AW: [squid-users] Re: No Kerberos Auth
OK, I found the problem. If Kerberos is activated I have the following iostat:

Device:  rrqm/s  wrqm/s   r/s   w/s      rkB/s  wkB/s    avgrq-sz  avgqu-sz  await   svctm  %util
sda      0,00    1306,60  0,00  192,20   0,00   5779,20  60,14     12,77     59,86   3,34   64,16
dm-0     0,00    0,00     0,00  1507,40  0,00   6029,60  8,00      184,16    114,43  0,43   64,20
dm-1     0,00    0,00     0,00  0,00     0,00   0,00     0,00      0,00      0,00    0,00   0,00
dm-2     0,00    0,00     0,00  0,00     0,00   0,00     0,00      0,00      0,00    0,00   0,00

If I disable Kerberos I get something like this:

Device:  rrqm/s  wrqm/s   r/s   w/s      rkB/s  wkB/s    avgrq-sz  avgqu-sz  await   svctm  %util
sda      0,00    1,20     0,00  0,80     0,00   8,00     20,00     0,01      8,75    6,50   0,52
dm-0     0,00    0,00     0,00  2,00     0,00   8,00     8,00      0,02      9,50    2,60   0,52
dm-1     0,00    0,00     0,00  0,00     0,00   0,00     0,00      0,00      0,00    0,00   0,00
dm-2     0,00    0,00     0,00  0,00     0,00   0,00     0,00      0,00      0,00    0,00   0,00

So can someone tell me which files are handled by the helper?

-----Original Message-----
From: Jarosch, Ralph [mailto:ralph.jaro...@justiz.niedersachsen.de]
Sent: Thursday, 1 November 2012 13:49
To: Jarosch, Ralph; Markus Moeller; squid-users@squid-cache.org
Subject: AW: [squid-users] Re: No Kerberos Auth

Hello Markus,

I've found some answers from you in this thread
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-kerb-auth-High-CPU-load-td4569213.html
where you wrote that it is better to deactivate the Kerberos replay cache by

KRB5RCACHETYPE=none
export KRB5RCACHETYPE

So I have done this. But when I now look into /var/tmp I see something like this:

524289   4 drwxr-xr-x. 21 root  root    4096 23. Feb  2012 ..
524658   4 -rw-------   1 root  root       6 31. Okt 12:31 host_0
556670 160 -rw-------   1 squid squid 159568  1. Nov 13:37 HTTP_23
556440 644 -rw-------   1 root  squid 654291  1. Nov 11:51 HTTP--PROXY--2-044_0
556647 420 -rw-------   1 squid squid 426700  1. Nov 13:45 HTTP--PROXY--2-044_23
556778 348 -rw-------   1 squid squid 355498  1. Nov 13:45 krb5_RC0wgu89
556770 364 -rw-------   1 squid squid 371134  1. Nov 13:45 krb5_RC1QKQZZ
556768 416 -rw-------   1 squid squid 421926  1. Nov 13:45 krb5_RC2ARJDz
556485 316 -rw-------   1 squid squid 322303  1. Nov 13:45 krb5_RC2sAN8f
556531 408 -rw-------   1 squid squid 416501  1. Nov 13:45 krb5_RC320K4T
556553 344 -rw-------   1 squid squid 350302  1. Nov 13:45 krb5_RC3IzwzV
556454 360 -rw-------   1 squid squid 365480  1. Nov 13:45 krb5_RC4EQh3a
556772 344 -rw-------   1 squid squid 350507  1. Nov 13:45 krb5_RC6RujE6
556563 364 -rw-------   1 squid squid 370475  1. Nov 13:45 krb5_RC6tC21J
556549 408 -rw-------   1 squid squid 416501  1. Nov 13:45 krb5_RC80gA4N
556721 416 -rw-------   1 squid squid 425832  1. Nov 13:45 krb5_RC978V2v
556701 364 -rw-------   1 squid squid 371785  1. Nov 13:45 krb5_RC9XR0Kd
556644   4 -rw-------   1 squid squid      6  1. Nov 13:45 krb5_RCaU8YfR
556764 420 -rw-------   1 squid squid 426049  1. Nov 13:45 krb5_RCAzy0sk
556659 376 -rw-------   1 squid squid 384588  1. Nov 13:45 krb5_RCBiW1Mh
556510 312 -rw-------   1 squid squid 316872  1. Nov 13:45 krb5_RCc6zIYF
556508 300 -rw-------   1 squid squid 303631  1. Nov 13:45 krb5_RCcaI3VJ
556461 400 -rw-------   1 squid squid 406085  1. Nov 13:45 krb5_RCClg8Et
556504 344 -rw-------   1 squid squid 348337  1. Nov 13:45 krb5_RCCs6MQJ
556439   4 -rw-------   1 squid squid      2  1. Nov 13:45 krb5_RCdo383X
556566 332 -rw-------   1 squid squid 338789  1. Nov 13:45 krb5_RCE8GITQ
556578 332 -rw-------   1 squid squid 336408  1. Nov 13:45 krb5_RCF9gZsN
556595 460 -rw-------   1 squid squid 470968  1. Nov 13:45 krb5_RCFUodDG
556488 416 -rw-------   1 squid squid 425832  1. Nov 13:45 krb5_RCGTDiEB
556709 332 -rw-------   1 squid squid 337710  1. Nov 13:45 krb5_RCgTwJ3f
556648 348 -rw-------   1 squid squid 353328  1. Nov 13:45 krb5_RCisx5n4
556759 380 -rw-------   1 squid squid 385890  1. Nov 13:45 krb5_RCJEBAOp
556758 340 -rw-------   1 squid squid 344220  1. Nov 13:45 krb5_RCJg0eSd
556432 420 -rw-------   1 squid squid 426049  1. Nov 13:45 krb5_RCJj4rHQ
556481 360 -rw-------   1 squid squid 367662  1. Nov 13:45 krb5_RCJreSOm
556675 352 -rw-------   1 squid squid 359199  1. Nov 13:45 krb5_RCJZYypn
556711 420 -rw-------   1 squid squid 426049  1. Nov 13:45 krb5_RCkRw9Ze
556777 340 -rw-------   1 squid squid 347469  1. Nov 13:45 krb5_RCL3Tgal
556760 344 -rw-------   1 squid squid 350302  1. Nov 13:45 krb5_RCLrZ1Di
556497 408 -rw-------   1 squid squid 416501  1. Nov 13:45 krb5_RClv9U8x
556522 364 -rw-------   1 squid squid 372736  1. Nov 13:45 krb5_RCN4uERP
556773 396 -rw-------   1 squid squid 404335  1. Nov 13:45 krb5_RCNkZeTL
556774 368 -rw-------   1 squid squid 375032  1. Nov 13:45 krb5_RCVyqbdR
556562 428 -rw-------   1 squid squid 435814  1. Nov 13:45 krb5_RCweNiOb
556767 356 -rw-------   1 squid squid 363105  1. Nov 13:45 krb5_RCX0E5Nx
556528 380 -rw-------   1 squid squid 387184  1. Nov 13:45 krb5_RCxqyzb8
556679 360 -rw-------   1 squid squid 365697  1. Nov 13:45 krb5_RCY3iZtC
556769 420 -rw-------   1 squid squid 426700  1. Nov 13:45 krb5_RCyBEWeQ
556756 380 -rw-------   1 squid squid 386533  1. Nov 13:45 krb5_RCyyMnv4
556757 376 -rw-------   1 squid squid 382852  1. Nov 13:45 krb5_RCz2Efgl
556776 340 -rw-------   1 squid squid 346167  1. Nov 13:45 krb5_RCz5IwSr
556766 344 -rw-------   1 squid squid 349217  1. Nov 13:45 krb5_RCzEkkFY
556436 420 -rw-------   1 squid squid 426049  1. Nov 13:45 krb5_RCZoP903

Why does that happen? Do you know of a solution?

Thank you
Ralph

-----Original Message-----
From: Jarosch, Ralph [mailto:ralph.jaro...@justiz.niedersachsen.de]
Sent: Thursday, 1 November 2012 11:47
To: Markus Moeller; squid-users@squid-cache.org
Subject: AW: [squid-users] Re: No Kerberos Auth

Wonderful, now it works. But it has got a little bit slow. Is there any limitation on how many negotiate_wrapper helpers I can start? Currently I use 250 and every one is still busy.

-----Original Message-----
From: Markus Moeller [mailto:hua...@moeller.plus.com]
Sent: Wednesday, 31 October 2012 21:22
To: squid-users@squid-cache.org
Subject: [squid-users] Re: No Kerberos Auth

Hi Ralph,

If you use NTLM and Kerberos, make sure you do NOT use the same AD account for both. The Samba daemon will change the password on a regular basis, which will bring the keytab out of sync with the AD account. Your proxy will not need any Kerberos cache (except if you use my squid_kerb_ldap module, but it is not the root user cache as you show below).

Markus

"Jarosch, Ralph" wrote in message news:c644cb972edfa3488cfd140b498136231b5e9...@justizcembx14.justiz.niedersachsen.de...

I've found this today. Why is the last ticket not renewed? Could that point to the problem?

[root@http-proxy ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/http-proxy.justiz.niedersachsen...@justiz.niedersachsen.de

Valid starting     Expires            Service principal
10/30/12 14:47:38  10/31/12 00:47:37  krbtgt/justiz.niedersachsen...@justiz.niedersachsen.de
        renew until 10/31/12 14:47:38
10/30/12 15:24:49  10/31/12 00:47:37  ldap/justizhadc01.justiz.niedersachsen...@justiz.niedersachsen.de
        renew until 10/31/12 14:47:38
10/30/12 15:24:49  10/30/12 15:26:49  kadmin/chang...@justiz.niedersachsen.de
        renew until 10/30/12 15:26:49

-----Original Message-----
From: Jarosch, Ralph [mailto:ralph.jaro...@justiz.niedersachsen.de]
Sent: Tuesday, 30 October 2012 15:27
To: Bastien Ceriani
Cc: squid-users@squid-cache.org
Subject: AW: [squid-users] No Kerberos Auth

I think the encryption type is already 28. This is the output with -- encrypt 28 --:

ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28

From: Jarosch, Ralph
Sent: Tuesday, 30 October 2012 15:24
To: 'Bastien Ceriani'
Cc: squid-users@squid-cache.org
Subject: AW: [squid-users] No Kerberos Auth

Oh ok.. yes, it worked fine until ten minutes before I wrote the mail. Then it crashed from one minute to the other. I'm just troubleshooting the problem..

From: Bastien Ceriani [mailto:bastien.ceri...@bulkypix.com]
Sent: Tuesday, 30 October 2012 15:16
To: Jarosch, Ralph
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] No Kerberos Auth

OK, thanks. With Windows Server 2008 you should use the --enctypes 28 parameter with the msktutil command. Did your NTLM authentication work fine? How did you configure it? With Samba/Winbind?

On Tue, Oct 30, 2012 at 3:08 PM, Jarosch, Ralph wrote:

OK, for Wireshark I must wait for tonight because no one here can work if I enable authentication.

My keytab:

Keytab name: WRFILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------------------
   6 10/30/12 09:47:42 http-proxy$@JUSTIZ.NIEDERSACHSEN.DE (arcfour-hmac)
   6 10/30/12 09:47:42 http-proxy$@JUSTIZ.NIEDERSACHSEN.DE (aes128-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 http-proxy$@JUSTIZ.NIEDERSACHSEN.DE (aes256-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HTTP/http-proxy.justiz.niedersachsen...@justiz.niedersachsen.de (arcfour-hmac)
   6 10/30/12 09:47:42 HTTP/http-proxy.justiz.niedersachsen...@justiz.niedersachsen.de (aes128-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HTTP/http-proxy.justiz.niedersachsen...@justiz.niedersachsen.de (aes256-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HTTP/http-pr...@justiz.niedersachsen.de (arcfour-hmac)
   6 10/30/12 09:47:42 HTTP/http-pr...@justiz.niedersachsen.de (aes128-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HTTP/http-pr...@justiz.niedersachsen.de (aes256-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HOST/http-pr...@justiz.niedersachsen.de (arcfour-hmac)
   6
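The two outputs Ralph pasted above (an `ls -lis` listing of /var/tmp with German-locale dates, and an `iostat -x` table printed with a decimal comma) can be correlated mechanically. The following is an added example, not code from the thread, from Squid or from MIT Kerberos: it parses both formats, counts the replay-cache files (MIT krb5 names them krb5_RC*, as in the listing) and their bytes per owner, and flags devices whose await or %util exceed illustrative thresholds. The sample inputs are constructed from figures in the thread; the thresholds are assumptions.

```python
"""Spot replay-cache file growth and the disk load it causes.

Added example, not code from the squid-users thread. It parses the two outputs
Ralph pasted: an `ls -lis` listing of /var/tmp (German date format, as on the
page) and an `iostat -x` table printed with a decimal comma (de_DE locale).
The sample inputs below are constructed from figures in the thread.
"""
import re
from dataclasses import dataclass

# One `ls -lis` line: inode, 1K-blocks, mode (optional SELinux "." suffix), link
# count, owner, group, size in bytes, date ("23. Feb 2012" or "1. Nov 13:45"), name.
LS_RE = re.compile(
    r"^(?P<inode>\d+)\s+(?P<blocks>\d+)\s+(?P<mode>[-dlcbps][rwxstST-]{9}\.?)\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"\d{1,2}\.\s+\S+\s+(?:\d{4}|\d{2}:\d{2})\s+(?P<name>.+?)\s*$"
)


@dataclass
class Entry:
    inode: int
    blocks: int
    mode: str
    owner: str
    group: str
    size: int
    name: str


def parse_ls(text):
    """Return one Entry per listing line; lines that do not match (e.g. "total N") are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            entries.append(Entry(int(m["inode"]), int(m["blocks"]), m["mode"],
                                 m["owner"], m["group"], int(m["size"]), m["name"]))
    return entries


def replay_cache_summary(entries, prefix="krb5_RC"):
    """Count MIT Kerberos replay-cache files (name prefix krb5_RC) and sum their bytes per owner."""
    rc = [e for e in entries if e.name.startswith(prefix)]
    by_owner = {}
    for e in rc:
        by_owner[e.owner] = by_owner.get(e.owner, 0) + e.size
    return {"count": len(rc), "total_bytes": sum(e.size for e in rc), "bytes_by_owner": by_owner}


def parse_iostat(text):
    """Parse an `iostat -x` device table into {device: {column: float}}; accepts "," as decimal separator."""
    rows, header = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Device:":
            header = parts[1:]
        elif header and len(parts) == len(header) + 1:
            rows[parts[0]] = {col: float(val.replace(",", ".")) for col, val in zip(header, parts[1:])}
    return rows


def busy_devices(rows, util_threshold=50.0, await_threshold=20.0):
    """Devices whose %util or await (ms) exceed the thresholds; the thresholds are illustrative assumptions."""
    return sorted(dev for dev, s in rows.items()
                  if s["%util"] >= util_threshold or s["await"] >= await_threshold)


# Constructed samples: a subset of the thread's /var/tmp listing and its Kerberos-enabled iostat.
LS_SAMPLE = """\
524289   4 drwxr-xr-x. 21 root  root    4096 23. Feb  2012 ..
524658   4 -rw-------   1 root  root       6 31. Okt 12:31 host_0
556670 160 -rw-------   1 squid squid 159568  1. Nov 13:37 HTTP_23
556440 644 -rw-------   1 root  squid 654291  1. Nov 11:51 HTTP--PROXY--2-044_0
556778 348 -rw-------   1 squid squid 355498  1. Nov 13:45 krb5_RC0wgu89
556770 364 -rw-------   1 squid squid 371134  1. Nov 13:45 krb5_RC1QKQZZ
556644   4 -rw-------   1 squid squid      6  1. Nov 13:45 krb5_RCaU8YfR
"""

IOSTAT_SAMPLE = """\
Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
sda 0,00 1306,60 0,00 192,20 0,00 5779,20 60,14 12,77 59,86 3,34 64,16
dm-0 0,00 0,00 0,00 1507,40 0,00 6029,60 8,00 184,16 114,43 0,43 64,20
dm-1 0,00 0,00 0,00 0,00 0,00 0,00 0,00 0,00 0,00 0,00 0,00
"""


def diagnose(ls_text, iostat_text):
    """Combine both views: replay-cache files present plus saturated devices points at the replay cache."""
    rc = replay_cache_summary(parse_ls(ls_text))
    busy = busy_devices(parse_iostat(iostat_text))
    return {"replay_cache": rc, "busy_devices": busy,
            "replay_cache_suspected": rc["count"] > 0 and bool(busy)}


if __name__ == "__main__":
    print(diagnose(LS_SAMPLE, IOSTAT_SAMPLE))
```

Run against the full listing from the mail, the per-owner byte count shows how much of /var/tmp the squid-owned replay caches occupy; comparing the "Kerberos on" and "Kerberos off" iostat tables with busy_devices() gives the same contrast Ralph observed (sda and dm-0 busy only with Kerberos enabled).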
AW: [squid-users] Re: No Kerberos Auth
Wonderful, now it works. But it has got a little bit slow. Is there any limitation on how many negotiate_wrapper helpers I can start? Currently I use 250 and every one is still busy.

-----Original Message-----
From: Markus Moeller [mailto:hua...@moeller.plus.com]
Sent: Wednesday, 31 October 2012 21:22
To: squid-users@squid-cache.org
Subject: [squid-users] Re: No Kerberos Auth

Hi Ralph,

If you use NTLM and Kerberos, make sure you do NOT use the same AD account for both. The Samba daemon will change the password on a regular basis, which will bring the keytab out of sync with the AD account. Your proxy will not need any Kerberos cache (except if you use my squid_kerb_ldap module, but it is not the root user cache as you show below).

Markus

"Jarosch, Ralph" wrote in message news:c644cb972edfa3488cfd140b498136231b5e9...@justizcembx14.justiz.niedersachsen.de...

I've found this today. Why is the last ticket not renewed? Could that point to the problem?

[root@http-proxy ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/http-proxy.justiz.niedersachsen...@justiz.niedersachsen.de

Valid starting     Expires            Service principal
10/30/12 14:47:38  10/31/12 00:47:37  krbtgt/justiz.niedersachsen...@justiz.niedersachsen.de
        renew until 10/31/12 14:47:38
10/30/12 15:24:49  10/31/12 00:47:37  ldap/justizhadc01.justiz.niedersachsen...@justiz.niedersachsen.de
        renew until 10/31/12 14:47:38
10/30/12 15:24:49  10/30/12 15:26:49  kadmin/chang...@justiz.niedersachsen.de
        renew until 10/30/12 15:26:49

-----Original Message-----
From: Jarosch, Ralph [mailto:ralph.jaro...@justiz.niedersachsen.de]
Sent: Tuesday, 30 October 2012 15:27
To: Bastien Ceriani
Cc: squid-users@squid-cache.org
Subject: AW: [squid-users] No Kerberos Auth

I think the encryption type is already 28. This is the output with -- encrypt 28 --:

ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28

From: Jarosch, Ralph
Sent: Tuesday, 30 October 2012 15:24
To: 'Bastien Ceriani'
Cc: squid-users@squid-cache.org
Subject: AW: [squid-users] No Kerberos Auth

Oh ok.. yes, it worked fine until ten minutes before I wrote the mail. Then it crashed from one minute to the other. I'm just troubleshooting the problem..

From: Bastien Ceriani [mailto:bastien.ceri...@bulkypix.com]
Sent: Tuesday, 30 October 2012 15:16
To: Jarosch, Ralph
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] No Kerberos Auth

OK, thanks. With Windows Server 2008 you should use the --enctypes 28 parameter with the msktutil command. Did your NTLM authentication work fine? How did you configure it? With Samba/Winbind?

On Tue, Oct 30, 2012 at 3:08 PM, Jarosch, Ralph wrote:

OK, for Wireshark I must wait for tonight because no one here can work if I enable authentication.

My keytab:

Keytab name: WRFILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------------------
   6 10/30/12 09:47:42 http-proxy$@JUSTIZ.NIEDERSACHSEN.DE (arcfour-hmac)
   6 10/30/12 09:47:42 http-proxy$@JUSTIZ.NIEDERSACHSEN.DE (aes128-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 http-proxy$@JUSTIZ.NIEDERSACHSEN.DE (aes256-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HTTP/http-proxy.justiz.niedersachsen...@justiz.niedersachsen.de (arcfour-hmac)
   6 10/30/12 09:47:42 HTTP/http-proxy.justiz.niedersachsen...@justiz.niedersachsen.de (aes128-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HTTP/http-proxy.justiz.niedersachsen...@justiz.niedersachsen.de (aes256-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HTTP/http-pr...@justiz.niedersachsen.de (arcfour-hmac)
   6 10/30/12 09:47:42 HTTP/http-pr...@justiz.niedersachsen.de (aes128-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HTTP/http-pr...@justiz.niedersachsen.de (aes256-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HOST/http-pr...@justiz.niedersachsen.de (arcfour-hmac)
   6 10/30/12 09:47:42 HOST/http-pr...@justiz.niedersachsen.de (aes128-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HOST/http-pr...@justiz.niedersachsen.de (aes256-cts-hmac-sha1-96)

My squid.conf:

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -i -s HTTP/http-proxy.justiz.niedersachsen...@justiz.niedersachsen.de
auth_param negotiate children 100
auth_param negotiate keep_alive on
auth_param ntlm keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 200
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 200
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 hours

and my msktutil command:

msktutil -c -b "OU=Sonstige Server,OU=Globale Dienste,DC=justiz,DC=niedersachsen,DC=de" -s HTTP/http-proxy.justiz.niedersachsen.de -h http-proxy.justiz.niedersachsen.de -k /etc/HTTP.keytab --computer-name http-proxy --upn HTTP/http-proxy.justiz.niedersachsen.
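Two checks follow from this exchange: Bastien's --enctypes 28 (the msDS-SupportedEncryptionTypes bitmask, where 4 = RC4-HMAC, 8 = AES128 and 16 = AES256, so 28 means all three) should be reflected in the keytab, and Markus's warning means the keytab's KVNO can silently fall behind the one AD holds once Samba rotates the machine password. The following is an added example, not code from the thread, from msktutil or from Squid: it parses a `klist -kte`-style listing like the one above, reports missing enctypes and mixed KVNOs per principal, and compares the keytab against a KVNO obtained separately from AD (the account's msDS-KeyVersionNumber). The sample listing and the realm EXAMPLE.TEST are constructed.

```python
"""Audit a keytab listing for KVNO drift and enctype coverage.

Added example, not code from the squid-users thread, msktutil or Squid. Parses a
`klist -kte`-style listing and checks (a) that every principal carries the enctypes
AD advertises in msDS-SupportedEncryptionTypes (28 = RC4 + AES128 + AES256) and
(b) that the keytab still holds the key version number AD has for the account.
The sample listing and the realm EXAMPLE.TEST are constructed.
"""
import re
from collections import defaultdict

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE); AD enctype 28 = 4 + 8 + 16.
ENCTYPE_BITS = {
    1: "des-cbc-crc",
    2: "des-cbc-md5",
    4: "arcfour-hmac",
    8: "aes128-cts-hmac-sha1-96",
    16: "aes256-cts-hmac-sha1-96",
}

# One keytab line: KVNO, timestamp (date and time), principal, "(enctype)".
KEYTAB_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)


def decode_enctypes(mask):
    """Names of the enctypes enabled in an msDS-SupportedEncryptionTypes bitmask, in bit order."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if mask & bit]


def parse_keytab_listing(text):
    """Return (principal, kvno, enctype) tuples; header and separator lines do not match and are skipped."""
    out = []
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            out.append((m["principal"], int(m["kvno"]), m["enctype"]))
    return out


def audit_keytab(entries, expected_mask=28):
    """Per principal: KVNOs present, enctypes missing vs. the AD mask, and whether several KVNOs coexist."""
    expected = set(decode_enctypes(expected_mask))
    by_principal = defaultdict(list)
    for principal, kvno, enctype in entries:
        by_principal[principal].append((kvno, enctype))
    findings = {}
    for principal, keys in by_principal.items():
        kvnos = sorted({k for k, _ in keys})
        have = {e for _, e in keys}
        findings[principal] = {
            "kvnos": kvnos,
            "missing_enctypes": sorted(expected - have),
            "mixed_kvno": len(kvnos) > 1,
        }
    return findings


def principals_out_of_sync(findings, ad_kvno):
    """Principals whose keytab lacks the KVNO AD currently holds (msDS-KeyVersionNumber, fetched separately)."""
    return sorted(p for p, f in findings.items() if ad_kvno not in f["kvnos"])


# Constructed sample: HTTP/ and the computer account are complete; HOST/ carries a
# leftover key from an earlier rotation and lacks the AES enctypes.
KEYTAB_SAMPLE = """\
Keytab name: WRFILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   6 10/30/12 09:47:42 http-proxy$@EXAMPLE.TEST (arcfour-hmac)
   6 10/30/12 09:47:42 http-proxy$@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 http-proxy$@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HTTP/http-proxy.example.test@EXAMPLE.TEST (arcfour-hmac)
   6 10/30/12 09:47:42 HTTP/http-proxy.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HTTP/http-proxy.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   5 10/29/12 08:00:00 HOST/http-proxy@EXAMPLE.TEST (arcfour-hmac)
   6 10/30/12 09:47:42 HOST/http-proxy@EXAMPLE.TEST (arcfour-hmac)
"""

if __name__ == "__main__":
    findings = audit_keytab(parse_keytab_listing(KEYTAB_SAMPLE))
    for principal, f in findings.items():
        print(principal, f)
    # Pretend AD has already moved on to key version 7 (e.g. after a Samba password change).
    print("out of sync with AD kvno 7:", principals_out_of_sync(findings, 7))
```

Fed Ralph's actual listing, every principal comes back with kvnos [6] and no missing enctypes, which is consistent with "--enctypes 28"; the out-of-sync check is the one that would catch the Samba-rotation scenario Markus describes, provided the AD-side KVNO is read at the time of the check rather than assumed.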