Re: RES: squid cache problem

[Chris Robertson <crobertson@xxxxxxx>]

Luciano Sousa wrote:
> Chris,
> the squid denies access yes, see below:
>
> I shut down the computer normally yesterday evening ...
> this morning when I called the computer performed the following procedures
> in a .sh file:
>
> RunCache &
> RunAccel &
> squid
>   

You are effectively starting Squid THREE TIMES here.  Further, RunCache 
seems to be deprecated (and RunAccel for that matter) and will no longer 
be bundled starting with Squid3.1.  I'd advise against using them

> my acces.log
> 2009/04/16 08:52:51| Squid Cache (Version 3.0.STABLE13): Exiting normally.
> 2009/04/16 08:53:01| Starting Squid Cache version 3.0.STABLE13 for
> i686-pc-linux-gnu...
> 2009/04/16 08:53:01| Process ID 2854
> 2009/04/16 08:53:01| With 1024 file descriptors available
> 2009/04/16 08:53:01| Performing DNS Tests...
> 2009/04/16 08:53:01| Successful DNS name lookup tests...
> 2009/04/16 08:53:01| DNS Socket created at 0.0.0.0, port 42522, FD 6
> 2009/04/16 08:53:01| Adding domain cashinfo from /etc/resolv.conf
> 2009/04/16 08:53:01| Adding nameserver 192.168.1.254 from /etc/resolv.conf
> 2009/04/16 08:53:01| helperStatefulOpenServers: Starting 5 'ntlm_auth'
> processes
> 2009/04/16 08:53:01| helperOpenServers: Starting 5 'wbinfo_group.pl'
> processes
> [2009/04/16 08:53:02, 0] utils/ntlm_auth.c:get_winbind_domain(146)
>   could not obtain winbind domain name!

SNIP

> 2009/04/16 08:54:05| authenticateNTLMHandleReply: Error validating user via
> NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
>
> in this moment the acces to sites is blocked.
>   

Right.  Authentication is not working.

> i did the following procedures:
> # kinit administrador@xxxxxxxxxxxx
> # net ads join -U administrador -S domain.local # smbd #winbindd
>   

Was there any indication of success...?

> and, this acces to sites continues blocked with the error in access.log:
>
> 2009/04/16 08:51:19| helperStatefulOpenServers: Starting 5 'ntlm_auth'
> processes
> 2009/04/16 08:51:19| helperOpenServers: Starting 5 'wbinfo_group.pl'
> processes
> [2009/04/16 08:51:19, 0] utils/ntlm_auth.c:get_winbind_domain(146)
>   could not obtain winbind domain name!

Because it didn't seem to work.

> finally, i did the following procedures:
>
> # rm -rf /usr/local/squid/cache/*
>   

This should really only be performed if Squid is not running.  An then 
only if something is really messed up with your cache.

> # squid -k kill
> # squid -z
> # chmod 777 /usr/local/squid/cache/*
>   

This is not needed (and insecure) as if Squid has permission to create 
the directory structure under /usr/local/squid.cache it will do so with 
all the permissions it needs.

> # squid
> # RunCache
> # RunAccel
>   

At the top of this message, you ran the last three commands in the 
opposite order.  Perhaps that's a clue...

