Hi masters !
I am having some problems using my Squid authenticating
against my Active Directory Server.
I have this environment working for about 6 months, and it was
fine, but since last month its behavior became very strange. The point
is when the clients request a page, some time it works fine, but some
times they get an error like: "The page cannot be displayed".
I have checked many things, starting with the DNS sctructure,
and I didn`t find any problem. I've checked the response time between
my workstation machine and the Squid Server, and between the Squid
Server and the AD server, and is everything fine, acctualy they are
all in the same LAN.
I tryed many different configurations of samba and squid to
solve that, but it is still happen. I changed my smb.conf and the
squid.conf and now it is like that:
smb.conf
[global]
workgroup = domain
password server = IP
encrypt passwords = yes
realm = DOMAIN
server string = Samba 3.0.7
security = ADS
username map = /etc/samba/smbusers
log level = 2
syslog = 0
log file = /var/log/samba/%m
max log size = 100
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
ldap ssl = no
idmap uid = 10000-100000
idmap gid = 10000-100000
winbind gid = 10000-100000
winbind cache time = 240
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template primary group = "Domain Users"
template homedir = /dev/null
template shell = /dev/null
winbind separator = +
basic squid.conf
http_port 8081
buffered_logs on
dead_peer_timeout 90 seconds
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 16384 KB
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir aufs /cache01 10000 16 256
cache_dir aufs /cache02 10000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
dns_children 15
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 90
auth_param ntlm max_challenge_reuses 3
auth_param ntlm max_challenge_lifetime 24 hours
auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 24 hours
authenticate_ttl 3 hourconnect_timeout 2 minutes
request_timeout 2 minutes
persistent_request_timeout 5 minute
half_closed_clients off
acl user_AD proxy_auth REQUIRED
http_access allow user_AD all
http_access deny all
http_reply_access allow all
icp_port 0
log_icp_queries off
icp_access deny all
miss_access allow all
cache_mgr root
cache_effective_user squid
cache_effective_group squid
forwarded_for off
coredump_dir /var/spool/squid
I am using Samba 3.0.7 with winbind, and it is ok. My krb5.conf
is like that:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = XXXXXXX.COM.BR
dns_lookup_realm = no
dns_lookup_kdc = no
forwardable = true
proxiable = true
kdc_timeout = 5
[realms]
XXXXXXX.COM.BR = {
kdc = IP:88
admin_server = IP:749
default_domain = xxxxxx.com.br
}
[domain_realm]
.xxxxxx.com.br = XXXXXX.COM.BR
xxxxxx.com.br = XXXXXX.COM.BR
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
The softwares versions are:
Squid: Version 2.5.STABLE7
Winbindd: Version 3.0.7
krb5 - 1.2.7-24
and Red Hat Enterprise Server
I've tryed different log levels, and I dind`t get any
error, even in winbindd.log, or cache.log, or access.log, acctually,
when the error happen it doesn`t log.
I did upgrade the Squid, and I've tryed to upgrade the
winbind, but the new winbind doesn`t work fine, I don`t know why. Does
anybody had compiled the news version of Samba with Squid ? The error
that I got was: "failed tcon_X with NT_STATUS_ACCESS_DENIED".
I don`t really think that the samba 3.0.7 could be the problem.
Other important information is when I stop the
authentication, the problem stop. Other important information is that
the problem just happen during the bussiness day, we have around 3000
users accessing the internet. Btw, the cpu and memory of the server
are ok. I tryed also disabling the cache, but without success.
Other very interesting thing is that I have a backup proxy
server, and in that server the problem doesn`t happened, so, I
switched the clients to the backup server while I was working in the
main server, so, I tryed an upgrade of Kernel and others
configurations, but nothing changed. My last choice was to rebuild the
whole machine and I am doing it now, and the clients are accessing the
backup server since two weeks ago without any problem, but today the
problem also started in the backup server. Are we in the halloween
time ?
Pleaasseeeee. Any ideia ?
Thanks in advance. I will really apreciate any help.
Rodrigo.
Received on Mon Jan 10 2005 - 12:12:18 MST
This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:35 MST