[squid-users] ext_wbinfo_group_acl is not working
Amos Jeffries
squid3 at treenet.co.nz
Thu Mar 9 14:46:00 UTC 2017
On 8/03/2017 2:35 a.m., Verónica Ovando wrote:
> Hi, everybody!
>
>
> I have my Squid 3.4.8 running in Debian Jessie. It has been working with Active Directory authentication for more than a year without any kind of problem. But since a couple of weeks ago, suddenly, it stopped authenticating users, asking for credentials (username and password), and they are not able to browse. I am getting these messages in /var/log/cache.log:
>
>
> 2017/03/04 12:04:25.806 kid1| WARNING: external ACL 'Grupos_AD' queue overload. Request rejected 'user1 it_group'.
>
This means that your AD is not keeping up with the traffic through your
proxy.
Since your Squid has children=100 it will queue up to 200 transactions
waiting for the helper before this message is shown.
Does cache.log have anything else from the external helper? You have
debug mode enabled (-d), so it should be reporting if there are any
issues with AD other than simply slowness.
>
> After some research I found this thread http://www.squid-cache.org/mail-archive/squid-users/200902/0386.html and followed the suggestions posted by Amos. But nothing happened.
>
> I tried rejoining the server to the domain. Everything was fine in that respect: wbinfo -u, wbinfo -g and wbinfo -P correctly return all the users, groups and information of the domain.
>
>
> After restarting the Squid service, I noticed that neither the helper ext_wbinfo_group_acl nor the pinger is started:
>
>
> 12:04:01 [root at server ]# systemctl status squid3.service -l
NOTE: do not trust systemd information about Squid-3. The two are not
compatible and systemd often says incorrect things because it makes
incorrect assumptions about the squid process(es). Especially if there
has been a process crash and auto-restart at any point during Squid
operation.
> ● squid3.service - LSB: Squid HTTP Proxy version 3.x
> Loaded: loaded (/etc/init.d/squid3)
> Active: active (running) since sáb 2017-03-04 12:04:01 ART; 3s ago
> Process: 4537 ExecStop=/etc/init.d/squid3 stop (code=exited, status=0/SUCCESS)
> Process: 4560 ExecStart=/etc/init.d/squid3 start (code=exited, status=0/SUCCESS)
> CGroup: /system.slice/squid3.service
> ├─4593 /usr/sbin/squid3 -YC -f /etc/squid3/squid.conf
> ├─4595 (squid-1) -YC -f /etc/squid3/squid.conf
> └─4596 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
> mar 04 12:04:01 server.mydomain.com squid3[4560]: Starting Squid HTTP Proxy 3.x: squid3
> 2017/03/04 12:04:01| WARNING: external_acl_type option children=N has been deprecated in favor of children-max=N and children-startup=N
Please note the warning and update your config file.
> mar 04 12:04:01 server.mydomain.com squid3[4593]: Squid Parent: will start 1 kids
> mar 04 12:04:01 server.mydomain.com squid3[4593]: Squid Parent: (squid-1) process 4595 started
> mar 04 12:04:01 server.mydomain.com squid3[4560]: .
>
>
> 12:04:30 [root at server ]# ps fax | grep ext_wbinfo_group_acl
> 1418 pts/0 S+ 0:00 \_ grep ext_wbinfo_group_acl
>
> If I run echo "mydomain\user1 it_group" | /usr/lib/squid3/ext_wbinfo_group_acl -d, it returns
>
> Debugging mode ON.
> Got mydomain\user1 it_group from squid
> User: -mydomain\user1-
> Group: -it_group-
> SID: -S-1-5-21-2290000000-711000000-3300000000-3949-
> GID: -10006-
> Sending OK to squid
> OK
>
> Which is good, because that user belongs to that group. If I change the group name, it returns an ERR.
>
> Here is my squid.conf:
>
> #===========================================================================
> http_port 3128
> visible_hostname proxy.squid
> cache_mgr server at proxy.com
> cache_effective_user proxy
> error_directory /usr/share/squid3/errors/es
> err_page_stylesheet /etc/squid3/estilo.css
>
> ####################################################
> #******************************Ports*************************************#
> ####################################################
>
> #acl manager proto cache_object
> #acl all src 0.0.0.0/0.0.0.0
> #acl localhost src 127.0.0.1/32
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70 #prot gopher
> acl Safe_ports port 210 #whais
> acl Safe_ports port 280 #http-mgmt
> acl Safe_ports port 488 #gss-http
> acl Safe_ports port 591 #filemaker
> acl Safe_ports port 8080
> acl Safe_ports port 2481
> acl Safe_ports port 20010
> acl Safe_ports port 777 #multi http
> #acl purge method PURGE
> acl CONNECT method CONNECT
>
> acl_uses_indirect_client on
> delay_pool_uses_indirect_client on
> log_uses_indirect_client on
>
>
> ##############################################################
> #*******************Active Directory HELPERS**************************#
> ##############################################################
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
> auth_param ntlm children 100
> auth_param ntlm keep_alive off
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 100
> auth_param basic realm Servidor proxy-cache
> auth_param basic credentialsttl 2 hours
>
>
> #######################################################################
> #****************************ACL******************************************#
> ###########################################################################
>
> #---------------------------ACL Active Directory------------------------#
> external_acl_type Grupos_AD ttl=10 negative_ttl=10 children=100 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d
> acl it_group external Grupos_AD it_group
>
> #---------------------Access only for authenticated users---------------------#
> acl auth proxy_auth REQUIRED
> http_access deny !auth
>
> #-----------------------------Grupo *it_group*----------------------------#
> http_access allow it_group allow
What is this extra "allow" on the end of the line for?
I don't see any ACL named "allow" in the above config. So that may be
preventing Squid from restarting, which would confuse systemd.
>
> http_access allow manager localhost
> http_access deny manager
> #http_access allow purge localhost
> #http_access deny purge
Please move the below two lines up to be the very first http_access
lines in your config. Part of their purpose is to protect against some
DoS conditions which can cause exactly this type of overload on headers.
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_PORTS
>
> http_access deny all
>
> dead_peer_timeout 20 seconds
> strip_query_terms on
> debug_options ALL,1 33,2 28,9
> coredump_dir /var/spool/squid3
> ftp_passive on
> ftp_sanitycheck off
> ftp_telnet_protocol off
> read_ahead_gap 1 MB
> positive_dns_ttl 6 hours
> forward_max_tries 25
>
>
> ############################################################################
> #*************************Log********************************#
> ############################################################################
>
> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
> cache_access_log /var/log/squid3/access.log
> cache_log /var/log/squid3/cache.log
> logfile_rotate 0
>
> ############################################################################
> #******************Cache and memory***************************#
> ############################################################################
>
> cache_mem 1024 MB
> maximum_object_size_in_memory 1024 KB
> memory_cache_mode always
> cache_dir aufs /var/spool/squid3 15000 16 256
> maximum_object_size 96 MB
> minimum_object_size 10 KB
> #cache_replacement_policy heap LFUDA
> cache_replacement_policy heap GDSF
> memory_replacement_policy heap GDSF
> #memory_replacement_policy lru
> cache_store_log none
> #log_fqdn off
> log_icp_queries off
> buffered_logs off
> #emulate_httpd_log off
> redirect_rewrites_host_header off
> cache_swap_low 80
> cache_swap_high 95
>
> #===========================================================================
>
> It is really weird, I really don't know how to solve this. I hope my explanation was clear.
>
> For testing purposes, I have another Squid working with the same AD server, and it is going fine: the helper and pinger are executed as you can see here:
>
> root at debian-test-server:/etc/squid3# systemctl status squid3.service
> ● squid3.service - LSB: Squid HTTP Proxy version 3.x
> Loaded: loaded (/etc/init.d/squid3)
> Active: active (running) since lun 2017-02-13 07:35:01 ART; 2 weeks 5 days ago
> Process: 570 ExecStart=/etc/init.d/squid3 start (code=exited, status=0/SUCCESS)
> CGroup: /system.slice/squid3.service
> ├─ 1017 /usr/sbin/squid3 -YC -f /etc/squid3/squid.conf
> ├─ 1020 (squid-1) -YC -f /etc/squid3/squid.conf
> ├─ 1945 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d
> ├─ 1968 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
> ├─ 1969 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
> ├─ 1970 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
> ├─ 1971 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
> ├─ 1972 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
> ├─ 1973 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
> ├─ 1974 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
> ├─ 1993 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d
> ├─ 2029 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d
> ├─63477 (pinger)
> ├─63478 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
> ├─63479 (ntlm_auth) --helper-protocol=squid-2.5-basic
> └─63480 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d
>
As configured your Squid should be starting exactly 100 of each - no
more, no less. I suspect from both these traces that you don't actually
need 100 of each helper running, or systemd is confused already.
The current Squid versions can auto-start helpers as needed. See the
auth_param and external_acl_type documentation for the max=, startup=
and idle= options. That may help a little, or at least allow you to
configure higher max limits to cope with slow AD periods.
Another possibility is converting to the LDAP group lookup instead of
using the wbinfo tool to do lookups. I know that LDAP does not suffer
from winbind connection limits, which might be part of your issue.
Amos
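The three points raised in this reply (the Safe_ports and CONNECT denials belong before any other http_access line, the deprecated children=N should become children-max/children-startup/children-idle, and the stray trailing "allow" references an ACL that does not exist) collected into one corrected fragment of the quoted squid.conf. This is an added example, not something posted in the thread; the option names are the Squid 3.2+ replacements for children=, while the helper counts 10 and 5 are placeholder values to be tuned for the site, not figures from the original post.

```conf
# Added example: corrected version of the relevant parts of the quoted
# squid.conf (not from the thread). Helper counts are placeholders to tune.

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl CONNECT method CONNECT

# Authentication helpers: let Squid start helpers on demand instead of
# forking 100 of each at startup; max stays at 100 for slow AD periods.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
auth_param ntlm children 100 startup=10 idle=5
auth_param ntlm keep_alive off

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 100 startup=10 idle=5
auth_param basic realm Servidor proxy-cache
auth_param basic credentialsttl 2 hours

# External ACL: children-max/children-startup/children-idle replace the
# deprecated children=N. Squid queues up to 2 x children-max lookups before
# logging "queue overload", so children-max is the headroom for AD slowness.
external_acl_type Grupos_AD ttl=10 negative_ttl=10 children-max=100 children-startup=10 children-idle=5 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d
acl it_group external Grupos_AD it_group
acl auth proxy_auth REQUIRED

# These two denials come FIRST: requests to unsafe ports or bogus CONNECT
# targets are rejected before proxy_auth or the group lookup is triggered,
# so they can never fill the ntlm_auth or external ACL helper queues.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow manager localhost
http_access deny manager

# Require authentication, then one ACL per rule. The original line
# "http_access allow it_group allow" named a nonexistent ACL "allow".
http_access deny !auth
http_access allow it_group
http_access deny all
```

After editing, `squid3 -k parse -f /etc/squid3/squid.conf` reports any remaining unknown ACL name or deprecated option before the running instance is touched, and `squid3 -k reconfigure` applies the result without a full restart.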