Hi, everybody!
I have Squid 3.4.8 running on Debian Jessie. It has been working with Active Directory authentication for more than a year without any kind of problem. But since a couple of weeks ago it suddenly stopped authenticating users: it asks for credentials (username and password) and they are not able to browse. I am getting these messages in /var/log/cache.log:

    2017/03/04 12:04:25.806 kid1| WARNING: external ACL 'Grupos_AD' queue overload. Request rejected 'user1 it_group'.
After some research I found this thread http://www.squid-cache.org/mail-archive/squid-users/200902/0386.html and followed the suggestions posted by Amos. But nothing happened. I tried rejoining the server to the domain. Everything was fine on that side: wbinfo -u, wbinfo -g and wbinfo -P correctly return all the users, groups and information of the domain.
After restarting the Squid service, I noticed that neither the helper ext_wbinfo_group_acl nor the pinger are started:

    12:04:01 [root@server ]# systemctl status squid3.service -l
    1418 pts/0 S+ 0:00 \_ grep ext_wbinfo_group_acl

If I run echo "mydomain\user1 it_group" | /usr/lib/squid3/ext_wbinfo_group_acl -d, it returns:

    Debugging mode ON.
    Got mydomain\user1 it_group from squid
    User: -mydomain\user1-
    Group: -it_group-
    SID: -S-1-5-21-2290000000-711000000-3300000000-3949-
    GID: -10006-
    Sending OK to squid
    OK

Which is good, because that user belongs to that group. If I change the group name, it returns an ERR.

Here is my squid.conf:

    #===========================================================================
    http_port 3128
    visible_hostname proxy.squid
    cache_mgr server@xxxxxxxxx
    cache_effective_user proxy
    error_directory /usr/share/squid3/errors/es
    err_page_stylesheet /etc/squid3/estilo.css
    ####################################################
    #******************************Ports*************************************#
    ####################################################
    #acl manager proto cache_object
    #acl all src 0.0.0.0/0.0.0.0
    #acl localhost src 127.0.0.1/32
    acl SSL_ports port 443
    acl Safe_ports port 80
    acl Safe_ports port 21
    acl Safe_ports port 443
    acl Safe_ports port 70 #gopher
    acl Safe_ports port 210 #whois
    acl Safe_ports port 280 #http-mgmt
    acl Safe_ports port 488 #gss-http
    acl Safe_ports port 591 #filemaker
    acl Safe_ports port 8080
    acl Safe_ports port 2481
    acl Safe_ports port 20010
    acl Safe_ports port 777 #multi http
    #acl purge method PURGE
    acl CONNECT method CONNECT
    acl_uses_indirect_client on
    delay_pool_uses_indirect_client on
    log_uses_indirect_client on
    ##############################################################
    #*******************Active Directory HELPERS**************************#
    ##############################################################
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
    auth_param ntlm children 100
    auth_param ntlm keep_alive off
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 100
    auth_param basic realm Servidor proxy-cache
    auth_param basic credentialsttl 2 hours
    #######################################################################
    #****************************ACL******************************************#
    ###########################################################################
    #---------------------------ACL Active Directory------------------------#
    external_acl_type Grupos_AD ttl=10 negative_ttl=10 children=100 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d
    acl it_group external Grupos_AD it_group
    #------------------Access only for authenticated users--------------------#
    acl auth proxy_auth REQUIRED
    http_access deny !auth
    #-----------------------------Group *it_group*----------------------------#
    http_access allow it_group allow
    http_access allow manager localhost
    http_access deny manager
    #http_access allow purge localhost
    #http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_PORTS
    http_access deny all
    dead_peer_timeout 20 seconds
    strip_query_terms on
    debug_options ALL,1 33,2 28,9
    coredump_dir /var/spool/squid3
    ftp_passive on
    ftp_sanitycheck off
    ftp_telnet_protocol off
    read_ahead_gap 1 MB
    positive_dns_ttl 6 hours
    forward_max_tries 25
    ############################################################################
    #*************************Log********************************#
    ############################################################################
    logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
    cache_access_log /var/log/squid3/access.log
    cache_log /var/log/squid3/cache.log
    logfile_rotate 0
    ############################################################################
    #******************Cache and memory***************************#
    ############################################################################
    cache_mem 1024 MB
    maximum_object_size_in_memory 1024 KB
    memory_cache_mode always
    cache_dir aufs /var/spool/squid3 15000 16 256
    maximum_object_size 96 MB
    minimum_object_size 10 KB
    #cache_replacement_policy heap LFUDA
    cache_replacement_policy heap GDSF
    memory_replacement_policy heap GDSF
    #memory_replacement_policy lru
    cache_store_log none
    #log_fqdn off
    log_icp_queries off
    buffered_logs off
    #emulate_httpd_log off
    redirect_rewrites_host_header off
    cache_swap_low 80
    cache_swap_high 95
    #===========================================================================

It is really weird, and I really don't know how to solve this. I hope my explanation was clear. For testing purposes, I have another Squid working with the same AD server, and it is going fine: the helper and pinger are executed, as you can see here:

    root@debian-test-server:/etc/squid3# systemctl status squid3.service
    ● squid3.service - LSB: Squid HTTP Proxy version 3.x
       Loaded: loaded (/etc/init.d/squid3)
       Active: active (running) since lun 2017-02-13 07:35:01 ART; 2 weeks 5 days ago
      Process: 570 ExecStart=/etc/init.d/squid3 start (code=exited, status=0/SUCCESS)
       CGroup: /system.slice/squid3.service
               ├─ 1017 /usr/sbin/squid3 -YC -f /etc/squid3/squid.conf
               ├─ 1020 (squid-1) -YC -f /etc/squid3/squid.conf
               ├─ 1945 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d
               ├─ 1968 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
               ├─ 1969 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
               ├─ 1970 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
               ├─ 1971 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
               ├─ 1972 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
               ├─ 1973 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
               ├─ 1974 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
               ├─ 1993 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d
               ├─ 2029 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d
               ├─63477 (pinger)
               ├─63478 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp --DOMAIN=MYDOMAIN
               ├─63479 (ntlm_auth) --helper-protocol=squid-2.5-basic
               └─63480 /usr/bin/perl -w /usr/lib/squid3/ext_wbinfo_group_acl -d

I will appreciate your help! Thanks!
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
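As an added illustration of the request/reply protocol that the external_acl_type line in the post drives (this is not code from the post nor Squid's own ext_wbinfo_group_acl): Squid writes one line per lookup, "%LOGIN group [group ...]", and expects a single OK or ERR line back; the membership table below is constructed sample data standing in for what winbind would return.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper speaking the same line protocol as
ext_wbinfo_group_acl (non-concurrent form, as in the post's config).

Request:  "<login> <group> [<group> ...]", fields URL-encoded by Squid.
Reply:    "OK" if the login is a member of any listed group, else "ERR".
"""
import sys
from urllib.parse import unquote

# Constructed sample directory (hypothetical), standing in for winbind.
SAMPLE_MEMBERSHIP = {
    "mydomain\\user1": {"it_group", "domain users"},
    "mydomain\\user2": {"domain users"},
}


def lookup_groups(login, directory=SAMPLE_MEMBERSHIP):
    """Return the user's group names, lower-cased; AD names are case-insensitive."""
    return {g.lower() for g in directory.get(login.lower(), set())}


def decide(line, directory=SAMPLE_MEMBERSHIP):
    """Parse one helper request line and return the reply Squid expects."""
    # Squid 3.4 URL-encodes each field, so a literal backslash may arrive as %5C.
    fields = [unquote(f) for f in line.strip().split()]
    if len(fields) < 2:
        return "ERR"  # nothing to check: fail closed rather than grant access
    login, wanted = fields[0], fields[1:]
    member_of = lookup_groups(login, directory)
    return "OK" if any(g.lower() in member_of for g in wanted) else "ERR"


def main():
    # One reply per request line; flush so Squid never waits on a buffered
    # answer (a slow or stuck helper is what fills the queue in the warning).
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Feeding it the same line the post tested, echo "mydomain\user1 it_group", yields OK, and a group the user is not in yields ERR.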