Negotiate Authenticator and DNS


Negotiate Authenticator and DNS

erdosain9
Hi.
I'm trying to improve the DNS response because I'm having these times:

Negotiate Authenticator Statistics:
program: /lib64/squid/negotiate_kerberos_auth
number active: 32 of 32 (0 shutting down)
requests sent: 72241
replies received: 72241
queue length: 0
avg service time: 56 msec

   ID #     FD    PID # Requests  # Replies Flags   Time Offset Request
     16     30  22242      38896      38896      0.368      0 (none)
     17     32  22243      13404      13404      0.388      0 (none)
     18     38  22244       6962       6962      0.126      0 (none)
     19     61  22245       3895       3895      0.344      0 (none)
     20     65  22246       2636       2636      0.369      0 (none)
     21     74  22247       1879       1879      0.124      0 (none)
     22     76  22248       1177       1177      0.340      0 (none)
     23     78  22249        809        809      0.307      0 (none)
     24     79  22250        592        592      0.364      0 (none)
     25     81  22251        436        436      0.265      0 (none)
     26     94  22252        320        320      0.244      0 (none)
     27     96  22253        243        243      0.243      0 (none)
     28     98  22254        184        184      0.299      0 (none)
     29    109  22255        142        142      0.285      0 (none)
     30    111  22256        112        112      0.308      0 (none)
     31    113  22257         85         85      0.308      0 (none)
     45    473  22285         69         69      0.789      0 (none)
     46    475  22286         60         60      0.756      0 (none)
     47    480  22287         52         52      1.504      0 (none)
     48    495  22288         48         48      1.611      0 (none)
     49    499  22289         44         44      1.611      0 (none)
     50    580  22291         36         36      1.598      0 (none)
     51    596  22292         31         31      1.099      0 (none)
     52    593  22293         26         26      0.916      0 (none)
     53    547  22308         20         20      0.916      0 (none)
     54    550  22309         18         18      0.602      0 (none)
     55    551  22310         14         14      0.397      0 (none)
     56    553  22311         12         12      0.567      0 (none)
     57    552  22312         12         12      0.567      0 (none)
     58    397  22313         11         11      0.567      0 (none)
     59    407  22314         10         10      0.584      0 (none)
     67    436  22355          6          6      1.035      0 (none)

Sometimes it takes much more time; sometimes it goes up to avg service time: 560 msec...

Sorry for my ignorance...
Is this Negotiate Authenticator for users??? I mean, is this related to, for
example, going to google.com, or is it just the time that the user (client PC)
waits to be authenticated??

I think that it is related to going to a web site (now I have my doubts). So I made a
DNS with bind, put that DNS in the squid config, and left the DNS from the AD
in second place... but when I restart, this happens:

support_resolv.cc(289): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
ERROR: Error while resolving service record _ldap._tcp.DOMAIN.LAN with res_search
support_resolv.cc(71): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
ERROR: res_search: Unknown service record: _ldap._tcp.DOMAIN.LAN
support_resolv.cc(183): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
ERROR: Error while resolving hostname with getaddrinfo: Name or service
not known
support_sasl.cc(276): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact
LDAP server


So, this post is for two questions.
1- The thing about Negotiate Authenticator (what does that value represent?)
2- Can I improve it by making my own DNS (apart from the DNS from the domain)?
(I prefer to make another DNS rather than fix the DNS from the domain, because I don't
manage that).

Thanks to all, and sorry for the ignorance and my bad writing (I don't speak
English).



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Negotiate Authenticator and DNS

Eliezer Croitoru
Hey,

How about using a local bind/unbound DNS server that has a forwarding zone defined only for the local domains?
For me it's a bit hard to understand the root cause of the issue, but this is the best solution I can think of.
If you need some help with bind/unbound DNS configurations, just send me an email and I will try to help you with that.

All the best,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of erdosain9
Sent: Friday, September 22, 2017 17:37
To: [hidden email]
Subject: [squid-users] Negotiate Authenticator and DNS

Re: Negotiate Authenticator and DNS

Amos Jeffries
Administrator
On 26/09/17 17:59, Eliezer Croitoru wrote:
> Hey,
>
> How about using a local bind/unbound DNS server that has a forwarding zone defined only for the local domains?
> For me it's a bit hard to understand the root cause of the issue, but this is the best solution I can think of.
> If you need some help with bind/unbound DNS configurations, just send me an email and I will try to help you with that.


> -----Original Message-----
> From: erdosain9
>
> Hi.
> I'm trying to improve the DNS response because I'm having these times:
>
> Negotiate Authenticator Statistics:
> program: /lib64/squid/negotiate_kerberos_auth

Notice the name of the program above.

>
> Sometimes it takes much more time; sometimes it goes up to avg service time: 560 msec...
>

That's not good, DNS should be much faster. But not related to the errors
below.


> Sorry for my ignorance...
> Is this Negotiate Authenticator for users??? I mean, is this related to, for
> example, going to google.com, or is it just the time that the user (client PC)
> waits to be authenticated??

The report you quoted was for Negotiate authentication helpers. Only.
The times there relate to how long it takes to login.


>
> I think that it is related to going to a web site (now I have my doubts). So I made a
> DNS with bind, put that DNS in the squid config, and left the DNS from the AD
> in second place... but when I restart, this happens:
>
> support_resolv.cc(289): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:

Notice the name (above) of the program reporting these errors.


> ERROR: Error while resolving service record _ldap._tcp.DOMAIN.LAN with res_search
> support_resolv.cc(71): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
> ERROR: res_search: Unknown service record: _ldap._tcp.DOMAIN.LAN
> support_resolv.cc(183): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
> ERROR: Error while resolving hostname with getaddrinfo: Name or service
> not known
> support_sasl.cc(276): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
> ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
> support_ldap.cc(957): pid=24587 :2017/09/22 11:16:35| kerberos_ldap_group:
> ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact
> LDAP server
>
>
> So, this post is for two questions.
> 1- The thing about Negotiate Authenticator (what does that value represent?)
> 2- Can I improve it by making my own DNS (apart from the DNS from the domain)?
> (I prefer to make another DNS rather than fix the DNS from the domain, because I don't
> manage that).

These errors are missing records and servers not running (or not
existing?). Different DNS server would only help with lag.

>
> Thanks to all, and sorry for the ignorance and my bad writing (I don't speak
> English).
>

Amos
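As an added example (not from the thread and not Squid's own code): a small Python parser for the helper statistics report quoted above. It computes a request-weighted mean of the per-helper Time column and picks out helpers above a threshold or with replies lagging requests, which the single "avg service time" line does not show. The sample report is constructed from rows of the original post plus one assumed busy row ("B" flag, one reply outstanding), so the parser also handles the Flags column being blank when no flag is set.

```python
# Added example (not Squid code): parse a Squid helper statistics report
# like the one in the thread and summarise the per-helper Time column.
import re
from collections import namedtuple

# Constructed sample: rows from the report above plus an assumed busy helper
# ("B" flag, one reply outstanding) to exercise the blank-when-unset Flags column.
SAMPLE_REPORT = """\
program: /lib64/squid/negotiate_kerberos_auth
avg service time: 56 msec

   ID #     FD    PID # Requests  # Replies Flags   Time Offset Request
     16     30  22242      38896      38896      0.368      0 (none)
     48    495  22288         48         48      1.611      0 (none)
     67    436  22355          7          6 B     2.035      0 YR...
"""

# ID, FD, PID, requests, replies, optional Flags, Time (s), Offset, Request
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
                    r"([A-Z]*)\s*(\d+\.\d+)\s+(\d+)\s*(.*)$")

Helper = namedtuple("Helper", "hid fd pid requests replies flags time_s offset request")

def parse_report(text):
    """Return (header dict, list of Helper rows); Flags may be empty."""
    header, rows = {}, []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            g = m.groups()
            rows.append(Helper(*map(int, g[:5]), g[5], float(g[6]), int(g[7]), g[8]))
        elif ":" in line and not line.startswith(" "):
            # "key: value" summary lines before the table (program, counts, avg time)
            k, v = line.split(":", 1)
            header[k.strip()] = v.strip()
    return header, rows

def weighted_mean_time(rows):
    """Request-weighted mean of the Time column in seconds (0.0 if no rows)."""
    total = sum(r.requests for r in rows)
    return sum(r.requests * r.time_s for r in rows) / total if total else 0.0

def flag_helpers(rows, threshold_s):
    """IDs with Time above threshold_s, and IDs whose replies lag their requests."""
    return ([r.hid for r in rows if r.time_s > threshold_s],
            [r.hid for r in rows if r.requests != r.replies])
```

Run it against the full output of `squidclient mgr:negotiateauthenticator` (or the cachemgr page) to see which of the 32 children are the slow ones.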

Re: Negotiate Authenticator and DNS

erdosain9
In reply to this post by Eliezer Croitoru
Hi.
Thanks.
But there is some time to live to configure in squid, so the service is
not asking to authenticate every time??
Thanks!




Re: Negotiate Authenticator and DNS

Amos Jeffries
Administrator
On 27/09/17 01:57, erdosain9 wrote:
> Hi.
> Thanks.
> But there is some time to live to configure in squid, so the service is
> not asking to authenticate every time??

For Negotiate and NTLM the credentials are supposed to be unique per
connection, so each TCP connection requires separate lookup. But
followup pipelined requests on a connection should not need auth helper
lookups as they share the already authenticated credentials.

*group* lookups are different (and cached normally), but they are not
authentication.

Amos

Re: Negotiate Authenticator and DNS

erdosain9
But why so slow then???

"
For Negotiate and NTLM the credentials are supposed to be unique per
connection, so each TCP connection requires separate lookup. But
followup pipelined requests on a connection should not need auth helper
lookups as they share the already authenticated credentials.

*group* lookups are different (and cached normally), but they are not
authentication.

"

thanks




Re: Negotiate Authenticator and DNS

Amos Jeffries
Administrator
On 27/09/17 02:59, erdosain9 wrote:
> But why so slow then???
>

What is so slow *exactly*?

The report you posted only tells about the initial lookups. Not the
cached or pipelined results.


Amos

Re: Negotiate Authenticator and DNS

erdosain9
In reply to this post by Amos Jeffries
Sorry, this is part of my config:

###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/[hidden email]
auth_param negotiate children 45 startup=0 idle=1
auth_param negotiate keep_alive on


external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]
external_acl_type i-limitado %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]


#GROUPS
acl i-full external i-full
acl i-limitado external i-limitado



