RES: [squid-users] squid cache problem

From: Luciano Sousa <lucianosousa.ti_at_gmail.com>
Date: Thu, 16 Apr 2009 13:11:18 -0300

Chris,
Yes, Squid denies access; see below:

I shut down the computer normally yesterday evening ...
This morning, when I turned on the computer, it performed the following
procedures in a .sh file:

RunCache &
RunAccel &
squid

My access.log:
2009/04/16 08:52:51| Squid Cache (Version 3.0.STABLE13): Exiting normally.
2009/04/16 08:53:01| Starting Squid Cache version 3.0.STABLE13 for
i686-pc-linux-gnu...
2009/04/16 08:53:01| Process ID 2854
2009/04/16 08:53:01| With 1024 file descriptors available
2009/04/16 08:53:01| Performing DNS Tests...
2009/04/16 08:53:01| Successful DNS name lookup tests...
2009/04/16 08:53:01| DNS Socket created at 0.0.0.0, port 42522, FD 6
2009/04/16 08:53:01| Adding domain cashinfo from /etc/resolv.conf
2009/04/16 08:53:01| Adding nameserver 192.168.1.254 from /etc/resolv.conf
2009/04/16 08:53:01| helperStatefulOpenServers: Starting 5 'ntlm_auth'
processes
2009/04/16 08:53:01| helperOpenServers: Starting 5 'wbinfo_group.pl'
processes
[2009/04/16 08:53:02, 0] utils/ntlm_auth.c:get_winbind_domain(146)
  could not obtain winbind domain name!
[2009/04/16 08:53:02, 0] utils/ntlm_auth.c:get_winbind_domain(146)
  could not obtain winbind domain name!
[2009/04/16 08:53:02, 0] utils/ntlm_auth.c:get_winbind_domain(146)
  could not obtain winbind domain name!
[2009/04/16 08:53:02, 0] utils/ntlm_auth.c:get_winbind_domain(146)
  could not obtain winbind domain name!
[2009/04/16 08:53:02, 0] utils/ntlm_auth.c:get_winbind_domain(146)
  could not obtain winbind domain name!
2009/04/16 08:53:02| Unlinkd pipe opened on FD 22
2009/04/16 08:53:02| Swap maxSize 1536000 KB, estimated 118153 objects
2009/04/16 08:53:02| Target number of buckets: 5907
2009/04/16 08:53:02| Using 8192 Store buckets
2009/04/16 08:53:02| Max Mem size: 512000 KB
2009/04/16 08:53:02| Max Swap size: 1536000 KB
2009/04/16 08:53:02| Version 1 of swap file with LFS support detected...
2009/04/16 08:53:02| Rebuilding storage in /usr/local/squid/cache (CLEAN)
2009/04/16 08:53:02| Using Least Load store dir selection
2009/04/16 08:53:02| Current Directory is /
2009/04/16 08:53:02| Loaded Icons.
2009/04/16 08:53:02| Accepting HTTP connections at 0.0.0.0, port 3128, FD
24.
2009/04/16 08:53:02| Accepting ICP messages at 0.0.0.0, port 3128, FD 25.
2009/04/16 08:53:02| HTCP Disabled.
2009/04/16 08:53:02| Ready to serve requests.
2009/04/16 08:53:02| Done reading /usr/local/squid/cache swaplog (2385
entries)
2009/04/16 08:53:02| Finished rebuilding storage from disk.
2009/04/16 08:53:02| 2385 Entries scanned
2009/04/16 08:53:02| 0 Invalid entries.
2009/04/16 08:53:02| 0 With invalid flags.
2009/04/16 08:53:02| 2385 Objects loaded.
2009/04/16 08:53:02| 0 Objects expired.
2009/04/16 08:53:02| 0 Objects cancelled.
2009/04/16 08:53:02| 0 Duplicate URLs purged.
2009/04/16 08:53:02| 0 Swapfile clashes avoided.
2009/04/16 08:53:02| Took 0.59 seconds (4044.94 objects/sec).
2009/04/16 08:53:02| Beginning Validation Procedure
2009/04/16 08:53:02| Completed Validation Procedure
2009/04/16 08:53:02| Validated 4795 Entries
2009/04/16 08:53:02| store_swap_size = 22976
2009/04/16 08:53:03| storeLateRelease: released 0 objects
[2009/04/16 08:53:05, 0] utils/ntlm_auth.c:get_winbind_domain(146)
  could not obtain winbind domain name!
[2009/04/16 08:53:05, 0] utils/ntlm_auth.c:get_winbind_netbios_name(172)
  could not obtain winbind netbios name!
[2009/04/16 08:53:28, 0] utils/ntlm_auth.c:get_winbind_domain(146)
  could not obtain winbind domain name!
[2009/04/16 08:53:28, 0] utils/ntlm_auth.c:get_winbind_netbios_name(172)
  could not obtain winbind netbios name!
[2009/04/16 08:53:30, 0] utils/ntlm_auth.c:get_winbind_domain(146)
  could not obtain winbind domain name!
[2009/04/16 08:53:30, 0] utils/ntlm_auth.c:get_winbind_netbios_name(172)
  could not obtain winbind netbios name!
[2009/04/16 08:53:47, 0] utils/ntlm_auth.c:winbind_pw_check(515)
  Login for user [CASHINFO]\[luciano.rangel]@[INFO-LUCIANO] failed due to
[winbind client not authorized to use winbindd_pam_auth_crap.
Ensure permissions on /usr/local/samba/var/locks/winbindd_privileged
are set correctly.]
[2009/04/16 08:53:47, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(776)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2009/04/16 08:53:47| authenticateNTLMHandleReply: Error validating user via
NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
[2009/04/16 08:54:02, 0] utils/ntlm_auth.c:winbind_pw_check(515)
  Login for user [CASHINFO]\[luciano.rangel]@[INFO-LUCIANO] failed due to
[winbind client not authorized to use winbindd_pam_auth_crap.
Ensure permissions on /usr/local/samba/var/locks/winbindd_privileged
are set correctly.]
[2009/04/16 08:54:02, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(776)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2009/04/16 08:54:02| authenticateNTLMHandleReply: Error validating user via
NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
[2009/04/16 08:54:04, 0] utils/ntlm_auth.c:winbind_pw_check(515)
  Login for user [CASHINFO]\[luciano.rangel]@[INFO-LUCIANO] failed due to
[winbind client not authorized to use winbindd_pam_auth_crap.
Ensure permissions on /usr/local/samba/var/locks/winbindd_privileged
are set correctly.]
[2009/04/16 08:54:04, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(776)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2009/04/16 08:54:04| authenticateNTLMHandleReply: Error validating user via
NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
[2009/04/16 08:54:05, 0] utils/ntlm_auth.c:winbind_pw_check(515)
  Login for user [CASHINFO]\[luciano.rangel]@[INFO-LUCIANO] failed due to
[winbind client not authorized to use winbindd_pam_auth_crap.
Ensure permissions on /usr/local/samba/var/locks/winbindd_privileged
are set correctly.]
[2009/04/16 08:54:05, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(776)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2009/04/16 08:54:05| authenticateNTLMHandleReply: Error validating user via
NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'

At this moment, access to sites is blocked.

I did the following procedures:
# kinit administrador_at_domain.local
# net ads join -U administrador -S domain.local
# smbd
# winbindd

And access to sites continues to be blocked, with this error in access.log:

2009/04/16 08:51:19| helperStatefulOpenServers: Starting 5 'ntlm_auth'
processes
2009/04/16 08:51:19| helperOpenServers: Starting 5 'wbinfo_group.pl'
processes
[2009/04/16 08:51:19, 0] utils/ntlm_auth.c:get_winbind_domain(146)
  could not obtain winbind domain name!
[2009/04/16 08:51:19, 0] utils/ntlm_auth.c:get_winbind_domain(146)
  could not obtain winbind domain name!
[2009/04/16 08:51:19, 0] utils/ntlm_auth.c:get_winbind_domain(146)
  could not obtain winbind domain name!
[2009/04/16 08:51:19, 0] utils/ntlm_auth.c:get_winbind_domain(146)
  could not obtain winbind domain name!
[2009/04/16 08:51:19, 0] utils/ntlm_auth.c:get_winbind_domain(146)
  could not obtain winbind domain name!

Finally, I did the following procedures:

# rm -rf /usr/local/squid/cache/*
# squid -k kill
# squid -z
# chmod 777 /usr/local/squid/cache/*
# squid
# RunCache
# RunAccel

and in the access.log:

2009/04/16 08:54:53| Starting Squid Cache version 3.0.STABLE13 for
i686-pc-linux-gnu...
2009/04/16 08:54:53| Process ID 2891
2009/04/16 08:54:53| With 1024 file descriptors available
2009/04/16 08:54:53| Performing DNS Tests...
2009/04/16 08:54:53| Successful DNS name lookup tests...
2009/04/16 08:54:53| DNS Socket created at 0.0.0.0, port 55366, FD 6
2009/04/16 08:54:53| Adding domain cashinfo from /etc/resolv.conf
2009/04/16 08:54:53| Adding nameserver 192.168.1.254 from /etc/resolv.conf
2009/04/16 08:54:53| helperStatefulOpenServers: Starting 5 'ntlm_auth'
processes
2009/04/16 08:54:53| helperOpenServers: Starting 5 'wbinfo_group.pl'
processes
2009/04/16 08:54:53| Unlinkd pipe opened on FD 22
2009/04/16 08:54:53| Swap maxSize 1536000 KB, estimated 118153 objects
2009/04/16 08:54:53| Target number of buckets: 5907
2009/04/16 08:54:53| Using 8192 Store buckets
2009/04/16 08:54:53| Max Mem size: 512000 KB
2009/04/16 08:54:53| Max Swap size: 1536000 KB
2009/04/16 08:54:53| Rebuilding storage in /usr/local/squid/cache (DIRTY)
2009/04/16 08:54:53| Using Least Load store dir selection
2009/04/16 08:54:53| Current Directory is /
2009/04/16 08:54:53| Loaded Icons.
2009/04/16 08:54:53| Accepting HTTP connections at 0.0.0.0, port 3128, FD
23.
2009/04/16 08:54:53| Accepting ICP messages at 0.0.0.0, port 3128, FD 24.
2009/04/16 08:54:53| HTCP Disabled.
2009/04/16 08:54:53| Ready to serve requests.
2009/04/16 08:54:54| Done scanning /usr/local/squid/cache swaplog (0
entries)
2009/04/16 08:54:54| Finished rebuilding storage from disk.
2009/04/16 08:54:54| 0 Entries scanned
2009/04/16 08:54:54| 0 Invalid entries.
2009/04/16 08:54:54| 0 With invalid flags.
2009/04/16 08:54:54| 0 Objects loaded.
2009/04/16 08:54:54| 0 Objects expired.
2009/04/16 08:54:54| 0 Objects cancelled.
2009/04/16 08:54:54| 0 Duplicate URLs purged.
2009/04/16 08:54:54| 0 Swapfile clashes avoided.
2009/04/16 08:54:54| Took 1.10 seconds ( 0.00 objects/sec).
2009/04/16 08:54:54| Beginning Validation Procedure
2009/04/16 08:54:54| Completed Validation Procedure
2009/04/16 08:54:54| Validated 25 Entries
2009/04/16 08:54:54| store_swap_size = 0
2009/04/16 08:54:54| storeLateRelease: released 0 objects
2009/04/16 08:54:58| Squid is already running! Process ID 2891
2009/04/16 08:55:01| Squid is already running! Process ID 2891
2009/04/16 08:55:06| Squid is already running! Process ID 2891
2009/04/16 09:55:20| WARNING: All ntlmauthenticator processes are busy.
2009/04/16 09:55:20| WARNING: 5 pending requests queued
2009/04/16 09:55:20| Consider increasing the number of ntlmauthenticator
processes in your config file.
2009/04/16 10:38:36.253| connReadWasError: FD 27: got flag -1
2009/04/16 10:39:44.805| connReadWasError: FD 35: got flag -1
2009/04/16 10:47:59.235| connReadWasError: FD 50: got flag -1
2009/04/16 10:54:59.238| connReadWasError: FD 25: got flag -1
2009/04/16 10:55:02.321| connReadWasError: FD 33: got flag -1
2009/04/16 11:10:59.048| connReadWasError: FD 30: got flag -1
2009/04/16 11:11:07.158| connReadWasError: FD 52: got flag -1
2009/04/16 11:11:20.714| connReadWasError: FD 53: got flag -1
2009/04/16 11:44:55.833| connReadWasError: FD 25: got flag -1
2009/04/16 11:44:55.841| connReadWasError: FD 34: got flag -1
2009/04/16 11:44:55.842| connReadWasError: FD 30: got flag -1
2009/04/16 11:45:11.604| connReadWasError: FD 33: got flag -1
2009/04/16 11:45:11.616| connReadWasError: FD 35: got flag -1
2009/04/16 11:45:11.629| connReadWasError: FD 34: got flag -1
2009/04/16 11:45:15.782| connReadWasError: FD 38: got flag -1
2009/04/16 11:45:15.783| connReadWasError: FD 39: got flag -1
2009/04/16 11:45:15.792| connReadWasError: FD 40: got flag -1
2009/04/16 12:37:08.458| connReadWasError: FD 30: got flag -1

What should I do?

Remove the .sh from boot;
create a new .sh to start Squid, because if the computer is
shut down in an inappropriate way, when it is switched on Squid will
run normally ...
How should I proceed?

-----Original Message-----
From: Chris Robertson [mailto:crobertson_at_gci.net]
Sent: Wednesday, April 15, 2009 15:16
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] squid cache problem

Luciano Sousa wrote:
> Hello.
>
> I'm having a problem with idiot.
> at least once every two days I have to clear the cache of my squid,
> because it begins to deny all access, probably because it is full ...
>

Your cache.log (/usr/local/squid/logs/cache.log) might give more
information on what's going on.

> my squid.conf
>
> http_port 3128
> icp_port 3128
> hierarchy_stoplist cgi-bin ?
> cache_mem 500 MB
> cache_swap_low 90
> cache_swap_high 95
> maximum_object_size 4096 KB
> ipcache_size 1024
> ipcache_low 90
> ipcache_high 95
> cache_dir ufs /usr/local/squid/cache 1500 32 256
> cache_access_log /usr/local/squid/logs/access.log
> pid_filename /usr/local/squid/logs/squid.pid
> acl manager proto cache_object
> cache_log /usr/local/squid/logs/cache.log
> cache_store_log /usr/local/squid/logs/store.log
>
> logformat logluciano IP do cliente: %>a - Username: %un - Horario:
> [%tl] - Metodo: %rm - URL: %ru - Status HTTP: %Hs - Status Squid: %Ss
> - Porta: %>p
> cache_access_log /usr/local/squid/logs/logteste.log logluciano
>
> auth_param ntlm program /usr/bin/ntlm_auth domain/pdc
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param basic children 5
> auth_param basic realm Digite o LOGIN/SENHA
> auth_param basic credentialsttl 1 minute
> auth_param basic casesensitive off
>
> external_acl_type nt_group %LOGIN /usr/local/squid/etc/wbinfo_group.pl
> acl AllowedWindowsGroups external nt_group testnet
> http_access allow AllowedWindowsGroups
>
> acl localhost src 127.0.0.1/255.255.255.255
> acl redelocal src 192.168.1.0/24
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 6959 #mirc
> acl Safe_ports port 900 #mirc
> acl Safe_ports port 23 #smtp
> acl Safe_ports port 143 #imap
>
> acl CONNECT method CONNECT
> acl acesso proxy_auth REQUIRED
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow acesso
> http_access allow redelocal
>

For what it's worth, you are allowing unauthenticated requests from your
local network. Authentication is requested, the client is allowed if
authentication is provided (but not denied if it's not). The next step
checks the client's source IP and allows based on that (with an implicit
deny following). Perhaps that's to plan, but I thought it might be
worth a mention.

> icp_access allow all
> debug_options ALL,1 33,2
>
>
> Thanks.
>

Chris
Received on Thu Apr 16 2009 - 16:11:35 MDT
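
The log excerpts in the message above name the directory whose permissions ntlm_auth complains about. As an added example (not part of the original thread), this script pulls that path and the number of denied helper replies out of a log, then checks the directory's mode and group. The function names are hypothetical, and the expected mode 0750 with group-based access for the proxy user is an assumption about a typical winbindd setup.

```shell
#!/bin/sh
# Added example, not from the thread: triage of the ntlm_auth errors quoted above.

# Constructed sample modelled on the quoted log lines, wrapped lines included.
sample_log() {
cat <<'EOF'
[2009/04/16 08:53:47, 0] utils/ntlm_auth.c:winbind_pw_check(515)
  Login for user [CASHINFO]\[luciano.rangel]@[INFO-LUCIANO] failed due to
[winbind client not authorized to use winbindd_pam_auth_crap.
Ensure permissions on /usr/local/samba/var/locks/winbindd_privileged
are set correctly.]
[2009/04/16 08:53:47, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(776)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
[2009/04/16 08:54:02, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(776)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
EOF
}

# Print each distinct directory named in an "Ensure permissions on ..." line (log on stdin).
privileged_dirs() {
  sed -n 's|^ *Ensure permissions on \(/[^ ]*\).*|\1|p' | sort -u
}

# Count helper replies that ended in NT_STATUS_ACCESS_DENIED (log on stdin).
count_denied() {
  awk '/NTLMSSP BH: NT_STATUS_ACCESS_DENIED/ { n++ } END { print n + 0 }'
}

# Report why USER cannot use the privileged pipe directory DIR.
# Assumption: mode 0750, with the proxy user admitted through the directory's group.
check_priv_dir() {
  dir=$1; user=$2; rc=0
  [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
  mode=$(stat -c '%a' "$dir")   # GNU stat: octal permission bits
  gid=$(stat -c '%g' "$dir")    # numeric owning group
  if [ "$mode" != "750" ]; then
    echo "mode $mode on $dir (expected 750)"; rc=1
  fi
  if ! id -G "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$gid"; then
    echo "user $user is not in gid $gid, which owns $dir"; rc=1
  fi
  return $rc
}

# Summary for the constructed sample.
sample_log | privileged_dirs
echo "denied helper replies: $(sample_log | count_denied)"
```

Run `check_priv_dir` with the path printed by `privileged_dirs` and the account Squid's helpers run as; a world-writable mode such as 777 is reported as a finding rather than accepted.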