<HTML><BODY><br>>> >>>>> Hello, I have a problem here :) System - FreeBSD 10.1, squid 3.5.5 + Kerberos (MIT), 50 users total.<br><blockquote style="border-left:1px solid #0857A6; margin:10px; padding:0 0 0 10px;"><div id=""><div class="js-helper js-readmsg-msg"><div><div id="style_14368138570000000826_BODY">
>> >>>>><br>
>> >>>>> Without any auth my squid works fine and the system is not loaded. When I enable Kerberos auth the internet slowly goes down and crashes after a while; in the logs I see:<br>
> >>>>>><br>
> >>>>>> 2015/07/09 11:47:14 kid1| WARNING: All 60/60 negotiateauthenticator processes are busy.<br>
> >>>>>> 2015/07/09 11:47:14 kid1| WARNING: 72 pending requests queued<br>
>> >>>>>><br>
>> >>>><br>
>> >>>> So 50 users / 60 helpers ... how many requests per second? and how<br>
>> >>>> fast/slow is the helper responding?<br>
>> >> Could you clarify how I can get the requests per second and the response speed?<br>
>> ><br>
>> >The cachemgr "info" report. From the cachemgr.cgi tool, or "squidclient<br>
>> >mgr:info" command line, or<br>
>> >http://$visible_hostname:3128/squid-internal-mgr/info<br>
>> ><br>
>> > Or calculated from a quick count of the access.log lines over a few mins.<br>
>> <br>
>> ~600 lines per minute,<br>
>> <br>
>> <br>
>> <br>
>> >> Debugs show like 3-4 message per second like:<br>
>> >><br>
>> >> negotiate_kerberos_auth.cc(783): pid=1456 :2015/07/09 13:26:48| negotiate_kerberos_auth: DEBUG: AF oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqY4fSYtg+X4HhiH8dFmWxdn3wxtoKKZzEfUjLYibMoy0XAAWgkSYVXgC7gxO7cgCkOofEqZQhi/GKa4NZqn2dQqOJU/3y4zkPqBP9Ialh//BL5ov03L5BqjgthrbYbrcxJTo57EJIdO8O1g== avialex<br>
>> >><br>
>> >> And errors like:<br>
>> >> 2015/07/09 13:28:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}<br>
>> >> All my friends get the same error, but their squid is working fine.<br>
>> >><br>
><br>
><br>
>Okay, so the traffic arriving at Squid is ~10 req/sec, and the helpers<br>
>are processing only 4 req/sec successfully.<br>
><br>
>If we also assume that each client connection is attempting one NTLM<br>
>request before it gets to Kerberos (when it should be doing the<br>
>opposite), that accounts for the helper rejecting 3-4 req/sec.<br>
><br>
>That makes a total of up to 8 req/sec being handled by the helpers.<br>
>Still leaving 2 req/sec building up in the queue.<br>
><br>
><br>
>I see two problems there.<br>
><br>
>Firstly, 3-4 req/sec seems to be a very slow response rate by the<br>
>helpers. If you can find some way to improve that enough to stop the<br>
>queue building up your problem should go away.<br>
>- that might be done by increasing the startup= helpers count (and<br>
>maximum count)<br>
>- that might be by improving the helper connectivity speed and access<br>
>to DNS and the backend AD system.<br>
><br>
><br>
>Secondly, that NTLM issue. The only fix for that is to get the client<br>
>devices configured to try the more secure Kerberos auth first (like they<br>
>should be doing anyway).<br>
>- that may require disabling NTLM entirely for them.<br>
><br>
><br>
><br>
>> >> Don't see anything else<br>
>> >><br>
>> ><br>
>> >Aha. So your users' browsers are sending NTLM auth instead of Kerberos.<br>
>> >That is at least one part of the problem. NTLM handshake can take whole<br>
>> >seconds and places a lot of extra load on the helpers. To resolve these<br>
>> >the users' software needs fixing to use Kerberos properly when Negotiate<br>
>> >is offered.<br>
>> ><br>
>> >The other part is figuring out what amount of helpers is needed to meet<br>
>> >the load requirements. With NTLM it is usually several hundred.<br>
>> ><br>
>> <br>
>> <br>
>> When I'm using the proxy alone, squid starts 33 children and I don't receive any NTLM errors, but the internet starts to lag. So the problem is not in the NTLM software. I tried to start 300 children for my 60 users, but still have huge lags, even when half were free.<br>
>> <br>
><br>
>For 60 users doing 10 req/sec I suggest configuring Squid with:<br>
>auth_param negotiate children 500 startup=120 idle=10<br>
><br>
><br>
>So what do you think the lag is coming from then?<br>
><br>
>And how are you defining "free" in terms of helpers?<br>
><br>
>Amos<br>
</div>
</div>
</div>
</div>
</blockquote>
When I started 150/300 children,<br>ps -ax | grep negotiate | wc -l<br>showed me that only 151 were launched, but there were still lags.<br><br>So I decided that the settings weren't my problem and only software was left. So what I did:<br><br>I upgraded squid from 3.5.5 to 3.5.6 and changed the Kerberos implementation from MIT to Heimdal, and it works perfectly! Only 18 children are launched right now; NTLM errors are still present, but I already know what software causes them and will fix it.<br>I don't know what was wrong with the MIT implementation of Kerberos on my FreeBSD server, but Heimdal works just fine.<br><br><br></BODY></HTML>
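An added example, not from the thread and not Squid's own code: a small Python script for the two checks the thread circles around. It classifies the base64 tokens on the helper's YR/KK (input) and AF (output) lines, so you can see whether a client is leading with NTLM or with Kerberos inside SPNEGO, counts Squid's "received type N NTLM token" errors, and computes the request rate from native-format access.log timestamps, as Amos suggested. The log lines and tokens below are constructed to mirror the ones quoted above (the tokens are synthetic, not real credentials), and the preferred-mechanism check is a heuristic (earliest mechanism OID in the token bytes) rather than a full ASN.1 parse.

```python
"""Classify Negotiate tokens on Squid helper lines and estimate access.log rate.
Added example; the helper line format is mimicked, not parsed from Squid sources."""
import base64
import re
import struct
from collections import Counter

# DER-encoded OBJECT IDENTIFIER TLVs (tag 0x06, length, value) for the mechanisms
# that show up when a browser talks Negotiate to Squid.
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
MSKRB5_OID = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {"kerberos": KRB5_OID, "ms-kerberos": MSKRB5_OID, "ntlmssp": NTLMSSP_OID}


def _der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV; lengths up to 255 bytes are enough for these tokens."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    if n < 0x100:
        return bytes([tag, 0x81, n]) + content
    raise ValueError("content too long for this toy encoder")


def _der_content_offset(raw: bytes) -> int:
    """Index of the first content byte of the DER TLV that starts at raw[0]."""
    if len(raw) < 2:
        return len(raw)
    return 2 if raw[1] < 0x80 else 2 + (raw[1] & 0x7F)


def preferred_mech(body: bytes) -> str:
    """A NegTokenInit lists the client's preferred mechanism first; heuristic:
    the mechanism OID that appears earliest in the bytes is the preferred one."""
    hits = [(body.find(oid), name) for name, oid in MECH_NAMES.items() if oid in body]
    return min(hits)[1] if hits else "none"


def classify_token(b64: str) -> str:
    """Label one base64 token as seen after YR/KK (helper input) or AF (helper output)."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "undecodable"
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        # Bare NTLMSSP message; bytes 8..11 hold the little-endian message type (1, 2 or 3).
        return "ntlm-type%d" % struct.unpack("<I", raw[8:12])[0]
    if not raw:
        return "empty"
    if raw[0] == 0x60:  # GSS-API InitialContextToken [APPLICATION 0]
        body = raw[_der_content_offset(raw):]
        if body.startswith(SPNEGO_OID):
            return "spnego-init/first=" + preferred_mech(body)
        if body.startswith(KRB5_OID) or body.startswith(MSKRB5_OID):
            return "kerberos-ap-req"  # Kerberos sent outside SPNEGO
        return "gss-init/unknown-mech"
    if raw[0] == 0xA1:  # SPNEGO NegTokenResp [1], what the helper hands back on an AF line
        return "spnego-resp"
    return "unknown"


HELPER_LINE = re.compile(r"\b(YR|KK|AF)\s+([A-Za-z0-9+/]+={0,2})")
NTLM_ERROR = re.compile(r"received type (\d) NTLM token")


def summarize_cache_log(lines):
    """Count helper tokens by direction and kind, plus Squid's NTLM-token errors."""
    counts = Counter()
    for line in lines:
        m = HELPER_LINE.search(line)
        if m:
            counts["%s:%s" % (m.group(1), classify_token(m.group(2)))] += 1
        e = NTLM_ERROR.search(line)
        if e:
            counts["ERROR:ntlm-type" + e.group(1)] += 1
    return counts


def requests_per_second(access_lines):
    """Request rate from native-format access.log lines (first field is a Unix timestamp)."""
    times = [float(line.split(None, 1)[0]) for line in access_lines if line.strip()]
    if len(times) < 2:
        return 0.0
    span = max(max(times) - min(times), 1.0)  # never divide by a sub-second window
    return len(times) / span


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def spnego_init(mech_oids) -> bytes:
    """Synthetic NegTokenInit carrying only a mechTypes list, in the given preference order."""
    mech_list = _der(0x30, b"".join(mech_oids))
    return _der(0x60, SPNEGO_OID + _der(0xA0, _der(0x30, _der(0xA0, mech_list))))


NTLM_TYPE1 = b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x00" * 24
# NegTokenResp: negState accept-completed, supportedMech Kerberos (shape of the quoted AF token).
NEG_TOKEN_RESP = _der(0xA1, _der(0x30, _der(0xA0, b"\x0a\x01\x00") + _der(0xA1, KRB5_OID)))

# Constructed cache.log-style lines; the tokens are synthetic.
SAMPLE_CACHE_LOG = [
    "2015/07/09 13:26:47| negotiate_kerberos_auth: DEBUG: YR " + _b64(spnego_init([NTLMSSP_OID, KRB5_OID])),
    "2015/07/09 13:26:47 kid1| ERROR: Negotiate Authentication validating user. "
    "Result: {result=BH, notes={message: received type 1 NTLM token; }}",
    "2015/07/09 13:26:48| negotiate_kerberos_auth: DEBUG: YR " + _b64(spnego_init([MSKRB5_OID, KRB5_OID, NTLMSSP_OID])),
    "2015/07/09 13:26:48| negotiate_kerberos_auth: DEBUG: AF " + _b64(NEG_TOKEN_RESP) + " avialex",
    "2015/07/09 13:26:49| negotiate_kerberos_auth: DEBUG: KK " + _b64(NTLM_TYPE1),
]
# Constructed native-format access.log lines: 11 requests spread over 2 seconds.
SAMPLE_ACCESS_LOG = [
    "%.3f    120 192.0.2.10 TCP_MISS/200 2345 GET http://example.test/ user HIER_DIRECT/203.0.113.5 text/html"
    % (1436443200 + i * 0.2) for i in range(11)
]

if __name__ == "__main__":
    for key, n in sorted(summarize_cache_log(SAMPLE_CACHE_LOG).items()):
        print("%-36s %d" % (key, n))
    print("access.log rate: %.1f req/s" % requests_per_second(SAMPLE_ACCESS_LOG))
```

Feed real files in place of the samples (summarize_cache_log(open("/var/log/squid/cache.log")) with the helper running under -d, requests_per_second on a slice of access.log) to get the req/sec figure and the NTLM-first client count the thread asks for. One side note on the helper count quoted above: ps -ax | grep negotiate | wc -l also counts the grep process itself, which is why 150 started helpers show up as 151; pgrep -f negotiate | wc -l does not count itself.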