Squid for Windows: negotiate_kerberos_auth helper seems to leak(?) handles

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Squid for Windows: negotiate_kerberos_auth helper seems to leak(?) handles

Klaus Westkamp
Hi,

i'm uncertain, wether this mailing list is the correct one to ask, but i
have the disputable honor to make a squid running on a Windows Server
(if possible). Whilst squid.exe seems to run fine, i constantly run into
an unresponsive system, when i enable Kerberos authentication via
auth_param and the negotiate_kerberos_auth.exe helper.

For a while authentication works fine, but all at the sudden the system
hangs at 100% CPU usage. My Observation is that one of the
negotiate_kerberos_auth.exe processes has a constantly increasing number
of handles (Files and events). If i understand the Sysinternals handle
tool correctly, most handles are event corrolated.

The setting:

Windows 2012 R2 AD Controllers with Windows 2008R2 Domain Level. A
Windows Server 2016 running Squid 3.5 for Windows. The squid server is a
VM running on HyperV with 8 Gigs of RAM and 4 vCPUs. The AD Controllers
are HP Systems with 24 Cores and 64 GByte of RAM.

Any Suggestions, besides changing to Linux, as inn that case the
customer will favor to look for another proxy,(Sigh) that i might follow.


Best Regards,

Klaus Westkamp

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid for Windows: negotiate_kerberos_auth helper seems to leak(?) handles

Amos Jeffries
Administrator
On 15/12/20 4:03 am, Klaus Westkamp wrote:

> Hi,
>
> i'm uncertain, wether this mailing list is the correct one to ask, but i
> have the disputable honor to make a squid running on a Windows Server
> (if possible). Whilst squid.exe seems to run fine, i constantly run into
> an unresponsive system, when i enable Kerberos authentication via
> auth_param and the negotiate_kerberos_auth.exe helper.
>
> For a while authentication works fine, but all at the sudden the system
> hangs at 100% CPU usage. My Observation is that one of the
> negotiate_kerberos_auth.exe processes has a constantly increasing number
> of handles (Files and events). If i understand the Sysinternals handle
> tool correctly, most handles are event corrolated.
>
> The setting:
>
> Windows 2012 R2 AD Controllers with Windows 2008R2 Domain Level. A
> Windows Server 2016 running Squid 3.5 for Windows.

Is Squid the package built by Diladele or a custom build?

Which exact version number is it? (output of "squid -v" please)


Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid for Windows: negotiate_kerberos_auth helper seems to leak(?) handles

Klaus Westkamp
Hi,

i digged a little further (but i'm no exert in WinDBG):

Attachimng to the process with the most handles (currently 323 shown by
Windows Process Manager, as newly started)

!handles gives me:

277 Handles (weired, shows less than process manager)
Type               Count
None               4
Event              199
Section            7
File               18
Directory          3
SymbolicLink       1
Mutant             9
Semaphore          5
Key                8
Token              2
Thread             5
IoCompletion       2
TpWorkerFactory    2
ALPC Port          5
WaitCompletionPacket    7

Asking for Handle Details:

0:003> !handle 5e8 f
Handle 5e8
   Type             Event
   Attributes       0
   GrantedAccess    0x1f0003:
          Delete,ReadControl,WriteDac,WriteOwner,Synch
          QueryState,ModifyState
   HandleCount      2
   PointerCount     32769
   Name             <none>
   Object Specific Information
     Event Type Auto Reset
     Event is Waiting

0:003> !handle 5e0 f
Handle 5e0
   Type             Event
   Attributes       0
   GrantedAccess    0x1f0003:
          Delete,ReadControl,WriteDac,WriteOwner,Synch
          QueryState,ModifyState
   HandleCount      2
   PointerCount     32769
   Name             <none>
   Object Specific Information
     Event Type Auto Reset
     Event is Waiting

0:003> !handle 374 f
Handle 374
   Type             Event
   Attributes       0
   GrantedAccess    0x1f0003:
          Delete,ReadControl,WriteDac,WriteOwner,Synch
          QueryState,ModifyState
   HandleCount      2
   PointerCount     32769
   Name             <none>
   Object Specific Information
     Event Type Auto Reset
     Event is Waiting

These events seem to increase, but only one process gets to the limit of
3x00 handles and then the other processes seem to hang ...