> and in the access.log:
>
> 2009/04/16 08:54:53| Starting Squid Cache version 3.0.STABLE13 for
> i686-pc-linux-gnu...
> 2009/04/16 08:54:53| Process ID 2891
> 2009/04/16 08:54:53| With 1024 file descriptors available
> 2009/04/16 08:54:53| Performing DNS Tests...
> 2009/04/16 08:54:53| Successful DNS name lookup tests...
> 2009/04/16 08:54:53| DNS Socket created at 0.0.0.0, port 55366, FD 6
> 2009/04/16 08:54:53| Adding domain cashinfo from /etc/resolv.conf
> 2009/04/16 08:54:53| Adding nameserver 192.168.1.254 from /etc/resolv.conf
> 2009/04/16 08:54:53| helperStatefulOpenServers: Starting 5 'ntlm_auth'
> processes
> 2009/04/16 08:54:53| helperOpenServers: Starting 5 'wbinfo_group.pl'
> processes
> 2009/04/16 08:54:53| Unlinkd pipe opened on FD 22
> 2009/04/16 08:54:53| Swap maxSize 1536000 KB, estimated 118153 objects
> 2009/04/16 08:54:53| Target number of buckets: 5907
> 2009/04/16 08:54:53| Using 8192 Store buckets
> 2009/04/16 08:54:53| Max Mem  size: 512000 KB
> 2009/04/16 08:54:53| Max Swap size: 1536000 KB
> 2009/04/16 08:54:53| Rebuilding storage in /usr/local/squid/cache (DIRTY)
> 2009/04/16 08:54:53| Using Least Load store dir selection
> 2009/04/16 08:54:53| Current Directory is /
> 2009/04/16 08:54:53| Loaded Icons.
> 2009/04/16 08:54:53| Accepting  HTTP connections at 0.0.0.0, port 3128, FD
> 23.
> 2009/04/16 08:54:53| Accepting ICP messages at 0.0.0.0, port 3128, FD 24.
> 2009/04/16 08:54:53| HTCP Disabled.
> 2009/04/16 08:54:53| Ready to serve requests.
> 2009/04/16 08:54:54| Done scanning /usr/local/squid/cache swaplog (0
> entries)
> 2009/04/16 08:54:54| Finished rebuilding storage from disk.
> 2009/04/16 08:54:54|         0 Entries scanned
> 2009/04/16 08:54:54|         0 Invalid entries.
> 2009/04/16 08:54:54|         0 With invalid flags.
> 2009/04/16 08:54:54|         0 Objects loaded.
> 2009/04/16 08:54:54|         0 Objects expired.
> 2009/04/16 08:54:54|         0 Objects cancelled.
> 2009/04/16 08:54:54|         0 Duplicate URLs purged.
> 2009/04/16 08:54:54|         0 Swapfile clashes avoided.
> 2009/04/16 08:54:54|   Took 1.10 seconds (  0.00 objects/sec).
> 2009/04/16 08:54:54| Beginning Validation Procedure
> 2009/04/16 08:54:54|   Completed Validation Procedure
> 2009/04/16 08:54:54|   Validated 25 Entries
> 2009/04/16 08:54:54|   store_swap_size = 0
> 2009/04/16 08:54:54| storeLateRelease: released 0 objects
> 2009/04/16 08:54:58| Squid is already running!  Process ID 2891
>   

Squid is already running.  No great surprise there.

> 2009/04/16 08:55:01| Squid is already running!  Process ID 2891
> 2009/04/16 08:55:06| Squid is already running!  Process ID 2891
> 2009/04/16 09:55:20| WARNING: All ntlmauthenticator processes are busy.
> 2009/04/16 09:55:20| WARNING: 5 pending requests queued
> 2009/04/16 09:55:20| Consider increasing the number of ntlmauthenticator
> processes in your config file.
> 2009/04/16 10:38:36.253| connReadWasError: FD 27: got flag -1
> 2009/04/16 10:39:44.805| connReadWasError: FD 35: got flag -1
> 2009/04/16 10:47:59.235| connReadWasError: FD 50: got flag -1
> 2009/04/16 10:54:59.238| connReadWasError: FD 25: got flag -1
> 2009/04/16 10:55:02.321| connReadWasError: FD 33: got flag -1
> 2009/04/16 11:10:59.048| connReadWasError: FD 30: got flag -1
> 2009/04/16 11:11:07.158| connReadWasError: FD 52: got flag -1
> 2009/04/16 11:11:20.714| connReadWasError: FD 53: got flag -1
> 2009/04/16 11:44:55.833| connReadWasError: FD 25: got flag -1
> 2009/04/16 11:44:55.841| connReadWasError: FD 34: got flag -1
> 2009/04/16 11:44:55.842| connReadWasError: FD 30: got flag -1
> 2009/04/16 11:45:11.604| connReadWasError: FD 33: got flag -1
> 2009/04/16 11:45:11.616| connReadWasError: FD 35: got flag -1
> 2009/04/16 11:45:11.629| connReadWasError: FD 34: got flag -1
> 2009/04/16 11:45:15.782| connReadWasError: FD 38: got flag -1
> 2009/04/16 11:45:15.783| connReadWasError: FD 39: got flag -1
> 2009/04/16 11:45:15.792| connReadWasError: FD 40: got flag -1
> 2009/04/16 12:37:08.458| connReadWasError: FD 30: got flag -1
>
>
> what i do;
>
> remove the .sh to boot;
> create a new .sh for starter the squid, because if the computer is
> disconnected in a way inappropriate, when it is switched on the squid will
> run normally ...
> how should I proceed?

Find a recent Squid init script for your your distribution, or baring 
that just start squid (and ONLY squid, not RunCache or RunAccel) from 
/etc/rc.local.  See if that runs better.  Clearing the cache as a means 
of fixing broken authentication is...  Uh...  Probably not the correct 
path to follow.

Chris