Package: squid
Version: 4.6-1
Severity: important

Dear Maintainer,

We maintain a pair of Squid proxies running on Debian, in a failover setup using ucarp. These proxies are configured to use the negotiate wrapper for proxy authentication, using Kerberos with a failover to NTLM.

We upgraded the secondary from Stretch to Buster and tested functionality - everything seemed to work, but unfortunately we did not stress test it enough as we only used a small group of IT staff to test functionality. After upgrading the primary, users started seeing authentication popups, and Internet access through the proxy slowed to a crawl. Initial investigation showed that there was a lack of file descriptors. After resolving that issue, the problem with the proxies remained.

Searching the cache log showed numerous “Too few negotiateauthenticator processes are running” events in the log. It appears that when the proxy is under load - between 80 and 100 requests per second at our site - the negotiate wrapper crashes, sometimes as rapidly as every 15 seconds.

Doing a quick Google, I found this:
https://github.com/diladele/websafety-issues/issues/1141

Which refers to this:
https://bugs.squid-cache.org/show_bug.cgi?id=4936

The second link refers to Squid bug 4936. Based on the dates of the Squid bug report, I guessed that 4936 is present in Buster's version of Squid. After a brief discussion on the squid users mailing list ( http://squid-web-proxy-cache.1019090.n4.nabble.com/Debian-Buster-Squid-4-6-1-amd64-quot-Too-few-negotiateauthenticator-processes-are-running-quot-td4687976.html ) it appears that it is.

Right now we are working around the issue with an http_access allow all directive that pre-empts our authentication. However, without authentication we also lose the ability to track individual user activity on the Internet. This is an important organizational goal.

Also based on the dates of the Squid bug fix and the information from the Debian package tracker, I believe that 4.6-2 in Sid would be affected as well.

Thank you!
James

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages squid depends on:
ii  adduser                   3.118
ii  libc6                     2.28-10
ii  libcap2                   1:2.25-2
ii  libcom-err2               1.44.5-1
ii  libdb5.3                  5.3.28+dfsg1-0.5
ii  libdbi-perl               1.642-1+b1
ii  libecap3                  1.0.1-3.2
ii  libexpat1                 2.2.6-2
ii  libgcc1                   1:8.3.0-6
ii  libgnutls30               3.6.7-4
ii  libgssapi-krb5-2          1.17-3
ii  libkrb5-3                 1.17-3
ii  libldap-2.4-2             2.4.47+dfsg-3
ii  libltdl7                  2.4.6-9
ii  libnetfilter-conntrack3   1.0.7-1
ii  libnettle6                3.4.1-1
ii  libpam0g                  1.3.1-5
ii  libsasl2-2                2.1.27+dfsg-1
ii  libstdc++6                8.3.0-6
ii  libxml2                   2.9.4+dfsg1-7+b3
ii  logrotate                 3.14.0-4
ii  lsb-base                  10.2019051400
ii  netbase                   5.6
ii  squid-common              4.6-1

Versions of packages squid recommends:
ii  ca-certificates  20190110
ii  libcap2-bin      1:2.25-2

Versions of packages squid suggests:
pn  resolvconf   <none>
ii  smbclient    2:4.9.5+dfsg-5
ii  squid-cgi    4.6-1
pn  squid-purge  <none>
ii  squidclient  4.6-1
pn  ufw          <none>
ii  winbind      2:4.9.5+dfsg-5

-- Configuration Files:
/etc/init.d/squid changed:
NAME=squid
DESC="Squid HTTP Proxy"
DAEMON=/usr/sbin/squid
PIDFILE=/var/run/$NAME.pid
CONFIG=/etc/squid/squid.conf
SQUID_ARGS="-YC -f $CONFIG"
[ ! -f /etc/default/squid ] || . /etc/default/squid
. /lib/lsb/init-functions
PATH=/bin:/usr/bin:/sbin:/usr/sbin
[ -x $DAEMON ] || exit 0
ulimit -n 65535
find_cache_dir () {
    w=" 	" # space tab
    res=`$DAEMON -k parse -f $CONFIG 2>&1 |
        grep "Processing:" |
        sed s/.*Processing:\ // |
        sed -ne '
            s/^['"$w"']*'$1'['"$w"']\+[^'"$w"']\+['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
            t end;
            d;
            :end q'`
    [ -n "$res" ] || res=$2
    echo "$res"
}
grepconf () {
    w=" 	" # space tab
    res=`$DAEMON -k parse -f $CONFIG 2>&1 |
        grep "Processing:" |
        sed s/.*Processing:\ // |
        sed -ne '
            s/^['"$w"']*'$1'['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
            t end;
            d;
            :end q'`
    [ -n "$res" ] || res=$2
    echo "$res"
}
create_run_dir () {
    run_dir=/var/run/squid
    usr=`grepconf cache_effective_user proxy`
    grp=`grepconf cache_effective_group proxy`
    if [ "$(dpkg-statoverride --list $run_dir)" = "" ] &&
       [ ! -e $run_dir ] ; then
        mkdir -p $run_dir
        chown $usr:$grp $run_dir
        [ -x /sbin/restorecon ] && restorecon $run_dir
    fi
}
start () {
    cache_dir=`find_cache_dir cache_dir`
    cache_type=`grepconf cache_dir`
    run_dir=/var/run/squid
    KRB5_KTNAME=/etc/squid/proxy-keytab
    export KRB5_KTNAME
    KRB5RCACHETYPE=none
    export KRB5RCACHETYPE
    kinit -k -t /etc/squid/proxy-keytab HTTP/proxy.cbj.local@CBJ.LOCAL
    #
    # Create run dir (needed for several workers on SMP)
    #
    create_run_dir
    #
    # Create spool dirs if they don't exist.
    #
    if test -d "$cache_dir" -a ! -d "$cache_dir/00"
    then
        log_warning_msg "Creating $DESC cache structure"
        $DAEMON -z -f $CONFIG
        [ -x /sbin/restorecon ] && restorecon -R $cache_dir
    fi
    umask 027
    ulimit -n 65535
    cd $run_dir
    start-stop-daemon --quiet --start \
        --pidfile $PIDFILE \
        --exec $DAEMON -- $SQUID_ARGS < /dev/null
    return $?
}
stop () {
    PID=`cat $PIDFILE 2>/dev/null`
    start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
    #
    # Now we have to wait until squid has _really_ stopped.
    #
    sleep 2
    if test -n "$PID" && kill -0 $PID 2>/dev/null
    then
        log_action_begin_msg " Waiting"
        cnt=0
        while kill -0 $PID 2>/dev/null
        do
            cnt=`expr $cnt + 1`
            if [ $cnt -gt 24 ]
            then
                log_action_end_msg 1
                return 1
            fi
            sleep 5
            log_action_cont_msg ""
        done
        log_action_end_msg 0
        return 0
    else
        return 0
    fi
}
cfg_pidfile=`grepconf pid_filename`
if test "${cfg_pidfile:-none}" != "none" -a "$cfg_pidfile" != "$PIDFILE"
then
    log_warning_msg "squid.conf pid_filename overrides init script"
    PIDFILE="$cfg_pidfile"
fi
case "$1" in
    start)
        res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL: .*"`
        if test -n "$res";
        then
            log_failure_msg "$res"
            exit 3
        else
            log_daemon_msg "Starting $DESC" "$NAME"
            if start ; then
                log_end_msg $?
            else
                log_end_msg $?
            fi
        fi
        ;;
    stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        if stop ; then
            log_end_msg $?
        else
            log_end_msg $?
        fi
        ;;
    reload|force-reload)
        res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL: .*"`
        if test -n "$res";
        then
            log_failure_msg "$res"
            exit 3
        else
            log_action_msg "Reloading $DESC configuration files"
            start-stop-daemon --stop --signal 1 \
                --pidfile $PIDFILE --quiet --exec $DAEMON
            log_action_end_msg 0
        fi
        ;;
    restart)
        res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL: .*"`
        if test -n "$res";
        then
            log_failure_msg "$res"
            exit 3
        else
            log_daemon_msg "Restarting $DESC" "$NAME"
            stop
            if start ; then
                log_end_msg $?
            else
                log_end_msg $?
            fi
        fi
        ;;
    status)
        status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit 3
        ;;
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|reload|force-reload|restart|status}"
        exit 3
        ;;
esac
exit 0

/etc/logrotate.d/squid changed:
/var/log/squid/*.log {
    daily
    compress
    delaycompress
    rotate 7
    missingok
    nocreate
    sharedscripts
    postrotate
        test ! -e /var/run/squid.pid || test ! -x /usr/sbin/squid || /usr/sbin/squid -k rotate
    endscript
}

/etc/squid/squid.conf [Errno 13] Permission denied: '/etc/squid/squid.conf'

-- no debconf information
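
The report above measures the problem by searching cache.log for "Too few negotiateauthenticator processes are running" and noting how closely the events are spaced. The following is an added example, not part of the original report or of Squid, that groups those events into bursts and reports the shortest gap; the log excerpt is constructed, and the "date time kidN| message" line layout and the 60-second grouping threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed cache.log excerpt (not taken from the report). The layout
# "YYYY/MM/DD HH:MM:SS kidN| message" is an assumption about the log format.
SAMPLE_LOG = """\
2019/07/15 09:00:01 kid1| Starting new negotiateauthenticator helpers...
2019/07/15 09:00:14 kid1| WARNING: negotiateauthenticator #Hlpr12 exited
2019/07/15 09:00:14 kid1| Too few negotiateauthenticator processes are running (need 1/50)
2019/07/15 09:00:29 kid1| Too few negotiateauthenticator processes are running (need 1/50)
2019/07/15 09:00:44 kid1| Too few negotiateauthenticator processes are running (need 1/50)
2019/07/15 09:12:03 kid1| Too few negotiateauthenticator processes are running (need 1/50)
2019/07/15 09:12:05 kid1| Too few basicauthenticator processes are running (need 1/5)
"""

EVENT = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?: kid\d+)?\| "
    r"Too few (\S+) processes are running")

def helper_shortages(log_text, helper="negotiateauthenticator"):
    """Return the timestamps of 'Too few <helper> processes' events."""
    stamps = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if m and m.group(2) == helper:
            stamps.append(datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"))
    return stamps

def _summary(run):
    gaps = [(b - a).total_seconds() for a, b in zip(run, run[1:])]
    return (run[0], run[-1], len(run), min(gaps) if gaps else None)

def crash_bursts(stamps, max_gap=60, min_events=3):
    """Group events spaced <= max_gap seconds apart and keep groups with at
    least min_events. Each burst is (start, end, count, shortest_gap_s)."""
    bursts, run = [], []
    for ts in stamps:
        if run and (ts - run[-1]).total_seconds() > max_gap:
            if len(run) >= min_events:
                bursts.append(_summary(run))
            run = []
        run.append(ts)
    if len(run) >= min_events:
        bursts.append(_summary(run))
    return bursts

if __name__ == "__main__":
    for start, end, n, gap in crash_bursts(helper_shortages(SAMPLE_LOG)):
        print(f"{start} .. {end}: {n} shortages, shortest gap {gap:.0f}s")
```

Run against the real log by passing the contents of /var/log/squid/cache.log to helper_shortages(); an isolated event is ignored, while repeated shortages inside the threshold are reported as one burst.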