lib/squid3/ext_wbinfo_group_acl -d, it returns
Debugging mode ON.
Got mydomain\user1 it_group from squid
User: -mydomain\user1-
Group: -it_group-
SID: -S-1-5-21-2290000000-711000000-3300000000-3949-
GID: -10006-
Sending OK to squid
OK
Which is good, because that user belongs to that group. If I change the group name, it returns ERR.
Here is my squid.conf:
#===========================================================================
http_port 3128
visible_hostname proxy.squid
cache_mgr server@proxy.com
cache_effective_user proxy
error_directory /usr/share/squid3/errors/es
err_page_stylesheet /etc/squid3/estilo.css
####################################################
#******************************Ports*************************************#
####################################################
#acl manager proto cache_object
#acl all src 0.0.0.0/0.0.0.0
#acl localhost src 127.0.0.1/32
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 8080
acl Safe_ports port 2481
acl Safe_ports port 20010
acl Safe_ports port 777 # multiling http
#acl purge method PURGE
acl CONNECT method CONNECT
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
##############################################################
#*******************Active Directory HELPERS**************************#
##############################################################
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
auth_param ntlm children 100
auth_param ntlm keep_alive off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 100
auth_param basic realm Servidor proxy-cache
auth_param basic credentialsttl 2 hours
#######################################################################
#****************************ACL******************************************#
###########################################################################
#---------------------------ACL Active Directory------------------------#
external_acl_type Grupos_AD ttl=10 negative_ttl=10 children=100 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d
acl it_group external Grupos_AD it_group
#------------------Access only for authenticated users--------------------#
acl auth proxy_auth REQUIRED
http_access deny !auth
#-----------------------------Grupo *it_group*----------------------------#
http_access allow it_group
http_access allow manager localhost
http_access deny manager
#http_access allow purge localhost
#http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
dead_peer_timeout 20 seconds
strip_query_terms on
debug_options ALL,1 33,2 28,9
coredump_dir /var/spool/squid3
ftp_passive on
ftp_sanitycheck off
ftp_telnet_protocol off
read_ahead_gap 1 MB
positive_dns_ttl 6 hours
forward_max_tries 25
############################################################################
#*************************Log********************************#
############################################################################
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
cache_access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
logfile_rotate 0
############################################################################
#******************Cache and memory***************************#
############################################################################
cache_mem 1024 MB
maximum_object_size_in_memory 1024 KB
memory_cache_mode always
cache_dir aufs /var/spool/squid3 15000 16 256
maximum_object_size 96 MB
minimum_object_size 10 KB
#cache_replacement_policy heap LFUDA
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
#memory_replacement_policy lru
cache_store_log none
#log_fqdn off
log_icp_queries off
buffered_logs off
#emulate_httpd_log off
redirect_rewrites_host_header off
cache_swap_low 80
cache_swap_high 95
#===========================================================================
It is really weird, and I really don't know how to solve this. I hope my explanation was clear.
For testing purposes, I have another Squid working with the same AD server, and it is going fine: the helper and the pinger are executed, as you can see here:
root at debian-test-server:/etc/squid3# systemctl status squid3.service
● squid3.service - LSB: Squid HTTP Proxy version 3.x
Loaded: loaded (/etc/init.d/squid3)
Active: active (running) since lun 2017-02-13 07:35:01 ART; 2 weeks 5 days ago
Process: 570 ExecStart=/etc/init.d/squid3 start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/squid3.service
├─ 1017 /usr/sbin/squid3 -YC -f /etc/squid3/squid.conf
├─ 1020 (squid-1) -YC -f /etc/squid3/squid.conf
├─ 1945 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d
├─ 1968 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
├─ 1969 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
├─ 1970 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
├─ 1971 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
├─ 1972 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
├─ 1973 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
├─ 1974 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
├─ 1993 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d
├─ 2029 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d
├─63477 (pinger)
├─63478 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
├─63479 (ntlm_auth) --helper-protocol=squid-2.5-basic
└─63480 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d
I would appreciate your help!
Thanks!
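An added example, not part of the original post: a small Python parser for the "queue overload" warning quoted above, run over constructed cache.log lines, that counts rejected external ACL lookups per ACL name and per user so the condition can be alerted on before users start seeing credential prompts. The sample log lines and the alert threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample cache.log lines modelled on the warning quoted in the post.
SAMPLE_LOG = """\
2017/03/04 12:04:25.806 kid1| WARNING: external ACL 'Grupos_AD' queue overload. Request rejected 'user1 it_group'.
2017/03/04 12:04:25.901 kid1| WARNING: external ACL 'Grupos_AD' queue overload. Request rejected 'user2 it_group'.
2017/03/04 12:04:26.110 kid1| WARNING: external ACL 'Grupos_AD' queue overload. Request rejected 'user1 it_group'.
2017/03/04 12:04:27.002 kid1| Starting new helpers
2017/03/04 12:04:30.500 kid1| WARNING: external ACL 'Other_ACL' queue overload. Request rejected 'user3 sales'.
"""

# Matches the exact warning Squid emits when an external ACL helper queue is full.
OVERLOAD_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) kid\d+\| "
    r"WARNING: external ACL '(?P<acl>[^']+)' queue overload\. "
    r"Request rejected '(?P<req>[^']*)'\.$"
)

def parse_overloads(log_text):
    """Yield (timestamp, acl_name, rejected_request) for each queue-overload warning."""
    for line in log_text.splitlines():
        m = OVERLOAD_RE.match(line)
        if m:
            yield m.group("ts"), m.group("acl"), m.group("req")

def summarize(log_text):
    """Count rejections per external ACL and per (acl, user); returns two Counters."""
    per_acl = Counter()
    per_user = Counter()
    for _ts, acl, req in parse_overloads(log_text):
        per_acl[acl] += 1
        user = req.split(" ", 1)[0]  # %LOGIN is the first token; the group name follows
        per_user[(acl, user)] += 1
    return per_acl, per_user

def overloaded_acls(log_text, threshold=2):
    """Return the ACL names whose rejection count reaches the alert threshold (assumed)."""
    per_acl, _ = summarize(log_text)
    return sorted(acl for acl, n in per_acl.items() if n >= threshold)

if __name__ == "__main__":
    per_acl, per_user = summarize(SAMPLE_LOG)
    for acl, n in per_acl.most_common():
        print(f"{acl}: {n} rejected lookups")
    for (acl, user), n in per_user.most_common():
        print(f"  {acl} {user}: {n}")
    print("alert:", overloaded_acls(SAMPLE_LOG))
```

Every rejected lookup is a denied request for a user who is otherwise authenticated, so a rising count for one ACL points at the helper pool (children-max for that external_acl_type) rather than at the directory.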