Re: Problem with SQUID_KERB_LDAP

["Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>]

Can you run squid_kerb_ldap with strace -f -F to see when the permission 
deny happens ?  Just write a script squid_kerb_ldap_sh

#/bin/sh
strace -f -F -o /tmp/strace.out.$$ squid_kerb_ldap $*

and change your config file to use that script.

/tmp/strace.out.xxx should show where the permission deny happens.

Markus


"Ralf Fruehauf" <r.fruehwacht@xxxxxxxxxxxxxx> wrote in message 
news:ff35590e1002040513w14aad3b2v3559e4682f6fa6a@xxxxxxxxxxxxxxxxx
> Hi squid users,
>
> i installed squid after this how-to guide:
>
> http://serverfault.com/questions/66556/getting-squid-to-authenticate-with-kerberos-and-windows-2008-2003-7-xp/105857#105857
>   (Getting Squid to authenticate with kerberos and Windows
> 2008/2003/7/XP)
>
> Domain/Server Info:
>
> Domain Name: homebase.local
> Squid Server: squid 192.168.100.55
> windows server 2008: srv-ads-001 192.168.100.130
>
> DNS Name Resolution is working in both directions.
>
>
> If i start the squid init script, squid tries to start, but i get the
> following error message
> in the cache.log :
>
> 2010/02/03 19:55:25| Starting Squid Cache version 3.0.STABLE18 for
> i686-pc-linux-gnu...
> 2010/02/03 19:55:25| Process ID 2470
> 2010/02/03 19:55:25| With 1024 file descriptors available
> 2010/02/03 19:55:25| DNS Socket created at 0.0.0.0, port 54300, FD 7
> 2010/02/03 19:55:25| Adding domain homebase.local from /etc/resolv.conf
> 2010/02/03 19:55:25| Adding domain homebase.local from /etc/resolv.conf
> 2010/02/03 19:55:25| Adding nameserver 192.168.100.130 from 
> /etc/resolv.conf
> 2010/02/03 19:55:25| Adding nameserver 192.168.100.1 from /etc/resolv.conf
> 2010/02/03 19:55:25| Adding nameserver 192.168.100.254 from 
> /etc/resolv.conf
> 2010/02/03 19:55:25| helperOpenServers: Starting 10/10
> 'squid_kerb_auth' processes
> 2010/02/03 19:55:25| helperOpenServers: Starting 5/5 'squid_kerb_ldap' 
> processes
> 2010/02/03 19:55:26| ipcCreate: /opt/squid-3.0/sbin/squid_kerb_ldap:
> (13) Permission denied
> 2010/02/03 19:55:26| ipcCreate: /opt/squid-3.0/sbin/squid_kerb_ldap:
> (13) Permission denied
> 2010/02/03 19:55:26| ipcCreate: /opt/squid-3.0/sbin/squid_kerb_ldap:
> (13) Permission denied
> 2010/02/03 19:55:26| ipcCreate: /opt/squid-3.0/sbin/squid_kerb_ldap:
> (13) Permission denied
> 2010/02/03 19:55:26| ipcCreate: /opt/squid-3.0/sbin/squid_kerb_ldap:
> (13) Permission denied
> 2010/02/03 19:55:26| Unlinkd pipe opened on FD 27
> 2010/02/03 19:55:26| Swap maxSize 102400 + 8192 KB, estimated 8507 objects
> 2010/02/03 19:55:26| Target number of buckets: 425
> 2010/02/03 19:55:26| Using 8192 Store buckets
> 2010/02/03 19:55:26| Max Mem  size: 8192 KB
> 2010/02/03 19:55:26| Max Swap size: 102400 KB
> 2010/02/03 19:55:26| Rebuilding storage in /var/cache/squid-3.0 (DIRTY)
> 2010/02/03 19:55:26| Using Least Load store dir selection
> 2010/02/03 19:55:26| chdir: /opt/squid-3.0/var/cache: (2) No such file
> or directory
> 2010/02/03 19:55:26| Current Directory is /
> 2010/02/03 19:55:26| Loaded Icons.
> 2010/02/03 19:55:26| Accepting  HTTP connections at 0.0.0.0, port 3128, FD 
> 28.
> 2010/02/03 19:55:26| Accepting ICP messages at 0.0.0.0, port 3130, FD 29.
> 2010/02/03 19:55:26| HTCP Disabled.
> 2010/02/03 19:55:26| Ready to serve requests.
> 2010/02/03 19:55:26| WARNING: SQUID_KERB_LDAP #1 (FD 19) exited
> 2010/02/03 19:55:26| WARNING: SQUID_KERB_LDAP #2 (FD 20) exited
> 2010/02/03 19:55:26| WARNING: SQUID_KERB_LDAP #3 (FD 21) exited
> 2010/02/03 19:55:26| WARNING: SQUID_KERB_LDAP #4 (FD 22) exited
> 2010/02/03 19:55:26| Too few SQUID_KERB_LDAP processes are running
> FATAL: The SQUID_KERB_LDAP helpers are crashing too rapidly, need help!
