[squid-users] ext_wbinfo_group_acl is not working
Verónica Ovando
vero.ovando at live.com
Tue Mar 21 12:04:07 UTC 2017
>> Hi, everybody!
>>
>>
>> I have my Squid 3.4.8 running in Debian Jessie. It has been working with Active Directory authentication for more than a year without any kind of problem. But since a couple of weeks ago, suddenly, it stopped authenticate users, asking for credentials (username and pass) and they are not able to browse. I am getting this messages in /var/log/cache.log:
>>
>>
>> 2017/03/04 12:04:25.806 kid1| WARNING: external ACL 'Grupos_AD' queue overload. Request rejected 'user1 it_group'.
>>
>
>This means that your AD is not keeping up with the traffic through your
>proxy.
>Since your Squid has children=100 it will queue up to 200 transactions
>waiting for the helper before this message is shown.
>
>
>Dis cache.log have anything else from the external helper? you have
>debug mode enabled (-d) so it should be reporting if there are any
>issues with AD other than simply slowness.
>
>
Yes. I found this:
14:53:48 [root at server squid3]# tail -f /var/log/squid3/cache.log | grep helper
2017/03/16 14:54:19.527 kid1| Acl.cc(62) AuthenticateAcl: returning 2 sending credentials to helper.
2017/03/16 14:54:19.532 kid1| Acl.cc(62) AuthenticateAcl: returning 2 sending credentials to helper.
2017/03/16 14:54:20.743 kid1| Acl.cc(62) AuthenticateAcl: returning 2 sending credentials to helper.
And this:
2017/03/16 14:53:47.887 kid1| Acl.cc(118) FindByName: ACL::FindByName 'it_group'
2017/03/16 14:53:47.887 kid1| Gadgets.cc(71) aclGetDenyInfoPage: got called for it_group
2017/03/16 14:53:48.028 kid1| Acl.cc(157) matches: checking it_group
2017/03/16 14:53:48.028 kid1| Acl.cc(177) matches: checked: it_group = -1
2017/03/16 14:53:48.028 kid1| Gadgets.cc(103) aclIsProxyAuth: aclIsProxyAuth: called for it_group
2017/03/16 14:53:48.028 kid1| Acl.cc(118) FindByName: ACL::FindByName 'it_group'
>>
>> After some research I found this thread http://www.squid-cache.org/mail-archive/squid-users/200902/0386.html and followed the suggestions posted by Amos. But nothing happened.
>>
>> I tried rejoining the server to domain. Everything was fine in that way: wbinfo -u, wbinfo -g and wbinfo -P correctly returns all the users, groups and information of the domain.
>>
>>
>> After restart Squid service, I noticed that neither helper ext_wbinfo_group_acl nor pinger are started:
>>
>>
>> 12:04:01 [root at server ]# systemctl status squid3.service -l
>
>NOTE: do not trust systemd information about Squid-3. The two are not
>compatible and systemd often says incorrect things because it makes
>incorrect assumptions about the squid process(es). Especially if there
>has been a process crash and auto-restart at any point during Squid
>operation.
>
>
>> ● squid3.service - LSB: Squid HTTP Proxy version 3.x
>> Loaded: loaded (/etc/init.d/squid3)
>> Active: active (running) since sáb 2017-03-04 12:04:01 ART; 3s ago
>> Process: 4537 ExecStop=/etc/init.d/squid3 stop (code=exited, status=0/SUCCESS)
>> Process: 4560 ExecStart=/etc/init.d/squid3 start (code=exited, status=0/SUCCESS)
>> CGroup: /system.slice/squid3.service
>> ├─4593 /usr/sbin/squid3 -YC -f /etc/squid3/squid.conf
>> ├─4595 (squid-1) -YC -f /etc/squid3/squid.conf
>> └─4596 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
>> mar 04 12:04:01 server.mydomain.com squid3[4560]: Starting Squid HTTP Proxy 3.x: squid3
>> 2017/03/04 12:04:01| WARNING: external_acl_type option children=N has been deprecated in favor of children-max=N and children-startup=N
>
>Please note the warning and update your config file.
