RE: [squid-users] winbind directories permissions issue

2008-12-08 Thread vincent.blondel
 Hello all,

 I really get a strange (maybe not?) problem. I have Squid 2.7.4
 running on Solaris 8 with Samba 3.0.32. My clients are essentially
 running Windows XP SP2 with IE6.

 The authentication scheme is exclusively based on NTLM, which is the
 reason why winbindd is also running; smbd and nmbd are not running
 because I think they are not needed.

 This is all working fine, but I randomly get thousands of lines
 appearing in the cache.log file. See below what I get.

 [2008/12/04 10:10:57, 0] utils/ntlm_auth.c:winbind_pw_check(515)
   Login for user [EMAIL PROTECTED] failed due to [winbind client
   not authorized to use winbindd_pam_auth_crap. Ensure permissions on
   /var/lib/samba/winbindd_privileged are set correctly.]

 The squid process is running as user squid and group squidg, so AFAIK
 the permissions below are correct:

 342924     1 drwxr-x---   5 root squidg       512 Dec  4 03:36 /var/lib/samba
 354946     1 drwxr-x---   4 root squidg       512 Nov 18 01:34 /var/lib/samba/locks
 360979     1 drwxr-x---   2 root squidg       512 Nov 18 01:34 /var/lib/samba/locks/printing
 366989     1 drwxr-x---   2 root squidg       512 Nov 18 01:34 /var/lib/samba/locks/winbindd_privileged
 342930     8 -rw-r-----   1 root squidg      8192 Dec  4 03:37 /var/lib/samba/gencache.tdb
 342932     1 -rw-r-----   1 root squidg       696 Nov 18 01:34 /var/lib/samba/idmap_cache.tdb
 342933     1 -rw-r-----   1 root squidg       696 Dec  3 17:35 /var/lib/samba/messages.tdb
 342935    56 -rw-------   1 root root       57344 Dec  3 17:36 /var/lib/samba/winbindd_cache.tdb
 342936 29752 -rw-r-----   1 root squidg  30441472 Dec  4 09:58 /var/lib/samba/netsamlogon_cache.tdb
 138380     1 drwxr-x---   2 root squidg       512 Dec  3 17:35 /var/lib/samba/winbindd_privileged
 138381     0 srwxrwxrwx   1 root root           0 Dec  3 17:35 /var/lib/samba/winbindd_privileged/pipe
 222599     1 drwxr-x---   2 root squidg       512 Dec  4 03:36 /var/lib/samba/smb_krb5
 342937     1 -rw-r--r--   1 root root         268 Dec  4 03:36 /var/lib/samba/smb_krb5/krb5.conf.EUROPE

 I have not found any explanation so far, except re-applying the same
 security settings on the directories and reloading the squid process.

 We have been running squid for more than 3 years and never had this
 problem before.

 Can somebody really help me? Each time we encounter this issue
 hundreds of my users are impacted.

 many thanks for your help.
 Please first ensure that you DO NOT have cache_effective_group
 configured in your squid.conf.
 All squid group settings under this setup need to be OS-defined
 correctly and working properly that way.

 Yes, sure, I have 'cache_effective_user squid' and 'cache_effective_group
 squidg' configured in the squid config file ... this was always so.

 Is there a specific issue with it?

The squid.conf configured group forces an override of any OS settings
from squid's point of view, particularly to the effect of erasing
membership of secondary groups and group aliases. Winbind only obeys and
verifies against the OS settings, so there is a high likelihood that your
issue is a mismatch between the privileges seen by squid with the group
configured and the system settings.

effective_group may have been needed in 2.5 and earlier, before we
sorted out the winbind privileges system. But it has really been obsolete
since group membership was fixed in Squid-2.6.


Amos,

many thanks for your help. I made the change yesterday morning and it
seems to be okay till now.

I will keep you informed later if this stays as is.

I am back. Sorry, but the problem is happening again. Do you have some
other ideas? This is becoming a really big issue here. Thanks.


Amos
--
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1




[squid-users] SQUID and Checkpoint UTM problem

2008-12-08 Thread Jérôme Sitz
Dear Support Team,

I have a Checkpoint Firewall UTM 270 with a Web
Filtering function. I have a LAN, DMZ and WAN. In my DMZ I have a SQUID
Proxy Server (Squid 2.6 delivered with CentOS 5.2) with Dansguardian (Web
Filtering and user group based filtering program) installed. Before, I had
a Juniper Firewall without a Web Filtering function with the same Proxy
Server config. My problem is that now with Checkpoint I must add the IP
address of my firewall in the ACLs of the proxy server to access the
internet, and in my log files I can only see the firewall's IP address and
not my users' IP addresses. I did monitoring with Squid. Can someone help
me? Thanks.

PS:
I bought this firewall because my reseller told me that this firewall
has a proxy function with Active Directory connection and user group
based web filtering. Now that I have this firewall I see that it does
neither AD connection nor user group based web filtering. I hoped to
remove the Proxy Server and now I must keep it.

Kind regards


Re: [squid-users] NTLM Auth for workstation not users

2008-12-08 Thread Razvan Grigore
Thank you Rolf. I did the same thing: reverse lookup for the hostname.
This setup needs a working samba package (already working if using NTLM Auth).

 You appear not to understand the real concepts behind authentication and
 authorization

Amos, I think you didn't get what I mean, because I managed to make it work.
I attached the Perl script. Actually it's very fast. I also included a
timeout alarm of 1 sec for nmblookup.

My relevant squid.conf part:

-

external_acl_type host_ad_group children=3 ttl=60 %SRC
/usr/lib/squid/hostname.pl

acl internet_users external ad_group o-ro-cod-internet
acl internet_hosts external host_ad_group o-ro-cod-internet

http_access deny !authenticated all

http_access deny !internet_users !internet_hosts all

http_access allow authenticated

-

This way, i only allow authenticated users, but to access the internet
they need either to be member of the internet group, or their
workstation to be included in the internet group. This was needed
because we have a computer / office dedicated for internet access, and
everybody can use it.

Hope it helps somebody, and maybe it will be included in future releases.

On Fri, Dec 5, 2008 at 3:56 AM, Rolf Loudon [EMAIL PROTECTED] wrote:
 Hello

 We do authentication by user and by workstation.  Our business rules dictate
 a scenario like yours, where certain users get access, excepting certain
 workstations where any user is able to gain access, and several variations.

 In Active Directory we have user groups and workstation groups. We keep them
 in separate groups as mixing types of objects in the one group is apparently
 not recommended.

 For user auth its the usual helper setup querying AD via an LDAP look up
 supplying user/pass and group membership.

 For workstation auth we wrote a simple short shell script that takes %SRC as
 an input and then uses dig to work out the name via a reverse lookup (the
 script actually does a bit more checking in case multiple answers are
 returned and having to determine - by a forward lookup - which name is the
 correct one for the address supplied).

 The output of that script produces a computer name which we use as the input
 to squid_ldap_group along with the name of the relevant workstation group.
  The output of that helper query then tells us whether the computer is in a
 certain group and thus we can accept/deny or combine with other values such
 as a user's membership of some other group and so on.

 Works fine with the notable requirement that dns lookups must be current and
 in-addr.arpa zones are setup and consistent.

 regards

 r.






 Razvan Grigore wrote:

 What you are looking for is winbind helper. It runs as an external ACL.
 Any other approach will also need to run an external ACL, so the answer
 to your second question is yes and the example is winbind.


 The winbind helper is declared like this:
 external_acl_type ad_group children=3 ttl=120 %LOGIN
 /usr/lib/squid/wbinfo_group.pl
 I pass to it only the username. What I want is to allow ANY username
 (even if it's not a member of the Internet AD group) who is logged on a
 computer that is a member of this Internet group. I guess I have to pass
 the %SRC variable to an external helper and use nmblookup to get the
 computer name, and then I'm stuck.
 Any ideas?
 Razvan

 You appear not to understand the real concepts behind authentication and
 authorization

 You can authenticate a username/password pair, regardless of location.
 (standard login)

 THEN you can use the username/password to retrieve and verify a particular
 group for the username/password  (winbind group external ACL).

 THEN you can also verify a location with one of the username/password or
 username/password/group tuples.

 You cannot use AD _user_ groups to assign a group membership to a
 _location_ while ignoring username.


 For the setup you are now describing the secure way to do it is to ignore
 username completely and use the location (source IP) in an ACL. As has been
 mentioned several times already.

 In _addition_ to that, you can force users to login correctly (anyone
 with a valid username/password pair) before the external ACL gets run. But
 even then the external ACL MUST ignore the login details it gets.

 Amos
 --
 Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1


#!/usr/bin/perl
#
# external_acl helper for Squid to verify NT Domain group
# membership of a computername using his IP address
#
# Author:
#   Razvan Grigore [EMAIL PROTECTED]
#
# Version history:
#   2008-12-05 Razvan Grigore [EMAIL PROTECTED]
#   Initial release

# Disable output buffering
$|=1;

#
# Find out IP's hostname
#
sub getname {
    my ($ip) = @_;
    # nmblookup may hang on an unresponsive host: abort after 1 second
    $SIG{ALRM} = sub { die(); };
    eval {
        $hostname = "";
        alarm 1;
        $hostname = `/usr/bin/nmblookup 
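The workstation-group check described in this message and in Rolf's reply, written out as an added example (this is neither the attached Perl script nor Squid project code): a Squid external_acl helper in Python that takes %SRC, reverse-resolves it, confirms the candidate name with a forward lookup, and answers OK or ERR against a workstation group. The DNS records, the group membership table, the host names and the 10.1.2.x addresses are constructed so it runs offline; the `--live` switch, and the idea of replacing the membership table with a wbinfo or LDAP lookup, are assumptions of this example.

```python
#!/usr/bin/env python3
# Added example, not the poster's helper: Squid external_acl helper that
# decides on the client's workstation (from %SRC), ignoring the login.
# DNS and group data below are constructed tables (assumptions) so the
# script runs offline; pass --live to use the system resolver instead.
import ipaddress
import socket
import sys
import urllib.parse

# Constructed sample DNS data (assumption, not from the thread).
PTR_RECORDS = {
    "10.1.2.50": ["INETPC01.example.local"],
    # two PTR answers; only one forward-resolves back to the address
    "10.1.2.51": ["oldname.example.local", "LABPC07.example.local"],
    "10.1.2.52": ["ghost.example.local"],          # no matching A record
}
A_RECORDS = {
    "inetpc01.example.local": "10.1.2.50",
    "labpc07.example.local": "10.1.2.51",
    "oldname.example.local": "10.9.9.9",
}
# Constructed stand-in for the AD workstation group (assumption); in
# production this would be a wbinfo or LDAP group lookup.
WORKSTATION_GROUPS = {"o-ro-cod-internet": {"INETPC01", "LABPC07"}}


def table_ptr(ip):
    return PTR_RECORDS.get(ip, [])


def table_a(name):
    return A_RECORDS.get(name.lower())


def live_ptr(ip):
    """Reverse lookup with the system resolver (not used offline)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []


def live_a(name):
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def workstation_name(ip, ptr=table_ptr, a=table_a):
    """Map an IP to a short, upper-cased computer name, or None.
    As Rolf's script does, several PTR answers are disambiguated with a
    forward lookup: a name only counts if its A record points back at ip."""
    for candidate in ptr(ip):
        if a(candidate) == ip:
            return candidate.split(".")[0].upper()
    return None


def in_group(name, group, groups=WORKSTATION_GROUPS):
    return name is not None and name in groups.get(group, set())


def handle_request(line, ptr=table_ptr, a=table_a, groups=WORKSTATION_GROUPS):
    """One helper request. With 'external_acl_type ... %SRC' and
    'acl X external host_ad_group GROUP', Squid sends '<src> GROUP' per
    line, tokens URL-escaped (no concurrency= channel id is assumed).
    Anything beyond those two tokens, e.g. a login name, is ignored on
    purpose: the decision is about the location only."""
    tokens = [urllib.parse.unquote(t) for t in line.split()]
    if len(tokens) < 2:
        return "ERR"
    src, group = tokens[0], tokens[1]
    try:
        ip = str(ipaddress.ip_address(src))
    except ValueError:
        return "ERR"
    return "OK" if in_group(workstation_name(ip, ptr, a), group, groups) else "ERR"


def main():
    # Squid reads one reply per request line; replies must not be buffered.
    sys.stdout.reconfigure(line_buffering=True)
    live = "--live" in sys.argv[1:]
    ptr, a = (live_ptr, live_a) if live else (table_ptr, table_a)
    for line in sys.stdin:
        print(handle_request(line, ptr, a))


if __name__ == "__main__":
    main()
```

Declared the same way as the poster's helper (`external_acl_type host_ad_group children=3 ttl=60 %SRC /path/to/helper.py --live`), it answers ERR for an address with no PTR, with a PTR whose forward lookup does not agree, or with a name outside the group, which is the consistency requirement Rolf's reply puts on the in-addr.arpa zones.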

Re: [squid-users] Fwd: website problem via squid

2008-12-08 Thread Joe Pukepail
On Sun, Dec 7, 2008 at 5:22 AM, Henrik Nordstrom
[EMAIL PROTECTED] wrote:
 mån 2008-11-24 klockan 17:46 -0600 skrev Joe Pukepail:
 Hello,
 I'm having problems with  www.morgankeegan.com especially this page
 http://www.morgankeegan.com/ECM/ECMHome.htm when accessed through
 squid.  When we attempt to view this site it does not finish rendering
 (we are using IE, have tested it with 6.0 and 7.0).  I have checked to
 see if there was any Java trying to connect directly, have set up
 a test system with a bare config (normally we use NTLM) and have not
 been able to find out what is different about this site.

 Sounds like the site is behind a broken firewall crashing TCP Window
 Scaling.

 http://wiki.squid-cache.org/KnowledgeBase/BrokenWindowSize

That was exactly what it was, changed that on our server and
everything is good now, Thanks!


Re: [squid-users] why http code status is 0 when tcp_hit:none ?

2008-12-08 Thread Henrik Nordstrom
mån 2008-12-08 klockan 09:28 +0800 skrev William Hanwoody:

 I have observed squid logs at that time.
 When this happened, the response time of squid is often more than 30 seconds,
 and no other urls are abnormal.

Are you using any of the following features in squid.conf?

external_acl_type
acl type dst
acl type ident
http_reply_access
url_rewrite_program / redirector_program
auth_param
collapsed_forwarding

 and I often find abnormal  output of squidclient:
 Memory usage for squid via mallinfo():
 Total space in arena: -1980532 KB
 here, memory size always is negative value? int overflow?

That's normal. Linux glibc mallinfo() is broken for processes larger
than 2GB.

Regards
Henrik



[squid-users] redirect large files via second provider

2008-12-08 Thread mvard
My squid box has 2 internet providers.
How can it be configured to proxy large file downloads via a particular provider?

couldn't find anywhere :(
thanks in advance.





Re: [squid-users] redirect large files via second provider

2008-12-08 Thread Matus UHLAR - fantomas
On 08.12.08 07:30, mvard wrote:
 my squid box has 2 internet providers.
 how can it be configured to proxy large file downloads via concrete
 provider?

very, very hard. Squid does not know the size of object before it fetches
it. Sometimes it CAN send HEAD request prior to GET request, and sometimes
it gets the size in the reply, but that's not always, and sending HEAD prior
to each GET would slow down fetching each object very much.
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Despite the cost of living, have you noticed how popular it remains? 


[squid-users] Multiple Subnets

2008-12-08 Thread Nick Sintros
Hello,

We have been using DansGuardian web filtering software with Squid 2.x
on an Ubuntu server as a transparent proxy for our school district's
WAN gateway for a few years now with no problems. We have also used
Squid3 on another server with no issues.

We are now replacing the gateway server with a new Ubuntu (8.04) box,
with Squid 3.0.STABLE1, and the latest version of DansGuardian. It is
setup almost identically to the previous server, and it works ok when
put in place of that old server, with one major problem - it only
works for hosts on the subnet it's in. All of our other subnets in our
WAN cannot access the web at all.

When a host from one of our other subnets tries to view a web
page, the DansGuardian log shows something like:

IP_OF_HOST http://www.foo.com/ *EXCEPTION* Exception site match. GET
5733 0  1 200 -   -

Then the DansGuardian passes the request to Squid, and we get this:

127.0.0.1 TCP_MISS/301 531 GET http://www.foo.com/ - NONE/- text/html

then nothing else. No more Squid log entries for that request, and the
host just times out.

We don't know for sure this is a Squid issue, and not a DansGuardian
issue, but it looks like it. We've also done several searches for
subnet-related Squid issues, and have not been able to find anything
yet. We are assuming it is not an ACL issue, since all requests
originate from 127.0.0.1, but we have tried opening those up wide
also, to no effect. And again, for the subnet the server is on, it
works great, and the old 2.x squid server worked fine for all
subnets.

Are we missing something silly and obvious? Any suggestions?


[squid-users] Problem with Squid 3 and secure web sites

2008-12-08 Thread Sean Eckton
We are currently using Squid 3 3.0.STABLE9-6.1 on SuSE Linux
Enterprise Server 10 SP1 (latest version I could find built on
opensuse.org for SLES).  The problem we're having is that some web
sites either don't work or are so slow they're unusable.  One web site
we're accessing has a web page that never seems to load.  I can hit
stop in IE and the web page comes up but isn't complete.  If we bypass
the proxy the web pages come up in less than a second.  Through the
proxy we finally hit the stop button in IE after waiting more than 30
seconds.

We see the following in the access log:

08/Dec/2008:08:27:58   5451 ip addr deleted TCP_MISS/200 4514
CONNECT web site deleted:443 user deleted DIRECT/ip deleted -

We are using identd on workstations for user identification.

Has anyone seen this kind of thing happen?  It doesn't happen to all web sites.


[squid-users] snmpwalk issue squid 2.5

2008-12-08 Thread Ausmus, Matt
First off , I'm posting this question here because it appears the SNMP mailing 
list is now defunct.  If this is the wrong list to post this please let me know 
and I'll repost it in the correct one.

First I'm running squid with snmp enabled on Centos 4.7.  the version of squid 
is the most recent offered for 4.7:  squid-2.5.STABLE14-4.el4.  this is my 
entire snmp configuration (with names and variables changed to protect the 
innocent ;-))
   acl chapmansnmp snmp_community publ!c
   snmp_port 3401
   snmp_access deny chapmansnmp  !chapman1
We are using Rapid7's NeXpose software for vulnerability testing.  What was 
discovered is that an snmpwalk done with anything used as the snmp community 
string and squid responds back.  I've also seen the same results from a Nessus 
scan (I believe Rapid7 software is based on Nessus but thought I'd try it 
anyway.  I've also seen similar results posted on the Internet).  I've tried 
modifying my community string to see if the special characters are causing the 
issue but that didn't fix it.  Here is an example of an snmpwalk done on one of 
our proxy servers:

(Note that the community string given is public.  That was not a valid 
community string on the box.  I tried all kinds of things and everything worked.)

C:\Documents and Settings\mferguson>snmpwalk -c public -v 2c 10.160.57.34:3401 .1.3
SNMPv2-SMI::enterprises.3495.1.1.1.0 = INTEGER: 100
SNMPv2-SMI::enterprises.3495.1.1.2.0 = INTEGER: 4856
SNMPv2-SMI::enterprises.3495.1.1.3.0 = Timeticks: (1750887) 4:51:48.87
SNMPv2-SMI::enterprises.3495.1.2.1.0 = STRING: root
SNMPv2-SMI::enterprises.3495.1.2.2.0 = STRING: squid
SNMPv2-SMI::enterprises.3495.1.2.3.0 = STRING: 2.5.STABLE14
SNMPv2-SMI::enterprises.3495.1.2.4.0 = STRING: ALL,1
SNMPv2-SMI::enterprises.3495.1.2.5.1.0 = INTEGER: 8
SNMPv2-SMI::enterprises.3495.1.2.5.2.0 = INTEGER: 100
SNMPv2-SMI::enterprises.3495.1.2.5.3.0 = INTEGER: 95
SNMPv2-SMI::enterprises.3495.1.2.5.4.0 = INTEGER: 90
SNMPv2-SMI::enterprises.3495.1.3.1.1.0 = Counter32: 0
SNMPv2-SMI::enterprises.3495.1.3.1.2.0 = Counter32: 0
SNMPv2-SMI::enterprises.3495.1.3.1.3.0 = INTEGER: 136
SNMPv2-SMI::enterprises.3495.1.3.1.4.0 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.1.5.0 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.1.6.0 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.1.7.0 = Gauge32: 43
SNMPv2-SMI::enterprises.3495.1.3.1.8.0 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::enterprises.3495.1.3.1.9.0 = Counter32: 0
SNMPv2-SMI::enterprises.3495.1.3.1.10.0 = Gauge32: 1015
SNMPv2-SMI::enterprises.3495.1.3.1.11.0 = Gauge32: 100
SNMPv2-SMI::enterprises.3495.1.3.2.1.1.0 = Counter32: 0
SNMPv2-SMI::enterprises.3495.1.3.2.1.2.0 = Counter32: 0
SNMPv2-SMI::enterprises.3495.1.3.2.1.3.0 = Counter32: 0
SNMPv2-SMI::enterprises.3495.1.3.2.1.4.0 = Counter32: 0
SNMPv2-SMI::enterprises.3495.1.3.2.1.5.0 = Counter32: 0
SNMPv2-SMI::enterprises.3495.1.3.2.1.6.0 = Counter32: 0
SNMPv2-SMI::enterprises.3495.1.3.2.1.7.0 = Counter32: 0
SNMPv2-SMI::enterprises.3495.1.3.2.1.8.0 = Counter32: 0
SNMPv2-SMI::enterprises.3495.1.3.2.1.9.0 = Counter32: 0
SNMPv2-SMI::enterprises.3495.1.3.2.1.10.0 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.1.11.0 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.1.12.0 = Counter32: 0
SNMPv2-SMI::enterprises.3495.1.3.2.1.13.0 = Counter32: 0
SNMPv2-SMI::enterprises.3495.1.3.2.1.14.0 = Gauge32: 4856
SNMPv2-SMI::enterprises.3495.1.3.2.1.15.0 = Gauge32: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.1.1 = INTEGER: 1
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.1.5 = INTEGER: 5
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.1.60 = INTEGER: 60
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.2.1 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.2.5 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.2.60 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.3.1 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.3.5 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.3.60 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.4.1 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.4.5 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.4.60 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.5.1 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.5.5 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.5.60 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.6.1 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.6.5 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.6.60 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.7.1 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.7.5 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.7.60 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.8.1 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.8.5 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.8.60 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.9.1 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.9.5 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.9.60 = INTEGER: 0
SNMPv2-SMI::enterprises.3495.1.3.2.2.1.10.1 = 

[squid-users] WCCP2 service info

2008-12-08 Thread kgardenia42
Hi,

When defining a wccp2 dynamic service group it seems that it only
allows for a finite list of up to 8 ports which should be redirected
to the squid box.  In my case I don't want to statically list the
ports to be redirected in the squid config and 8 is too few.

Is there any way, whether in wccp2 config or router config, that I can
say just redirect all ports to the squid box?

Thanks.


Re: [squid-users] redirect large files via second provider

2008-12-08 Thread Henrik Nordstrom
mån 2008-12-08 klockan 07:30 -0800 skrev mvard:
 my squid box has 2 internet providers.
 how can it be configured to proxy large file downloads via concrete provider?

It's not possible to do it 100% right, but you can make very good
approximations.

Basically it boils down to using URL patterns to guess if a request is a
download or not, and then routing the request appropriately, using either
cache peers or tcp_outgoing_address to select the ISP to use.

use of tcp_outgoing_address requires a good understanding of how to
operate multihomed hosts.

Regards
Henrik



Re: [squid-users] Problem with Squid 3 and secure web sites

2008-12-08 Thread Henrik Nordstrom
mån 2008-12-08 klockan 08:33 -0800 skrev Sean Eckton:
 We are currently using Squid 3 3.0.STABLE9-6.1 on SuSE Linux
 Enterprise Server 10 SP1 (latest version I could find built on
 opensuse.org for SLES).  The problem we're having is that some web
 sites either don't work or are so slow they're unusable.  One web site
 we're accessing has a web page that never seems to load.

This is usually a window scaling issue. Many sites are still behind
broken firewalls which can't deal properly with TCP window scaling. TCP
Window Scaling was declared an official TCP/IP standard in 1992, and a
proposed standard some years earlier. But as the most common desktop
OSes have not been using TCP Window Scaling, many vendors ignored the
issue... but the Linux kernel people have chosen not to ignore the
problem, and make it visible by not aggressively working around
brokenness.

http://wiki.squid-cache.org/KnowledgeBase/BrokenWindowSize


Regards
Henrik



Re: [squid-users] Multiple Subnets

2008-12-08 Thread Nick Sintros
If we are using iptables
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT
--to-port 8080

would that cause it to appear as a redirect? Or the fact that the
traffic is going through dansguardian first?

I do think that maybe I have narrowed the problem down to an iptables
issue. If I do iptables -v -t nat -L it shows no packets being
filtered, even if I set a browser on one of the remote subnets to have
the squid's ip and port 80.

Here is a little bit more info about the setup.
squid listening on port 3128
dansguardian listening on port 8080 communicating to squid at
127.0.0.1 port 3128
iptables taking port 80 traffic and sending it to port 8080(where the
dansguardian gets it obviously). Pretty standard dansguardian/squid
transparent proxy setup I think. And it works fine on the subnet local
to the dansguardian/squid.

Thanks

On Mon, Dec 8, 2008 at 3:56 PM, Henrik Nordstrom
[EMAIL PROTECTED] wrote:
 mån 2008-12-08 klockan 11:08 -0500 skrev Nick Sintros:
 127.0.0.1 TCP_MISS/301 531 GET http://www.foo.com/ - NONE/- text/html


 301 is a redirect..

 are you using an url rewriter helper as well? (url_rewrite_program /
 redirect_program)

 Regards
 Henrik




Re: [squid-users] snmpwalk issue squid 2.5

2008-12-08 Thread Chris Robertson

Ausmus, Matt wrote:

First off , I'm posting this question here because it appears the SNMP mailing 
list is now defunct.  If this is the wrong list to post this please let me know 
and I'll repost it in the correct one.

First I'm running squid with snmp enabled on Centos 4.7.  the version of squid 
is the most recent offered for 4.7:  squid-2.5.STABLE14-4.el4.  this is my 
entire snmp configuration (with names and variables changed to protect the 
innocent ;-))
   acl chapmansnmp snmp_community publ!c
   snmp_port 3401
   snmp_access deny chapmansnmp  !chapman1


So what does the chapman1 acl look like?
You have an snmp_access deny line, but no allow line?  I've always seen 
an explicit "snmp_access allow ..." followed by "snmp_access deny all".  Is 
there a reason you are taking a different route?


We are using Rapid7's NeXpose software for vulnerability testing.  What was 
discovered is that an snmpwalk done with anything used as the snmp community 
string and squid responds back.  I've also seen the same results from a Nessus 
scan (I believe Rapid7 software is based on Nessus but thought I'd try it 
anyway.  I've also seen similar results posted on the Internet).  I've tried 
modifying my community string to see if the special characters are causing the 
issue but that didn't fix it.  Here is an example of an snmpwalk done on one of 
our proxy servers:


(Note that the community string given is public.  That was not a valid 
community string on the box.  I tried all kinds of things and everything worked.)

C:\Documents and Settings\mferguson>snmpwalk -c public -v 2c 10.160.57.34:3401 .1.3


SNMP walk results omitted.

Any idea of a work around or a fix?  Is this something that has been fixed in a 
later version or is it scheduled to be fixed?

Thanks for your time.

Matt Ausmus
Network Administrator
Chapman University
635 West Palm Street
Orange, CA  92868
(714)628-2738
[EMAIL PROTECTED]

Man will occasionally stumble over the truth, but most of the time he will pick 
himself up and continue on.
- Churchill's Commentary on Man




RE: [squid-users] winbind directories permissions issue

2008-12-08 Thread Amos Jeffries
 Hello all,

 I really get a strange (maybe not?) problem. I have Squid 2.7.4
 running on Solaris 8 with Samba 3.0.32. My clients are essentially
 running Windows XP SP2 with IE6.

 The authentication scheme is exclusively based on NTLM, which is the
 reason why winbindd is also running; smbd and nmbd are not running
 because I think they are not needed.

 This is all working fine, but I randomly get thousands of lines
 appearing in the cache.log file. See below what I get.

 [2008/12/04 10:10:57, 0] utils/ntlm_auth.c:winbind_pw_check(515)
   Login for user [EMAIL PROTECTED] failed due to [winbind client
   not authorized to use winbindd_pam_auth_crap. Ensure permissions on
   /var/lib/samba/winbindd_privileged are set correctly.]

 The squid process is running as user squid and group squidg, so AFAIK
 the permissions below are correct:

 342924     1 drwxr-x---   5 root squidg       512 Dec  4 03:36 /var/lib/samba
 354946     1 drwxr-x---   4 root squidg       512 Nov 18 01:34 /var/lib/samba/locks
 360979     1 drwxr-x---   2 root squidg       512 Nov 18 01:34 /var/lib/samba/locks/printing
 366989     1 drwxr-x---   2 root squidg       512 Nov 18 01:34 /var/lib/samba/locks/winbindd_privileged
 342930     8 -rw-r-----   1 root squidg      8192 Dec  4 03:37 /var/lib/samba/gencache.tdb
 342932     1 -rw-r-----   1 root squidg       696 Nov 18 01:34 /var/lib/samba/idmap_cache.tdb
 342933     1 -rw-r-----   1 root squidg       696 Dec  3 17:35 /var/lib/samba/messages.tdb
 342935    56 -rw-------   1 root root       57344 Dec  3 17:36 /var/lib/samba/winbindd_cache.tdb
 342936 29752 -rw-r-----   1 root squidg  30441472 Dec  4 09:58 /var/lib/samba/netsamlogon_cache.tdb
 138380     1 drwxr-x---   2 root squidg       512 Dec  3 17:35 /var/lib/samba/winbindd_privileged
 138381     0 srwxrwxrwx   1 root root           0 Dec  3 17:35 /var/lib/samba/winbindd_privileged/pipe
 222599     1 drwxr-x---   2 root squidg       512 Dec  4 03:36 /var/lib/samba/smb_krb5
 342937     1 -rw-r--r--   1 root root         268 Dec  4 03:36 /var/lib/samba/smb_krb5/krb5.conf.EUROPE

 I have not found any explanation so far, except re-applying the same
 security settings on the directories and reloading the squid process.

 We have been running squid for more than 3 years and never had this
 problem before.

 Can somebody really help me? Each time we encounter this issue
 hundreds of my users are impacted.

 many thanks for your help.
 Please first ensure that you DO NOT have cache_effective_group
 configured in your squid.conf.
 All squid group settings under this setup need to be OS-defined
 correctly and working properly that way.

 Yes, sure, I have 'cache_effective_user squid' and 'cache_effective_group
 squidg' configured in the squid config file ... this was always so.

 Is there a specific issue with it?

The squid.conf configured group forces an override of any OS settings
from squid's point of view, particularly to the effect of erasing
membership of secondary groups and group aliases. Winbind only obeys and
verifies against the OS settings, so there is a high likelihood that your
issue is a mismatch between the privileges seen by squid with the group
configured and the system settings.

effective_group may have been needed in 2.5 and earlier, before we
sorted out the winbind privileges system. But it has really been obsolete
since group membership was fixed in Squid-2.6.


Amos,

many thanks for your help. I made the change yesterday morning and it
seems to be okay till now.

I will keep you informed later if this stays as is.

 I am back. Sorry, but the problem is happening again. Do you have some
 other ideas? This is becoming a really big issue here. Thanks.


Sorry, I haven't had much more to do with winbind than what we have
already tried. You are the first I've seen where these fixes have not worked.

Can you get a full ls -la trace of the directory content and permissions
at a time where it's working, and one where its not? Also a list of the
squid user name and the groups names it belongs to.

This will be needed by anyone who may be more able to help.


Amos



Re: [squid-users] SQUID and Checkpoint UTM problem

2008-12-08 Thread Amos Jeffries
 Dear Support Team,

 I have a Checkpoint Firewall UTM 270 with Web
 Filtering function. I have a LAN, DMZ and WAN. In my DMZ I have a SQUID
 Proxy Server (Squid 2.6 delivered with CentOS 5.2) with Dansguardian (Web
 Filtering and user group based
 filtering program) installed. Before I had a Juniper Firewall without
 Web Filtering function with the same Proxy Server config. My problem is
 that now with Checkpoint I must add the IP address of my firewall in
 the ACL's of the proxy server to accessed the internet and in my log
 files I only can see the firewall's IP address and not my users IP
 address. I did monitoring with Squid. Can someone help me? Thanks.

You need to do Policy Routing or WCCP from the firewall to the proxy. It
sounds exactly like the firewall is performing NAT, which destroys the
client IP info you need to monitor.

http://wiki.squid-cache.org/ConfigExamples/Intercept/


 PS:
 I did buy this firewall because my reseller told me that this firewall
 have proxy function with Active Directory connection and user group
 based web filtering. Now that I had this firewall I see that it didn't
 make AD connection neighter user group based web filtering. I hoped to
 remove the Proxy Server and now I must keept it.

Sold under a false premise; you should get your money back from them or a
replacement that works as advertised.


 Kind regards


Amos



Re: [squid-users] snmpwalk issue squid 2.5

2008-12-08 Thread Henrik Nordstrom
Mon 2008-12-08 at 10:34 -0800, Ausmus, Matt wrote:
 First off, I'm posting this question here because it appears the SNMP
 mailing list is now defunct. If this is the wrong list to post this, please
 let me know and I'll repost it in the correct one.

 First, I'm running squid with snmp enabled on CentOS 4.7. The version of
 squid is the most recent offered for 4.7: squid-2.5.STABLE14-4.el4. This is
 my entire snmp configuration (with names and variables changed to protect the
 innocent ;-))
acl chapmansnmp snmp_community publ!c
snmp_port 3401
snmp_access deny chapmansnmp  !chapman1


That's not right. Squid access rules have an implicit inverse of the
last rule, i.e. the above is implicitly followed by

snmp_access allow all

and says: allow anyone to query SNMP, except that only chapman1 is
allowed to use the public snmp community. Any other community is OK for
anyone to use, just not public.

You probably want

   snmp_access allow chapmansnmp chapman1

which gets implicitly followed by

   snmp_access deny all

Regards
Henrik
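The rule Henrik describes (first matching rule decides, otherwise the opposite of the last rule's action applies) is easy to get wrong in any Squid access directive, not only snmp_access. The evaluator below is an added example and not Squid's own code; it models that semantics and runs the poster's original rule and Henrik's replacement side by side. The ACL definitions, the community string "publ!c" from the post, and the management address 192.0.2.10 are constructed for the example.

```python
"""Model of Squid access-list evaluation: rules in order, first full match wins,
and when no rule matches the inverse of the LAST rule's action applies.

Added example, not Squid code. ACL definitions and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Rule:
    action: str        # "allow" or "deny"
    acls: List[str]    # every ACL must match (AND); a leading "!" negates it


# ACL name -> (request attribute it tests, set of values that match)
AclDefs = Dict[str, Tuple[str, Set[str]]]


def acl_matches(acl: str, request: Dict[str, str], acl_defs: AclDefs) -> bool:
    """True if one ACL reference (possibly negated with '!') matches the request."""
    negated = acl.startswith("!")
    name = acl.lstrip("!")
    if name == "all":
        matched = True
    else:
        attribute, values = acl_defs[name]
        matched = request.get(attribute) in values
    return matched != negated


def evaluate_access(rules: List[Rule], request: Dict[str, str], acl_defs: AclDefs) -> str:
    """Return "allow" or "deny" for the request under the given rule list."""
    if not rules:
        # Assumption for this model: an empty list means no access at all.
        return "deny"
    for rule in rules:
        if all(acl_matches(a, request, acl_defs) for a in rule.acls):
            return rule.action
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return "deny" if rules[-1].action == "allow" else "allow"


# Constructed definitions mirroring the post: one community string, one manager host.
MANAGER_IP = "192.0.2.10"   # constructed management address (the 'chapman1' ACL)
ACL_DEFS: AclDefs = {
    "chapmansnmp": ("snmp_community", {"publ!c"}),
    "chapman1": ("src", {MANAGER_IP}),
}

# The poster's single rule, and Henrik's replacement.
ORIGINAL_RULES = [Rule("deny", ["chapmansnmp", "!chapman1"])]
FIXED_RULES = [Rule("allow", ["chapmansnmp", "chapman1"])]


def outcomes(rules: List[Rule]) -> Dict[str, str]:
    """Decisions for three requests: a stranger using the real community,
    a stranger using some other community, and the manager host itself."""
    stranger = "198.51.100.7"   # constructed outside address
    return {
        "stranger, public": evaluate_access(
            rules, {"src": stranger, "snmp_community": "publ!c"}, ACL_DEFS),
        "stranger, other": evaluate_access(
            rules, {"src": stranger, "snmp_community": "other"}, ACL_DEFS),
        "manager, public": evaluate_access(
            rules, {"src": MANAGER_IP, "snmp_community": "publ!c"}, ACL_DEFS),
    }


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(label, outcomes(rules))
```

With the original rule a stranger who simply uses a different community string is allowed, and so is the manager host (the negated ACL fails, so no rule matches and the implicit "allow all" applies). With Henrik's single allow rule everything that is not the manager host with the right community falls through to the implicit "deny all".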



Re: [squid-users] WCCP2 service info

2008-12-08 Thread Henrik Nordstrom
Mon 2008-12-08 at 20:51 +, kgardenia42 wrote:
 Hi,
 
 When defining a wccp2 dynamic service group it seems that it only
 allows for a finite list of up to 8 ports which should be redirected
 to the squid box.  In my case I don't want to statically list the
 ports to be redirected in the squid config and 8 is too few.
 
 Is there any way, whether in wccp2 config or router config, that I can
 say just redirect all ports to the squid box?

It should be enough to just define a service with no ports specified.

Regards
Henrik



Re: [squid-users] why http code status is 0 when tcp_hit:none ?

2008-12-08 Thread William Hanwoody

 Mon 2008-12-08 at 09:28 +0800, William Hanwoody wrote:
  I have observed squid logs at that time.
  When this happened, the response time of squid is often more than 30
  seconds, and no other urls are abnormal.

 Are you using any of the following features in squid.conf?

 external_acl_type
 acl type dst
 acl type ident
 http_reply_access
 url_rewrite_program / redirector_program
 auth_param
 collapsed_forwarding
My squid configuration:
--
http_port 80 accel vhost vport=80 defaultsite=.com.cn
icp_port 0
udp_incoming_address 127.0.0.1
udp_outgoing_address 0.0.0.0
hierarchy_stoplist cgi-bin ?
cache_vary on
via off

persistent_request_timeout 2 seconds
client_persistent_connections off
server_persistent_connections on

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

cache_mem 1800 MB

maximum_object_size 16384 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 1024 KB

cache_replacement_policy lru
memory_replacement_policy lru

cache_dir null /data1/squid/var/cache

strip_query_terms off
logformat combined %a %ui %un [%tl] %tr %rm %ru HTTP/%rv %Hs %st %{Referer}h %{User-Agent}h %Ss:%Sh
cache_access_log /data1/squid/var/logs/access.log combined
cache_log /data1/squid/var/logs/squid.log
cache_store_log none
logfile_rotate 20

emulate_httpd_log on

pid_filename /data1/squid/var/logs/squid.pid

hosts_file /usr/local/squid/etc/hosts.squid
mime_table /usr/local/squid/etc/mime.conf
diskd_program /usr/local/squid/sbin/diskd-daemon
unlinkd_program /usr/local/squid/sbin/unlinkd
icon_directory /usr/local/squid/share/icons
error_directory /usr/local/squid/share/errors/English

negative_ttl 120 seconds

acl haproxy src 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16
follow_x_forwarded_for allow haproxy
acl_uses_indirect_client on
log_uses_indirect_client on

acl QUERY urlpath_regex cgi-bin
cache deny QUERY

acl manager proto cache_object

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl allowed_localports port 80

acl allowed_ports port 80

acl allowed_methods method GET
acl allowed_methods method HEAD

acl Purge_method method PURGE
acl purgehost dst 10.1.2.2
http_access allow Purge_method purgehost

http_access allow manager localhost
http_access deny manager all

http_access allow allowed_localports

http_access deny !allowed_methods
http_access deny !allowed_ports
http_access deny !allowed_doms
http_access deny !allowed_hosts
http_access deny to_localhost
http_access deny QUERY
http_access allow all

http_reply_access allow all

cachemgr_passwd none all

icp_access deny all

reply_body_max_size 0 allow all
always_direct allow allowed_doms

visible_hostname .com.cn
cache_effective_user www
cache_effective_group www
--
There is http_reply_access in squid.conf.

Thanks again for your reply.


  and I often find abnormal output of squidclient:
  Memory usage for squid via mallinfo():
  Total space in arena: -1980532 KB
  here, the memory size is always a negative value? int overflow?

 That's normal. Linux glibc mallinfo() is broken for processes larger
 than 2GB.

 Regards
 Henrik




Re: [squid-users] why http code status is 0 when tcp_hit:none ?

2008-12-08 Thread William Hanwoody
By the way, I run 3 squid processes on different ports, and the 3 processes run
on different CPUs.

Is it probably caused by this?

 Mon 2008-12-08 at 09:28 +0800, William Hanwoody wrote:
  I have observed squid logs at that time.
  When this happened, the response time of squid is often more than 30
  seconds, and no other urls are abnormal.

 Are you using any of the following features in squid.conf?

 external_acl_type
 acl type dst
 acl type ident
 http_reply_access
 url_rewrite_program / redirector_program
 auth_param
 collapsed_forwarding

  and I often find abnormal output of squidclient:
  Memory usage for squid via mallinfo():
  Total space in arena: -1980532 KB
  here, the memory size is always a negative value? int overflow?

 That's normal. Linux glibc mallinfo() is broken for processes larger
 than 2GB.

 Regards
 Henrik




[squid-users] Era time in logs from GMT to my GMT

2008-12-08 Thread Luis Daniel Lucio Quiroz
Hi squids,

As you know, squid timestamps are based on GMT0 epoch time. I'm living at GMT -6
but after doing my log parsing report we realized that the time is based as if you
were at GMT0.

Is there a way to tell squid to log with a -6 offset? I don't want to move my
time at my server, because all other logs have the time correctly.

Best regards,

LD



[squid-users] issue with htcp support on squid

2008-12-08 Thread Bostonian
While I am trying HTCP support for squid 3.0 stable 10, I ran into
some issues. Hope someone could give me some leads on how to solve it.

Here is my setting. I have two Linux boxes running squid, which are compiled
with --enable-htcp. One is used as parent for the other.

On the parent side (188.168.75.20). I put the following configs:

acl localnet src 188.168.0.0/16

htcp_port 4827
htcp_access allow localnet
htcp_access deny all

On the child side (188.168.77.20), I put the following configs:

acl localnet src 188.168.0.0/16

htcp_port 4827
htcp_access allow localnet
htcp_access deny all

cache_peer 188.168.75.20 parent 3128 4827 htcp

However, whenever I am trying to access any website that is not in the
cache of the child, curl returns the following error code:

curl: (52) Empty reply from server

I hope that I explained it clearly enough. Any suggestion is highly appreciated.


Re: [squid-users] Era time in logs from GMT to my GMT

2008-12-08 Thread Kinkie
On Tue, Dec 9, 2008 at 4:09 AM, Luis Daniel Lucio Quiroz
[EMAIL PROTECTED] wrote:
 Hi squids,

 As you know, squid timestamps are based on GMT0 epoch time. I'm living at GMT -6
 but after doing my log parsing report we realized that the time is based as if you
 were at GMT0.

 Is there a way to tell squid to log with a -6 offset? I don't want to move my
 time at my server, because all other logs have the time correctly.

 Best regards,

You can define a custom log format, see squid.conf or squid.conf.documented.
Be aware that this will probably break any log analysis tool which
expects the log to be in native squid format.

Alternatively you can translate the time when you read the log. See
http://wiki.squid-cache.org/SquidFaq/SquidLogs#head-de34519356ecd6791303987f0ee79b043199374b

-- 
/kinkie
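Kinkie's second option, converting the timestamp when the log is read, keeps the file in native format so existing analysis tools still work. The script below is an added example (not Squid code and not the FAQ's own script): it takes native-format access.log lines, whose first field is seconds since the epoch in UTC, and rewrites that field as an httpd-style local timestamp at the fixed UTC-6 offset the poster asked about. The two log lines are constructed samples.

```python
"""Rewrite the epoch timestamp of native-format Squid access.log lines to a fixed
UTC offset (here -6 hours), leaving the rest of each line untouched.

Added example, not Squid code. Log lines below are constructed samples.
"""
from datetime import datetime, timedelta, timezone
from typing import List

# Native squid format: time.ms elapsed client code/status bytes method url ident hier/host type
SAMPLE_LOG = """\
1228780800.123    120 10.1.2.3 TCP_MISS/200 1234 GET http://example.com/ - DIRECT/192.0.2.1 text/html
1228784400.456     15 10.1.2.4 TCP_HIT/200 567 GET http://example.com/a.png bob NONE/- image/png
"""

# Fixed offset from the question (GMT -6); no DST handling, which is what the poster asked for.
LOCAL_TZ = timezone(timedelta(hours=-6))


def parse_epoch(line: str) -> float:
    """First field of a native log line: seconds.milliseconds since the epoch (UTC)."""
    return float(line.split(None, 1)[0])


def to_local(epoch: float, tz: timezone = LOCAL_TZ) -> datetime:
    """Epoch seconds -> timezone-aware datetime in the target offset."""
    return datetime.fromtimestamp(epoch, tz)


def rewrite_line(line: str, tz: timezone = LOCAL_TZ) -> str:
    """Replace the epoch field with an httpd-style local timestamp, keep everything else."""
    ts, rest = line.split(None, 1)
    local = to_local(float(ts), tz)
    return f"[{local.strftime('%d/%b/%Y:%H:%M:%S %z')}] {rest}"


def rewrite_log(text: str, tz: timezone = LOCAL_TZ) -> List[str]:
    """Rewrite every non-empty line of a native-format log."""
    return [rewrite_line(line, tz) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for out in rewrite_log(SAMPLE_LOG):
        print(out)
```

The first sample timestamp is 2008-12-09 00:00:00 UTC, so it comes out as 08/Dec/2008:18:00:00 -0600. If instead you want Squid itself to write local time, the `%tl` format code already used in the `logformat combined` line earlier on this page emits the local time of the server, which is Kinkie's first option.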


Re: [squid-users] How to interrupt ongoing transfers?

2008-12-08 Thread Kaustav Dey Biswas
Henrik,

Thanks a lot for your suggestions.

I guess I will have to take a look at the source, as you said.

I will keep the list informed if I am able to solve this somehow.

Thanks & Regards,
Kaustav



- Original Message 
From: Henrik Nordstrom [EMAIL PROTECTED]
To: Kaustav Dey Biswas [EMAIL PROTECTED]
Cc: Squid squid-users@squid-cache.org
Sent: Monday, 8 December, 2008 1:22:33 AM
Subject: Re: [squid-users] How to interrupt ongoing transfers?

Mon 2008-12-08 at 00:31 +0530, Kaustav Dey Biswas wrote:

 Actually, I need to implement the quota system as a part of my final
 year Engineering project. I am planning to make it as a sort of an
 add-on package over Squid, which will be compatible with all current
 versions of Squid. As you can see, modifying the Squid source code is
 not an option for me.

There is no builtin feature in Squid to selectively abort active
requests. Modifying the Squid source will be required for this.

 Please let me know if there is any way (or workaround) by which I can
 interrupt ongoing transfers in current versions of Squid without
 having to patch & rebuild it.

I guess you could do it at the network layer by faking RST packets to
Squid or the client, but it's harder and more error prone than extending
Squid.

Regards
Henrik




Re: [squid-users] How to interrupt ongoing transfers?

2008-12-08 Thread Kaustav Dey Biswas
Adrian,

Thanks again for your quick response.

I will take a look at the source code to see what I can do.

Thanks & Regards,
Kaustav



- Original Message 
From: Adrian Chadd [EMAIL PROTECTED]
To: Kaustav Dey Biswas [EMAIL PROTECTED]
Cc: Squid squid-users@squid-cache.org
Sent: Monday, 8 December, 2008 7:22:13 AM
Subject: Re: [squid-users] How to interrupt ongoing transfers?

There isn't. Sorry.



Adrian


2008/12/7 Kaustav Dey Biswas [EMAIL PROTECTED]:
 Hi Adrian,

 Thanks a lot for your prompt reply.

 Actually, I need to implement the quota system as a part of my final year 
 Engineering project. I am planning to make it as a sort of an add-on package 
 over Squid, which will be compatible with all current versions of Squid. As 
 you can see, modifying the Squid source code is not an option for me.

 Please let me know if there is any way (or workaround) by which I can
 interrupt ongoing transfers in current versions of Squid without having to
 patch & rebuild it.

 Thanks & Regards,
 Kaustav



 - Original Message 
 From: Adrian Chadd [EMAIL PROTECTED]
 To: Kaustav Dey Biswas [EMAIL PROTECTED]
 Cc: Squid squid-users@squid-cache.org
 Sent: Saturday, 6 December, 2008 12:28:10 AM
 Subject: Re: [squid-users] How to interrupt ongoing transfers?

 Someone may beat me to this, but I'm actually proposing a quote to a
 company to implement quota services in Squid to support stuff just
 like what you've asked for.

 I'll keep the list posted about this. Hopefully I'll get the green
 light in a week or so and can begin work on implementing the
 functionality in Squid-2.

 Thanks,



 Adrian

 2008/12/5 Kaustav Dey Biswas [EMAIL PROTECTED]:
 Hi,

 I am a squid newbie. I am trying to set up daily download quotas for NCSA
 authorized users. I have a daemon running which checks the log files, and
 whenever the download limit is reached (for a particular user), it blocks
 that user in the config and reconfigures squid (squid -k reconfigure) for
 the changes to take effect.

 The problem is, if an http/ftp transfer is on (for that user), the changes
 made in the config don't take effect until that transfer session completes.

 Is there any way I can interrupt the transfer somehow (or say, force squid 
 to re-read its ACL) without affecting sessions of other users?

 Thanks & Regards,
 Kaustav Dey Biswas








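The accounting half of the quota daemon Kaustav describes (sum bytes per authenticated user from access.log, then emit the users to block) can be done without touching Squid; only the "abort the transfer that is already running" half cannot, as Henrik and Adrian say. The script below is an added example, not Kaustav's daemon and not Squid code. It reads native-format log lines, where column 5 is the byte count and column 8 is the authenticated user, totals them for one UTC day, and renders the over-quota users in the one-name-per-line layout that a `proxy_auth "/path/to/file"` ACL reads. The log lines, the 10 MB quota and the file name are constructed.

```python
"""Per-user daily byte accounting from a native-format Squid access.log, producing
the list of users that exceeded a quota.

Added example; not Kaustav's daemon and not Squid code. Sample lines, the quota and
the acl file name are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

# Native squid format: time.ms elapsed client code/status bytes method url ident hier/host type
SAMPLE_LOG = """\
1228780800.123    120 10.1.2.3 TCP_MISS/200 9000000 GET http://example.com/big.iso alice DIRECT/192.0.2.1 application/octet-stream
1228784400.456     15 10.1.2.4 TCP_HIT/200 2000000 GET http://example.com/a.png bob NONE/- image/png
1228788000.789     40 10.1.2.3 TCP_MISS/200 3000000 GET http://example.com/more.bin alice DIRECT/192.0.2.1 application/octet-stream
1228791600.000      5 10.1.2.5 TCP_DENIED/407 0 GET http://example.com/ - NONE/- text/html
"""

DAILY_QUOTA_BYTES = 10_000_000        # constructed quota: 10 MB per user per day
BLOCKLIST_PATH = "/etc/squid/over_quota.txt"   # constructed path for the proxy_auth acl file


def usage_by_user_for_day(log_text: str, day: str) -> Dict[str, int]:
    """Sum the bytes column per authenticated user for one UTC day ('YYYY-MM-DD').
    Requests without an authenticated user ('-' in the ident column) are skipped.
    Note: Squid writes a line when the transfer COMPLETES, so a download still in
    progress is not counted yet; that lag is the limitation discussed in the thread."""
    totals: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue                      # malformed or truncated line
        epoch, size, user = float(fields[0]), int(fields[4]), fields[7]
        if user == "-":
            continue
        if datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d") != day:
            continue
        totals[user] += size
    return dict(totals)


def users_over_quota(totals: Dict[str, int], quota: int = DAILY_QUOTA_BYTES) -> List[str]:
    """Users whose total for the day reached the quota, sorted for a stable file."""
    return sorted(user for user, used in totals.items() if used >= quota)


def render_blocklist(users: List[str]) -> str:
    """One user name per line: the layout a 'proxy_auth "/file"' acl loads."""
    return "".join(f"{user}\n" for user in users)


if __name__ == "__main__":
    totals = usage_by_user_for_day(SAMPLE_LOG, "2008-12-09")
    blocked = users_over_quota(totals)
    print(totals)
    print(render_blocklist(blocked), end="")
    # A real daemon would write render_blocklist(blocked) to BLOCKLIST_PATH and then
    # run 'squid -k reconfigure', as the original post does; new requests from those
    # users are then denied, but transfers already in flight continue to completion.
```

With the constructed lines, alice has 12,000,000 bytes on 2008-12-09 UTC and is the only user over the 10 MB quota; bob stays under, and the unauthenticated TCP_DENIED line is ignored.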