[squid-dev] Ntlm helper child exceeds limit
Amos Jeffries
squid3 at treenet.co.nz
Thu Dec 10 11:20:48 UTC 2015
On 10/12/2015 10:42 p.m., manojmaybe wrote:
> I have used squid 3.3 proxy server with NTLM authentication. I have use the
> squid config file for maximum of 3000 children.
Please upgrade your Squid. 3.5 is the current stable release.
>
> auth_param ntlm children 3000 startup=0 idle=0
>
> but when traffic is very high ,found that more than 3000 ntlm helper
> children is active (used ps command to get the number of ntlm child process)
> and helper child are going to be crash and showing error cache log
>
If you have so many users that you need 3K NTLM helpers then NTLM is
probably the worst thing you could be doing for authentication.
It takes a relatively long time to authenticate a single client
connection, and they are statefully locked the entire time so no other
visitors can use them to authenticate. That causes huge memory resource
consumption in the proxy. And the system has limits on how many AD
connections can be made simulteneously. Winbindd itself starts failing
after 255 concurrent logins, Samba is a bit higher but not 3K.
>
> read(net): Connection reset by peer
> read(net): Connection reset by peer
> read(net): Connection reset by peer
> read(net): Connection reset by peer
> read(net): Connection reset by peer
Where is that coming from? Not Squid.
> 2015/12/09 15:01:36 kid2| ERROR: NTLM Authentication Helper '0x160fa948'
> crashed!.
> 2015/12/09 15:01:36 kid2| ERROR: NTLM Authentication validating user. Error
> returned 'BH Internal error'
> 2015/12/09 15:01:36 kid2| WARNING: ntlmauthenticator #1 exited
> 2015/12/09 15:01:36 kid2| Too few ntlmauthenticator processes are running
> (need 1/300)
> 2015/12/09 15:01:36 kid2| Starting new helpers
> 2015/12/09 15:01:36 kid2| helperOpenServers: Starting 1/300 'netcat'
> processes
Does netcat speak NTLM protocol? or Squid helper protocol for that matter?
AFAIK the netcat tool has a habit of closing connections, but only
half-way. Squid helpers MUST NOT close any of their connections to Squid
unless they are aborting and shutting down.
netcat may also be diverting and hiding critical error messages produced
by whatever the real authenticator is on stderr.
Amos
More information about the squid-dev
mailing list