[squid-users] Re: Autentication x AD intermittent

From: Adam Aube <aaube01@dont-contact.us>
Date: Mon, 10 Jan 2005 21:52:57 -0500

Please don't post the same message to the list multiple times.

rodd wrote:

> I am having some problems using my Squid authenticating
> against my Active Directory Server.
> I have this environment working for about 6 months, and it was
> fine, but since last month its behavior became very strange. The point
> is when the clients request a page, sometimes it works fine, but
> sometimes they get an error like: "The page cannot be displayed".

Have you upgraded any software or installed any patches on the Squid server
or the domain controller? Has your usage level increased significantly?

> I have checked many things, starting with the DNS structure,
> and I didn't find any problem. I've checked the response time between
> my workstation machine and the Squid Server, and between the Squid
> Server and the AD server, and everything is fine, actually they are
> all in the same LAN.

How are you checking this?

> I tried many different configurations of samba and squid to
> solve that, but it is still happening. I changed my smb.conf and the
> squid.conf and now it is like that:

[squid.conf and smb.conf snipped]

I see you are using NTLM authentication. Due to the nature of NTLM, problems
often occur for one of two reasons:

1) Insufficient NTLM helpers (most common)
2) Too much load on the DC

Increase the number of helpers and see what happens. If the problem recurs,
but takes longer than before to start happening, keep increasing the number
of helpers until the problem goes away.

Also, Cache Manager has a page of interesting info on the NTLM helpers.
This may also help point you in the direction of the problem.

> The software versions are:
>
> Squid: Version 2.5.STABLE7
> Winbindd: Version 3.0.7
> krb5 - 1.2.7-24
> and Red Hat Enterprise Server

> Other important information is when I stop the
> authentication, the problem stops. Other important information is that
> the problem just happens during the business day, we have around 3000
> users accessing the internet. Btw, the cpu and memory of the server
> are ok. I tried also disabling the cache, but without success.

How many concurrent requests to the proxy? For NTLM, the recommendation is
one helper for each concurrent request.

> Other very interesting thing is that I have a backup proxy
> server, and in that server the problem doesn't happen, so, I
> switched the clients to the backup server

> the clients are accessing the backup server since two weeks ago without
> any problem, but today the problem also started in the backup server.

Which makes it seem like a load issue, though if all the clients were
switched to the backup at once, it's odd that it would take two weeks for
the problem to occur there as well. Was the load lighter than normal for
the first part of the two weeks?

Adam
Received on Mon Jan 10 2005 - 19:53:25 MST
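
Added example, not part of the original message: one way to get a first figure for the "how many concurrent requests" question above is to compute the peak number of overlapping requests from Squid's native access.log. It assumes the default native log format (field 1 is the completion time in epoch seconds, field 2 the elapsed time in milliseconds); the function name and the sample lines are constructed for illustration.

```python
import sys

# Constructed sample lines in Squid's native access.log format:
# completion-time(s) elapsed(ms) client code/status bytes method URL user peer type
SAMPLE = """\
1105412001.000 1000 10.0.0.11 TCP_MISS/200 5120 GET http://example.com/a alice DIRECT/192.0.2.10 text/html
1105412001.500 1000 10.0.0.12 TCP_MISS/200 2048 GET http://example.com/b bob DIRECT/192.0.2.10 text/html
1105412001.250  500 10.0.0.13 TCP_HIT/200 1024 GET http://example.com/c carol NONE/- image/gif
1105412000.900    2 10.0.0.14 TCP_DENIED/407 1700 GET http://example.com/d - NONE/- text/html
this line is truncated
1105412003.000  500 10.0.0.11 TCP_MISS/200 4096 GET http://example.com/e alice DIRECT/192.0.2.10 text/html
""".splitlines()


def peak_concurrency(lines):
    """Return (peak, time_of_peak) for the requests in the given log lines."""
    events = []
    for line in lines:
        fields = line.split()
        try:
            end = float(fields[0])
            elapsed_ms = int(fields[1])
        except (IndexError, ValueError):
            continue  # skip blank, malformed or truncated lines
        # Squid logs at completion, so the request started elapsed_ms earlier.
        events.append((end - elapsed_ms / 1000.0, 1))
        events.append((end, -1))
    # At equal timestamps process ends (-1) before starts (+1), so requests
    # that merely touch are not counted as overlapping.
    events.sort()
    current = peak = 0
    peak_at = None
    for when, delta in events:
        current += delta
        if current > peak:
            peak, peak_at = current, when
    return peak, peak_at


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    peak, when = peak_concurrency(source)
    print("peak concurrent requests: %d at epoch %.3f" % (peak, when))
```

Run it over a log covering the business day; the 407 challenge entries are counted too, since each step of the NTLM handshake also goes through a helper.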
