Re: [squid-users] squid kerberos authenticators spamming AD and locking out users

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 22 Feb 2013 11:02:27 +1300

On 21/02/2013 7:20 p.m., Brett Lymn wrote:
> Folks,
>
> I am running 4 proxy servers with squid 3.1.19 (yes, I know it is old,
> will update soon) with kerberos authentication behind an F5 load balancer
> for a user community of about 2000 people using Windows/I.E.. Normally,
> this all works fine, people can surf the web and authentication happens
> in background as it should.
>
> The issue we are seeing is around once per month at random one of the
> kerberos authenticators seems to start spamming the life out of the
> windows AD servers. The event ID we are seeing on the windows
> servers is 0xc000006a which translates to, basically, bad password. We
> seem to get this when a user (not always the same one) changes their
> password. Clearly, it does not happen every time, we have a password
> expiry policy in AD so everyone is forced to change their password
> regularly so we would be seeing the problem a lot more frequently if it
> happened every time a user changed their password. It seems to me that
> there is some sort of race condition going on where, perhaps, the
> authenticators are doing something while the password is being changed,
> the authenticators keep using the old details. When this happens the
> authenticator seems to spin making requests at a very rapid rate, my
> windows admins tell me there are milliseconds between requests and it
> fills their logs, also the user's account gets locked out due to too many
> bad passwords.
>
> There is nothing in the logs indicating anything is wrong. Is this
> fixed in a later version? If not, any ideas on how to troubleshoot?

Can you please try an upgrade to Squid-3.3?
There were a lot of things in 3.1 which could lead to this happening.

Amos
Received on Thu Feb 21 2013 - 22:02:33 MST
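
Added example, not part of the original thread and not Squid or Windows code: one way to tell a spinning authenticator (failures milliseconds apart, as described in the question) from a user mistyping a password, by counting 0xc000006a failures per source and account in a sliding window. The comma-separated record layout, the host and account names, and the thresholds are assumptions; real records would first have to be exported into this shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = "0xc000006a"  # status value quoted in the post

# Constructed sample records (not real logs): time, source host, account, status.
SAMPLE = """\
2013-02-21T09:00:00.000,proxy1,alice,0xc000006a
2013-02-21T09:00:20.000,proxy1,alice,0xc000006a
2013-02-21T09:00:41.000,proxy1,alice,0xc000006a
2013-02-21T09:05:00.000,proxy3,bob,0xc000006a
2013-02-21T09:05:00.004,proxy3,bob,0xc000006a
2013-02-21T09:05:00.009,proxy3,bob,0xc000006a
2013-02-21T09:05:00.013,proxy3,bob,0xc000006a
2013-02-21T09:05:00.018,proxy3,bob,0xc000006a
2013-02-21T09:05:00.022,proxy3,bob,0xc000006a
2013-02-21T09:05:03.000,proxy2,carol,0x0
"""

def find_bursts(text, window=timedelta(seconds=1), threshold=5):
    """Return {(source, account): peak} for every pair that produced at
    least `threshold` bad-password failures inside any span of `window`."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, source, account, status = line.split(",")
        if status.lower() != BAD_PASSWORD:
            continue  # only bad-password failures are of interest here
        events[(source, account)].append(datetime.fromisoformat(ts))

    bursts = {}
    for key, times in events.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            # Shrink the window from the left until it spans <= `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[key] = peak
    return bursts

if __name__ == "__main__":
    for (source, account), peak in find_bursts(SAMPLE).items():
        print(f"{source} {account}: {peak} failures within 1s")
```
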
