OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: nan on February 02, 2018, 07:21:20 am

Title: Problem with User and Group ACL, SQUID crashes - need HELP!!!
Post by: nan on February 02, 2018, 07:21:20 am
Hello!
Sorry for my English.
Main task:
1. To restrict domain users' access by login groups.
2. Transparent user authentication through LDAP (so that users would not need to enter their login and password every time).
If I implement these tasks with RADIUS authorization of users, it works, but every entry requires authorization, which users complain about, and this is very inconvenient. In the manuals I did not find the OpnSense setting to authorize AD users via RADIUS.

The ability to limit user access to the Internet through user groups. I tried to set up User and Group ACL – it installs, but when you add any domain group SQUID falls over and does not come back up. There are errors in the logs; I checked the files, and one in the path is missing:
/usr/local/libexec/squid/ext_kerberos_ldap_group_acl - it is simply not there at all.
I understand that it will not be written by hand; it must be generated by the machine, so probably the helper for Kerberos is not working.

The part of the log after restarting SQUID:

2018/02/02 09:03:26|   pinger: ICMPv6 socket opened
2018/02/02 09:03:26|   pinger: ICMP socket opened.
2018/02/02 09:03:26|   pinger: Initialising ICMP pinger ...
2018/02/02 09:03:26   kid1| Closing Pinger socket on FD 33
Page faults   with physical i/o: 0
Maximum Resident   Size: 350096 KB
CPU Usage:   0.091 seconds = 0.058 user + 0.033 sys
Squid Cache   (Version 3.5.27): Terminated abnormally.
FATAL: The   ext_group_ldap_0 helpers are crashing too rapidly, need help!
2018/02/02 09:03:26   kid1| Took 0.00 seconds (10503521.13 entries/sec).
2018/02/02 09:03:26   kid1| Finished. Wrote 2983 entries.
2018/02/02 09:03:26   kid1| storeDirWriteCleanLogs: Starting...
2018/02/02 09:03:26   kid1| Stop sending ICP from [::]:3130
2018/02/02 09:03:26   kid1| Stop receiving ICP on [::]:3130
2018/02/02 09:03:26   kid1| Closing FTP port 192.168.30.50:2121
2018/02/02 09:03:26   kid1| Closing HTTP port 192.168.30.50:3128
2018/02/02 09:03:26   kid1| Closing HTTP port [::1]:3128
2018/02/02 09:03:26   kid1| Closing HTTP port 127.0.0.1:3128
2018/02/02 09:03:26   kid1| Too few ext_group_ldap_0 processes are running (need 1/5)
2018/02/02 09:03:26   kid1| WARNING: ext_group_ldap_0 #Hlpr1 exited
2018/02/02 09:03:26   kid1| store_swap_size = 92060.00 KB
2018/02/02 09:03:26   kid1| Validated 2983 Entries
2018/02/02 09:03:26   kid1| Completed Validation Procedure
2018/02/02 09:03:26   kid1| Beginning Validation Procedure
2018/02/02 09:03:26   kid1| Took 0.01 seconds (229939.10 objects/sec).
2018/02/02 09:03:26   kid1| 0 Swapfile clashes avoided.
2018/02/02 09:03:26   kid1| 0 Duplicate URLs purged.
2018/02/02 09:03:26   kid1| 0 Objects cancelled.
2018/02/02 09:03:26   kid1| 0 Objects expired.
2018/02/02 09:03:26   kid1| 2983 Objects loaded.
2018/02/02 09:03:26   kid1| 0 With invalid flags.
2018/02/02 09:03:26   kid1| 0 Invalid entries.
2018/02/02 09:03:26   kid1| 2983 Entries scanned
2018/02/02 09:03:26   kid1| Finished rebuilding storage from disk.
2018/02/02 09:03:26   kid1| Done reading /var/squid/cache swaplog (2983 entries)
2018/02/02 09:03:26   kid1| Sending ICP messages from [::]:3130
2018/02/02 09:03:26   kid1| Accepting ICP messages on [::]:3130
2018/02/02 09:03:26   kid1| Accepting reverse-proxy FTP Socket connections at local=192.168.30.50:2121 remote=[::] FD 30 flags=9
2018/02/02 09:03:26   kid1| Accepting HTTP Socket connections at local=192.168.30.50:3128 remote=[::] FD 29 flags=9
2018/02/02 09:03:26   kid1| Accepting NAT intercepted HTTP Socket connections at local=[::1]:3128 remote=[::] FD 28 flags=41
2018/02/02 09:03:26   kid1| Accepting NAT intercepted HTTP Socket connections at local=127.0.0.1:3128 remote=[::] FD 27 flags=41
2018/02/02 09:03:26   kid1| Adaptation support is off.
2018/02/02 09:03:26   kid1| Squid plugin modules loaded: 0
2018/02/02 09:03:26   kid1| Pinger socket opened on FD 33
2018/02/02 09:03:26   kid1| HTCP Disabled.
2018/02/02 09:03:26   kid1| Finished loading MIME types and icons.
2018/02/02 09:03:26   kid1| Set Current Directory to /var/squid/cache
2018/02/02 09:03:26   kid1| Using Least Load store dir selection
2018/02/02 09:03:26   kid1| Rebuilding storage in /var/squid/cache (clean log)
2018/02/02 09:03:26   kid1| Max Swap size: 102400 KB
2018/02/02 09:03:26   kid1| Max Mem size: 262144 KB
2018/02/02 09:03:26   kid1| Using 8192 Store buckets
2018/02/02 09:03:26   kid1| Target number of buckets: 1402
2018/02/02 09:03:26   kid1| Swap maxSize 102400 + 262144 KB, estimated 28041 objects
2018/02/02 09:03:26   kid1| Logfile: opening log stdio:/var/log/squid/store.log
2018/02/02 09:03:26   kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2018/02/02 09:03:26   kid1| Unlinkd pipe opened on FD 23
2018/02/02 09:03:26   kid1| ipcCreate: /usr/local/libexec/squid/ext_kerberos_ldap_group_acl: (2) No such file or directory
2018/02/02 09:03:26   kid1| ipcCreate: /usr/local/libexec/squid/ext_kerberos_ldap_group_acl: (2) No such file or directory
2018/02/02 09:03:26   kid1| ipcCreate: /usr/local/libexec/squid/ext_kerberos_ldap_group_acl: (2) No such file or directory
2018/02/02 09:03:26   kid1| ipcCreate: /usr/local/libexec/squid/ext_kerberos_ldap_group_acl: (2) No such file or directory
2018/02/02 09:03:26   kid1| ipcCreate: /usr/local/libexec/squid/ext_kerberos_ldap_group_acl: (2) No such file or directory
2018/02/02 09:03:26   kid1| Logfile: opening log stdio:/var/log/squid/access.log
2018/02/02 09:03:26   kid1| helperOpenServers: Starting 5/5 'ext_kerberos_ldap_group_acl' processes
2018/02/02 09:03:26   kid1| helperOpenServers: No 'auth-user.php' processes needed.
2018/02/02 09:03:26   kid1| helperOpenServers: Starting 0/5 'auth-user.php' processes
2018/02/02 09:03:26   kid1| Adding nameserver 192.168.30.4 from /etc/resolv.conf
2018/02/02 09:03:26   kid1| Adding domain ght.su from /etc/resolv.conf
2018/02/02 09:03:26   kid1| DNS Socket created at 0.0.0.0, FD 8
2018/02/02 09:03:26   kid1| DNS Socket created at [::], FD 6
2018/02/02 09:03:26   kid1| Initializing IP Cache...
2018/02/02 09:03:26   kid1| With 467892 file descriptors available
2018/02/02 09:03:26   kid1| Process Roles: worker
2018/02/02 09:03:26   kid1| Process ID 20864
2018/02/02 09:03:26   kid1| Service Name: squid
2018/02/02 09:03:26   kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.1...
2018/02/02 09:03:26   kid1| Set Current Directory to /var/squid/cache
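
A pre-flight check for the failure shown in this log, added here as an example and not code from the thread or from OPNsense: it reads the helper program paths out of a squid.conf (external_acl_type and auth_param lines), reports any that are missing or not executable before Squid is restarted, and counts the ipcCreate "No such file or directory" lines already present in cache.log. The squid.conf and cache.log paths are passed as arguments; no OPNsense-specific path is assumed.

```shell
#!/bin/sh
# Added example: catch a missing Squid helper (e.g. ext_kerberos_ldap_group_acl)
# before a restart loops on "helpers are crashing too rapidly".

# Print the helper program path from each helper-declaring line in squid.conf.
#   external_acl_type <name> [options/format] <program> [args] -> first field that starts with /
#   auth_param <scheme> program <program> [args]               -> field after "program"
list_helpers() {
    awk '
        /^[[:space:]]*external_acl_type[[:space:]]/ {
            for (i = 3; i <= NF; i++) if ($i ~ /^\//) { print $i; break }
        }
        /^[[:space:]]*auth_param[[:space:]]/ && $3 == "program" { print $4 }
    ' "$1"
}

# Return 0 when every helper exists and is executable, 1 otherwise; print each problem.
check_helpers() {
    rc=0
    for h in $(list_helpers "$1"); do
        if [ ! -e "$h" ]; then
            echo "MISSING: $h (Squid would log: ipcCreate: $h: (2) No such file or directory)"
            rc=1
        elif [ ! -x "$h" ]; then
            echo "NOT EXECUTABLE: $h"
            rc=1
        fi
    done
    return $rc
}

# Count helper start failures already recorded in a cache.log (0 if the log is unreadable).
count_ipccreate_errors() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'ipcCreate: .*No such file or directory' "$1" || true
}

# Stand-alone usage: sh check_helpers.sh /path/to/squid.conf [/path/to/cache.log]
if [ $# -gt 0 ]; then
    check_helpers "$1"
    [ $# -gt 1 ] && echo "ipcCreate failures in $2: $(count_ipccreate_errors "$2")"
fi
```

Run it from the script that reloads Squid and abort the reload when it exits non-zero; the MISSING line names the exact path Squid would complain about.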

Title: Re: Problem with User and Group ACL, SQUID crashes - need HELP!!!
Post by: bartjsmit on February 02, 2018, 08:26:31 am
This is the difference between synchronised credentials and single sign-on.

You need a proxy to be joined to AD for it to accept the Kerberos tickets that your users get when they log in to the domain.

OPNsense may not be able to be that proxy, but you can run a different type of proxy on a DMZ. Kerberos support is common in many commercial offerings.

Bart...
Title: Re: Problem with User and Group ACL, SQUID crashes - need HELP!!!
Post by: franco on February 02, 2018, 08:32:58 am
Hi,

You haven't stated that you use the os-web-proxy-useracl plugin but I'm assuming that's the case.

In that case please open a bug report here:

https://github.com/opnsense/plugins/issues


Cheers,
Franco