<!DOCTYPE html>
<html data-lt-installed="true">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body style="padding-bottom: 1px;">
<p>Hi Team.</p>
<p>I'm using SQUID 5.9 + winbindd 4.9.5; the authentication method
is NTLM.</p>
<p>Every day, around 5pm, the internet speed becomes very slow, with
users reporting that websites take too long to open.</p>
<p>Also, the time at which the issue occurs is very strange, since it is
when most of the users are no longer in the office.<br>
</p>
<p>After a deep analysis of the proxy server, I managed to find this
error that could be related to this issue.</p>
<p>Cache.log<br>
GENSEC login failed: NT_STATUS_LOGON_FAILURE<br>
GENSEC login failed: NT_STATUS_LOGON_FAILURE<br>
GENSEC login failed: NT_STATUS_LOGON_FAILURE<br>
GENSEC login failed: NT_STATUS_LOGON_FAILURE</p>
<p>Winbindd.log<br>
[2024/07/22 17:06:48.220216, 2]
../source3/winbindd/winbindd.c:1121(remove_client)<br>
final write to client failed: Broken pipe<br>
[2024/07/22 17:06:48.220319, 0]
../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)<br>
winbindd: Exceeding 500 client connections, no idle connection
found<br>
[2024/07/22 17:06:48.261482, 0]
../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)<br>
winbindd: Exceeding 500 client connections, no idle connection
found<br>
[2024/07/22 17:06:48.261857, 2]
../source3/winbindd/winbindd.c:1121(remove_client)<br>
final write to client failed: Broken pipe<br>
[2024/07/22 17:06:48.261926, 0]
../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)<br>
winbindd: Exceeding 500 client connections, no idle connection
found<br>
[2024/07/22 17:06:48.276216, 0]
../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)<br>
winbindd: Exceeding 500 client connections, no idle connection
found<br>
[2024/07/22 17:06:48.276507, 2]
../source3/winbindd/winbindd.c:1121(remove_client)<br>
final write to client failed: Broken pipe<br>
[2024/07/22 17:06:48.276568, 0]
../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)<br>
winbindd: Exceeding 500 client connections, no idle connection
found<br>
[2024/07/22 17:09:02.512093, 1]
../source4/lib/messaging/messaging.c:83(ping_message)<br>
INFO: Received PING message from server 10301 []<br>
[2024/07/22 17:09:02.512159, 1]
../source3/lib/messages.c:131(ping_message)<br>
INFO: Received PING message from PID 10301 []<br>
[2024/07/22 17:11:27.979681, 1]
../source3/winbindd/winbindd_util.c:440(trustdom_list_done)<br>
trustdom_list_done: Could not receive trusts for domain BANK<br>
[2024/07/22 17:11:27.979756, 1]
../source3/winbindd/winbindd_util.c:440(trustdom_list_done)<br>
trustdom_list_done: Could not receive trusts for domain HLGROUP<br>
[2024/07/22 17:12:02.612725, 1]
../source4/lib/messaging/messaging.c:83(ping_message)<br>
INFO: Received PING message from server 4706 []<br>
[2024/07/22 17:12:02.612794, 1]
../source3/lib/messages.c:131(ping_message)<br>
INFO: Received PING message from PID 4706 []<br>
[2024/07/22 17:15:03.307322, 1]
../source4/lib/messaging/messaging.c:83(ping_message)<br>
INFO: Received PING message from server 13541 []<br>
[2024/07/22 17:15:03.307477, 1]
../source3/lib/messages.c:131(ping_message)<br>
INFO: Received PING message from PID 13541 []<br>
[2024/07/22 17:18:02.603927, 1]
../source4/lib/messaging/messaging.c:83(ping_message)<br>
INFO: Received PING message from server 27640 []<br>
[2024/07/22 17:18:02.603983, 1]
../source3/lib/messages.c:131(ping_message)<br>
INFO: Received PING message from PID 27640 []</p>
<p>smb.conf<br>
[global]<br>
netbios name = ASP02<br>
log level = 2<br>
workgroup = mydom<br>
kerberos method = dedicated keytab<br>
dedicated keytab file = /etc/krb5.keytab<br>
realm = mydom.MY<br>
password server = 10.150.1.62<br>
security = ads<br>
winbind enum groups = No<br>
winbind enum users = No<br>
idmap config * : backend = tdb<br>
idmap config * : range = 3000-7999<br>
idmap config mydom:backend = ad<br>
idmap config mydom:schema_mode = rfc2307<br>
idmap config mydom:range = 10000-999999<br>
idmap config mydom:unix_nss_info = yes<br>
tls enabled = yes<br>
ldap ssl = start tls<br>
tls keyfile = tls/key.pem<br>
tls certfile = tls/cert.pem<br>
tls cafile = tls/ca.pem<br>
client ldap sasl wrapping = plain<br>
client ntlmv2 auth = Yes<br>
client lanman auth = No<br>
client ldap sasl wrapping = sign<br>
winbind normalize names = No<br>
winbind separator = /<br>
winbind use default domain = yes<br>
winbind nested groups = Yes<br>
winbind reconnect delay = 30<br>
winbind offline logon = true<br>
winbind cache time = 1800<br>
winbind refresh tickets = true<br>
winbind refresh tickets = true<br>
winbind max clients = 500<br>
allow trusted domains = Yes<br>
server signing = auto<br>
client signing = auto<br>
lm announce = No<br>
ntlm auth = No<br>
lanman auth = No<br>
preferred master = No<br>
local master = No<br>
wins support = No<br>
encrypt passwords = yes<br>
printing = bsd<br>
load printers = no<br>
socket options = TCP_NODELAY SO_RCVBUF=8192
SO_SNDBUF=8192<br>
min protocol = SMB2<br>
client min protocol = SMB2<br>
client max protocol = SMB3<br>
load printers = no<br>
printing = bsd<br>
printcap name = /dev/null<br>
disable spoolss = yes<br>
<br>
Squid.conf</p>
<p># kerberos_conf() LockActiveDirectoryToKerberos = 0<br>
<br>
#<br>
#KerbAuthMethod = 0/1 and NOT_NTLM = False<br>
auth_param ntlm program /usr/bin/ntlm_auth --domain=mydom.MY
--helper-protocol=squid-2.5-ntlmssp<br>
auth_param ntlm children 500 startup=5 idle=1 concurrency=0
queue-size=2000 on-persistent-overload=ERR<br>
auth_param ntlm keep_alive off<br>
<br>
#<br>
# ads groups OK<br>
#Other settings<br>
auth_param basic credentialsttl 7200 seconds<br>
authenticate_ttl 3600 seconds<br>
authenticate_ip_ttl 1 seconds<br>
authenticate_cache_garbage_interval 3600 seconds<br>
<br>
acl authFailed src all<br>
acl AUTHENTICATED proxy_auth REQUIRED<br>
# END NTLM Parameters --------------------------------<br>
# Basic authentication for other browser that did not supports
NTLM<br>
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic<br>
auth_param basic children 60 startup=2 idle=1<br>
auth_param basic realm Active Directory Basic Identification<br>
auth_param basic credentialsttl 7200 seconds<br>
authenticate_ttl 3600 seconds<br>
authenticate_ip_ttl 1 seconds<br>
authenticate_cache_garbage_interval 3600 seconds<br>
<br>
# ldap_auth_ad() EnableAdLDAPAuth = 0 - SKIP<br>
<br>
# ads groups OK<br>
<br>
<br>
<br>
# --------------------------------------------------<br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
</body>
</html>