On 21/02/2013 7:20 p.m., Brett Lymn wrote:
Folks,
I am running 4 proxy servers with squid 3.1.19 (yes, I know it is old,
will update soon) with kerberos authentication behind a F5 load balancer
for a user community of about 2000 people using Windows/I.E.. Normally,
this all works fine, people can surf the web and authentication happens
in background as it should.
The issue we are seeing is around once per month at random one of the
kerberos authenticators seems to start spamming the life out of the
windows AD servers. The event we ID we are seeing on the windows
servers is 0xc000006a which translates to, basically, bad password. We
seem to get this when a user (not always the same one) changes their
password. Clearly, it does not happen every time, we have a password
expiry policy in AD so every is forced to change their password
regularly so we would be seeing the problem a lot more frequently if it
happened every time a user changed their password. It seems to me that
there is some sort of race condition going on where, perhaps, the
authenticators are doing something while the password is being changed,
the authenticators keep using the old details. When this happens the
authenticator seems to spin making requests at a very rapid rate, my
windows admins tell me there are milliseconds between requests and it
fills their logs, also the users account gets locked out due to too many
bad passwords.
There is nothing in the logs indicating anything is wrong. Is this
fixed in a later version? If not, any ideeas on how to troubleshoot?
Can you please try an upgrade to Squid-3.3?
There were a lot of things in 3.1 which could lead to this happening.
Amos
