[squid-users] SQUID - WINDBIND - very slow internet speed

Francesco Chemolli gkinkie at gmail.com
Fri Jul 26 07:31:26 UTC 2024


Have you considered
https://wiki.squid-cache.org/Features/HelperMultiplexer
?
If I remember correctly, it can start new helpers on demand up to a
configured maximum.

@mobile


On Fri, 26 Jul 2024 at 8:23 AM, Andrey K <ankor2023 at gmail.com> wrote:

> Hello, Andre,
>
>
> > How to know if the helper supports concurrent requests?
> You are using /usr/bin/ntlm_auth, and, as far as I know, it does not
> support concurrency. But I do not know other ntlm-authentication helpers.
>
> > winbindd: Exceeding 500 client connections, no idle connection found
> > I will increase this value to check if it helps to settle the issue
> I think it will only hide the problem.
> In my opinion, it is better to follow Alex's advice and reduce the
> number of ntlm-helpers. It should prevent exceeding the maximum winbind
> client connections error messages.
> The actual number of required ntlm-helpers can be obtained during the
> working day.
> ps -ef | grep ntlm_auth | grep -v wrapper | grep -v basic | wc -l
> You can divide this number by the number of workers and add some spare
> ones.
>
> When the problem appears again, you can follow the advice of Francesco:
> > In order to bisect the problem, could you try using `wbinfo -a` on one
> > of the affected machines to authenticate against Active Directory and
> > see if the performance is on the winbindd <-> AD side of the equation
> > or on the squid <-> ntlm_auth side?
> sudo wbinfo -t
> sudo wbinfo -a "DOMAIN\username%password"
>
> Kind regards,
> Ankor.
>
>
>
>
> On Thu, 25 Jul 2024 at 17:43, Andre Bolinhas <andre.bolinhas at articatech.com> wrote:
>
>> Hi
>> We have 5 squid workers, we need to handle around 8k concurrent users.
>>
>> Based on this, what are the auth_param values that you recommend for
>> children, idle and startup?
>> How to know if the helper supports concurrent requests?
>>
>> winbindd: Exceeding 500 client connections, no idle connection found
>>
>> I will increase this value to check if it helps to settle the issue
>>
>>
>> On 25/07/2024 14:28, Alex Rousskov wrote:
>>
>> On 2024-07-23 19:20, Andre Bolinhas wrote:
>>
>> winbindd: Exceeding 500 client connections, no idle connection found
>>
>>
>> auth_param ntlm children 500 ...
>>
>>
>> I know virtually nothing about WINDBIND and the authentication helper you
>> are using, but configuring Squid to have 500 helper processes is usually a
>> mistake, even with a single Squid worker. YMMV, but I would try to use a
>> lot fewer helpers (e.g., 10) and increase that number only if such an
>> increase actually improves things.
>>
>> If possible, use a helper that supports concurrent requests.
>>
>> If your Squid is not competing for resources with other applications on
>> the server, then I also recommend keeping a _constant_ number of helper
>> processes (instead of asking Squid to start many new helper processes at
>> the worst possible time -- when the load on Squid increases). To do that,
>> make startup and idle parameters the same as the maximum number of
>> children.
>>
>>
>> HTH,
>>
>> Alex.
>> P.S. The credit for highlighting the correlation between winbindd errors
>> and "auth_param ntlm children 500" goes to Andrey K.
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> https://lists.squid-cache.org/listinfo/squid-users
>>
>>
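
The sizing procedure from the quoted replies (count running ntlm_auth helpers, divide by the number of workers, add spares, keep startup and idle equal to children), as an added shell example that is not part of the thread. The sample ps lines, the function names and the assumption that each helper holds one winbindd client connection are mine; 500 is the limit from the error message quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): size Squid's NTLM helper pool.

# Constructed sample of `ps -ef` output; PIDs and the wrapper path are made up.
SAMPLE_PS='proxy 2101 2001 0 09:00 ? 00:00:01 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
proxy 2102 2001 0 09:00 ? 00:00:01 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
proxy 2103 2002 0 09:00 ? 00:00:02 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
proxy 2104 2002 0 09:00 ? 00:00:00 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
proxy 2201 2001 0 09:00 ? 00:00:00 (ntlm_auth) --helper-protocol=squid-2.5-basic
proxy 2301 2001 0 09:00 ? 00:00:00 /bin/sh /usr/local/bin/ntlm_auth_wrapper.sh'

# Count NTLM helpers in `ps -ef` text on stdin, with the same exclusions as the
# pipeline in the thread. '[n]tlm_auth' keeps this grep's own process line from
# matching when the input is a live `ps -ef`.
count_ntlm_helpers() {
    grep '[n]tlm_auth' | grep -v -e wrapper -e basic | wc -l | tr -d ' '
}

# children per worker = ceil(total / workers) + spare
children_per_worker() {
    echo $(( ($1 + $2 - 1) / $2 + $3 ))
}

# squid.conf line with a constant pool: startup = idle = children.
auth_param_line() {
    echo "auth_param ntlm children $1 startup=$1 idle=$1"
}

# Assumption: one winbindd client connection per helper, so the worst case is
# children * workers. Succeeds only if that stays within the winbindd limit.
fits_winbind_limit() {
    [ $(( $1 * $2 )) -le "$3" ]
}

# Demo on the constructed sample: 2 workers, 2 spare helpers per worker.
# On a live proxy, feed `ps -ef` into count_ntlm_helpers during the working day.
total=$(printf '%s\n' "$SAMPLE_PS" | count_ntlm_helpers)
n=$(children_per_worker "$total" 2 2)
auth_param_line "$n"
if fits_winbind_limit "$n" 2 500; then
    echo "worst case $(( n * 2 )) winbindd clients: within limit"
else
    echo "worst case $(( n * 2 )) winbindd clients: exceeds limit"
fi
```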