<HTML><BODY><br><br><br><br><br> >>>>> Hello, i have a problem here :) System - freebsd 10.1, squid 3.5.5 + kerberos (MIT), 50 users total.<br> >>>>><br> >>>>> Without any auth my squid works fine, system is not loaded. When i enable Kerberos auth internet slowly goes down and crushing after a while, at logs i see:<br> >>>>><br> >>>>> 2015/07/09 11:47:14 kid1| WARNING: All 60/60 negotiateauthenticator processes are busy.<br> >>>>> 2015/07/09 11:47:14 kid1| WARNING: 72 pending requests queued<br> >>>>><br> >>>><br> >>>> So 50 users / 60 helpers ... how many requests per second? and how<br> >>>> fast/slow is the helper responding?<br> >> Could you clarify how I can get value of requests per second and respond?<br> ><br> >The cachemgr "info" report. From the cachemgr.cgi tool, or "squidclient<br> >mgr:info" command line, or<br> >http://$visible_hostname:3128/squid-internal-mgr/info<br> ><br> > Or calculated from a quick count of the access.log lines over a few mins.<br><br> ~600 lines per minute,<br><br><br><br> >> Debugs show like 3-4 message per second like:<br> >><br> >> negotiate_kerberos_pac.cc(376): pid=1456 :2015/07/09 13:26:48| negotiate_kerberos_auth: INFO: Got PAC data of lengh 624<br> >> negotiate_kerberos_pac.cc(180): pid=1456 :2015/07/09 13:26:48| negotiate_kerberos_auth: INFO: Found 5 rids<br> >> negotiate_kerberos_pac.cc(188): pid=1456 :2015/07/09 13:26:48| negotiate_kerberos_auth: Info: Got rid: 513<br> >> negotiate_kerberos_pac.cc(188): pid=1456 :2015/07/09 13:26:48| negotiate_kerberos_auth: Info: Got rid: 3692<br> >> negotiate_kerberos_pac.cc(188): pid=1456 :2015/07/09 13:26:48| negotiate_kerberos_auth: Info: Got rid: 4268<br> >> negotiate_kerberos_pac.cc(188): pid=1456 :2015/07/09 13:26:48| negotiate_kerberos_auth: Info: Got rid: 4622<br> >> negotiate_kerberos_pac.cc(188): pid=1456 :2015/07/09 13:26:48| negotiate_kerberos_auth: Info: Got rid: 4623<br> >> negotiate_kerberos_pac.cc(256): pid=1456 :2015/07/09 13:26:48| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1-5-21-1708537768-1580818891-2146958067<br> >> negotiate_kerberos_pac.cc(278): pid=1456 :2015/07/09 13:26:48| negotiate_kerberos_auth: INFO: Found 1 ExtraSIDs<br> >> negotiate_kerberos_pac.cc(327): pid=1456 :2015/07/09 13:26:48| negotiate_kerberos_auth: INFO: Got ExtraSid S-1-5-21-1708537768-1580818891-2146958067-4107<br> >> negotiate_kerberos_pac.cc(456): pid=1456 :2015/07/09 13:26:48| negotiate_kerberos_auth: INFO: Read 620 of 624 bytes<br> >> negotiate_kerberos_auth.cc(778): pid=1456 :2015/07/09 13:26:48| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAAqDfWZcthOV7z+vd/AQIAAA== group=AQUAAAAAAAUVAAAAqDfWZcthOV7z+vd/bA4AAA== group=AQUAAAAAAAUVAAAAqDfWZcthOV7z+vd/rBAAAA== group=AQUAAAAAAAUVAAAAqDfWZcthOV7z+vd/DhIAAA== group=AQUAAAAAAAUVAAAAqDfWZcthOV7z+vd/DxIAAA== group=AQUAAAAAAAUVAAAAqDfWZcthOV7z+vd/CxAAAA==<br> >> negotiate_kerberos_auth.cc(783): pid=1456 :2015/07/09 13:26:48| negotiate_kerberos_auth: DEBUG: AF oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqY4fSYtg+X4HhiH8dFmWxdn3wxtoKKZzEfUjLYibMoy0XAAWgkSYVXgC7gxO7cgCkOofEqZQhi/GKa4NZqn2dQqOJU/3y4zkPqBP9Ialh//BL5ov03L5BqjgthrbYbrcxJTo57EJIdO8O1g== avialex<br> >><br> >> And errors like:<br> >> 2015/07/09 13:28:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}<br> >> All my friends get the same error, but their squid is working fine.<br> >><br> >> Don't see anything else<br> >><br> ><br> >Aha. So your users browsers are sending NTLM auth instead of Kerberos.<br> >That is at least one part of the problem. NTLM handshake can take whole<br> >seconds and places a lot of extra load on the helpers. To resolve these<br> >the users software needs fixing to use Kerberos properly when Negotiate<br><br> >is offered.<br> ><br> >The other part is figuring out what amount of helpers is needed to meet<br> >the load requirements. With NTLM it is usually several hundred.<br> ><br><br><br>When i'm using proxy alone, squid stars 33 childrens, don't recive any NTLM errors, but internet start to lag. So the problem not in the NTLM software. I tryed to start 300 children for my 60 users, but still have huge lags, even when half was free.<br></BODY></HTML>