<div dir="ltr"><div dir="ltr">Hello, Andre,<div><br></div><div><br></div><div>> How to know if the helper supports concurrent requests?<br></div><div>You are using /usr/bin/ntlm_auth, and, as far as I know, it does not support concurrency. But I do not know other ntlm-authentication helpers.<br></div><div><br></div><div>> winbindd: Exceeding 500 client connections, no idle connection found</div><div>> I will increase this value to check if it helps to settle the issue</div><div>I think it will only hide the problem.</div><div>In my opinion, it is better to follow Alex's advice and reduce the number of ntlm-helpers. It should prevent exceeding the maximum winbind client connections error messages.</div>
<div>The actual number of required ntlm-helpers can be obtained during the working day.</div><div><font face="monospace">ps -ef | grep ntlm_auth | grep -v wrapper | grep -v basic | wc -l</font><br></div><div>You can divide this number by the number of workers and add some spare ones.</div><div><br></div><div>When the problem appears again, you can follow the advice of Francesco:</div><div>> In order to bisect the problem, could you try using `wbinfo -a` on one<br>> of the affected machines to authenticate against Active Directory and<br>> see if the performance is on the winbindd <-> AD side of the equation<br>> or on the squid <-> ntlm_auth side?<br></div>
<div><font face="monospace">sudo wbinfo -t<br></font></div><div><font face="monospace">sudo wbinfo -a "DOMAIN\username%password"</font><br></div><div><br></div><div>Kind regards,</div><div> Ankor.</div><div><br></div><div><br></div></div><div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jul 25, 2024 at 17:43, Andre Bolinhas <<a href="mailto:andre.bolinhas@articatech.com">andre.bolinhas@articatech.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div style="padding-bottom:1px">
<p>Hi<br>
We have 5 squid workers, we need to handle around 8k concurrent
users.</p>
<p>Based on this, what are the auth_param values that you recommend
for children, idle and startup?<br>
How to know if the helper supports concurrent requests?</p>
<p>
</p><blockquote type="cite">winbindd: Exceeding 500 client
connections, no idle connection found
</blockquote>
I will increase this value to check if it helps to settle the issue<p></p>
<p><br>
</p>
<div>On 25/07/2024 14:28, Alex Rousskov
wrote:<br>
</div>
<blockquote type="cite">On
2024-07-23 19:20, Andre Bolinhas wrote:
<br>
<blockquote type="cite">winbindd: Exceeding 500 client
connections, no idle connection found
<br>
</blockquote>
<br>
<blockquote type="cite">auth_param ntlm children 500 ...
<br>
</blockquote>
<br>
I know virtually nothing about WINBIND and the authentication
helper you are using, but configuring Squid to have 500 helper
processes is usually a mistake, even with a single Squid worker.
YMMV, but I would try to use a lot fewer helpers (e.g., 10) and
increase that number only if such an increase actually improves
things.
<br>
<br>
If possible, use a helper that supports concurrent requests.
<br>
<br>
If your Squid is not competing for resources with other
applications on the server, then I also recommend keeping a
_constant_ number of helper processes (instead of asking Squid to
start many new helper processes at the worst possible time -- when
the load on Squid increases). To do that, make startup and idle
parameters the same as the maximum number of children.
<br>
<br>
<br>
HTH,
<br>
<br>
Alex.
<br>
P.S. The credit for highlighting the correlation between winbindd
errors and "auth_param ntlm children 500" goes to Andrey K.
<br>
<br>
</blockquote>
</div>
<u></u><u></u>
</blockquote></div></div>
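<p>Added example, not part of the original thread: shell functions for the sizing procedure described in the reply above (count running ntlm_auth helpers, take the peak, divide by the number of workers, add spare), combined with the quoted advice to set startup and idle equal to children. The function names are hypothetical, and the ps sample, the sampled counts and the spare value of 4 are constructed assumptions.</p>

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Count NTLM helpers in `ps -ef` text on stdin, using the same filters as
# the command in the reply: match ntlm_auth, skip "wrapper" and "basic".
count_helpers() {
    awk '/ntlm_auth/ && !/wrapper/ && !/basic/ { n++ } END { print n + 0 }'
}

# Largest value from one-count-per-line samples taken during the working day.
peak_of() {
    awk 'BEGIN { m = 0 } $1 + 0 > m { m = $1 + 0 } END { print m }'
}

# per_worker_children PEAK WORKERS SPARE
# Round PEAK/WORKERS up, then add SPARE helpers per worker.
per_worker_children() {
    peak=$1 workers=$2 spare=$3
    [ "$workers" -gt 0 ] || { echo "workers must be > 0" >&2; return 1; }
    echo $(( (peak + workers - 1) / workers + spare ))
}

# squid.conf line with startup and idle equal to the maximum, so the
# helper pool stays constant instead of growing under load.
auth_param_line() {
    echo "auth_param ntlm children $1 startup=$1 idle=$1"
}

# Constructed `ps -ef` sample: two NTLM helpers, one basic helper, one wrapper.
SAMPLE_PS='squid 2101 2090 0 09:00 ? 00:00:01 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
squid 2102 2090 0 09:00 ? 00:00:01 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
squid 2103 2090 0 09:00 ? 00:00:00 (ntlm_auth) --helper-protocol=squid-2.5-basic
root  2200    1 0 09:00 ? 00:00:00 /usr/local/bin/ntlm_auth_wrapper'

# Constructed counts sampled at three times of day; 5 workers as in the
# thread; spare of 4 per worker is an assumption.
SAMPLED_COUNTS='37
52
44'

printf '%s\n' "$SAMPLE_PS" | count_helpers
peak=$(printf '%s\n' "$SAMPLED_COUNTS" | peak_of)
auth_param_line "$(per_worker_children "$peak" 5 4)"
```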