Re: Negotiate Authenticator and DNS

"Eliezer Croitoru" <eliezer@xxxxxxxxxxxx> · Tue, 26 Sep 2017 07:59:00 +0300

Hey,

How about using a local bind\unbound DNS server that has a forwarding zone defined only for the local domains?
For me it's a bit hard to understand the root cause for the issue but this is the best solution I can think about.
If you need some help about with bind\unbound DNS configurations just send me an email and I will try to help you with that.

All The Bests,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of erdosain9
Sent: Friday, September 22, 2017 17:37
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject:  Negotiate Authenticator and DNS

Hi.
Im traying to improve the dns response because im having this times:

Negotiate Authenticator Statistics:
program: /lib64/squid/negotiate_kerberos_auth
number active: 32 of 32 (0 shutting down)
requests sent: 72241
replies received: 72241
queue length: 0
avg service time: 56 msec

   ID #	     FD	    PID	 # Requests	  # Replies	 Flags	   Time	 Offset
Request
     16	     30	  22242	      38896	      38896	     	  0.368	      0	(none)
     17	     32	  22243	      13404	      13404	     	  0.388	      0	(none)
     18	     38	  22244	       6962	       6962	     	  0.126	      0	(none)
     19	     61	  22245	       3895	       3895	     	  0.344	      0	(none)
     20	     65	  22246	       2636	       2636	     	  0.369	      0	(none)
     21	     74	  22247	       1879	       1879	     	  0.124	      0	(none)
     22	     76	  22248	       1177	       1177	     	  0.340	      0	(none)
     23	     78	  22249	        809	        809	     	  0.307	      0	(none)
     24	     79	  22250	        592	        592	     	  0.364	      0	(none)
     25	     81	  22251	        436	        436	     	  0.265	      0	(none)
     26	     94	  22252	        320	        320	     	  0.244	      0	(none)
     27	     96	  22253	        243	        243	     	  0.243	      0	(none)
     28	     98	  22254	        184	        184	     	  0.299	      0	(none)
     29	    109	  22255	        142	        142	     	  0.285	      0	(none)
     30	    111	  22256	        112	        112	     	  0.308	      0	(none)
     31	    113	  22257	         85	         85	     	  0.308	      0	(none)
     45	    473	  22285	         69	         69	     	  0.789	      0	(none)
     46	    475	  22286	         60	         60	     	  0.756	      0	(none)
     47	    480	  22287	         52	         52	     	  1.504	      0	(none)
     48	    495	  22288	         48	         48	     	  1.611	      0	(none)
     49	    499	  22289	         44	         44	     	  1.611	      0	(none)
     50	    580	  22291	         36	         36	     	  1.598	      0	(none)
     51	    596	  22292	         31	         31	     	  1.099	      0	(none)
     52	    593	  22293	         26	         26	     	  0.916	      0	(none)
     53	    547	  22308	         20	         20	     	  0.916	      0	(none)
     54	    550	  22309	         18	         18	     	  0.602	      0	(none)
     55	    551	  22310	         14	         14	     	  0.397	      0	(none)
     56	    553	  22311	         12	         12	     	  0.567	      0	(none)
     57	    552	  22312	         12	         12	     	  0.567	      0	(none)
     58	    397	  22313	         11	         11	     	  0.567	      0	(none)
     59	    407	  22314	         10	         10	     	  0.584	      0	(none)
     67	    436	  22355	          6	          6	     	  1.035	      0	(none)

Sometimes much more time, sometimes go to avg service time: 560 msec...

Sorry for my ignorance...
This Negotiate Authenticator is for users??? i mean this is related to, for
example, go to google.com, or is just the time that the user (client pc)
wait for be authenticate??

I think, that is related to go to a web (now i have my doubts). so i make a
dns with bind. and put that dns in squid config, and let the dns from the AD
in second place... but, when i restart this happend:

support_resolv.cc(289): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
ERROR: Error while resolving service record _ldap._tcp.DOMAIN.LAN with r
es_search
support_resolv.cc(71): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
ERROR: res_search: Unknown service record: _ldap._tcp.DOMAIN.LAN
support_resolv.cc(183): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
ERROR: Error while resolving hostname with getaddrinfo: Name or service 
not known
support_sasl.cc(276): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact 
LDAP server

So, this post is for two question. 
1- The thing about Negotiate Authenticator (that value what represent?)
2- Can i improve making my own dns (apart from the the dns from the domain)?
(i prefer make other dns, than fix the dns from the domain, because i dont
manage that).

Thanks to all, and sorry for the ignorance, and my bad writing (i dont speak
english)

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users