[squid-users] Re: Problem with SQUID_KERB_LDAP

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 4 Feb 2010 23:35:15 -0000

Can you run squid_kerb_ldap with strace -f -F to see when the permission
deny happens? Just write a script squid_kerb_ldap_sh

#!/bin/sh
# wrapper: trace the helper (and the processes it forks) into a per-PID log
strace -f -F -o /tmp/strace.out.$$ squid_kerb_ldap "$@"

and change your config file to use that script.

 /tmp/strace.out.xxx should show where the permission deny happens.

Markus

"Ralf Fruehauf" <r.fruehwacht_at_googlemail.com> wrote in message
news:ff35590e1002040513w14aad3b2v3559e4682f6fa6a_at_mail.gmail.com...
> Hi squid users,
>
> I installed squid after this how-to guide:
>
> http://serverfault.com/questions/66556/getting-squid-to-authenticate-with-kerberos-and-windows-2008-2003-7-xp/105857#105857
> (Getting Squid to authenticate with kerberos and Windows
> 2008/2003/7/XP)
>
> Domain/Server Info:
>
> Domain Name: homebase.local
> Squid Server: squid 192.168.100.55
> windows server 2008: srv-ads-001 192.168.100.130
>
> DNS Name Resolution is working in both directions.
>
>
> If I start the squid init script, squid tries to start, but I get the
> following error message in the cache.log:
>
> 2010/02/03 19:55:25| Starting Squid Cache version 3.0.STABLE18 for
> i686-pc-linux-gnu...
> 2010/02/03 19:55:25| Process ID 2470
> 2010/02/03 19:55:25| With 1024 file descriptors available
> 2010/02/03 19:55:25| DNS Socket created at 0.0.0.0, port 54300, FD 7
> 2010/02/03 19:55:25| Adding domain homebase.local from /etc/resolv.conf
> 2010/02/03 19:55:25| Adding domain homebase.local from /etc/resolv.conf
> 2010/02/03 19:55:25| Adding nameserver 192.168.100.130 from
> /etc/resolv.conf
> 2010/02/03 19:55:25| Adding nameserver 192.168.100.1 from /etc/resolv.conf
> 2010/02/03 19:55:25| Adding nameserver 192.168.100.254 from
> /etc/resolv.conf
> 2010/02/03 19:55:25| helperOpenServers: Starting 10/10
> 'squid_kerb_auth' processes
> 2010/02/03 19:55:25| helperOpenServers: Starting 5/5 'squid_kerb_ldap'
> processes
> 2010/02/03 19:55:26| ipcCreate: /opt/squid-3.0/sbin/squid_kerb_ldap:
> (13) Permission denied
> 2010/02/03 19:55:26| ipcCreate: /opt/squid-3.0/sbin/squid_kerb_ldap:
> (13) Permission denied
> 2010/02/03 19:55:26| ipcCreate: /opt/squid-3.0/sbin/squid_kerb_ldap:
> (13) Permission denied
> 2010/02/03 19:55:26| ipcCreate: /opt/squid-3.0/sbin/squid_kerb_ldap:
> (13) Permission denied
> 2010/02/03 19:55:26| ipcCreate: /opt/squid-3.0/sbin/squid_kerb_ldap:
> (13) Permission denied
> 2010/02/03 19:55:26| Unlinkd pipe opened on FD 27
> 2010/02/03 19:55:26| Swap maxSize 102400 + 8192 KB, estimated 8507 objects
> 2010/02/03 19:55:26| Target number of buckets: 425
> 2010/02/03 19:55:26| Using 8192 Store buckets
> 2010/02/03 19:55:26| Max Mem size: 8192 KB
> 2010/02/03 19:55:26| Max Swap size: 102400 KB
> 2010/02/03 19:55:26| Rebuilding storage in /var/cache/squid-3.0 (DIRTY)
> 2010/02/03 19:55:26| Using Least Load store dir selection
> 2010/02/03 19:55:26| chdir: /opt/squid-3.0/var/cache: (2) No such file
> or directory
> 2010/02/03 19:55:26| Current Directory is /
> 2010/02/03 19:55:26| Loaded Icons.
> 2010/02/03 19:55:26| Accepting HTTP connections at 0.0.0.0, port 3128, FD
> 28.
> 2010/02/03 19:55:26| Accepting ICP messages at 0.0.0.0, port 3130, FD 29.
> 2010/02/03 19:55:26| HTCP Disabled.
> 2010/02/03 19:55:26| Ready to serve requests.
> 2010/02/03 19:55:26| WARNING: SQUID_KERB_LDAP #1 (FD 19) exited
> 2010/02/03 19:55:26| WARNING: SQUID_KERB_LDAP #2 (FD 20) exited
> 2010/02/03 19:55:26| WARNING: SQUID_KERB_LDAP #3 (FD 21) exited
> 2010/02/03 19:55:26| WARNING: SQUID_KERB_LDAP #4 (FD 22) exited
> 2010/02/03 19:55:26| Too few SQUID_KERB_LDAP processes are running
> FATAL: The SQUID_KERB_LDAP helpers are crashing too rapidly, need help!
>
> Squid Cache (Version 3.0.STABLE18): Terminated abnormally.
> CPU Usage: 0.404 seconds = 0.004 user + 0.400 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 0
> Memory usage for squid via mallinfo():
> total space in arena: 2984 KB
> Ordinary blocks: 2970 KB 3 blks
> Small blocks: 0 KB 0 blks
> Holding blocks: 1508 KB 7 blks
> Free Small blocks: 0 KB
> Free Ordinary blocks: 13 KB
> Total in use: 4478 KB 150%
> Total free: 13 KB 0%
>
> ________________________________________________________________________________________________
>
> The user squid has however rights on this folder:
>
> squid:/opt/squid-3.0/sbin# la
> insgesamt 9,2M
> drwxr-xr-x 3 squid squid 1,0K 7. Jan 21:02 .
> drwxr-xr-x 8 squid squid 1,0K 20. Jan 21:02 ..
> -rwxr-xr-x 1 squid squid 9,2M 3. Nov 23:16 squid
> -rwxr-xr-x 1 squid squid 31K 7. Jan 21:02 squid_kerb_auth
> drwxrwxrwx 5 squid squid 1,0K 3. Nov 23:56 squid_kerb_ldap
> squid:/opt/squid-3.0/sbin#
> ________________________________________________________________________________________________
>
> Here is my squid.conf:
>
> auth_param negotiate program /opt/squid-3.0/sbin/squid_kerb_auth -d -s HTTP/squid.homebase.local
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
>
> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-3.0/sbin/squid_kerb_ldap -d -g SQUID_USERS
> acl AUTHENTICATED proxy_auth REQUIRED
> acl LDAP_GROUP_CHECK external SQUID_KERB_LDAP
> acl localnet src 192.168.100.0/24 # RFC1918 possible internal network
>
> http_access allow LDAP_GROUP_CHECK
>
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
> http_access deny all
>
> icp_access allow localnet
> icp_access deny all
>
> htcp_access allow localnet
> htcp_access deny all
>
>
> http_port 3128
>
> cache_dir ufs /var/cache/squid-3.0 100 16 256
> access_log /var/log/squid-3.0/access.log squid
> cache_log /var/log/squid-3.0/cache.log
> cache_store_log /var/log/squid-3.0/store.log
>
> pid_filename /var/run/squid-3.0.pid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> cache_effective_user squid
> cache_effective_group squid
>
> ________________________________________________________________________________________________
>
>
>
> After starting the init script, I check the status immediately with htop,
> and for a short moment htop shows me the last 6 lines with:
>
> (squid_kerb_auth) -d -s HTTP/squid.homebase.local
>
> What do I have to do to solve the problem?
>
> Thanks for any ideas.
>
> Bye,
>
> Rainer
>
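As an added example (not part of either post on the thread), the strace wrapper Markus describes, extended with a preflight check that explains an exec failure before Squid reports it as "ipcCreate: ... (13) Permission denied" and goes into the "helpers are crashing too rapidly" loop. It assumes strace is installed, that the helper path is passed as the first argument, and that the script is run as the cache_effective_user (for example via `su -s /bin/sh squid -c '...'`), since the `-x` test reflects the permissions of whoever runs it. The `demo` function builds constructed paths under mktemp (a directory named like the helper and a real executable) rather than touching any installed helper.

```shell
#!/bin/sh
# Added example: diagnose why execve() of a Squid helper fails, then run it
# under strace the way the list reply suggests. Not code from the thread.

# check_helper PATH
# Prints one diagnosis line ("<reason>: ...") and returns 0 only when PATH is
# something execve() can run: a regular file with execute permission.
check_helper() {
    helper=$1
    if [ ! -e "$helper" ]; then
        echo "missing: $helper does not exist (exec would fail with ENOENT)"
        return 1
    fi
    if [ -d "$helper" ]; then
        # A directory at the helper path yields EACCES, which Squid logs as
        # "(13) Permission denied" even though the mode bits look generous.
        echo "directory: $helper is a directory, not a program (exec fails with EACCES)"
        return 1
    fi
    if [ ! -f "$helper" ]; then
        echo "not-regular: $helper is not a regular file"
        return 1
    fi
    if [ ! -x "$helper" ]; then
        echo "not-executable: $helper lacks execute permission for $(id -un)"
        return 1
    fi
    echo "ok: $helper is a regular executable file"
    return 0
}

# trace_helper PATH [ARGS...]
# The wrapper from the reply: -f follows the helper's child processes, -o
# writes a separate log per wrapper PID so several helpers do not interleave.
# Point auth_param / external_acl_type at this script instead of the helper.
trace_helper() {
    helper=$1
    shift
    check_helper "$helper" >&2 || return 1
    exec strace -f -o "/tmp/strace.out.$$" "$helper" "$@"
}

# demo: exercise check_helper on constructed paths in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/squid_kerb_ldap"                   # directory, like the sbin listing
    printf '#!/bin/sh\nexit 0\n' > "$tmp/squid_kerb_auth"
    chmod 755 "$tmp/squid_kerb_auth"               # a real executable helper
    check_helper "$tmp/squid_kerb_ldap" || true
    check_helper "$tmp/squid_kerb_auth" || true
    check_helper "$tmp/does_not_exist" || true
    rm -rf "$tmp"
}

# Run "sh this_script.sh demo" to see the three diagnoses; otherwise the file
# only defines the functions so it can be sourced by a helper wrapper.
case "${1:-}" in
    demo) demo ;;
esac
```

In the thread's listing, `squid_kerb_ldap` in `/opt/squid-3.0/sbin` is shown with a leading `d` (a directory), which is exactly the case the second check reports; the script lets you confirm that as the squid user before reading a strace log.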
Received on Thu Feb 04 2010 - 23:35:50 MST

This archive was generated by hypermail 2.2.0 : Fri Feb 05 2010 - 12:00:04 MST