On 15/12/2020 12:18, Klaus Westkamp wrote:

> Hi,
>
>
> yes this is Dildale's last available package. Output of squid -v is as
> follows:
>
> squid -v
>
> Squid Cache: Version 3.5.28
> Service Name: squid
>
> This binary uses OpenSSL 1.0.2j  26 Sep 2016. For legal restrictions
> on distribution see https://www.openssl.org/source/license.html
>
> configure options:  '--bindir=/bin/squid' '--sbindir=/usr/sbin/squid'
> '--sysconfdir=/etc/squid' '--datadir=/usr/share/squid'
> '--libexecdir=/usr/lib/squid'
> '--disable-strict-error-checking' '--with-logdir=/var/log/squid'
> '--with-swapdir=/var/cache/squid' '--with-pidfile=/var/run/squid.pid'
> '--enable-ssl'
> '--enable-delay-pools' '--enable-ssl-crtd' '--enable-icap-client'
> '--disable-eui' '--localstatedir=/var/run/squid'
> '--sharedstatedir=/var/run/squid'
> '--datarootdir=/usr/share/squid'
> '--enable-disk-io=AIO,Blocking,DiskThreads,IpcIo,Mmapped'
> '--enable-auth-basic=DB,LDAP,NCSA,POP3,RADIUS,SASL,SMB,fake,getpwnam'
> '--enable-auth-ntlm=fake' '--enable-auth-negotiate=kerberos,wrapper'
> '--enable-external-acl-helpers=LDAP_group,SQL_session,eDirectory_userip,file_userip,kerberos_ldap_group,session,time_quota,unix_group,wbinfo_group'
>
> '--with-openssl' '--with-filedescriptors=65536'
> '--enable-removal-policies=lru,heap'
>
> The helper negotiate_kerberos_auth.exe doesn't produce a Version output.
>
>
> Best regards,
>
> Klaus Westkamp
>
>
> On 15/12/2020 09:10, Amos Jeffries wrote:
>> On 15/12/20 4:03 am, Klaus Westkamp wrote:
>>> Hi,
>>>
>>> i'm uncertain, wether this mailing list is the correct one to ask,
>>> but i have the disputable honor to make a squid running on a Windows
>>> Server (if possible). Whilst squid.exe seems to run fine, i
>>> constantly run into an unresponsive system, when i enable Kerberos
>>> authentication via auth_param and the negotiate_kerberos_auth.exe
>>> helper.
>>>
>>> For a while authentication works fine, but all at the sudden the
>>> system hangs at 100% CPU usage. My Observation is that one of the
>>> negotiate_kerberos_auth.exe processes has a constantly increasing
>>> number of handles (Files and events). If i understand the
>>> Sysinternals handle tool correctly, most handles are event corrolated.
>>>
>>> The setting:
>>>
>>> Windows 2012 R2 AD Controllers with Windows 2008R2 Domain Level. A
>>> Windows Server 2016 running Squid 3.5 for Windows.
>>
>> Is Squid the package built by Diladele or a custom build?
>>
>> Which exact version number is it? (output of "squid -v" please)
>>
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> [hidden email]
>> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid for Windows: negotiate_kerberos_auth helper seems to leak(?) handles

Markus Moeller
Hi Klaus,

   The negotiate_kerberos_auth helper is not intended to run on Windows.
How did you compile it ?

Markus



"Klaus Westkamp"  wrote in message
news:[hidden email]...

Hi,

i digged a little further (but i'm no exert in WinDBG):

Attachimng to the process with the most handles (currently 323 shown by
Windows Process Manager, as newly started)

!handles gives me:

277 Handles (weired, shows less than process manager)
Type               Count
None               4
Event              199
Section            7
File               18
Directory          3
SymbolicLink       1
Mutant             9
Semaphore          5
Key                8
Token              2
Thread             5
IoCompletion       2
TpWorkerFactory    2
ALPC Port          5
WaitCompletionPacket    7

Asking for Handle Details:

