squid 3.2.0.5 - keeps reloading itself when using kerberos or ntlm authentication

guest01 <guest01@xxxxxxxxx> · Mon, 14 Feb 2011 14:34:30 +0100

Hi guys,

For testing purposes I tried squid 3.2.0.5 beta. After a couple of
smaller issues I ran into a bigger one which I will share with you :-)

I compiled squid 3.2.0.5 beta on RHEL5.5 64Bit with following options:
Squid Cache: Version 3.2.0.5
configure options:  '--enable-ssl' '--enable-icap-client'
'--sysconfdir=/etc/squid' '--enable-async-io' '--enable-snmp'
'--enable-poll' '--with-maxfd=32768' '--enable-storeio=aufs'
'--enable-removal-policies=heap,lru' '--enable-epoll'
'--disable-ident-lookups' '--enable-truncate'
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
'--with-default-user=squid' '--prefix=/opt/squid'
'-enable-negotiate-auth-helpers=squid_kerb_auth'
--enable-ltdl-convenience

Everything is work so far except the kerberos or ntlm authentication.
Ldap authentication is working without problems. If I configure either
kerberos or ntlm, following happens:

2011/02/14 14:09:20 kid1| Starting Squid Cache version 3.2.0.5 for
x86_64-unknown-linux-gnu...
2011/02/14 14:09:20 kid1| Process ID 3923
2011/02/14 14:09:20 kid1| With 16384 file descriptors available
2011/02/14 14:09:20 kid1| Initializing IP Cache...
2011/02/14 14:09:20 kid1| DNS Socket created at 0.0.0.0, FD 9
2011/02/14 14:09:20 kid1| Adding domain domain.tld from /etc/resolv.conf
2011/02/14 14:09:20 kid1| Adding domain domain.tld from /etc/resolv.conf
2011/02/14 14:09:20 kid1| Adding nameserver 10.14.32.54 from /etc/resolv.conf
2011/02/14 14:09:20 kid1| Adding nameserver 10.14.32.122 from /etc/resolv.conf
2011/02/14 14:09:20 kid1| helperOpenServers: Starting 0/20
'negotiate_kerberos_auth' processes
2011/02/14 14:09:20 kid1| helperStatefulOpenServers: No
'negotiate_kerberos_auth' processes needed.
2011/02/14 14:09:20 kid1| Logfile: opening log
/var/log/squid/access_xlsqit01_1.log
2011/02/14 14:09:20 kid1| Unlinkd pipe opened on FD 14
2011/02/14 14:09:20 kid1| Store logging disabled
2011/02/14 14:09:20 kid1| Swap maxSize 0 + 786432 KB, estimated 60494 objects
2011/02/14 14:09:20 kid1| Target number of buckets: 3024
2011/02/14 14:09:20 kid1| Using 8192 Store buckets
2011/02/14 14:09:20 kid1| Max Mem  size: 786432 KB
2011/02/14 14:09:20 kid1| Max Swap size: 0 KB
2011/02/14 14:09:20 kid1| Using Least Load store dir selection
2011/02/14 14:09:20 kid1| Set Current Directory to /cache/squid/xlsqit01_1
2011/02/14 14:09:20 kid1| Loaded Icons.
2011/02/14 14:09:20 kid1| HTCP Disabled.
2011/02/14 14:09:20 kid1| Squid plugin modules loaded: 0
2011/02/14 14:09:20 kid1| Adaptation support is on
2011/02/14 14:09:20 kid1| Ready to serve requests.
2011/02/14 14:09:20 kid1| Accepting bumpyHTTP Socket connections at
FD 15 on 10.122.125.2:3128
2011/02/14 14:09:20 kid1| Accepting interceptedHTTP Socket connections
at  FD 16 on 10.122.125.2:3129
2011/02/14 14:09:20 kid1| Accepting interceptedHTTPS Socket
connections at  FD 17 on 10.122.125.2:3130
2011/02/14 14:09:20 kid1| Accepting SNMP messages on 10.122.125.2:161, FD 18.
2011/02/14 14:09:20 kid1| Outgoing SNMP messages on 10.122.125.2:161, FD 19.
2011/02/14 14:09:21 kid1| storeLateRelease: released 0 objects
2011/02/14 14:09:35 kid1| Starting new negotiateauthenticator helpers...
2011/02/14 14:09:35 kid1| helperOpenServers: Starting 1/20
