Chris Robertson wrote:
Luciano Sousa wrote:
Chris,
the squid denies access yes, see below:
I shut down the computer normally yesterday evening ...
this morning when I called the computer performed the following
procedures
in a .sh file:
RunCache &
RunAccel &
squid
You are effectively starting Squid THREE TIMES here. Further, RunCache
seems to be deprecated (and RunAccel for that matter) and will no longer
be bundled starting with Squid3.1. I'd advise against using them.
my access.log
2009/04/16 08:52:51| Squid Cache (Version 3.0.STABLE13): Exiting normally.
2009/04/16 08:53:01| Starting Squid Cache version 3.0.STABLE13 for i686-pc-linux-gnu...
2009/04/16 08:53:01| Process ID 2854
2009/04/16 08:53:01| With 1024 file descriptors available
2009/04/16 08:53:01| Performing DNS Tests...
2009/04/16 08:53:01| Successful DNS name lookup tests...
2009/04/16 08:53:01| DNS Socket created at 0.0.0.0, port 42522, FD 6
2009/04/16 08:53:01| Adding domain cashinfo from /etc/resolv.conf
2009/04/16 08:53:01| Adding nameserver 192.168.1.254 from /etc/resolv.conf
2009/04/16 08:53:01| helperStatefulOpenServers: Starting 5 'ntlm_auth' processes
2009/04/16 08:53:01| helperOpenServers: Starting 5 'wbinfo_group.pl' processes
[2009/04/16 08:53:02, 0] utils/ntlm_auth.c:get_winbind_domain(146)
could not obtain winbind domain name!
SNIP
2009/04/16 08:54:05| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
in this moment the access to sites is blocked.
Right. Authentication is not working.
i did the following procedures:
# kinit administrador@xxxxxxxxxxxx
# net ads join -U administrador -S domain.local
# smbd
# winbindd
Was there any indication of success...?
and, this access to sites continues blocked with the error in access.log:
2009/04/16 08:51:19| helperStatefulOpenServers: Starting 5 'ntlm_auth' processes
2009/04/16 08:51:19| helperOpenServers: Starting 5 'wbinfo_group.pl' processes
[2009/04/16 08:51:19, 0] utils/ntlm_auth.c:get_winbind_domain(146)
could not obtain winbind domain name!
Because it didn't seem to work.
finally, i did the following procedures:
# rm -rf /usr/local/squid/cache/*
This should really only be performed if Squid is not running. And then
only if something is really messed up with your cache.
# squid -k kill
# squid -z
# chmod 777 /usr/local/squid/cache/*
This is not needed (and insecure) as if Squid has permission to create
the directory structure under /usr/local/squid.cache it will do so with
all the permissions it needs.
Indeed, drop them and the rm above completely. Should only be done
manually at times of great need.
# squid
# RunCache
# RunAccel
At the top of this message, you ran the last three commands in the
opposite order. Perhaps that's a clue...
It is and a major one....
RunCache + RunAccel perform tests to see if squid is already running and
not start it twice.
Doing even this order:
RunCache
squid
means:
RunCache - will start squid (none already running) with successful log
info goes to a cache.log
squid - will unconditionally try to start a second squid ... and
overwrite the cache.log from RunCache with new failed startup info, or
at best-case will append start up failures at the end.
<snip>
how should I proceed?
Find a recent Squid init script for your distribution, or barring
that just start squid (and ONLY squid, not RunCache or RunAccel) from
/etc/rc.local. See if that runs better. Clearing the cache as a means
of fixing broken authentication is... Uh... Probably not the correct
path to follow.
Chris
what Chris said :)
PS: RunCache is deprecated, because its capability is now built into
squid, both 2.6+ and 3.0+.
I'm not actually at this point planning to remove it from 3.1, but it's
on the books for one of the future releases unless someone has a good
use-case for keeping it.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
Current Beta Squid 3.1.0.7
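
An added example, not part of the original thread and not code from the Squid project: a small triage script for the kind of cache.log excerpt quoted above. It reports the NTLM/winbind helper errors and, as a heuristic assumed here, any Squid start logged while an earlier start has no "Exiting normally" line (a crash would look the same). The sample log is constructed from the lines in the thread, with a second start line added for illustration; `triage` and the finding labels are hypothetical names.

```python
import re

# Constructed sample, modelled on the cache.log lines quoted in the thread;
# the second "Starting Squid Cache" line is added for illustration.
SAMPLE_LOG = """\
2009/04/16 08:53:01| Starting Squid Cache version 3.0.STABLE13 for i686-pc-linux-gnu...
2009/04/16 08:53:01| helperStatefulOpenServers: Starting 5 'ntlm_auth' processes
[2009/04/16 08:53:02, 0] utils/ntlm_auth.c:get_winbind_domain(146)
  could not obtain winbind domain name!
2009/04/16 08:53:03| Starting Squid Cache version 3.0.STABLE13 for i686-pc-linux-gnu...
2009/04/16 08:54:05| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
2009/04/16 08:55:10| Squid Cache (Version 3.0.STABLE13): Exiting normally.
"""

SQUID_LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| (.*)$")
SAMBA_HEAD = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\] (\S+)")

def triage(text):
    """Return (findings, starts) for a cache.log excerpt."""
    findings, starts = [], []
    running = False      # a start was seen with no clean exit since
    samba_ctx = None     # (timestamp, source) of a pending Samba debug header
    for line in text.splitlines():
        m = SQUID_LINE.match(line)
        if m:
            samba_ctx = None
            ts, msg = m.groups()
            if msg.startswith("Starting Squid Cache version"):
                if running:  # heuristic: earlier start never logged an exit
                    findings.append((ts, "start-without-exit"))
                running = True
                starts.append(ts)
            elif msg.endswith("Exiting normally."):
                running = False
            elif "Error validating user via NTLM" in msg:
                findings.append((ts, "ntlm-auth-failure: " + msg.split("Error returned ")[-1]))
            continue
        h = SAMBA_HEAD.match(line)
        if h:
            samba_ctx = h.groups()
        elif samba_ctx and line.strip():
            # Samba helpers log a header line followed by an indented message
            findings.append((samba_ctx[0], "helper %s: %s" % (samba_ctx[1], line.strip())))
            samba_ctx = None
    return findings, starts

if __name__ == "__main__":
    for ts, what in triage(SAMPLE_LOG)[0]:
        print(ts, what)
```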