[squid-users] Re: squid kerberos authenticators spamming AD and locking out users

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 21 Feb 2013 23:23:32 -0000

I don't think this has to do with squid and Kerberos. This is a Windows
client only issue. Usually the user should be prompted by Windows to update
the password. If the user does not update the password the client won't get
a Kerberos ticket and will fall back to NTLM; if that also doesn't work, it
won't send anything to squid to authenticate.

Markus

"Amos Jeffries" <squid3_at_treenet.co.nz> wrote in message
news:51269973.5070302_at_treenet.co.nz...
> On 21/02/2013 7:20 p.m., Brett Lymn wrote:
>> Folks,
>>
>> I am running 4 proxy servers with squid 3.1.19 (yes, I know it is old,
>> will update soon) with kerberos authentication behind a F5 load balancer
>> for a user community of about 2000 people using Windows/I.E.. Normally,
>> this all works fine, people can surf the web and authentication happens
>> in background as it should.
>>
>> The issue we are seeing is around once per month at random one of the
>> kerberos authenticators seems to start spamming the life out of the
>> windows AD servers. The event ID we are seeing on the windows
>> servers is 0xc000006a which translates to, basically, bad password. We
>> seem to get this when a user (not always the same one) changes their
>> password. Clearly, it does not happen every time, we have a password
>> expiry policy in AD so everyone is forced to change their password
>> regularly so we would be seeing the problem a lot more frequently if it
>> happened every time a user changed their password. It seems to me that
>> there is some sort of race condition going on where, perhaps, the
>> authenticators are doing something while the password is being changed,
>> the authenticators keep using the old details. When this happens the
>> authenticator seems to spin making requests at a very rapid rate, my
>> windows admins tell me there are milliseconds between requests and it
>> fills their logs, also the user's account gets locked out due to too many
>> bad passwords.
>>
>> There is nothing in the logs indicating anything is wrong. Is this
>> fixed in a later version? If not, any ideas on how to troubleshoot?
>
> Can you please try an upgrade to Squid-3.3?
> There were a lot of things in 3.1 which could lead to this happening.
>
> Amos
>
Received on Thu Feb 21 2013 - 23:23:57 MST