'negotiate_kerberos_auth' processes
2011/02/14 14:09:35| negotiate_kerberos_auth: INFO: User THATSME authenticated
2011/02/14 14:09:35 kid1| Starting new negotiateauthenticator helpers...
2011/02/14 14:09:35 kid1| helperOpenServers: Starting 1/20
'negotiate_kerberos_auth' processes
2011/02/14 14:09:35 kid1| Starting new negotiateauthenticator helpers...
2011/02/14 14:09:35 kid1| helperOpenServers: Starting 1/20
'negotiate_kerberos_auth' processes
2011/02/14 14:09:35| negotiate_kerberos_auth: INFO: User THATSME authenticated
2011/02/14 14:09:35 kid1| assertion failed: User.cc:103:
"from->RefCountCount() == 2"
2011/02/14 14:09:35| negotiate_kerberos_auth: INFO: User THATSME authenticated
2011/02/14 14:09:35| negotiate_kerberos_auth: INFO: User THATSME authenticated
2011/02/14 14:09:38 kid1| Starting Squid Cache version 3.2.0.5 for
x86_64-unknown-linux-gnu...
2011/02/14 14:09:38 kid1| Process ID 3969
2011/02/14 14:09:38 kid1| With 16384 file descriptors available
2011/02/14 14:09:38 kid1| Initializing IP Cache...
2011/02/14 14:09:38 kid1| DNS Socket created at 0.0.0.0, FD 9
2011/02/14 14:09:38 kid1| Adding domain domain.tld from /etc/resolv.conf
2011/02/14 14:09:38 kid1| Adding domain domain.tld from /etc/resolv.conf
2011/02/14 14:09:38 kid1| Adding nameserver 10.14.32.54 from /etc/resolv.conf
2011/02/14 14:09:38 kid1| Adding nameserver 10.14.32.122 from /etc/resolv.conf
2011/02/14 14:09:38 kid1| helperOpenServers: Starting 0/20
'negotiate_kerberos_auth' processes
2011/02/14 14:09:38 kid1| helperStatefulOpenServers: No
'negotiate_kerberos_auth' processes needed.
2011/02/14 14:09:38 kid1| Logfile: opening log
/var/log/squid/access_xlsqit01_1.log
2011/02/14 14:09:39 kid1| Unlinkd pipe opened on FD 14
2011/02/14 14:09:39 kid1| Store logging disabled
2011/02/14 14:09:39 kid1| Swap maxSize 0 + 786432 KB, estimated 60494 objects
2011/02/14 14:09:39 kid1| Target number of buckets: 3024
2011/02/14 14:09:39 kid1| Using 8192 Store buckets
2011/02/14 14:09:39 kid1| Max Mem  size: 786432 KB
2011/02/14 14:09:39 kid1| Max Swap size: 0 KB
2011/02/14 14:09:39 kid1| Using Least Load store dir selection
2011/02/14 14:09:39 kid1| Set Current Directory to /cache/squid/xlsqit01_1
2011/02/14 14:09:39 kid1| Loaded Icons.
2011/02/14 14:09:39 kid1| HTCP Disabled.
2011/02/14 14:09:39 kid1| Squid plugin modules loaded: 0
2011/02/14 14:09:39 kid1| Adaptation support is on
2011/02/14 14:09:39 kid1| Ready to serve requests.
2011/02/14 14:09:39 kid1| Accepting bumpyHTTP Socket connections at
FD 15 on 10.122.125.2:3128
2011/02/14 14:09:39 kid1| Accepting interceptedHTTP Socket connections
at  FD 16 on 10.122.125.2:3129
2011/02/14 14:09:39 kid1| Accepting interceptedHTTPS Socket
connections at  FD 17 on 10.122.125.2:3130
2011/02/14 14:09:39 kid1| Accepting SNMP messages on 10.122.125.2:161, FD 18.
2011/02/14 14:09:39 kid1| Outgoing SNMP messages on 10.122.125.2:161, FD 19.
2011/02/14 14:09:40 kid1| storeLateRelease: released 0 objects
2011/02/14 14:09:52 kid1| Starting new negotiateauthenticator helpers...
2011/02/14 14:09:52 kid1| helperOpenServers: Starting 1/20
'negotiate_kerberos_auth' processes
2011/02/14 14:09:52| negotiate_kerberos_auth: INFO: User THATSME authenticated
2011/02/14 14:09:55| negotiate_kerberos_auth: INFO: User THATSME authenticated
2011/02/14 14:09:55 kid1| assertion failed: User.cc:103:
"from->RefCountCount() == 2"