>
>> mar 04 12:04:01 server.mydomain.com squid3[4593]: Squid Parent: will start 1 kids
>> mar 04 12:04:01 server.mydomain.com squid3[4593]: Squid Parent: (squid-1) process 4595 started
>> mar 04 12:04:01 server.mydomain.com squid3[4560]: .
>>
>>
>> 12:04:30 [root at server ]# ps fax | grep ext_wbinfo_group_acl
>> 1418 pts/0 S+ 0:00 \_ grep ext_wbinfo_group_acl
>>
>> If I run echo "mydomain\user1 it_group" | /usr/lib/squid3/ext_wbinfo_group_acl -d, it returns
>>
>> Debugging mode ON.
>> Got mydomain\user1 it_group from squid
>> User: -mydomain\user1-
>> Group: -it_group-
>> SID: -S-1-5-21-2290000000-711000000-3300000000-3949-
>> GID: -10006-
>> Sending OK to squid
>> OK
>>
>> What it's a good, because that user belongs to that group. If I change the group name, it returns an ERR.
>>
>> Here is my squid.conf:
>>
>> #===========================================================================
>> http_port 3128
>> visible_hostname proxy.squid
>> cache_mgr server at proxy.com
>> cache_effective_user proxy
>> error_directory /usr/share/squid3/errors/es
>> err_page_stylesheet /etc/squid3/estilo.css
>>
>> ####################################################
>> #******************************Ports*************************************#
>> ####################################################
>>
>> #acl manager proto cache_object
>> #acl all src 0.0.0.0/0.0.0.0
>> #acl localhost src 127.0.0.1/32
>> acl SSL_ports port 443
>> acl Safe_ports port 80
>> acl Safe_ports port 21
>> acl Safe_ports port 443
>> acl Safe_ports port 70 #prot gopher
>> acl Safe_ports port 210 #whais
>> acl Safe_ports port 280 #http-mgmt
>> acl Safe_ports port 488 #gss-http
>> acl Safe_ports port 591 #filemaker
>> acl Safe_ports port 8080
>> acl Safe_ports port 2481
>> acl Safe_ports port 20010
>> acl Safe_ports port 777 #multi http
>> #acl purge method PURGE
>> acl CONNECT method CONNECT
>>
>> acl_uses_indirect_client on
>> delay_pool_uses_indirect_client on
>> log_uses_indirect_client on
>>
>>
>> ##############################################################
>> #*******************Active Directory HELPERS**************************#
>> ##############################################################
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
>> auth_param ntlm children 100
>> auth_param ntlm keep_alive off
>>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 100
>> auth_param basic realm Servidor proxy-cache
>> auth_param basic credentialsttl 2 hours
>>
>>
>> #######################################################################
>> #****************************ACL******************************************#
>> ###########################################################################
>>
>> #---------------------------ACL Active Directory------------------------#
>> external_acl_type Grupos_AD ttl=10 negative_ttl=10 children=100 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d
>> acl it_group external Grupos_AD it_group
>>
>> ------------------Acceso sólo a usuarios autenticados--------------------#
>> acl auth proxy_auth REQUIRED
>> http_access deny !auth
>>
>> #-----------------------------Grupo *it_group*----------------------------#
>> http_access allow it_group allow
>
>What is this extra "allow" on the end of the line for?
>
>I dont see any ACL named "allow" in the above config. So that may be
>preventing Squid from restarting, which would confuse systemd.
>
>
This is only a mistake. ACL "allow" does not exist. So it should be:
#-----------------------------Grupo *it_group*----------------------------#
http_access allow it_group
>>
>> http_access allow manager localhost
>> http_access deny manager
>> #http_access allow purge localhost
>> #http_access deny purge
>
>Please move the below two lines up to be the very first http_access
>lines in your config. Part of their purpose is to protect against some
>DoS conditions which can cause exactly this type of overload on headers.
>
I'll move it.
