[squid-users] Squid + kerberos, all childrens are busy

Дмитрий Рукавцов 2005now at mail.ru
Thu Jul 9 09:54:08 UTC 2015


Hello, I have a problem here :) System: FreeBSD 10.1, Squid 3.5.5 + Kerberos (MIT), 50 users total.

Without any auth my Squid works fine and the system is not loaded. When I enable Kerberos auth, internet access slowly goes down and crashes after a while; in the logs I see:

2015/07/09 11:47:14 kid1| WARNING: All 60/60 negotiateauthenticator processes are busy. 
2015/07/09 11:47:14 kid1| WARNING: 72 pending requests queued

If I put 100 children in the config, it doesn't help either.

TTLs are fine:

        auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -r -s HTTP/comp.domain.com@DOMAIN.COM
        auth_param negotiate children 60 startup=15 idle=1
        auth_param negotiate keep_alive on
        auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -R -D user@domain.com -w "pass" -b "DC=domain,DC=com" -f "sAMAccountName=%s" -h domain.com
        auth_param basic credentialsttl 8 hours
        auth_param basic children 10

        authenticate_ttl 8 hour

        external_acl_type nt_group ttl=1200 %LOGIN /usr/local/libexec/squid/ext_ldap_group_acl -R -b "DC=domain,DC=com" -f "(&(sAMAccountName=%v)(memberOf=CN=%a,OU=squid,DC=domain,DC=com))" -D user@domain.com -w "pass" -h domain.com

KRB5.CONF

[libdefaults]
        default_realm = DOMAIN.COM
        dns_lookup_realm = no
        dns_lookup_kdc = no
        ticket_lifetime = 24h
        default_keytab_name = /usr/local/etc/squid/comp.domain.com.keytab
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
        DOMAIN.COM = {
            kdc = kd1.domain.com
            kdc = kd2.domain.com
            admin_server = kd1.domain.com
            default_domain = domain.com
        }

[domain_realm]
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM


The server shuts down in about 7 minutes. I can't even restart Squid (the system endlessly tries to kill the Squid PID), and even kill -9 doesn't work (but the system load is very low).

Can you please help me find out what is wrong? Is there any way to monitor what happens with the negotiate_kerberos_auth processes?
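As an added example (not part of the original post or of Squid itself), one way to monitor helper-pool saturation from the two WARNING lines quoted above is to parse cache.log and track, per helper type, how often all children were busy and how deep the pending queue got. The log excerpt is constructed: only the two lines from the post are real, and the helper names, field layout and the "2 * children" default queue limit are taken from Squid's own log format and documentation.

```python
import re
from collections import defaultdict

# Constructed cache.log excerpt: the two negotiateauthenticator lines at 11:47:14
# are from the post; all other lines and timestamps are made up for this example.
SAMPLE_LOG = """\
2015/07/09 11:46:50 kid1| WARNING: All 60/60 negotiateauthenticator processes are busy.
2015/07/09 11:46:50 kid1| WARNING: 12 pending requests queued
2015/07/09 11:47:14 kid1| WARNING: All 60/60 negotiateauthenticator processes are busy.
2015/07/09 11:47:14 kid1| WARNING: 72 pending requests queued
2015/07/09 11:47:40 kid1| WARNING: All 10/10 basicauthenticator processes are busy.
2015/07/09 11:47:40 kid1| WARNING: 3 pending requests queued
2015/07/09 11:48:02 kid1| Starting new helpers
"""

_TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| WARNING: "
BUSY_RE = re.compile(_TS + r"All (?P<busy>\d+)/(?P<total>\d+) (?P<helper>\w+) processes are busy")
QUEUE_RE = re.compile(_TS + r"(?P<queued>\d+) pending requests queued")

# Squid 3.5's documented default queue-size is 2 * children; Squid aborts if the
# queue stays above it for more than 3 minutes. Used here only as a report threshold.
DEFAULT_QUEUE_FACTOR = 2

def helper_saturation(log_text):
    """Per helper type: count of 'all busy' events, pool size, peak queue depth,
    first/last saturation timestamp, and whether the peak exceeded 2 * pool.
    Squid prints the 'pending requests queued' line right after the 'busy' line
    for the same helper, so a queue line is attributed to the last helper seen."""
    stats = defaultdict(lambda: {"events": 0, "pool": 0, "max_queue": 0,
                                 "first": None, "last": None})
    last_helper = None
    for line in log_text.splitlines():
        m = BUSY_RE.search(line)
        if m:
            last_helper = m.group("helper")
            s = stats[last_helper]
            s["events"] += 1
            s["pool"] = int(m.group("total"))
            s["first"] = s["first"] or m.group("ts")
            s["last"] = m.group("ts")
            continue
        m = QUEUE_RE.search(line)
        if m and last_helper is not None:
            s = stats[last_helper]
            s["max_queue"] = max(s["max_queue"], int(m.group("queued")))
    for s in stats.values():
        s["over_limit"] = s["max_queue"] > DEFAULT_QUEUE_FACTOR * s["pool"]
    return dict(stats)

if __name__ == "__main__":
    for helper, s in helper_saturation(SAMPLE_LOG).items():
        print(f"{helper}: {s['events']} saturation events, pool {s['pool']}, peak queue "
              f"{s['max_queue']} ({s['first']} .. {s['last']}), over 2x pool: {s['over_limit']}")
```

Run it against the real cache.log (for example `helper_saturation(open('/var/log/squid/cache.log').read())`) to see whether the negotiate pool is saturated continuously or only in bursts, and how the queue depth compares with the configured children count.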