2011/02/14 14:09:58 kid1| Starting Squid Cache version 3.2.0.5 for
x86_64-unknown-linux-gnu...
2011/02/14 14:09:58 kid1| Process ID 3981
2011/02/14 14:09:58 kid1| With 16384 file descriptors available
2011/02/14 14:09:58 kid1| Initializing IP Cache...
2011/02/14 14:09:58 kid1| DNS Socket created at 0.0.0.0, FD 9
2011/02/14 14:09:58 kid1| Adding domain domain.tld from /etc/resolv.conf
2011/02/14 14:09:58 kid1| Adding domain domain.tld from /etc/resolv.conf
2011/02/14 14:09:58 kid1| Adding nameserver 10.14.32.54 from /etc/resolv.conf
2011/02/14 14:09:58 kid1| Adding nameserver 10.14.32.122 from /etc/resolv.conf
2011/02/14 14:09:58 kid1| helperOpenServers: Starting 0/20
'negotiate_kerberos_auth' processes
2011/02/14 14:09:58 kid1| helperStatefulOpenServers: No
'negotiate_kerberos_auth' processes needed.
2011/02/14 14:09:58 kid1| Logfile: opening log
/var/log/squid/access_xlsqit01_1.log
2011/02/14 14:09:58 kid1| Unlinkd pipe opened on FD 14
2011/02/14 14:09:58 kid1| Store logging disabled
2011/02/14 14:09:58 kid1| Swap maxSize 0 + 786432 KB, estimated 60494 objects
2011/02/14 14:09:58 kid1| Target number of buckets: 3024
2011/02/14 14:09:58 kid1| Using 8192 Store buckets
2011/02/14 14:09:58 kid1| Max Mem  size: 786432 KB
2011/02/14 14:09:58 kid1| Max Swap size: 0 KB
2011/02/14 14:09:58 kid1| Using Least Load store dir selection
2011/02/14 14:09:58 kid1| Set Current Directory to /cache/squid/xlsqit01_1
2011/02/14 14:09:58 kid1| Loaded Icons.
2011/02/14 14:09:58 kid1| HTCP Disabled.
2011/02/14 14:09:58 kid1| Squid plugin modules loaded: 0
2011/02/14 14:09:58 kid1| Adaptation support is on
2011/02/14 14:09:58 kid1| Ready to serve requests.
2011/02/14 14:09:58 kid1| Accepting bumpyHTTP Socket connections at
FD 15 on 10.122.125.2:3128
2011/02/14 14:09:58 kid1| Accepting interceptedHTTP Socket connections
at  FD 16 on 10.122.125.2:3129
2011/02/14 14:09:58 kid1| Accepting interceptedHTTPS Socket
connections at  FD 17 on 10.122.125.2:3130
2011/02/14 14:09:58 kid1| Accepting SNMP messages on 10.122.125.2:161, FD 18.
2011/02/14 14:09:58 kid1| Outgoing SNMP messages on 10.122.125.2:161, FD 19.
2011/02/14 14:09:59 kid1| storeLateRelease: released 0 objects
2011/02/14 14:10:07 kid1| Starting new negotiateauthenticator helpers...
2011/02/14 14:10:07 kid1| helperOpenServers: Starting 1/20
'negotiate_kerberos_auth' processes
2011/02/14 14:10:07| negotiate_kerberos_auth: INFO: User THATSME authenticated

squid is reloading itself and nothing happens. I figured out that
configured for kerberos or ntlm seems to have changed, e.g.

Squid 3.1:
auth_param negotiate program
/opt/squid/libexec/negotiate_kerberos_auth -s
HTTP/xlsqit01.wien.rbgat.net -r -i

Squid 3.2: -> http://www1.it.squid-cache.org/Versions/v3/3.2/cfgman/auth_param.html
auth_param negotiate program /usr/local/squid/bin/ntlm_auth
--helper-protocol=gss-spnego

I had no ntlm_auth-binary in my squid-dir, so I tried the OS-binary:
auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego

The only thing what happend:
2011/02/14 14:30:08 kid1| storeLateRelease: released 0 objects
ERR
2011/02/14 14:30:23 kid1| Starting new negotiateauthenticator helpers...
2011/02/14 14:30:23 kid1| helperOpenServers: Starting 1/10 'ntlm_auth' processes
ERR

So, to wrap up, what would be a valid kerberos authentication for
Squid 3.2? Do you guys have a working kerberos authentication with
squid 3.2?

thanks
peter