Re: [squid-users] Squid Cache Problem

2019-07-24 Thread Matus UHLAR - fantomas

On 25.07.19 00:41, Devilindisguise wrote:

> We have what is probably an easy one. Some Windows servers use a locally
> installed Squid proxy instance for all outbound traffic. These servers also
> make use of some F5 GTM (DNS) servers to provide a resilient inter-DC DNS
> topology.
>
> Essentially what should happen is under steady state conditions any DNS
> request should be given IP address a.a.a.a, then under failure be given
> b.b.b.b. The GTM DNS TTL is 30 seconds.
>
> What we’re finding is that even after 5 mins of failure any HTTP request
> from IE (configured with the Squid proxy) still targets a.a.a.a and traffic
> is dropped. During this period if we remove the Squid proxy from the IE
> settings, it works as now we target b.b.b.b.
>
> So clearly some sort of caching, possibly DNS, is being done on the Squid.


One of the main points of DNS design is to be cacheable.
That is why DNS is not suited for load balancing and failover switching.

However, you should be able to look at the content of the DNS cache in Squid
using cachemgr.cgi to see what's wrong there.

Also, you can sniff the DNS traffic to see whether only proper responses are
going to Squid.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
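An added example of the cache-manager check suggested above (it is not code from this thread or from the Squid project): fetch Squid's IP cache report, for instance with `squidclient mgr:ipcache` or the "ipcache" page of cachemgr.cgi, parse the "IP Cache Contents" table and compare every entry with what the GTM answers right now and with its 30 s record TTL. The SAMPLE_IPCACHE text is constructed to resemble that report and its exact column widths are an assumption, which is why the parser works on whitespace-separated tokens from the right rather than on fixed columns; 192.0.2.10 stands in for a.a.a.a and 198.51.100.10 for b.b.b.b.

```python
"""Inspect Squid's IP cache for entries that no longer match what DNS answers.

Added example for the squid-users thread above; it is not Squid project code.
Get the real report with `squidclient mgr:ipcache` (or the "ipcache" page in
cachemgr.cgi) and pass it to parse_ipcache(). SAMPLE_IPCACHE below is
constructed to resemble that report; the exact column widths are an
assumption, so the parser reads whitespace-separated tokens from the right.
"""
import re
from dataclasses import dataclass, field

# Constructed sample. 192.0.2.10 plays a.a.a.a (steady state), 198.51.100.10
# plays b.b.b.b (failover). app.example.test shows the symptom from the
# thread: still pointing at a.a.a.a with hours of TTL left.
SAMPLE_IPCACHE = """\
IP Cache Statistics:
IPcache Entries In Use:  3
IPcache Entries Cached:  3
IPcache Requests: 42
IPcache Hits: 39

IP Cache Contents:

 Hostname                        Flg lstref    TTL  N(b)
 app.example.test                       12  21588  1(0)     192.0.2.10-OK
 api.example.test                        3     18  1(0)     198.51.100.10-OK
 dead.example.test                N     40     20  0(0)
"""

# What the authoritative DNS (the GTM) answers right now, and its record TTL.
CURRENT_DNS = {"app.example.test": "198.51.100.10", "api.example.test": "198.51.100.10"}
GTM_TTL = 30

ADDR_RE = re.compile(r"^(?P<ip>[0-9A-Fa-f.:]+)-(?P<state>OK|BAD)$")
COUNT_RE = re.compile(r"^\d+\(\d+\)$")


@dataclass
class IpCacheEntry:
    hostname: str
    flags: str          # e.g. "N" for a negatively cached (failed) lookup
    lastref: int        # seconds since Squid last used the entry
    ttl: int            # seconds until Squid drops the entry
    addrs: list = field(default_factory=list)   # [(ip, "OK" | "BAD"), ...]


def parse_ipcache(report: str) -> list:
    """Parse the 'IP Cache Contents' table of a mgr:ipcache report."""
    entries, in_table = [], False
    for line in report.splitlines():
        if line.startswith("IP Cache Contents:"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.split()[0] == "Hostname":
            continue
        tokens = line.split()
        # Addresses sit at the end as "<ip>-OK" / "<ip>-BAD"; peel them off first.
        addrs = []
        while tokens and ADDR_RE.match(tokens[-1]):
            m = ADDR_RE.match(tokens.pop())
            addrs.insert(0, (m["ip"], m["state"]))
        # Then N(b), TTL and lstref; whatever sits between hostname and those is flags.
        if len(tokens) < 4 or not COUNT_RE.match(tokens[-1]):
            continue
        tokens.pop()
        ttl, lastref = int(tokens.pop()), int(tokens.pop())
        entries.append(IpCacheEntry(tokens[0], "".join(tokens[1:]), lastref, ttl, addrs))
    return entries


def find_stale(entries: list, current_dns: dict, dns_ttl: int) -> list:
    """Report (hostname, reason) for entries that disagree with DNS or outlive the record TTL."""
    problems = []
    for e in entries:
        want = current_dns.get(e.hostname)
        if want is None or "N" in e.flags:
            continue
        cached = [ip for ip, _ in e.addrs]
        if want not in cached:
            problems.append((e.hostname, f"Squid holds {cached}, DNS now says {want}, "
                                         f"kept for another {e.ttl}s"))
        if e.ttl > dns_ttl:
            problems.append((e.hostname, f"remaining TTL {e.ttl}s exceeds the DNS TTL of {dns_ttl}s"))
    return problems


if __name__ == "__main__":
    for host, why in find_stale(parse_ipcache(SAMPLE_IPCACHE), CURRENT_DNS, GTM_TTL):
        print(f"{host}: {why}")
```

A remaining TTL far above the 30 s the GTM publishes is the thing to look for: Squid caps positive answers with `positive_dns_ttl` (default 6 hours), and an entry sitting near that cap suggests the TTL in Squid did not come from the DNS answer at all, which is what a packet capture of the port 53 traffic to and from Squid would then confirm or rule out.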


[squid-users] Squid Cache Problem

2019-07-24 Thread Devilindisguise
Hello all

Let me preface this by stating I am far from being a Squid expert so please
bear with me.

We have what is probably an easy one. Some Windows servers use a locally
installed Squid proxy instance for all outbound traffic. These servers also
make use of some F5 GTM (DNS) servers to provide a resilient inter-DC DNS
topology.

Essentially what should happen is under steady state conditions any DNS
request should be given IP address a.a.a.a, then under failure be given
b.b.b.b. The GTM DNS TTL is 30 seconds.

What we’re finding is that even after 5 mins of failure any HTTP request
from IE (configured with the Squid proxy) still targets a.a.a.a and traffic
is dropped. During this period if we remove the Squid proxy from the IE
settings, it works as now we target b.b.b.b.

So clearly some sort of caching, possibly DNS, is being done on the Squid.

Where is a good place to start on Squid to troubleshoot this?

Thank you





Re: [squid-users] squid 4 fails to authenticate using NTLM

2019-07-24 Thread zby

Good morning (CEST).

Solved for NTLM.

I added the squid user to the group winbindd_priv as described in "man ntlm_auth".
Well, I just overlooked it.

Thanks all for reading/thinking/help.

Zbynek

-- Original e-mail --
From: z...@post.cz
To: Amos Jeffries 
Date: 23. 7. 2019 18:24:13
Subject: Re: [squid-users] squid 4 fails to authenticate using NTLM
I found one more thing in the cache.log:

Got user=[user1] domain=[DOM1] workstation=[machine1] len1=24 len2=334
Login for user [DOM1\[user1]@[machine1 failed due to [Reading winbind reply
failed!]
ntlmssp_server_auth_send: Checking NTLMSSP password for DOM1\user1 failed:
NT_STATUS_UNSUCCESSFUL
gensec_update_done: ntlmssp[0x55713e452900]: NT_STATUS_UNSUCCESSFUL
GENSEC login failed: NT_STATUS_UNSUCCESSFUL

Why failed?

/var/lib/samba:


drwxr-x---  2 root winbindd_priv   4096 Jul 23 18:09 winbindd_privileged

/var/run/samba:

drwxr-xr-x 2 root root 60 Jul 23 18:09 winbindd

If I chmod it to anything other than expected, winbindd fails to start,
complaining about an unexpected dir mode.

The dir modes remain the same as "defined" in the debian package.

ntlm_auth --username=user1 run as a regular user results in: "NT_STATUS_OK:
The operation completed successfully. (0x0)"

It should fail if not allowed to read from winbind, I suppose.

Thanks.

Zb

-- Original e-mail --
From: Amos Jeffries 
To: squid-users@lists.squid-cache.org
Date: 23. 7. 2019 11:03:37
Subject: Re: [squid-users] squid 4 fails to authenticate using NTLM
On 23/07/19 7:53 am, zby wrote:
> My problem:  my browser keeps on prompting for authentication.
> Facts:
>
> Debian 10 x86_64
> squid-4.6 + samba-4.9
> joined AD using "net ads join -U ...". OK.
> wbinfo -t : OK
> wbinfo -P or -p : OK
> wbinfo -i userXYZ : returns data (OK)
> wbinfo -g (well, fails to "deliver", too many users?)
> smbclient -U userXYZ //host/share : works, logs me in

This is irrelevant to Squid. It only tells that the user account has
filesystem access privileges. Nothing about web access privileges, or
whether the *Squid* user account has access to authenticate user logins.


>
> wbinfo -a domain\\user%pass:
> plaintext password authentication succeeded

"plaintext" means Basic authentication.

> challenge/response password authentication failed
>

Challenge/Response could mean anything auth related.


> sqadmin@host13:~$ ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> --domain=ad001
> userw01 Passwd001
> SPNEGO request [userw01 Passwd001] invalid prefix
> BH SPNEGO request invalid prefix
>

"userw01 Passwd001" is not a SPNEGO token.

see


Pass the helper the "KK" request command and the token you see in the
HTTP headers. For example:

KK TlRMTVNTUAADGAAYAIwAAABOAU4BpAoACgBYEAAQAGIa...



Amos
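An added example, not code from Samba, Squid or any of the posters, of what "the token you see in the HTTP headers" is and how it becomes the helper's YR/KK request line. It follows the MS-NLMP layout (NEGOTIATE_MESSAGE type 1, CHALLENGE_MESSAGE type 2, AUTHENTICATE_MESSAGE type 3): it builds a type 3 token for DOM1\user1 from machine1 (the names from the cache.log line above), reads back the user, domain and workstation fields the way ntlm_auth reports them, and turns a `Proxy-Authorization: NTLM <base64>` value into `YR <base64>` or `KK <base64>` for `ntlm_auth --helper-protocol=squid-2.5-ntlmssp`. The LM and NT responses in the constructed token are 24 zero bytes, a placeholder rather than a real challenge response, so the token exercises the parsing only; a plain "user password" string is rejected the same way the helper rejects it.

```python
"""Decode an NTLMSSP token from a Proxy-Authorization header and form the
request line Squid hands to `ntlm_auth --helper-protocol=squid-2.5-ntlmssp`.

Added example for the thread above; not code from Samba, Squid or the posters.
Token layout follows MS-NLMP. The LM/NT responses in the constructed type 3
token are 24 zero bytes (a placeholder, not a real challenge response).
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001   # payload strings are UTF-16LE
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
DEFAULT_FLAGS = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM


def _pack_fields(blobs: list, header_len: int) -> tuple:
    """Build the (Len, MaxLen, Offset) descriptors and the payload they point into."""
    descriptors, payload = b"", b""
    for blob in blobs:
        descriptors += struct.pack("<HHI", len(blob), len(blob), header_len + len(payload))
        payload += blob
    return descriptors, payload


def _field(token: bytes, at: int) -> bytes:
    """Follow the descriptor stored at offset `at` and return the bytes it refers to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", token, at)
    return token[offset:offset + length]


def _string_encoding(flags: int) -> str:
    # OEM mode really means the negotiated OEM code page; ASCII is a simplification here.
    return "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"


def build_negotiate(flags: int = DEFAULT_FLAGS) -> bytes:
    """Type 1: signature, type, flags, empty DomainName and Workstation fields (32-byte header)."""
    descriptors, payload = _pack_fields([b"", b""], 32)
    return NTLMSSP_SIGNATURE + struct.pack("<II", NEGOTIATE, flags) + descriptors + payload


def build_authenticate(domain: str, user: str, workstation: str,
                       lm_response: bytes, nt_response: bytes,
                       flags: int = DEFAULT_FLAGS) -> bytes:
    """Type 3 with the 64-byte header (no Version or MIC): six descriptors, then flags."""
    enc = _string_encoding(flags)
    blobs = [lm_response, nt_response, domain.encode(enc), user.encode(enc),
             workstation.encode(enc), b""]            # last one: EncryptedRandomSessionKey
    descriptors, payload = _pack_fields(blobs, 64)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE) + descriptors
            + struct.pack("<I", flags) + payload)


def message_type(token: bytes) -> int:
    if len(token) < 12 or not token.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP token (no NTLMSSP\\0 prefix)")
    return struct.unpack_from("<I", token, 8)[0]


def parse_authenticate(token: bytes) -> dict:
    """The fields ntlm_auth logs as user=[..] domain=[..] workstation=[..]."""
    if message_type(token) != AUTHENTICATE:
        raise ValueError("not an AUTHENTICATE_MESSAGE (type 3)")
    enc = _string_encoding(struct.unpack_from("<I", token, 60)[0])
    return {"lm_response": _field(token, 12), "nt_response": _field(token, 20),
            "domain": _field(token, 28).decode(enc), "user": _field(token, 36).decode(enc),
            "workstation": _field(token, 44).decode(enc)}


def encode_token(token: bytes) -> str:
    return base64.b64encode(token).decode("ascii")


def helper_request(header_value: str) -> str:
    """Map a 'Proxy-Authorization: NTLM <b64>' value to the squid-2.5-ntlmssp
    helper line: YR <b64> for the client's type 1, KK <b64> for its type 3."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError(f"unsupported scheme {scheme!r}")
    kind = message_type(base64.b64decode(b64, validate=True))
    if kind == NEGOTIATE:
        return "YR " + b64
    if kind == AUTHENTICATE:
        return "KK " + b64
    raise ValueError("type 2 is the server's challenge; it is the helper's TT reply, never its input")


if __name__ == "__main__":
    tok = build_authenticate("DOM1", "user1", "machine1", b"\x00" * 24, b"\x00" * 24)
    print(helper_request("NTLM " + encode_token(tok)))
    print(parse_authenticate(tok))
```

The helper exchange this feeds is YR (type 1 in) → TT (type 2 out), then KK (type 3 in) → AF/NA/BH; the base64 of any type 3 token starts with `TlRMTVNTUAADAAAA`, which is simply `NTLMSSP\0` followed by the little-endian type 3, so a token copied from a browser's header can be recognised at a glance before it is pasted after KK.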