[squid-users] Squid restarting continuously the authenticator processes

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 29 11:01:41 UTC 2014


On 29/10/2014 11:09 p.m., Claudio ML wrote:
> Hello all,
> 
> I have a strange problem with a SQUID proxy with the NTLM

The word is "Squid", it is a name not an acronym.

> authentication. It randomly restarts the authenticator processes 
> (restart maybe not the right term), as follows:
> 

Randomly? no, when an authenticator dies/aborts Squid starts a
replacement one.

Question is why they are dying.

Perhaps you could start by indicating what version of Squid you are
using?


<snip>
> 2014-10-29T10:45:02.649164+01:00 yel1swa208 squid[29306]: Starting new ntlmauthenticator helpers...
> 2014-10-29T10:45:02.650165+01:00 yel1swa208 squid[29306]: helperOpenServers: Starting 1/800 'ntlm_auth' processes
> 
> Not sure if it is a result of this, but after 10-20 mins the
> authentication process with ntlm slows down terribly (tested with
> wbinfo -t), and the users have some serious problems with the
> navigation.
> 
> Follows the relevant part of squid.conf:
> 
> # Ntlm Auth
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debuglevel=0
> auth_param ntlm children 800
> #auth param ntlm keep_alive off

That is the Samba helper, so any bugs inside it are Samba problems.

Squid for NTLM is just a "dumb relay" passing the HTTP request header
tokens to the helper(s) and relaying their responses back to the
client in HTTP reply headers.

There might still be bugs in the relaying logic though. But to me it
sounds like the helpers having issues.


> authenticate_ttl 3 hour
> authenticate_ip_ttl 3 hour
> 
> # Base Auth
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 200
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> 
> And the relevant part of smb.conf:
> 
> allow trusted domains = Yes
> winbind nested groups = Yes
> wins server = x.x.x.x
> winbind uid = 40000-90000000000000
> winbind gid = 4000-100000000000000
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 1000
> winbind max clients = 600


There is a big hint.

 max clients 600 vs. 800 configured Squid helpers ...

Amos
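
The hint in the reply, as an added example that is not part of the original message and not Squid or Samba code: a check that compares how many ntlm_auth helpers Squid may start with the winbind max clients limit. The function names and the sample config strings are constructed for illustration; counting the basic-scheme helpers as well is an assumption, made because they run the same ntlm_auth program.

```python
# Constructed sample input carrying the values quoted in the thread.
SQUID_CONF = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debuglevel=0
auth_param ntlm children 800
#auth_param ntlm keep_alive off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 200
"""
SMB_CONF = """\
winbind cache time = 1000
winbind max clients = 600
"""

def winbind_helpers(squid_conf, helper="ntlm_auth"):
    """Return {scheme: max children} for auth schemes whose program is `helper`."""
    program, children = {}, {}
    for line in squid_conf.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 4 or fields[0] != "auth_param":
            continue
        scheme, key = fields[1], fields[2]
        if key == "program":
            program[scheme] = fields[3]
        elif key == "children":
            # Newer Squid also accepts "children N startup=.. idle=.."; N is the maximum.
            children[scheme] = int(fields[3])
    return {s: n for s, n in children.items()
            if program.get(s, "").rsplit("/", 1)[-1] == helper}

def winbind_max_clients(smb_conf, default=200):
    """Return 'winbind max clients'; smb.conf(5) documents 200 as the default."""
    for line in smb_conf.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Samba ignores case and whitespace in parameter names.
        if "".join(name.lower().split()) == "winbindmaxclients":
            return int(value.strip())
    return default

def check(squid_conf, smb_conf):
    """Compare the helper ceiling with the winbindd client limit."""
    helpers = winbind_helpers(squid_conf)
    total, limit = sum(helpers.values()), winbind_max_clients(smb_conf)
    return {"helpers": helpers, "total": total, "limit": limit, "over": total > limit}

if __name__ == "__main__":
    print(check(SQUID_CONF, SMB_CONF))
```

winbindd also serves other local clients (wbinfo, NSS lookups), so a helper total equal to the limit still leaves no headroom.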
