Re: squid-users Digest, Vol 8, Issue 52


Dear Amos,

I get this error:
-- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the
computer account
 -- generate_new_password:  Characters read from /dev/udandom = 90
 -- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-F6iL9e
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: PROXYAGIT01-K$
 -- try_machine_keytab_princ: Trying to authenticate for PROXYAGIT01-K$
from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/
proxyagit01.ag-it.com from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for PROXYAGIT01-K$ with
password.
 -- create_default_machine_password: Default machine password for
PROXYAGIT01-K$ is proxyagit01-k
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client
not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: svr-resdmn22.ag-it.com
try_tls=YES
 -- ldap_connect: Connecting to LDAP server: svr-resdmn22.ag-it.com
try_tls=NO

SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
 -- ~KRB5Context: Destroying Kerberos Context


In auth.log:
"msktutil: GSSAPI Error: Unspecified GSS failure.  Minor
code may provide more information (Server not found in Kerberos database)"

Help me.

thanks,
kukuhga
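Two different Kerberos errors are mixed together in that output, and they point in different directions. "Client not found in Kerberos database" is about the client principal, the computer account PROXYAGIT01-K$, which does not exist yet when -c is about to create it; msktutil recovers from it by falling back to the TGT in the default ticket cache ("Authenticated using method 4"). "Server not found in Kerberos database" on the SASL/GSSAPI bind means the KDC has no principal for the service ticket the client asked for, ldap/svr-resdmn22.ag-it.com@REALM, which is why the "re-kinit" hint leads nowhere: the ticket is fine, the service name is not. The usual cause is that the name given with --server is not one the domain controller holds an SPN for (an alias, or a name that reverse DNS canonicalises to something else). The Python below is an added example, not part of this thread and not msktutil's own code: it parses the quoted verbose output and the auth.log line and prints the findings plus the standard client-side checks (kvno, host, ldapsearch -Y GSSAPI). The sample input is copied from the post; note that the command in the digest passes --computer-name PROXYAGIT-01 while the output reports PROXYAGIT01-K$, and the script flags that too.

```python
import re

# Constructed sample input, copied from the post: the msktutil command from the
# digest and the lines of its verbose output / auth.log that carry the errors.
# Hostnames and principal names are the post's, not real infrastructure.
MSKTUTIL_CMD = ('msktutil -c -b "OU=WSUS - Server,OU=Astragraphia-ITS" '
                '-s HTTP/proxyagit01.ag-it.com -k /etc/squid3/PROXY.keytab '
                '--computer-name PROXYAGIT-01 --upn HTTP/proxyagit01.ag-it.com '
                '--server svr-resdmn22.ag-it.com --verbose')
MSKTUTIL_OUTPUT = """\
 -- finalize_exec: SAM Account Name is: PROXYAGIT01-K$
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4
 -- ldap_connect: Connecting to LDAP server: svr-resdmn22.ag-it.com try_tls=YES
SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
"""
AUTH_LOG = ("msktutil: GSSAPI Error: Unspecified GSS failure.  Minor code may "
            "provide more information (Server not found in Kerberos database)")


def parse_msktutil(output, auth_log):
    """Extract the facts that decide the diagnosis."""
    facts = {
        "client_not_found": "Client not found in Kerberos database" in output,
        "server_not_found": "Server not found in Kerberos database" in auth_log,
        "bind_failed": "ldap_sasl_interactive_bind_s failed" in output,
    }
    m = re.search(r"SAM Account Name is: (\S+)", output)
    facts["sam_account"] = m.group(1) if m else None
    m = re.search(r"Connecting to LDAP server: (\S+)", output)
    facts["ldap_server"] = m.group(1) if m else None
    # "Authenticated using method N" printed after try_user_creds means the
    # machine-account attempts all failed and the TGT in the default ticket
    # cache (whatever the admin kinit'ed as) is what the LDAP bind will use.
    user, auth = output.find("try_user_creds"), output.find("Authenticated using method")
    facts["used_user_ticket_cache"] = 0 <= user < auth
    return facts


def computer_name_from_cmd(cmd):
    m = re.search(r"--computer-name\s+(\S+)", cmd)
    return m.group(1) if m else None


def triage(cmd, output, auth_log):
    """Return (findings, checks): what the log shows, and commands to run next."""
    f = parse_msktutil(output, auth_log)
    findings, checks = [], []
    if f["client_not_found"] and f["sam_account"]:
        findings.append(
            f"'Client not found' for {f['sam_account']}: the KDC has no such account yet. "
            "Expected on a first '-c' run; msktutil falls back to other credentials.")
    if f["used_user_ticket_cache"]:
        findings.append("The bind used the TGT from the default ticket cache, so the "
                        "client side of Kerberos worked.")
    if f["bind_failed"] and f["server_not_found"] and f["ldap_server"]:
        spn = f"ldap/{f['ldap_server']}"
        findings.append(
            f"'Server not found' on the GSSAPI bind to {f['ldap_server']}: the KDC has no "
            f"principal for the service ticket requested ({spn}@REALM). This is a "
            "service-name problem; re-running kinit will not change it.")
        checks += [
            f"kvno {spn}   # will the KDC issue a ticket for this SPN at all?",
            f"host {f['ldap_server']}   # forward lookup; then the PTR of that address, "
            "because libkrb5 (rdns=true by default) canonicalises through reverse DNS",
            f"ldapsearch -Y GSSAPI -H ldap://{f['ldap_server']} -s base -b '' "
            "supportedSASLMechanisms   # the same bind msktutil attempts",
        ]
    given = computer_name_from_cmd(cmd)
    if given and f["sam_account"] and given.upper() + "$" != f["sam_account"].upper():
        findings.append(
            f"--computer-name {given} does not match the log's SAM Account Name "
            f"{f['sam_account']}: this output was not produced by that command line.")
    return findings, checks


if __name__ == "__main__":
    found, todo = triage(MSKTUTIL_CMD, MSKTUTIL_OUTPUT, AUTH_LOG)
    print("\n".join(found))
    print("\nNext checks:\n" + "\n".join(todo))
```

Run it as-is to see the findings for the quoted log; for another run, replace the three constants with the real verbose output, auth.log line and command line. The suggested checks are ordinary MIT Kerberos and OpenLDAP client commands; whether the DC's SPN list or DNS is actually the problem in this domain is for the reader to confirm with them.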

On Thu, Apr 23, 2015 at 4:41 PM, <squid-users-request@xxxxxxxxxxxxxxxxxxxxx> wrote:

Today's Topics:

   1. Re: ERR_ONLY_IF_CACHED_MISS and cache digests problem
      (Victor Sudakov)
   2. GSSAPI problem when try create keytab using msktutil
      (kukuh amukti)
   3. Re: [squid ] externalAclLookup: 'wbinfo_group_helper' queue
      overload. (Jagannath Naidu)


----------------------------------------------------------------------

Message: 1
Date: Thu, 23 Apr 2015 14:35:24 +0600
From: Victor Sudakov <sudakov@xxxxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx, Amos Jeffries
        <squid3@xxxxxxxxxxxxx>
Subject: Re: ERR_ONLY_IF_CACHED_MISS and cache digests
        problem
Message-ID: <20150423083524.GA92752@xxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

Amos Jeffries wrote:

[dd]

>
> I don't think anything is wrong with either. It's more a collision in how
> the features work vs the protocols.
>
> Cache Digests (CD) are exchanged periodically and updated approx hourly.
> Also they are based on just the URL. So there is always a gap where they
> may not be accurate for any highly volatile objects, and variant objects
> (using Vary headers) will have a high false-positive rate.
>
> only-if-cached requires the *right now* state of the object to be fresh
> and in cache. It takes account of both the URL and the entire HTTP
> headers. So
>
> The ICP protocol used as a backup to confirm objects' existence also
> suffers the same URL basis problem as CD. They work fine for HTTP/1.0
> but HTTP/1.1 features don't fare quite so well.

Thank you Amos, now I understand the mechanics behind this. However,
I'd prefer that users do not receive this frustrating error in a setup
which has nothing inherently wrong about it (especially frustrating is
the fact that they receive the error from the wrong proxy server, not the
one they have configured in the browser settings).

Do I understand correctly that the only way to avoid this error
message is to switch to HTCP (and ditch both ICP and CD)?

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@xxxxxxxxxxxxxxxx
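The mechanics Amos describes can be replayed in a few dozen lines. The Python below is an added example, not code from this thread or from Squid: it models a peer's Cache Digest as a Bloom filter over URLs (Squid's real digest hashes the MD5 store key and is sized from the peer's cache; this one is a fixed-size filter over sha256(url)) and the peer's store as URL plus Vary-selected variant, then replays the three ways a sibling that trusted the digest ends up returning the 504 only-if-cached miss: the wrong variant, an object evicted since the digest was exchanged, and the filter's own false positives. Hostnames in the sample are made up.

```python
import hashlib


class CacheDigest:
    """Bloom filter over URLs: what a peer's Cache Digest tells other proxies.

    Simplified stand-in: Squid hashes the MD5 store key and sizes the filter
    from the peer's cache; here four 32-bit slices of sha256(url) index a fixed
    bit array. The URL-only, lossy nature is the part that matters."""

    def __init__(self, nbits=4096):
        self.nbits = nbits
        self.bits = bytearray(nbits // 8)

    def _positions(self, url):
        h = hashlib.sha256(url.encode()).digest()
        return [int.from_bytes(h[i:i + 4], "big") % self.nbits for i in range(0, 16, 4)]

    def add(self, url):
        for p in self._positions(url):
            self.bits[p // 8] |= 1 << (p % 8)

    def may_contain(self, url):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(url))


def variant_key(headers, vary):
    """The request header values a cached entry's Vary header selects on."""
    return tuple(headers.get(h.strip().lower(), "") for h in vary.split(",") if h.strip())


class PeerCache:
    """Store keyed by URL and then by Vary-selected variant, which is what an
    only-if-cached request must hit right now to be satisfied."""

    def __init__(self):
        self.entries = {}        # url -> {"vary": str, "variants": {key: body}}

    def store(self, url, vary, req_headers, body):
        e = self.entries.setdefault(url, {"vary": vary, "variants": {}})
        e["variants"][variant_key(req_headers, vary)] = body

    def evict(self, url):
        self.entries.pop(url, None)

    def build_digest(self):
        d = CacheDigest()
        for url in self.entries:
            d.add(url)
        return d

    def serve(self, url, req_headers, only_if_cached):
        e = self.entries.get(url)
        if e and variant_key(req_headers, e["vary"]) in e["variants"]:
            return 200
        # A Cache-Control: only-if-cached request that cannot be satisfied gets
        # a 504 (RFC 7234 section 5.2.1.7); Squid renders it as the
        # ERR_ONLY_IF_CACHED_MISS page, and it comes from this peer, not from
        # the proxy the browser was pointed at.
        return 504 if only_if_cached else 200   # 200: fetched from the origin instead


def simulate():
    """Replay the mismatch: digest says 'present', only-if-cached says 'miss'."""
    peer = PeerCache()
    peer.store("http://example.test/a", "Accept-Encoding", {"accept-encoding": "gzip"}, b"gz")
    peer.store("http://example.test/b", "", {}, b"plain")
    digest = peer.build_digest()            # exchanged with the sibling roughly hourly
    peer.evict("http://example.test/b")     # changes after the exchange stay invisible
    probes = [
        ("http://example.test/a", {"accept-encoding": "identity"}),   # wrong variant
        ("http://example.test/b", {}),                                 # stale digest
        ("http://example.test/a", {"accept-encoding": "gzip"}),       # genuine hit
        ("http://example.test/never-stored", {}),                      # not in digest
    ]
    results = []
    for url, headers in probes:
        if digest.may_contain(url):         # sibling looks like a hit: send only-if-cached
            results.append((url, peer.serve(url, headers, only_if_cached=True)))
        else:
            results.append((url, "origin"))  # digest miss: fetch directly
    return results


def false_positive_rate(n_stored, n_probes, nbits=4096):
    """Fraction of never-stored URLs a digest of n_stored entries claims to hold."""
    d = CacheDigest(nbits)
    for i in range(n_stored):
        d.add(f"http://stored.test/{i}")
    return sum(d.may_contain(f"http://other.test/{i}") for i in range(n_probes)) / n_probes
```

The first two probes are the cases Amos describes (Vary variant and hourly staleness); the false-positive function shows the third source of wrong "hit" answers that any digest carries once the filter fills up, which is why the digest is only ever a hint and the only-if-cached request still has to be made.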


------------------------------

Message: 2
Date: Thu, 23 Apr 2015 16:40:44 +0700
From: kukuh amukti <kukuh.amukti@xxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: GSSAPI problem when try create keytab using
        msktutil
Message-ID:
        <CAKHWrNFg7vUzmDpDJSpQvMRgc4eTCFONYYUnijyNNZRO2U0zTw@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

Dear All,
I've built squid on W2K12 with no problem, but when I try running it on
W2K3 I get a problem when trying to create the keytab with the msktutil
command against Windows Server 2003.
When I run msktutil:

msktutil -c -b "OU=WSUS - Server,OU=Astragraphia-ITS" -s
HTTP/proxyagit01.ag-it.com -k /etc/squid3/PROXY.keytab --computer-name
PROXYAGIT-01 --upn HTTP/proxyagit01.ag-it.com --server
svr-resdmn22.ag-it.com --verbose

I get these errors:

 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the
computer account
 -- generate_new_password:  Characters read from /dev/udandom = 90
 -- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-F6iL9e
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: PROXYAGIT01-K$
 -- try_machine_keytab_princ: Trying to authenticate for PROXYAGIT01-K$
from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/
proxyagit01.ag-it.com from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for PROXYAGIT01-K$ with
password.
 -- create_default_machine_password: Default machine password for
PROXYAGIT01-K$ is proxyagit01-k
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client
not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: svr-resdmn22.ag-it.com
try_tls=YES
 -- ldap_connect: Connecting to LDAP server: svr-resdmn22.ag-it.com
try_tls=NO
SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
 -- ~KRB5Context: Destroying Kerberos Context


auth.log says: "msktutil: GSSAPI Error: Unspecified GSS failure.  Minor
code may provide more information (Server not found in Kerberos database)"

What should I do?

thanks,
kukuhga

------------------------------

Message: 3
Date: Thu, 23 Apr 2015 15:11:09 +0530
From: Jagannath Naidu <jagannath.naidu@xxxxxxxxxxxxxxxxxx>
To: Amos Jeffries <squid3@xxxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [squid ] externalAclLookup:
        'wbinfo_group_helper' queue overload.
Message-ID:
        <CA+8bHvzhgS=-u5zx1a82uWk0jC62qS1HmaUoawn7eW1W43ZHfA@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

Hi Amos,

Regrets, I am late.

On 21 April 2015 at 09:15, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:

> On 20/04/2015 7:31 p.m., Jagannath Naidu wrote:
> > Hi,
> >
> > I am having this issue very frequently. Please help on this.
> >
> > I get these errors randomly, mostly when usage is at very peak. (800
> users)
> >
> >
> > /var/log/squid/cache.log
> >
> > 2015/04/20 12:37:40| externalAclLookup: 'wbinfo_group_helper' queue
> > overload (ch=0x7fc99e2ce518)
>
> What do you think "overload" means?
>  The helper is unable to cope with the traffic load being passed to it.
>
> Here is the biggest hint:
> >
> > in /var/log/messages,  I get the following errors
> >
> > Apr 20 12:59:15 GGNPROXY01 winbindd[1910]:   winbindd: Exceeding 200 client
> > connections, no idle connection found
>
>
>
>
> > Then squid stops working. For squid to start working again, I have to delete
> > the cache and restart the squid ("squid -k reconfigure"), and then squid
> > restart.
>
> What Squid version are you using?
>
> My squid version is squid-3.1.10-19.el6_4.x86_64



> >
> > squid.conf
> >
> > max_filedesc 17192
> > acl manager proto cache_object
> > acl localhost src 172.16.50.61/24
>
> changed to "acl localhost src 172.16.50.61" already


> You have an entire /24 (256 IPs) assigned to this machine?
>
> I think you need to remove that "/24" part if the *.61 is the local
> machines *public* IP.
>
>
> > http_access allow manager localhost
> > dns_nameservers 172.16.3.34 10.1.2.91
> > acl allowips src 172.16.58.187 172.16.16.192 172.16.58.113 172.16.58.63
> > 172.16.58.98 172.16.60.244 172.16.58.165 172.16.58.157
> > http_access allow allowips
>
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours external_acl_type nt_group ttl=0
> > children=60 %LOGIN /usr/lib64/squid/wbinfo_group.pl
>
> The above two very mangled config lines are useless. Remove them.
>
> > acl localnet src 172.16.0.0/24
>


changed


> It's a bit strange that none of the localhost machine IPs
> (172.16.50.0-172.16.50.255) are part of the LAN it's plugged into
> 172.16.0.0-172.16.0.255.
>
>
> > acl localnet src fc00::/7 # RFC 4193 local private network range
> > acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)
> machines
> > auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> > --helper-protocol=squid-2.5-ntlmssp --domain=HTMEDIA.NET
>
> Okay you have configured NTLM...
>
> > auth_param ntlm program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-ntlmssp --domain=HTMEDIA.NET
>
> ... but twice. With different settings. Only these last ones will have
> any effect.
>
>
> > auth_param ntlm children 600
> > auth_param ntlm keep_alive off
>
> > auth_param negotiate children 150
> > auth_param negotiate keep_alive off
> > visible_hostname GGNPROXY01.HTMEDIA.NET
> > external_acl_type wbinfo_group_helper ttl=0 children=40 %LOGIN
> > /usr/lib64/squid/wbinfo_group.pl -d
> > auth_param negotiate keep_alive off
>
> You have several useless configuration lines for Negotiate auth which is
> not being used in any way. Remove those.
>
>
> > acl Safe_ports port 8080 #https
> > acl SSL_ports port 443
> > acl Safe_ports port 80          # http
> > acl Safe_ports port 21          # ftp
> > acl Safe_ports port 443 # https
> > acl Safe_ports port 70          # gopher
> > acl Safe_ports port 210         # wais
> > acl Safe_ports port 1025-65535  # unregistered ports
> > acl Safe_ports port 280         # http-mgmt
> > acl Safe_ports port 488         # gss-http
> > acl Safe_ports port 591         # filemaker
> > acl Safe_ports port 777         # multiling http
> > acl CONNECT method CONNECT
> > acl auth proxy_auth REQUIRED
> > acl google dstdomain -i "/etc/squid/google_site.com"
> > http_access allow google
> > acl sq1 external wbinfo_group_helper "/etc/squid/HT/sq1"
> > acl sq2 external wbinfo_group_helper "/etc/squid/HT/sq2"
> > acl sq3 external wbinfo_group_helper "/etc/squid/HT/sq3"
> > acl sq4 external wbinfo_group_helper "/etc/squid/HT/sq4"
> > acl sq5 external wbinfo_group_helper "/etc/squid/HT/sq5"
> > acl pro1 external wbinfo_group_helper "/etc/squid/HT/pro1"
> > acl pro2 external wbinfo_group_helper "/etc/squid/HT/pro2"
> > acl pro3 external wbinfo_group_helper "/etc/squid/HT/pro3"
> > acl pro4 external wbinfo_group_helper "/etc/squid/HT/pro4"
> > acl pro5 external wbinfo_group_helper "/etc/squid/HT/pro5"
> > acl pro6 external wbinfo_group_helper "/etc/squid/HT/pro6"
> > acl webvip external wbinfo_group_helper "/etc/squid/HT/webvip"
> > acl allgroup external wbinfo_group_helper "/etc/squid/HT/allgreop"
> > acl restricted external wbinfo_group_helper "/etc/squid/HT/restricted"
> > acl ad_auth proxy_auth REQUIRE
>
> You already have an ACL named "auth" which performs authentication.
> The above line is not useful. Remove it and replace all uses of
> "ad_auth" ACL with "auth" ACL.
>
> > acl allowwebsites dstdomain -i "/blacklists/allowedwebsite/domains"
> > acl allowwebsites_url url_regex -i "/blacklists/allowedwebsite/url"
> > http_access allow allowwebsites
> > http_access allow allowwebsites_url
> > acl shopping dstdomain -i "/etc/squid/shopping.txt"
> > acl social_networking dstdomain -i "/blacklists/social/social.networking"
> > acl youtube dstdomain -i .youtube.com
> > http_access allow Safe_ports pro1 pro2 pro3 pro4 pro5 pro6 webvip
>
> Incorrect use of "Safe_ports" security check. Correct usage is to deny
> access to all *unsafe* ports. They are unsafe because HTTP can be
> smuggled within the port's native protocol to attack your proxy.
>
> Once the correct security protections for Safe_ports and CONNECT tunnels
> have been moved up to the top, remove the "Safe_ports" check from this line.
>
> This line is also very odd in another way. ACL tests in a single line
> are AND'ed together - so this means the request must be from a user who is:
>   authenticated AND a member of group pro1 AND pro2 AND pro3 AND pro4
> AND pro5 AND pro6 AND webvip
>
> This hints at what your main helper problem is. The above line requires
> 7 group helper lookups *per request*. The winbind helper has a maximum
> of 200 simultaneous connections. This line alone will limit your proxy
> just under 30 new visitors per second (that becomes 60 lookups/sec
> before queue overload).
>  The helper result caching will help a lot, but you also have a LOT of
> other group checks being made and 800 users.
>
>
> > http_access allow youtube pro5
> > http_access allow youtube pro6
> > http_access allow youtube webvip
> > http_access deny youtube
> > http_access allow shopping pro5
> > http_access allow shopping pro6
> > http_access allow shopping webvip
> > http_access deny shopping
>
> Optimization hint:
>  "youtube" and "shopping" have the same allow/deny criteria. It would be
> worth combining them into one ACL.
>
> > http_access allow social_networking pro2
> > http_access allow social_networking pro4
> > http_access allow social_networking pro6
> > http_access allow social_networking webvip
> > http_access deny social_networking
> > acl porn_site1   dstdomain "/etc/squid/blacklists/porn/domains.txt"
> > acl porn_site2   dstdom_regex -i "/etc/squid/blacklists/porn/expressions"
> > acl porn_site3   dstdom_regex -i "/etc/squid/blacklists/porn/urls.txt"
> > acl audio_video1   dstdomain "/etc/squid/blacklists/audio-video/urls.txt"
> > ###################### THERE ARE TOO MANY acls and http_access , so not
> > bothering with vast linux
>
> I will bet a lot of those ACLs are also calling the group helper too yes?
>
> > http_access allow liquorinfo webvip
> > http_access deny liquorinfo
> > http_access allow ad_auth
> > http_access allow auth
>
> Once you have removed ad_auth ACL, this becomes:
>  http_access allow auth
>  http_access allow auth
>
> I hope you can see how redundant that is.
>
> Also, it's very likely that the "allow auth" is a useless operation after
> a great many group checks have also performed authentication. That "TOO
> MANY acls and http_access" list you omitted will be needed to determine
> that.
>
>
> > http_access allow sq1 sq2
> > acl NTLMUsers proxy_auth REQUIRED
>
> You already have an ACL named "auth" which performs authentication.
> The above line is not being used in any way. Remove it.
>
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
>
> These are basic security protection against Denial of Service and other
> types of protocol smuggling attacks. They only work when they are used
> *above* your custom "allow" rules.
>
> Move these two lines above your "http_access allow google" line.
>
>
>
> > http_port 8080
> > hierarchy_stoplist cgi-bin ?
>
> The above line is not useful these days. Remove it.
>
> > cache_effective_user squid
> > cache_dir aufs /var/spool/squid 20384 32 512
> > cache_mem 50 MB
> > cache_replacement_policy heap LFUDA
> > cache_swap_low 85
> > cache_swap_high 95
> > maximum_object_size 5 MB
> > maximum_object_size_in_memory 50 KB
> > ipcache_size 5240
> > ipcache_low 90
> > ipcache_high 95
> > cache_mgr amit
> > acl SSL_ports port 443
>
> The above is a duplicate config line. Remove it.
>
> > http_access allow CONNECT SSL_ports
> > coredump_dir /var/spool/squid
> > refresh_pattern ^ftp:           1440    20%     10080
> > refresh_pattern ^gopher:        1440    0%      1440
> > refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> > refresh_pattern .               0       20%     4320
> > url_rewrite_program /usr/local/bin/squidGuard -c
> > /usr/local/squidGuard/squidGuard.conf
> >
>
>
> Now, as to solving your problem:
>
> 1) Clean up your config. Reduce the amount of redundant or unused
> things. I've mentioned a few above.
>
> 2) Run "squid -k parse" and fix any other problems it highlights.
>
> 3) optimize your ACLs and http_access rules. I've mentioned a few, such
> as moving the main security checks to the top so DoS traffic does not
> put load on the helpers and other ACLs.
>
> I believe though that you will probably find Squid works much better
> having the following access controls pattern:
> "
>  http_access deny !Safe_ports
>  http_access deny CONNECT !SSL_ports
>
>  # if they are not authenticated, they will not be in a group
>  http_access deny !auth
>
>  # assuming that webvip are the group with full access?
>  http_access allow webvip
>
>  # your long list of per-site group check ACLs go here
>  ...
>
>  # this is where defining the LAN ranges correctly comes in.
>  # note that users have authenticated simply to get near here
>  http_access allow localnet
>  http_access deny all
> "
>
>
> 4) consider an upgrade to Squid 3.4+. The "notes" ACL type offers much
> more efficient ACL testing with a custom group lookup helper. The all-of
> and any-of ACL types can also much reduce your http_access lines.
>
> HTH
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
>



Thank you Amos, I will check and will update the list.


--
Thanks & Regards

B Jagannath
Keen & Able Computers Pvt. Ltd.
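Amos's review above comes down to a handful of mechanical checks: the protocol guards (deny !Safe_ports, deny CONNECT !SSL_ports) before any allow, the AND semantics of several ACLs on one http_access line, helper lookups per request measured against winbindd's 200-connection limit from the posted log, and duplicate or unused ACL definitions. The Python below is an added example, not part of this thread and not Squid's code: a small linter that applies those checks to a trimmed copy of the posted squid.conf (same ACL names, paths and order, with the long per-site list cut out) and to Amos's suggested ordering. The external_acl_type line in the cleaned-up version is an assumption added here, since his pattern did not show one; ttl=3600 is Squid's documented default. One thing the review did not call out is the ttl=0 on the posted wbinfo_group_helper line: with it, cached results expire within a second, so the helper result caching Amos counts on is effectively off, and the linter flags that too.

```python
import shlex

BUILTIN_ACLS = {"all"}   # predefined by Squid 3.x, so never "undefined"

# Constructed sample: a trimmed copy of the posted squid.conf, same order and the
# same ACL names and paths as the post (the long per-site list is cut out).
POSTED_CONF = """\
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED
external_acl_type wbinfo_group_helper ttl=0 children=40 %LOGIN /usr/lib64/squid/wbinfo_group.pl -d
acl pro1 external wbinfo_group_helper "/etc/squid/HT/pro1"
acl pro2 external wbinfo_group_helper "/etc/squid/HT/pro2"
acl pro3 external wbinfo_group_helper "/etc/squid/HT/pro3"
acl pro4 external wbinfo_group_helper "/etc/squid/HT/pro4"
acl pro5 external wbinfo_group_helper "/etc/squid/HT/pro5"
acl pro6 external wbinfo_group_helper "/etc/squid/HT/pro6"
acl webvip external wbinfo_group_helper "/etc/squid/HT/webvip"
acl ad_auth proxy_auth REQUIRED
http_access allow Safe_ports pro1 pro2 pro3 pro4 pro5 pro6 webvip
http_access allow ad_auth
http_access allow auth
acl NTLMUsers proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl SSL_ports port 443
http_access allow CONNECT SSL_ports
"""

# Amos's suggested ordering. The external_acl_type line is an assumption added
# here (ttl=3600 is Squid's documented default); his pattern did not show one.
CLEANED_CONF = """\
external_acl_type wbinfo_group_helper ttl=3600 children=40 %LOGIN /usr/lib64/squid/wbinfo_group.pl
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED
acl webvip external wbinfo_group_helper "/etc/squid/HT/webvip"
acl localnet src 172.16.0.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !auth
http_access allow webvip
http_access allow localnet
http_access deny all
"""


def parse(conf):
    """Collect acl definitions, http_access rules and external_acl_type options."""
    acls, rules, helpers, dups = {}, [], {}, []
    for raw in conf.splitlines():
        w = shlex.split(raw.split("#", 1)[0])
        if w and w[0] == "acl":
            defs = acls.setdefault(w[1], {"type": w[2], "defs": set()})["defs"]
            if (w[2], tuple(w[3:])) in defs:
                dups.append(raw.strip())          # the same acl line given twice
            defs.add((w[2], tuple(w[3:])))
        elif w and w[0] == "http_access":
            rules.append((w[1], w[2:]))           # action, ACL names ("!" kept)
        elif w and w[0] == "external_acl_type":
            helpers[w[1]] = dict(o.split("=", 1) for o in w[2:] if "=" in o)
    return acls, rules, helpers, dups


def external_lookups(names, acls):
    """ACLs on one http_access line are ANDed, left to right; a request that
    matches the whole line pays one helper lookup per external ACL on it."""
    return sum(acls.get(n.lstrip("!"), {}).get("type") == "external" for n in names)


def lint(conf, winbind_max_clients=200):
    """Apply the review's checks; returns the findings plus the helper-load numbers."""
    acls, rules, helpers, dups = parse(conf)
    problems = []
    first_allow = next((i for i, r in enumerate(rules) if r[0] == "allow"), len(rules))
    for guard in (["!Safe_ports"], ["CONNECT", "!SSL_ports"]):
        pos = next((i for i, r in enumerate(rules) if r == ("deny", guard)), None)
        if pos is None:
            problems.append(f"no 'http_access deny {' '.join(guard)}' rule")
        elif pos > first_allow:
            problems.append(f"'deny {' '.join(guard)}' is rule {pos + 1}, after the first "
                            f"allow (rule {first_allow + 1}): traffic that allow passes never meets it")
    for name, opts in helpers.items():
        if opts.get("ttl") == "0":
            problems.append(f"external_acl_type {name} ttl=0: cached results expire within "
                            "a second, so nearly every request costs a helper lookup")
    used = {n.lstrip("!") for _, names in rules for n in names}
    problems += [f"acl {n} is defined but never used" for n in acls if n not in used]
    problems += [f"acl {n} is used but never defined" for n in used - set(acls) - BUILTIN_ACLS]
    problems += [f"duplicate line: {d}" for d in dups]
    same = {}                                     # identical tests under different names
    for n, info in acls.items():
        same.setdefault((info["type"], frozenset(info["defs"])), []).append(n)
    problems += [f"acl {' / '.join(ns)} are the same test" for ns in same.values() if len(ns) > 1]
    worst = max((external_lookups(n, acls) for _, n in rules), default=0)
    # Amos's bound: winbindd refused work at 200 connections in the posted log and
    # each in-flight lookup holds one, so this many requests can sit in the
    # group-check stage at once; with 7 lookups per request that is 28.
    return {"problems": problems, "max_lookups_per_request": worst,
            "max_concurrent_group_checks": winbind_max_clients // worst if worst else None}
```

On the posted config the linter reports the two guards sitting after the first allow, the ttl=0 helper, the unused NTLMUsers ACL, the repeated SSL_ports line, and auth / ad_auth / NTLMUsers being the same test, with a worst case of 7 lookups per request; on the cleaned-up ordering it reports nothing and the worst case drops to one lookup. To run it on a real squid.conf, pass the file contents to lint() instead of the constants.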

------------------------------