>
> Squid Cache (Version 3.0.STABLE18): Terminated abnormally.
> CPU Usage: 0.404 seconds = 0.004 user + 0.400 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 0
> Memory usage for squid via mallinfo():
>       total space in arena:    2984 KB
>       Ordinary blocks:         2970 KB      3 blks
>       Small blocks:               0 KB      0 blks
>       Holding blocks:          1508 KB      7 blks
>       Free Small blocks:          0 KB
>       Free Ordinary blocks:      13 KB
>       Total in use:            4478 KB 150%
>       Total free:                13 KB 0%
>
> ________________________________________________________________________________________________
>
> The user squid has however rights on this folder:
>
>   squid:/opt/squid-3.0/sbin# la
>   insgesamt 9,2M
>   drwxr-xr-x 3 squid squid 1,0K  7. Jan 21:02 .
>   drwxr-xr-x 8 squid squid 1,0K 20. Jan 21:02 ..
>   -rwxr-xr-x 1 squid squid 9,2M  3. Nov 23:16 squid
>   -rwxr-xr-x 1 squid squid  31K  7. Jan 21:02 squid_kerb_auth
>   drwxrwxrwx 5 squid squid 1,0K  3. Nov 23:56 squid_kerb_ldap
>   squid:/opt/squid-3.0/sbin#
> ________________________________________________________________________________________________
>
> Here is my squid.conf:
>
>   auth_param negotiate program /opt/squid-3.0/sbin/squid_kerb_auth
> -d -s HTTP/squid.homebase.local
>   auth_param negotiate children 10
>   auth_param negotiate keep_alive on
>
>   external_acl_type SQUID_KERB_LDAP ttl=3600  negative_ttl=3600
> %LOGIN /opt/squid-3.0/sbin/squid_kerb_ldap -d -g SQUID_USERS
>   acl AUTHENTICATED proxy_auth REQUIRED
>   acl LDAP_GROUP_CHECK external SQUID_KERB_LDAP
>   acl localnet src 192.168.100.0/24        # RFC1918 possible internal 
> network
>
>   http_access allow LDAP_GROUP_CHECK
>
>
>   acl manager proto cache_object
>   acl localhost src 127.0.0.1/32
>   acl to_localhost dst 127.0.0.0/8
>   acl localnet src 10.0.0.0/8   # RFC1918 possible internal network
>   acl localnet src 172.16.0.0/12   # RFC1918 possible internal network
>
>   acl SSL_ports port 443
>   acl Safe_ports port 80      # http
>   acl Safe_ports port 21      # ftp
>   acl Safe_ports port 443      # https
>   acl Safe_ports port 70      # gopher
>   acl Safe_ports port 210      # wais
>   acl Safe_ports port 1025-65535   # unregistered ports
>   acl Safe_ports port 280      # http-mgmt
>   acl Safe_ports port 488      # gss-http
>   acl Safe_ports port 591      # filemaker
>   acl Safe_ports port 777      # multiling http
>   acl CONNECT method CONNECT
>
>   http_access allow manager localhost
>   http_access deny manager
>   http_access deny !Safe_ports
>
>   http_access deny CONNECT !SSL_ports
>   http_access deny all
>
>   icp_access allow localnet
>   icp_access deny all
>
>   htcp_access allow localnet
>   htcp_access deny all
>
>
>   http_port 3128
>
>   cache_dir ufs /var/cache/squid-3.0 100 16 256
>   access_log /var/log/squid-3.0/access.log squid
>   cache_log /var/log/squid-3.0/cache.log
>   cache_store_log /var/log/squid-3.0/store.log
>
>   pid_filename /var/run/squid-3.0.pid
>
>   refresh_pattern ^ftp:      1440   20%   10080
>   refresh_pattern ^gopher:   1440   0%   1440
>   refresh_pattern (cgi-bin|\?)   0   0%   0
>   refresh_pattern .      0   20%   4320
>
>   cache_effective_user squid
>   cache_effective_group squid
>
> ________________________________________________________________________________________________
>
>
>
> After start the init script, i check the status immediately with htop,
> and for a short moment,
> htop show me the last 6 lines with:
>
> (squid_kerb_auth) -d -s HTTP/squid.homebase.local
>
> What do I have to make, to solve the problem?
>
> Thanks for any ideas.
>
> Bye,
>
> Rainer