[squid-users] ext_wbinfo_group_acl is not working
Amos Jeffries
squid3 at treenet.co.nz
Wed Mar 22 03:23:21 UTC 2017
On 22/03/2017 1:04 a.m., VerĂ³nica Ovando wrote:
>>> Hi, everybody!
>>>
>>>
>>> I have my Squid 3.4.8 running in Debian Jessie. It has been working with Active Directory authentication for more than a year without any kind of problem. But since a couple of weeks ago, suddenly, it stopped authenticate users, asking for credentials (username and pass) and they are not able to browse. I am getting this messages in /var/log/cache.log:
>>>
>>>
>>> 2017/03/04 12:04:25.806 kid1| WARNING: external ACL 'Grupos_AD' queue overload. Request rejected 'user1 it_group'.
>>>
>>
>> This means that your AD is not keeping up with the traffic through your
>> proxy.
>> Since your Squid has children=100 it will queue up to 200 transactions
>> waiting for the helper before this message is shown.
>>
>>
>> Dis cache.log have anything else from the external helper? you have
>> debug mode enabled (-d) so it should be reporting if there are any
>> issues with AD other than simply slowness.
>>
>>
>
> Yes. I found this:
> 14:53:48 [root at server squid3]# tail -f /var/log/squid3/cache.log | grep helper
> 2017/03/16 14:54:19.527 kid1| Acl.cc(62) AuthenticateAcl: returning 2 sending credentials to helper.
> 2017/03/16 14:54:19.532 kid1| Acl.cc(62) AuthenticateAcl: returning 2 sending credentials to helper.
> 2017/03/16 14:54:20.743 kid1| Acl.cc(62) AuthenticateAcl: returning 2 sending credentials to helper.
>
> And this:
> 2017/03/16 14:53:47.887 kid1| Acl.cc(118) FindByName: ACL::FindByName 'it_group'
> 2017/03/16 14:53:47.887 kid1| Gadgets.cc(71) aclGetDenyInfoPage: got called for it_group
> 2017/03/16 14:53:48.028 kid1| Acl.cc(157) matches: checking it_group
> 2017/03/16 14:53:48.028 kid1| Acl.cc(177) matches: checked: it_group = -1
> 2017/03/16 14:53:48.028 kid1| Gadgets.cc(103) aclIsProxyAuth: aclIsProxyAuth: called for it_group
> 2017/03/16 14:53:48.028 kid1| Acl.cc(118) FindByName: ACL::FindByName 'it_group'
>
Hmm. These lines are still from Squid itself. Note the "kid" portion of
the line entry is only produced by Squid.
I'm not sure about debug on the Samba helper, but debug lines from
helpers will usually show up either no timestamp, maybe with a different
timestamp format, and maybe the helpers binary name where the kid part is.
Anyhow, the above lines seem to indicate the group checking it being
done. Or at least started. Which matches what you said earlier, they are
starting but may be overloading.
<snip>
>>
>> The current Squid versions can auto-start helpers as needed. See the
>> auth_param and external_acl_type documentation for the max=, startup=
>> and idle= options. That may help a little, or at least allow you to
>> configure higher max limits to cope with slow AD periods.
>>
>>
>>
>
> I tried with those params but nothing happens. The helper doesn't auto-start.
> external_acl_type Grupos_AD ttl=10 children-max=10 children-startup=10 children-idle=10 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d
>
> And as suggested in the Squid wiki http://www.squid-cache.org/Doc/config/auth_param/, I used this values for:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --DOMAIN=RENTAS
> auth_param ntlm children 20 startup=0 idle=1
> auth_param ntlm keep_alive off
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5 startup=5 idle=1
> auth_param basic realm DPR-proxy
> auth_param basic credentialsttl 2 hours
>
>> Another possibility is converting to the LDAP group lookup instead of
>> using the wbinfo tool to do lookups. I know that LDAP does not suffer
>>from wbind connection limits, which might be part of your issue.
>>
>> Amos
>>
> Please Amos provide me further guidance. Cannot find a solution to this. Thanks!
I'm stuck myself now. The info you ave been able to provide does not
seem to contain any useful clues about what the problem might be other
than just the helper queue overloading. It has been a long time since I
went near the Windows stuff so memory has paged out sorry :-(.
Maybe raising the helpers max limit? with these 5 and 10 helper limits I
would expect Squid to only be able to handle 20-150 requests per second.
I usually advice using a limit of ~200 helpers for NTLM related things,
a bit more if you have a busy proxy. The point of the new
max/startup/idle feature is that you can set the startup value low and a
much higher maximum.
One other thing that might help is; with that starup=0 you should not
see any NTLM auth helpers immediately after starting Squid. The first
ntlm_auth helper is only started (from idle=1) when the first HTTP
request that needs credential checking is received. Your checks will
need to take that into consideration.
(I suspect systemd may not be able to track helpers which are started
after the initial startup process is completed.)
Amos
More information about the squid-users
mailing list