Re: RES: [squid-users] squid cache problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 17 Apr 2009 14:54:29 +1200

Chris Robertson wrote:
> Luciano Sousa wrote:
>> Chris,
>> the squid denies access yes, see below:
>>
>> I shut down the computer normally yesterday evening ...
>> this morning when I called the computer performed the following
>> procedures
>> in a .sh file:
>>
>> RunCache &
>> RunAccel &
>> squid
>>
>
> You are effectively starting Squid THREE TIMES here. Further, RunCache
> seems to be deprecated (and RunAccel for that matter) and will no longer
> be bundled starting with Squid3.1. I'd advise against using them.
>
>> my access.log
>> 2009/04/16 08:52:51| Squid Cache (Version 3.0.STABLE13): Exiting
>> normally.
>> 2009/04/16 08:53:01| Starting Squid Cache version 3.0.STABLE13 for
>> i686-pc-linux-gnu...
>> 2009/04/16 08:53:01| Process ID 2854
>> 2009/04/16 08:53:01| With 1024 file descriptors available
>> 2009/04/16 08:53:01| Performing DNS Tests...
>> 2009/04/16 08:53:01| Successful DNS name lookup tests...
>> 2009/04/16 08:53:01| DNS Socket created at 0.0.0.0, port 42522, FD 6
>> 2009/04/16 08:53:01| Adding domain cashinfo from /etc/resolv.conf
>> 2009/04/16 08:53:01| Adding nameserver 192.168.1.254 from
>> /etc/resolv.conf
>> 2009/04/16 08:53:01| helperStatefulOpenServers: Starting 5 'ntlm_auth'
>> processes
>> 2009/04/16 08:53:01| helperOpenServers: Starting 5 'wbinfo_group.pl'
>> processes
>> [2009/04/16 08:53:02, 0] utils/ntlm_auth.c:get_winbind_domain(146)
>> could not obtain winbind domain name!
>
> SNIP
>
>> 2009/04/16 08:54:05| authenticateNTLMHandleReply: Error validating
>> user via
>> NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
>>
>> At this moment the access to sites is blocked.
>>
>
> Right. Authentication is not working.
>
>> I did the following procedures:
>> # kinit administrador_at_domain.local
>> # net ads join -U administrador -S domain.local # smbd #winbindd
>>
>
> Was there any indication of success...?
>
>> and access to sites continues to be blocked, with the error in access.log:
>>
>> 2009/04/16 08:51:19| helperStatefulOpenServers: Starting 5 'ntlm_auth'
>> processes
>> 2009/04/16 08:51:19| helperOpenServers: Starting 5 'wbinfo_group.pl'
>> processes
>> [2009/04/16 08:51:19, 0] utils/ntlm_auth.c:get_winbind_domain(146)
>> could not obtain winbind domain name!
>
> Because it didn't seem to work.
>
>>
>> finally, I did the following procedures:
>>
>> # rm -rf /usr/local/squid/cache/*
>>
>
> This should really only be performed if Squid is not running. And then
> only if something is really messed up with your cache.
>
>> # squid -k kill
>> # squid -z
>> # chmod 777 /usr/local/squid/cache/*
>>
>
> This is not needed (and insecure) as if Squid has permission to create
> the directory structure under /usr/local/squid.cache it will do so with
> all the permissions it needs.

Indeed, drop them and the rm above completely. Should only be done
manually at times of great need.

>
>> # squid
>> # RunCache
>> # RunAccel
>>
>
> At the top of this message, you ran the last three commands in the
> opposite order. Perhaps that's a clue...
>

It is, and a major one....

RunCache + RunAccel perform tests to see if squid is already running and
do not start it twice.

Doing even this order:
  RunCache
  squid

means:
  RunCache - will start squid (none already running), with successful log
info going to a cache.log

  squid - will unconditionally try to start a second squid ... and
overwrite the cache.log from RunCache with new failed startup info, or
at best-case will append startup failures at the end.

<snip>
>> how should I proceed?
>
> Find a recent Squid init script for your distribution, or barring
> that just start squid (and ONLY squid, not RunCache or RunAccel) from
> /etc/rc.local. See if that runs better. Clearing the cache as a means
> of fixing broken authentication is... Uh... Probably not the correct
> path to follow.
>
> Chris

What Chris said :)

PS: RunCache is deprecated, because its capability is now built into
squid, both 2.6+ and 3.0+.

I'm not actually at this point planning to remove it from 3.1, but it's
on the books for one of the future releases unless someone has a good
use-case for keeping it.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
   Current Beta Squid 3.1.0.7
Received on Fri Apr 17 2009 - 02:54:33 MDT
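
An added example, not part of the original thread or the Squid project: a boot-time shell fragment following the advice above, which starts Squid only when `squid -k check` reports no running instance and removes the write bits left by `chmod 777` rather than wiping the cache. The function names, the `SQUID` and `CACHE_DIR` variables and the `--boot` argument are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Assumed names: SQUID, CACHE_DIR,
# tighten_cache_perms, start_squid_once, and the --boot argument.
SQUID="${SQUID:-squid}"                            # squid binary to invoke
CACHE_DIR="${CACHE_DIR:-/usr/local/squid/cache}"   # cache path used in the thread

# Undo a blanket "chmod 777": remove group/other write from every
# world-writable entry under the cache directory (symlinks skipped).
# Prints the number of entries that were world-writable.
tighten_cache_perms() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return 0; }
    n=$(find "$dir" -perm -0002 ! -type l -print | wc -l | tr -d ' ')
    find "$dir" -perm -0002 ! -type l -exec chmod go-w {} +
    echo "$n"
}

# Start Squid exactly once. "squid -k check" exits 0 when a running
# instance is found, so a second start (which would clobber or pollute
# cache.log with failed-startup messages) is skipped.
# Prints "already-running" or "started".
start_squid_once() {
    if "$SQUID" -k check >/dev/null 2>&1; then
        echo "already-running"
        return 0
    fi
    "$SQUID" && echo "started"
}

# Intended use from /etc/rc.local or an init script: sh thisfile --boot
# No RunCache, no RunAccel, no rm -rf of the cache, no squid -z on every boot.
if [ "${1:-}" = "--boot" ]; then
    fixed=$(tighten_cache_perms "$CACHE_DIR")
    [ "$fixed" -gt 0 ] && echo "removed write bits from $fixed cache entries" >&2
    start_squid_once
fi
```

Run it as the same account that normally starts Squid, so ownership of the cache directory and cache.log does not change.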
