On 21/02/2013 7:20 p.m., Brett Lymn wrote:
Folks, I am running 4 proxy servers with squid 3.1.19 (yes, I know it is old, will update soon) with kerberos authentication behind a F5 load balancer for a user community of about 2000 people using Windows/I.E.. Normally, this all works fine, people can surf the web and authentication happens in background as it should. The issue we are seeing is around once per month at random one of the kerberos authenticators seems to start spamming the life out of the windows AD servers. The event we ID we are seeing on the windows servers is 0xc000006a which translates to, basically, bad password. We seem to get this when a user (not always the same one) changes their password. Clearly, it does not happen every time, we have a password expiry policy in AD so every is forced to change their password regularly so we would be seeing the problem a lot more frequently if it happened every time a user changed their password. It seems to me that there is some sort of race condition going on where, perhaps, the authenticators are doing something while the password is being changed, the authenticators keep using the old details. When this happens the authenticator seems to spin making requests at a very rapid rate, my windows admins tell me there are milliseconds between requests and it fills their logs, also the users account gets locked out due to too many bad passwords. There is nothing in the logs indicating anything is wrong. Is this fixed in a later version? If not, any ideeas on how to troubleshoot?
Can you please try an upgrade to Squid-3.3? There were a lot of things in 3.1 which could lead to this happening. Amos
