[squid-users] SQUID - WINDBIND - very slow internet speed
Andrey K
ankor2023 at gmail.com
Fri Jul 26 07:23:46 UTC 2024
Hello, Andre,
> How to know if the helper supports concurrent requests?
You are using /usr/bin/ntlm_auth, and, as far as I know, it does not
support concurrency. But I do not know other ntlm-authentication helpers.
> winbindd: Exceeding 500 client connections, no idle connection found
> I will increase this value to check if help to settle the issue
I think it will only hide the problem.
In my opinion, it is better to follow the Alex's advice and reduce the
number of ntlm-helpers. It should prevent exceeding the maximum winbind
client connections error messages.
The actual number of required ntlm-helpers can be obtained during the
working day.
ps -ef | grep ntlm_auth | grep -v wrapper | grep -v basic | wc -l
You can divide this number by the number of workers and add some spare ones.
When the problem appears again, you can follow the advice of Francesco:
> In order to bisect the problem, could you try using `wbinfo -a` on one
> of the affected machiens to authenticate against Active Directory and
>see if the performance is on the winbindd <-> AD side of the equation
> on on the squid <-> ntlm_auth side?
sudo wbinfo -t
sudo wbinfo -a "DOMAIN\username%password"
Kind regards,
Ankor.
чт, 25 июл. 2024 г. в 17:43, Andre Bolinhas <andre.bolinhas at articatech.com>:
> Hi
> We have 5 squid workers, we need to handle around 8k concurrent users.
>
> Based on this, what's the auth_param values that you recommend for
> children, idle and startup?
> How to know if the helper supports concurrent requests?
>
> winbindd: Exceeding 500 client connections, no idle connection found
>
> I will increase this value to check if help to settle the issue
>
>
> On 25/07/2024 14:28, Alex Rousskov wrote:
>
> On 2024-07-23 19:20, Andre Bolinhas wrote:
>
> winbindd: Exceeding 500 client connections, no idle connection found
>
>
> auth_param ntlm children 500 ...
>
>
> I know virtually nothing about WINDBIND and the authentication helper you
> are using, but configuring Squid to have 500 helper processes is usually a
> mistake, even with a single Squid worker. YMMV, but I would try to use a
> lot fewer helpers (e.g., 10) and increase that number only if such an
> increase actually improves things.
>
> If possible, use a helper that supports concurrent requests.
>
> If your Squid is not competing for resources with other applications on
> the server, then I also recommend keeping a _constant_ number of helper
> processes (instead of asking Squid to start many new helper processes at
> the worse possible time -- when the load on Squid increases). To do that,
> make startup and idle parameters the same as the maximum number of
> children.
>
>
> HTH,
>
> Alex.
> P.S. The credit for highlighting the correlation between winbindd errors
> and "auth_param ntlm children 500" goes to Andrey K.
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20240726/f414352b/attachment.htm>
More information about the squid-users
mailing list