<div dir="ltr"><div dir="ltr">Hello, Andre,<div><br></div><div>Your logs say: </div><div><font face="monospace">> winbindd: Exceeding 500 client connections, no idle connection found<br></font></div><div><br></div><div>So, in addition to Francesco's suggestion, you can try to increase the "winbind max clients" parameter in your smb.conf.</div><div><br></div><div>Your squid.conf record:</div><div><font face="monospace">auth_param ntlm children 500 startup=5 idle=1</font> <br></div><div>limits the number of ntlm-helpers, but in the SMP squid configuration this value is multiplied by the number of workers (although I did not notice the activation of multiprocessing support in your squid configuration).</div><div><br></div><div>Kind regards,</div><div>     Andrey</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Wed, 24 Jul 2024 at 21:57, Francesco Chemolli <<a href="mailto:gkinkie@gmail.com" target="_blank">gkinkie@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Andre,<br>
<br>
The chain of services here is:<br>
<br>
browser <-> squid <-> ntlm_auth <-> winbindd <-> active directory<br>
<br>
In order to bisect the problem, could you try using `wbinfo -a` on one<br>
of the affected machines to authenticate against Active Directory and<br>
see if the performance is on the winbindd <-> AD side of the equation<br>
or on the squid <-> ntlm_auth side?<br>
<br>
On Wed, Jul 24, 2024 at 7:27 PM Andre Bolinhas<br>
<<a href="mailto:andre.bolinhas@articatech.com" target="_blank">andre.bolinhas@articatech.com</a>> wrote:<br>
><br>
> Hi Team.<br>
><br>
> I'm using SQUID 5.9 + winbindd 4.9.5, the authentication method is NTLM.<br>
><br>
> Every day, around 5pm, the internet speed becomes very slow, with users reporting that websites take too long to open.<br>
><br>
> Also, the time that the issue occurs is very strange, since it is when most of the users are not in the office anymore.<br>
><br>
> By doing a deep analysis on the proxy server, I managed to find this error, which could be related to this issue.<br>
><br>
> Cache.log<br>
> GENSEC login failed: NT_STATUS_LOGON_FAILURE<br>
> GENSEC login failed: NT_STATUS_LOGON_FAILURE<br>
> GENSEC login failed: NT_STATUS_LOGON_FAILURE<br>
> GENSEC login failed: NT_STATUS_LOGON_FAILURE<br>
><br>
> winbindd.log<br>
> [2024/07/22 17:06:48.220216,  2] ../source3/winbindd/winbindd.c:1121(remove_client)<br>
>   final write to client failed: Broken pipe<br>
> [2024/07/22 17:06:48.220319,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)<br>
>   winbindd: Exceeding 500 client connections, no idle connection found<br>
> [2024/07/22 17:06:48.261482,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)<br>
>   winbindd: Exceeding 500 client connections, no idle connection found<br>
> [2024/07/22 17:06:48.261857,  2] ../source3/winbindd/winbindd.c:1121(remove_client)<br>
>   final write to client failed: Broken pipe<br>
> [2024/07/22 17:06:48.261926,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)<br>
>   winbindd: Exceeding 500 client connections, no idle connection found<br>
> [2024/07/22 17:06:48.276216,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)<br>
>   winbindd: Exceeding 500 client connections, no idle connection found<br>
> [2024/07/22 17:06:48.276507,  2] ../source3/winbindd/winbindd.c:1121(remove_client)<br>
>   final write to client failed: Broken pipe<br>
> [2024/07/22 17:06:48.276568,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)<br>
>   winbindd: Exceeding 500 client connections, no idle connection found<br>
> [2024/07/22 17:09:02.512093,  1] ../source4/lib/messaging/messaging.c:83(ping_message)<br>
>   INFO: Received PING message from server 10301 []<br>
> [2024/07/22 17:09:02.512159,  1] ../source3/lib/messages.c:131(ping_message)<br>
>   INFO: Received PING message from PID 10301 []<br>
> [2024/07/22 17:11:27.979681,  1] ../source3/winbindd/winbindd_util.c:440(trustdom_list_done)<br>
>   trustdom_list_done: Could not receive trusts for domain BANK<br>
> [2024/07/22 17:11:27.979756,  1] ../source3/winbindd/winbindd_util.c:440(trustdom_list_done)<br>
>   trustdom_list_done: Could not receive trusts for domain HLGROUP<br>
> [2024/07/22 17:12:02.612725,  1] ../source4/lib/messaging/messaging.c:83(ping_message)<br>
>   INFO: Received PING message from server 4706 []<br>
> [2024/07/22 17:12:02.612794,  1] ../source3/lib/messages.c:131(ping_message)<br>
>   INFO: Received PING message from PID 4706 []<br>
> [2024/07/22 17:15:03.307322,  1] ../source4/lib/messaging/messaging.c:83(ping_message)<br>
>   INFO: Received PING message from server 13541 []<br>
> [2024/07/22 17:15:03.307477,  1] ../source3/lib/messages.c:131(ping_message)<br>
>   INFO: Received PING message from PID 13541 []<br>
> [2024/07/22 17:18:02.603927,  1] ../source4/lib/messaging/messaging.c:83(ping_message)<br>
>   INFO: Received PING message from server 27640 []<br>
> [2024/07/22 17:18:02.603983,  1] ../source3/lib/messages.c:131(ping_message)<br>
>   INFO: Received PING message from PID 27640 []<br>
><br>
> smb.conf<br>
> [global]<br>
>    netbios name               = ASP02<br>
>    log level                  = 2<br>
>    workgroup                  = mydom<br>
>    kerberos method            = dedicated keytab<br>
>    dedicated keytab file      = /etc/krb5.keytab<br>
>    realm                      = mydom.MY<br>
>    password server            = 10.150.1.62<br>
>    security                   = ads<br>
>    winbind enum groups        = No<br>
>    winbind enum users         = No<br>
>    idmap config * : backend   = tdb<br>
>    idmap config * : range     = 3000-7999<br>
>    idmap config mydom:backend = ad<br>
>    idmap config mydom:schema_mode = rfc2307<br>
>    idmap config mydom:range = 10000-999999<br>
>    idmap config mydom:unix_nss_info = yes<br>
> tls enabled = yes<br>
> ldap ssl = start tls<br>
> tls keyfile  = tls/key.pem<br>
> tls certfile = tls/cert.pem<br>
> tls cafile   = tls/ca.pem<br>
> client ldap sasl wrapping = plain<br>
>    client ntlmv2 auth         = Yes<br>
>    client lanman auth         = No<br>
>    client ldap sasl wrapping  = sign<br>
>    winbind normalize names    = No<br>
>    winbind separator          = /<br>
>    winbind use default domain = yes<br>
>    winbind nested groups      = Yes<br>
>    winbind reconnect delay    = 30<br>
>    winbind offline logon      = true<br>
>    winbind cache time         = 1800<br>
>    winbind refresh tickets    = true<br>
>    winbind refresh tickets    = true<br>
>    winbind max clients        = 500<br>
>    allow trusted domains      = Yes<br>
>    server signing             = auto<br>
>    client signing             = auto<br>
>    lm announce                = No<br>
>    ntlm auth                  = No<br>
>    lanman auth                = No<br>
>    preferred master           = No<br>
>    local master               = No<br>
>    wins support               = No<br>
>    encrypt passwords          = yes<br>
>    printing                   = bsd<br>
>    load printers              = no<br>
>    socket options             = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192<br>
>    min protocol               = SMB2<br>
>    client min protocol          = SMB2<br>
>    client max protocol          = SMB3<br>
>    load printers              = no<br>
>    printing                   = bsd<br>
>    printcap name              = /dev/null<br>
>    disable spoolss            = yes<br>
><br>
> Squid.conf<br>
><br>
> # kerberos_conf() LockActiveDirectoryToKerberos = 0<br>
><br>
> #<br>
> #KerbAuthMethod = 0/1 and NOT_NTLM = False<br>
> auth_param ntlm program /usr/bin/ntlm_auth  --domain=mydom.MY --helper-protocol=squid-2.5-ntlmssp<br>
> auth_param ntlm children 500 startup=5 idle=1 concurrency=0 queue-size=2000 on-persistent-overload=ERR<br>
> auth_param ntlm keep_alive off<br>
><br>
> #<br>
> # ads groups OK<br>
> #Other settings<br>
> auth_param basic credentialsttl 7200 seconds<br>
> authenticate_ttl 3600 seconds<br>
> authenticate_ip_ttl 1 seconds<br>
> authenticate_cache_garbage_interval 3600 seconds<br>
><br>
> acl authFailed src all<br>
> acl AUTHENTICATED proxy_auth REQUIRED<br>
> # END NTLM Parameters --------------------------------<br>
> # Basic authentication for other browser that did not supports NTLM<br>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic<br>
> auth_param basic children 60 startup=2 idle=1<br>
> auth_param basic realm Active Directory Basic Identification<br>
> auth_param basic credentialsttl 7200 seconds<br>
> authenticate_ttl 3600 seconds<br>
> authenticate_ip_ttl 1 seconds<br>
> authenticate_cache_garbage_interval 3600 seconds<br>
><br>
> # ldap_auth_ad() EnableAdLDAPAuth = 0 - SKIP<br>
><br>
> # ads groups OK<br>
><br>
> # --------------------------------------------------<br>
><br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><br>
<br>
-- <br>
    Francesco<br>
</blockquote></div></div>
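<p>The following is an added example, not code from the thread, from Squid or from Samba. It turns Andrey's arithmetic into a check a practitioner can run against the two config files: Squid may grow each auth scheme up to <code>children</code> helpers per worker, every ntlm_auth helper process is a separate client of winbindd, and winbindd refuses new clients once <code>winbind max clients</code> (Samba default 200) is reached. It also buckets the "Exceeding N client connections" entries of winbindd.log by minute so the exhaustion can be lined up with the 5pm slowdown. The sample inputs are constructed from the values posted above; the 25% headroom and the requirement that helpers stay strictly below the limit (wbinfo, PAM and NSS lookups on the proxy host also take winbindd slots) are assumptions of this example.</p>

```python
"""Helper-budget check for the browser <-> squid <-> ntlm_auth <-> winbindd chain.

Added example; sample inputs below are constructed from the thread's excerpts.
"""
import math
import re
from collections import Counter

# Squid: `auth_param <scheme> children <N> ...` and the SMP `workers <N>` directive.
AUTH_CHILDREN_RE = re.compile(r"^\s*auth_param\s+(\w+)\s+children\s+(\d+)", re.M)
WORKERS_RE = re.compile(r"^\s*workers\s+(\d+)", re.M)
# Samba: `winbind max clients = <N>`; Samba's documented default is 200.
WINBIND_MAX_RE = re.compile(r"^\s*winbind\s+max\s+clients\s*=\s*(\d+)", re.M)
# winbindd.log entries are two lines: a "[YYYY/MM/DD HH:MM:SS.us, level]" header,
# then the message line. Entries are keyed on the minute of the header.
LOG_TS_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d)")
EXHAUST_RE = re.compile(r"Exceeding (\d+) client connections")


def squid_helper_budget(squid_conf):
    """Return (workers, children per scheme, maximum helpers across all workers)."""
    m = WORKERS_RE.search(squid_conf)
    workers = int(m.group(1)) if m else 1          # no `workers` line: one process
    per_scheme = {}
    for scheme, n in AUTH_CHILDREN_RE.findall(squid_conf):
        per_scheme[scheme] = int(n)                 # repeated directive: last one wins
    return workers, per_scheme, workers * sum(per_scheme.values())


def winbind_max_clients(smb_conf, default=200):
    """Last `winbind max clients` value in smb.conf, or Samba's default."""
    values = WINBIND_MAX_RE.findall(smb_conf)
    return int(values[-1]) if values else default


def check_budget(squid_conf, smb_conf, headroom=0.25):
    """Compare the helpers Squid can spawn with winbindd's client limit.

    `headroom` (assumed 25%) covers other local winbindd clients such as
    wbinfo, PAM and NSS lookups, which is also why `ok` requires strictly fewer.
    """
    workers, per_scheme, total = squid_helper_budget(squid_conf)
    limit = winbind_max_clients(smb_conf)
    suggested = math.ceil(total * (1 + headroom))
    return {
        "workers": workers,
        "helpers_per_worker": per_scheme,
        "helpers_total": total,
        "winbind_max_clients": limit,
        "ok": total < limit,
        "suggested_winbind_max_clients": max(limit, suggested),
    }


def exhaustion_per_minute(winbindd_log):
    """Count 'Exceeding N client connections' entries per minute of winbindd.log."""
    counts = Counter()
    minute = None
    for line in winbindd_log.splitlines():
        ts = LOG_TS_RE.match(line)
        if ts:
            minute = ts.group(1)
        elif EXHAUST_RE.search(line) and minute is not None:
            counts[minute] += 1
    return dict(counts)


# Constructed samples using the values from the posted squid.conf, smb.conf
# and winbindd.log excerpts.
SQUID_CONF = """\
auth_param ntlm program /usr/bin/ntlm_auth --domain=mydom.MY --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 500 startup=5 idle=1 concurrency=0 queue-size=2000 on-persistent-overload=ERR
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 60 startup=2 idle=1
"""
SMB_CONF = """\
[global]
   winbind max clients        = 500
"""
WINBINDD_LOG = """\
[2024/07/22 17:06:48.220216,  2] ../source3/winbindd/winbindd.c:1121(remove_client)
  final write to client failed: Broken pipe
[2024/07/22 17:06:48.220319,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
  winbindd: Exceeding 500 client connections, no idle connection found
[2024/07/22 17:06:48.261482,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
  winbindd: Exceeding 500 client connections, no idle connection found
[2024/07/22 17:09:02.512093,  1] ../source4/lib/messaging/messaging.c:83(ping_message)
  INFO: Received PING message from server 10301 []
"""

if __name__ == "__main__":
    print(check_budget(SQUID_CONF, SMB_CONF))                  # 560 helpers vs limit 500
    print(check_budget("workers 2\n" + SQUID_CONF, SMB_CONF))  # SMP: 1120 helpers
    print(exhaustion_per_minute(WINBINDD_LOG))
```

<p>With the posted values the check already fails without SMP: 500 ntlm helpers plus 60 basic helpers is 560 possible winbindd clients against a limit of 500, which matches the log. The total is a worst case, since Squid starts with <code>startup</code> helpers and only grows towards <code>children</code> under load, which is consistent with the limit being hit at a particular time of day rather than constantly; <code>wbinfo -a</code> timing, as suggested above, tells you whether the remaining latency sits on the winbindd to AD side once the client limit is no longer being hit.</p>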