Re: [squid-users] Squid 4.15 on FreeBSD 12.2 Stable - Kerberos helper issues

2022-05-24 Thread Marek Greško
Hello,

Did you not change the password on the account? If you change the password you
should recreate the keytab.

Marek


On Tue 24. 5. 2022 at 14:23 Suporte - Konntrol wrote:

> Thanks Amos.
> I have recreated the keytab and it is back working, although I will need
> to better investigate the root cause of it.
> I will check the expiration time as you mentioned.
>
> Thanks once again!
> Fabricio.
>
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Amos Jeffries
> Sent: Saturday, May 21, 2022 2:50 AM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 4.15 on FreeBSD 12.2 Stable - Kerberos
> helper issues
>
> On 21/05/22 04:51, Suporte - Konntrol wrote:
> > Hello everyone,
> >
> > Greetings.
> >
> > I got a strange situation with my SQUID 4.1 (FreeBSD 12.2 Stable
> > environment).
> >
> > Everything was working fine with Kerberos configuration and suddenly
> > it stopped with the following error:
> >
> > ==> /var/squid/logs/cache.log <==
> >
> > negotiate_kerberos_auth.cc(182): pid=85679 :2022/05/20 13:35:43|
> > negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: No
> > credentials were supplied, or the credentials were unavailable or
> > inaccessible. No principal in keytab matches desired name
> >
> > 2022/05/20 13:35:43| negotiate_kerberos_auth: INFO: User not
> > authenticated
> >
> > Judging by the “No principal in keytab matches desired name” message,
> > I went immediately to the AD object to check if it was really missing
> > the Principal entry.
> >
> > To my surprise, everything is there. (talking about the
> > HTTP/fqdn@REALM entry).
>
> That error message has a lot of parts.  Check the debug trace to see if
> you can find out what that "desired name" is for that lookup. It may be
> something odd going on there.
>
> Also, notice the character cases. Sometimes it matters, so best to make
> sure they always line up.
>
>
> >
> > Also, I checked the contents of my keytab, which looks OK, as it
> > contains the HTTP/server01.mydomain.c...@mydomain.corp entry as well.
> >
> > Additionally, I checked the DNS configuration for the PTR and Reverse
> > entries. It looks OK as well.
> >
> > I have used “net ads join
> > createupn=HTTP/server01.mydomain.c...@mydomain.corp -k” commands to
> Join
> > the Squid machine to Domain, and “net ads keytab create -k” to create a
> > keytab.
> >
> > Also, used the command “net ads keytab add HTTP” to add the HTTP entry
> > to the keytab.
> >
> ...
> >
> > As I mentioned, that was working for months, then stopped.
> >
>
> IME, this type of sudden delayed breakage usually occurs when there is
> some validity period associated with the credentials in the keytab (or
> domain controller which created it). There is a disclaimer in the wiki
> about the "net ads" under some conditions adding an expiry time.
>
> <https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab>
>
> Rebuilding the keytab with kinit and msktutil may fix it for you.
>
>
> HTH
> Amos
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] ssl-bump connect issues

2022-05-24 Thread Jernej Porenta
Hey,

thank you for your response.

>> The logs show that clients did issue a CONNECT, however the connections are 
>> stuck (and eventually timeout) and netstat is showing exactly 10 connections 
>> in SYN_SENT state towards npm registry. I am kinda puzzled, where this 
>> number comes from.
> 
> This sounds a bit like other situations where the sslcrtd_program helper has 
> hung and stopped generating certificates.

I've checked that and it seems this part is working just fine.

> 
>> Big thank you in advance, br, Jernej
>> The "relevant" parts of my configurations are:
>> acl intermediate_fetching transaction_initiator certificate-fetching
>> http_access allow intermediate_fetching
> 
> This is not all of the required http_access rules. Please list them all.

You can check the whole configuration file here: https://pastebin.com/h7ryfArx

> 
>> http_port 80 ssl-bump generate-host-certificates=on 
>> dynamic_cert_mem_cache_size=20MB 
>> tls-cert=/etc/squid/certs/squid-self-signed.crt 
>> tls-key=/etc/squid/certs/squid-self-signed.key 
>> cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS 
>> options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE 
>> tls-dh=prime256v1:/etc/squid/certs/squid-self-signed_dhparam.pem 
>> disable-pmtu-discovery=transparent
>> sslcrtd_program /usr/lib/squid/security_file_certgen -s 
>> /var/spool/squid/ssl_db -M 20MB
>> sslcrtd_children 8
>> ssl_bump server-first all
> 
> 
> This "server-first" action is outdated. Please upgrade. The modern equivalent 
> would be:
> 
>  acl step1 at_step SslBump1
>  ssl_bump peek step1
>  ssl_bump bump cachedSites
>  ssl_bump splice all

Updated it to your recommendation.

> 
>> sslproxy_cert_error deny all
> 
> This may be hiding symptoms you need to figure the problem out. It is best to 
> start with everything allowed and only deny the specific errors that are not 
> relevant to the client(s).

I've tried to comment it out but there was no difference.

>> # dns
>> positive_dns_ttl 31 seconds
>> negative_dns_ttl 30 seconds
> 
> These also may be the source of problems. They prevent Squid from obeying 
> short-TTL on DNS responses typically used by repositories to load balance 
> large amounts of traffic and/or server failure recovery.

Removed.

I've run some additional tests and found out that one of the servers (which is 
resolved from yarnpkg.com) is not accessible and it seems that that one is 
causing all the others to halt. Once the connect_timeout period is over, a new 
batch of requests is processed without a problem.

Is there a way to disable this behaviour? (Or maybe it is actually yarn's 
behaviour that stops requesting if the registry is not available?)

Thank you in advance, br, Jernej
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid 4.15 on FreeBSD 12.2 Stable - Kerberos helper issues

2022-05-24 Thread Suporte - Konntrol
Thanks Amos.
I have recreated the keytab and it is back working, although I will need to 
better investigate the root cause of it.
I will check the expiration time as you mentioned.

Thanks once again!
Fabricio.

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Saturday, May 21, 2022 2:50 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 4.15 on FreeBSD 12.2 Stable - Kerberos helper 
issues

On 21/05/22 04:51, Suporte - Konntrol wrote:
> Hello everyone,
> 
> Greetings.
> 
> I got a strange situation with my SQUID 4.1 (FreeBSD 12.2 Stable 
> environment).
> 
> Everything was working fine with Kerberos configuration and suddenly 
> it stopped with the following error:
> 
> ==> /var/squid/logs/cache.log <==
> 
> negotiate_kerberos_auth.cc(182): pid=85679 :2022/05/20 13:35:43|
> negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: No 
> credentials were supplied, or the credentials were unavailable or 
> inaccessible. No principal in keytab matches desired name
> 
> 2022/05/20 13:35:43| negotiate_kerberos_auth: INFO: User not 
> authenticated
> 
> Judging by the “No principal in keytab matches desired name” message, 
> I went immediately to the AD object to check if it was really missing 
> the Principal entry.
> 
> To my surprise, everything is there. (talking about the 
> HTTP/fqdn@REALM entry).

That error message has a lot of parts.  Check the debug trace to see if you can 
find out what that "desired name" is for that lookup. It may be something odd 
going on there.

Also, notice the character cases. Sometimes it matters, so best to make sure 
they always line up.


> 
> Also, I checked the contents of my keytab, which looks OK, as it 
> contains the HTTP/server01.mydomain.c...@mydomain.corp entry as well.
> 
> Additionally, I checked the DNS configuration for the PTR and Reverse 
> entries. It looks OK as well.
> 
> I have used “net ads join 
> createupn=HTTP/server01.mydomain.c...@mydomain.corp -k” commands to Join 
> the Squid machine to Domain, and “net ads keytab create -k” to create a 
> keytab.
> 
> Also, used the command “net ads keytab add HTTP” to add the HTTP entry 
> to the keytab.
>
...
> 
> As I mentioned, that was working for months, then stopped.
> 

IME, this type of sudden delayed breakage usually occurs when there is 
some validity period associated with the credentials in the keytab (or 
domain controller which created it). There is a disclaimer in the wiki 
about the "net ads" under some conditions adding an expiry time.

<https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab>

Rebuilding the keytab with kinit and msktutil may fix it for you.


HTH
Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
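As an added example (not code from this thread or from the Squid project), a small Python inspector for the MIT keytab format that covers the checks raised in the Kerberos thread: whether the desired HTTP/fqdn@REALM principal is really in the keytab, whether it is only present with different letter case (Amos's point about character cases), and whether its kvno lags the value the KDC now holds, which is what a password change on the account causes (Marek's point). The example.corp names, enctype numbers, timestamps and key bytes are constructed placeholders; the kvno the KDC reports is something you would supply from the `kvno` tool's output.

```python
"""Inspect an MIT-format keytab: list principals, check that a desired
service principal is present (exactly, or only as a case variant), and
flag entries whose kvno is older than what the KDC now holds."""
import struct
import sys

KEYTAB_MAGIC = b"\x05\x02"      # keytab file format version 2
NT_PRINCIPAL = 1


def _cstr(b: bytes) -> bytes:
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, timestamp) tuples as a keytab.
    Only here so the parser can be exercised offline; real keytabs come from
    `net ads keytab create`, msktutil or kadmin."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for comp in comps:
            body += _cstr(comp.encode())
        # name type, timestamp, 8-bit kvno, then the key block
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # 32-bit kvno, overrides vno8 when non-zero
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict (principal, kvno, enctype, timestamp) per live entry.
    Key material is skipped and never returned."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size

        def take_cstr():
            nonlocal pos
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            value = data[pos:pos + length].decode()
            pos += length
            return value

        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = take_cstr()
        comps = [take_cstr() for _ in range(ncomp)]
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                   # skip the key bytes
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno extension
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "timestamp": timestamp})
    return entries


def check_principal(entries, desired):
    """'ok' if the desired name is in the keytab exactly, 'case-mismatch' if it
    is only present with different letter case, otherwise 'missing'."""
    if any(e["principal"] == desired for e in entries):
        return "ok"
    if any(e["principal"].lower() == desired.lower() for e in entries):
        return "case-mismatch"
    return "missing"


def stale_entries(entries, kdc_kvno):
    """Principals whose keytab kvno is older than the kvno the KDC reports
    (kdc_kvno maps principal -> current kvno). A password change on the
    account bumps the KDC kvno and leaves the keytab's key unusable."""
    return [e["principal"] for e in entries
            if e["principal"] in kdc_kvno and e["kvno"] < kdc_kvno[e["principal"]]]


# Constructed sample keytab: one HTTP/ and one host/ entry under a placeholder realm.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/server01.example.corp@EXAMPLE.CORP", 3, 18, b"\x11" * 32, 1653000000),
    ("host/server01.example.corp@EXAMPLE.CORP", 3, 17, b"\x22" * 16, 1653000000),
])

if __name__ == "__main__":
    # usage: keytab_check.py [/path/to/squid.keytab] [HTTP/fqdn@REALM]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    desired = sys.argv[2] if len(sys.argv) > 2 else "HTTP/server01.example.corp@EXAMPLE.CORP"
    entries = parse_keytab(data)
    for e in entries:
        print("%-45s kvno=%d enctype=%d" % (e["principal"], e["kvno"], e["enctype"]))
    print("desired principal:", check_principal(entries, desired))
```

Run against the real keytab Squid uses, the listing shows the exact spelling the helper will try to match against its "desired name" from the debug trace; a `case-mismatch` result is the situation Amos warns about, and a non-empty `stale_entries` result after comparing with `kvno` output is the password-change case Marek describes, which only a regenerated keytab fixes.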


[squid-users] The usage of extended SNMPD commands to monitor squid.

2022-05-24 Thread Eliezer Croitoru
Since the Squid-Cache project doesn't maintain the SNMP part of it, as far as
I know, I was thinking about:

Using extended SNMPD, i.e. in /etc/snmp/snmpd.conf


extend squid_x_stats /bin/bash /usr/local/bin/squid_x_stats.sh

while the binary itself will probably be a single command/script that will
have symlinks to itself with different names (the way busybox provides its
binaries).

With a set of these commands it would be possible to monitor squid via the
linux SNMPD and the backend would be a script.

To overcome a DOS from the SNMP side I can build a layer of caching in
files.
It would not be like the current squid SNMP tree of course, but as long as the
data is there it can be used in any system that supports it.

I have used nagios/cacti/others to create graphs based on this concept.


I am currently working on the PHP re-testing project and it seems that PHP
7.4 is not exploding its memory and crashing compared to older versions.

I still need a more stressed system to test the scripts.

I have created the next scripts for now:

*   Fake helper
*   Session helper based on Redis
*   Session helper based on FS in /var/spool/squid/session_helper_fs


Eliezer




Eliezer Croitoru

NgTech, Tech Support

Mobile: +972-5-28704261

Email:   ngtech1...@gmail.com


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
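As an added example (not Eliezer's script nor anything from the Squid project), one way to build the multi-call, file-cached `extend` backend sketched in this message: one POSIX shell script installed once and symlinked per metric, with each call served from a small cache file for a TTL so a burst of SNMP polls cannot turn into a burst of queries to squid. The `squid_x_*` link names, the `SQUID_X_CACHE_DIR` / `SQUID_X_CACHE_TTL` variables and the cache path are assumptions, and the collector returns constructed numbers in place of a real `squidclient mgr:info` lookup so the script runs offline.

```shell
#!/bin/sh
# Hypothetical multi-call stats backend for snmpd "extend". Install once, then
# symlink it per metric, e.g.
#   ln -s /usr/local/bin/squid_x_stats.sh /usr/local/bin/squid_x_clients
# and point snmpd at each link:
#   extend squid_x_clients /usr/local/bin/squid_x_clients
# Each invocation prints one value; results are cached in a file for
# SQUID_X_CACHE_TTL seconds so repeated SNMP polls do not hammer squid.

# Collector stand-in: in production this would run something like
# `squidclient mgr:info` and pick the counter out of the output. Here it
# returns constructed numbers so the script can be run and tested offline.
collect_metric() {
    case "$1" in
        clients)  echo 42 ;;
        requests) echo 1234 ;;
        *) echo "unknown metric: $1" >&2; return 1 ;;
    esac
}

# Serve the metric from cache while fresh, otherwise collect and refresh it.
cached_metric() {
    metric="$1"
    dir="${SQUID_X_CACHE_DIR:-/var/cache/squid_x_stats}"   # assumed location
    ttl="${SQUID_X_CACHE_TTL:-30}"
    cache="$dir/$metric"
    now=$(date +%s)
    mkdir -p "$dir" || return 1
    # the cache file holds one line: "<epoch-when-written> <value>"
    if [ -f "$cache" ] && read -r stamp value < "$cache" \
        && [ $((now - stamp)) -lt "$ttl" ]; then
        echo "$value"
        return 0
    fi
    value=$(collect_metric "$metric") || return 1
    # write to a temp file and rename, so a concurrent snmpd poll never reads
    # a half-written cache entry
    tmp="$cache.$$"
    printf '%s %s\n' "$now" "$value" > "$tmp" && mv -f "$tmp" "$cache"
    echo "$value"
}

# Multi-call dispatch: the name we were invoked under selects the metric.
name=$(basename "$0")
case "$name" in
    squid_x_stats.sh) echo "usage: symlink this script as squid_x_<metric> and run the link" >&2 ;;
    squid_x_*)        cached_metric "${name#squid_x_}" ;;
esac
```

The TTL bounds how often squid is queried regardless of how aggressively the SNMP side polls, and because an unknown link name fails rather than falling through to a default, a stray `extend` line cannot be used to run arbitrary lookups through the script.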