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_PORTS
>>
>> http_access deny all
>>
>> dead_peer_timeout 20 seconds
>> strip_query_terms on
>> debug_options ALL,1 33,2 28,9
>> coredump_dir /var/spool/squid3
>> ftp_passive on
>> ftp_sanitycheck off
>> ftp_telnet_protocol off
>> read_ahead_gap 1 MB
>> positive_dns_ttl 6 hours
>> forward_max_tries 25
>>
>>
>> ############################################################################
>> #*************************Log********************************#
>> ############################################################################
>>
>> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
>> cache_access_log /var/log/squid3/access.log
>> cache_log /var/log/squid3/cache.log
>> logfile_rotate 0
>>
>> ############################################################################
>> #******************Cache and memory***************************#
>> ############################################################################
>>
>> cache_mem 1024 MB
>> maximum_object_size_in_memory 1024 KB
>> memory_cache_mode always
>> cache_dir aufs /var/spool/squid3 15000 16 256
>> maximum_object_size 96 MB
>> minimum_object_size 10 KB
>> #cache_replacement_policy heap LFUDA
>> cache_replacement_policy heap GDSF
>> memory_replacement_policy heap GDSF
>> #memory_replacement_policy lru
>> cache_store_log none
>> #log_fqdn off
>> log_icp_queries off
>> buffered_logs off
>> #emulate_httpd_log off
>> redirect_rewrites_host_header off
>> cache_swap_low 80
>> cache_swap_high 95
>>
>> #===========================================================================
>>
>> It is really weird, I really don't know how to solve this. I hope my explanation was clear.
>>
>> For testing purposes, I have another Squid working with the same AD server, and it is going fine: the helper and pinger are executed as you can see here:
>>
>> root at debian-test-server:/etc/squid3# systemctl status squid3.service
>> ● squid3.service - LSB: Squid HTTP Proxy version 3.x
>> Loaded: loaded (/etc/init.d/squid3)
>> Active: active (running) since lun 2017-02-13 07:35:01 ART; 2 weeks 5 days ago
>> Process: 570 ExecStart=/etc/init.d/squid3 start (code=exited, status=0/SUCCESS)
>> CGroup: /system.slice/squid3.service
>> ├─ 1017 /usr/sbin/squid3 -YC -f /etc/squid3/squid.conf
>> ├─ 1020 (squid-1) -YC -f /etc/squid3/squid.conf
>> ├─ 1945 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d
>> ├─ 1968 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
>> ├─ 1969 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
>> ├─ 1970 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
>> ├─ 1971 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
>> ├─ 1972 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
>> ├─ 1973 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
>> ├─ 1974 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
>> ├─ 1993 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d
>> ├─ 2029 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d
>> ├─63477 (pinger)
>> ├─63478 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
>> ├─63479 (ntlm_auth) --helper-protocol=squid-2.5-basic
>> └─63480 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d
>>
>
>As configured your Squid should be starting exactly 100 of each - no
>more, no less. I suspect from both these traces that you dont actually
>need 100 of each helper running, or systemd is confused already.
>
>The current Squid versions can auto-start helpers as needed. See the
>auth_param and external_acl_type documentation for the max=, startup=
>and idle= options. That may help a little, or at least allow you to
>configure higher max limits to cope with slow AD periods.
>
>
>
I tried with those params but nothing happens. The helper doesn't auto-start.
external_acl_type Grupos_AD ttl=10 children-max=10 children-startup=10 children-idle=10 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d
And as suggested in the Squid wiki http://www.squid-cache.org/Doc/config/auth_param/, I used this values for:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --DOMAIN=RENTAS
auth_param ntlm children 20 startup=0 idle=1
auth_param ntlm keep_alive off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5 startup=5 idle=1
auth_param basic realm DPR-proxy
auth_param basic credentialsttl 2 hours
>Another possibility is converting to the LDAP group lookup instead of
>using the wbinfo tool to do lookups. I know that LDAP does not suffer
>from wbind connection limits, which might be part of your issue.
>
>Amos
>
Please Amos provide me further guidance. Cannot find a solution to this. Thanks!
--
Verónica Ovando
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170321/041ffc4a/attachment-0001.html>
More information about the squid-users
mailing list