[squid-users] Squid restarting continuously the authenticator processes
Claudio ML
claudioml at mediaservice.net
Wed Oct 29 11:11:41 UTC 2014
Il 29/10/2014 12:01, Amos Jeffries ha scritto:
> On 29/10/2014 11:09 p.m., Claudio ML wrote:
> > Hello all,
>
> > I have a strange problem with a SQUID proxy with the NTLM
>
> The word is "Squid", it is a name not an acronym.
>
> > authentication. It randomly restarts the authenticator processes
> > (restart maybe not the right term), as follows:
>
>
> Randomly? no, when an authenticator dies/aborts Squid starts a
> replacement one.
>
> Question is why they are dying.
>
> Perhapse you could start by indicating what version of Squid you are
> using ?
>
My Squid version is 3.2.11 (OpenSuSE 12.3)
>
> <snip>
> > 2014-10-29T10:45:02.649164+01:00 yel1swa208 squid[29306]: Starting
> > new ntlmauthenticator helpers... 2014-10-29T10:45:02.650165+01:00
> > yel1swa208 squid[29306]: helperOpenServers: Starting 1/800
> > 'ntlm_auth' processes
>
> > Not sure if is a result of this, but after 10-20 mins the
> > authentication process with ntlm slows down terribly (tested with
> > wbinfo -t), and the users have some serious problem with the
> > navigation.
>
> > Follows the relevant part of squid.conf:
>
> > # Ntlm Auth auth_param ntlm program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-ntlmssp --debuglevel=0 auth_param ntlm
> > children 800 #auth param ntlm keep_alive off
>
> That is the Samba helper, so any bugs inside it are Samba problems.
>
> Squid for NTLM is just a "dumb relay" passing the HTTP request header
> tokens to the helper(s) and relaying their responses back to the
> client in HTTP reply headers.
>
> There might still be bugs in the relaying logic though. But to me it
> sounds like the helpers having issues.
>
>
Where into log files i can look if helpers have issues?
> > authenticate_ttl 3 hour authenticate_ip_ttl 3 hour
>
> > # Base Auth auth_param basic program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-basic auth_param basic children 200
> > auth_param basic realm Squid proxy-caching web server auth_param
> > basic credentialsttl 2 hours
>
> > And the relevant part of smb.conf:
>
> > allow trusted domains = Yes winbind nested groups = Yes wins server
> > = x.x.x.x winbind uid = 40000-90000000000000 winbind gid =
> > 4000-100000000000000 winbind use default domain = yes winbind enum
> > users = yes winbind enum groups = yes winbind cache time = 1000
> > winbind max clients = 600
>
>
> There is a big hint.
>
> max clients 600 vs. 800 configured Squid helpers ...
>
You are right, now my config is 800 as max clients on samba, and 800
Squid helpers.
Thank you,
Claudio.
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20141029/3fc7735d/attachment.html>
More information about the squid-users
mailing list