Bug#932212: closed by Amos Jeffries (squid: negotiate wrapper crashes under load)

[James Zuelow]

Thanks Amos.

The 4.8-1 .debs for unstable do install on Buster (Buster is so new I don't 
think there are significant differences yet) but it just fails faster, with a 
new error message.  It looks like unstable Squid doesn't like Buster Winbind.  
I don't quite understand that permission denied error.

And since 4.8 will likely not ever be migrated to Buster, I think I'm looking 
for alternatives anyway.  (I'm loathe to keep my production proxies on 
unstable!)


2019/07/22 08:22:06 kid1| Starting new helpers
2019/07/22 08:22:06 kid1| helperOpenServers: Starting 1/150 
'negotiate_wrapper_auth' processes
2019/07/22 08:22:06| negotiate_wrapper: Starting version 1.0.1
2019/07/22 08:22:06| negotiate_wrapper: NTLM command: /usr/bin/ntlm_auth 
--helper-protocol=squid-2.5-ntlmssp --domain=CBJ.LOCAL
2019/07/22 08:22:06| negotiate_wrapper: Kerberos command: 
/usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.cbj.local@CBJ.LOCAL
2019/07/22 08:22:06| negotiate_wrapper: Failed execv for /usr/bin/ntlm_auth: 
Permission denied
2019/07/22 08:22:06| negotiate_wrapper: Could not assign streams for 
FDKIN/FDKOUT/FDNIN/FDNOUT
*** stack smashing detected ***: <unknown> terminated
2019/07/22 08:22:06| negotiate_kerberos_auth: ERROR: krb5_kt_start_seq_get: 
Resource temporarily unavailable
2019/07/22 08:22:06| negotiate_kerberos_auth: ERROR: krb5_read_keytab: Resource 
temporarily unavailable
2019/07/22 08:22:06 kid1| WARNING: negotiateauthenticator #Hlpr170 exited
2019/07/22 08:22:06 kid1| Too few negotiateauthenticator processes are running 
(need 1/150)
2019/07/22 08:22:06 kid1| Starting new helpers
2019/07/22 08:22:06 kid1| helperOpenServers: Starting 1/150 
'negotiate_wrapper_auth' processes
2019/07/22 08:22:06 kid1| ipcCreate: /usr/bin/ntlm_auth: (13) Permission denied
2019/07/22 08:22:06| negotiate_wrapper: Starting version 1.0.1
2019/07/22 08:22:06| negotiate_wrapper: NTLM command: /usr/bin/ntlm_auth 
--helper-protocol=squid-2.5-ntlmssp --domain=CBJ.LOCAL
2019/07/22 08:22:06| negotiate_wrapper: Kerberos command: 
/usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.cbj.local@CBJ.LOCAL
2019/07/22 08:22:06| negotiate_wrapper: Failed execv for /usr/bin/ntlm_auth: 
Permission denied
2019/07/22 08:22:06| negotiate_wrapper: Could not assign streams for 
FDKIN/FDKOUT/FDNIN/FDNOUT
*** stack smashing detected ***: <unknown> terminated
2019/07/22 08:22:06 kid1| WARNING: negotiateauthenticator #Hlpr171 exited
2019/07/22 08:22:06 kid1| Too few negotiateauthenticator processes are running 
(need 1/150)
2019/07/22 08:22:06 kid1| Starting new helpers

But the ntlm_auth seems to not have actual file system permission errors.  I 
can run it as an unprivileged user:

jfzuelow@mis-squid2-lnx:~$ ntlm_auth --username=james_zuelow --domain=cbj.local
Password:
NT_STATUS_OK: The operation completed successfully. (0x0)

James