0:003> !handle 5e8 f
Handle 5e8
   Type             Event
   Attributes       0
   GrantedAccess    0x1f0003:
          Delete,ReadControl,WriteDac,WriteOwner,Synch
          QueryState,ModifyState
   HandleCount      2
   PointerCount     32769
   Name             <none>
   Object Specific Information
     Event Type Auto Reset
     Event is Waiting

0:003> !handle 5e0 f
Handle 5e0
   Type             Event
   Attributes       0
   GrantedAccess    0x1f0003:
          Delete,ReadControl,WriteDac,WriteOwner,Synch
          QueryState,ModifyState
   HandleCount      2
   PointerCount     32769
   Name             <none>
   Object Specific Information
     Event Type Auto Reset
     Event is Waiting

0:003> !handle 374 f
Handle 374
   Type             Event
   Attributes       0
   GrantedAccess    0x1f0003:
          Delete,ReadControl,WriteDac,WriteOwner,Synch
          QueryState,ModifyState
   HandleCount      2
   PointerCount     32769
   Name             <none>
   Object Specific Information
     Event Type Auto Reset
     Event is Waiting

These events seem to increase, but only one process gets to the limit of
3x00 handles and then the other processes seem to hang ...


On 15/12/2020 12:18, Klaus Westkamp wrote:

> Hi,
>
>
> yes this is Dildale's last available package. Output of squid -v is as
> follows:
>
> squid -v
>
> Squid Cache: Version 3.5.28
> Service Name: squid
>
> This binary uses OpenSSL 1.0.2j  26 Sep 2016. For legal restrictions on
> distribution see https://www.openssl.org/source/license.html
>
> configure options:  '--bindir=/bin/squid' '--sbindir=/usr/sbin/squid'
> '--sysconfdir=/etc/squid' '--datadir=/usr/share/squid'
> '--libexecdir=/usr/lib/squid'
> '--disable-strict-error-checking' '--with-logdir=/var/log/squid'
> '--with-swapdir=/var/cache/squid' '--with-pidfile=/var/run/squid.pid'
> '--enable-ssl'
> '--enable-delay-pools' '--enable-ssl-crtd' '--enable-icap-client'
> '--disable-eui' '--localstatedir=/var/run/squid'
> '--sharedstatedir=/var/run/squid'
> '--datarootdir=/usr/share/squid'
> '--enable-disk-io=AIO,Blocking,DiskThreads,IpcIo,Mmapped'
> '--enable-auth-basic=DB,LDAP,NCSA,POP3,RADIUS,SASL,SMB,fake,getpwnam'
> '--enable-auth-ntlm=fake' '--enable-auth-negotiate=kerberos,wrapper'
> '--enable-external-acl-helpers=LDAP_group,SQL_session,eDirectory_userip,file_userip,kerberos_ldap_group,session,time_quota,unix_group,wbinfo_group'
> '--with-openssl' '--with-filedescriptors=65536'
> '--enable-removal-policies=lru,heap'
>
> The helper negotiate_kerberos_auth.exe doesn't produce a Version output.
>
>
> Best regards,
>
> Klaus Westkamp
>
>
> On 15/12/2020 09:10, Amos Jeffries wrote:
>> On 15/12/20 4:03 am, Klaus Westkamp wrote:
>>> Hi,
>>>
>>> i'm uncertain, wether this mailing list is the correct one to ask, but i
>>> have the disputable honor to make a squid running on a Windows Server
>>> (if possible). Whilst squid.exe seems to run fine, i constantly run into
>>> an unresponsive system, when i enable Kerberos authentication via
>>> auth_param and the negotiate_kerberos_auth.exe helper.
>>>
>>> For a while authentication works fine, but all at the sudden the system
>>> hangs at 100% CPU usage. My Observation is that one of the
>>> negotiate_kerberos_auth.exe processes has a constantly increasing number
>>> of handles (Files and events). If i understand the Sysinternals handle
>>> tool correctly, most handles are event corrolated.
>>>
>>> The setting:
>>>
>>> Windows 2012 R2 AD Controllers with Windows 2008R2 Domain Level. A
>>> Windows Server 2016 running Squid 3.5 for Windows.
>>
>> Is Squid the package built by Diladele or a custom build?
>>
>> Which exact version number is it? (output of "squid -v" please)
>>
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> [hidden email]
>> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users 


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users