Folks,
I am running 4 proxy servers with squid 3.1.19 (yes, I know it is old,
will update soon) with kerberos authentication behind a F5 load balancer
for a user community of about 2000 people using Windows/I.E.. Normally,
this all works fine, people can surf the web and authentication happens
in background as it should.
The issue we are seeing is around once per month at random one of the
kerberos authenticators seems to start spamming the life out of the
windows AD servers. The event we ID we are seeing on the windows
servers is 0xc000006a which translates to, basically, bad password. We
seem to get this when a user (not always the same one) changes their
password. Clearly, it does not happen every time, we have a password
expiry policy in AD so every is forced to change their password
regularly so we would be seeing the problem a lot more frequently if it
happened every time a user changed their password. It seems to me that
there is some sort of race condition going on where, perhaps, the
authenticators are doing something while the password is being changed,
the authenticators keep using the old details. When this happens the
authenticator seems to spin making requests at a very rapid rate, my
windows admins tell me there are milliseconds between requests and it
fills their logs, also the users account gets locked out due to too many
bad passwords.
There is nothing in the logs indicating anything is wrong. Is this
fixed in a later version? If not, any ideeas on how to troubleshoot?
-- Brett Lymn "Warning: The information contained in this email and any attached files is confidential to BAE Systems Australia. If you are not the intended recipient, any use, disclosure or copying of this email or any attachments is expressly prohibited. If you have received this email in error, please notify us immediately. VIRUS: Every care has been taken to ensure this email and its attachments are virus free, however, any loss or damage incurred in using this email is not the sender's responsibility. It is your responsibility to ensure virus checks are completed before installing any data sent in this email to your computer."Received on Thu Feb 21 2013 - 06:20:22 MST
This archive was generated by hypermail 2.2.0 : Fri Feb 22 2013 - 12:00:04 MST