Re: [squid-users] Strange problem with NTLM_AUTH

From: Roman Rathler <squidlist@dont-contact.us>
Date: Tue, 21 Jun 2005 18:15:35 +0200 (CEST)

Hey There,

I had this problem often and it was caused by slow winbind responses
or winbind hanging. Try to tune winbind!! Look if things like wbinfo
-u/g/m perform fast -> winbind was often hanging because it tried to talk to
trusted domain controllers (which often are not needed => allow trusted
domains off).
I had used 30 ntlm_auth processes before to not cause squid to restart
under load; after tuning winbind, 5 of them are enough right now according
to the stats in cachemgr.cgi.

cheers.
Roman

> Hi all;
> We have Squid 2.5.STABLE9 running with 30 ntlm_auth helpers Version
> 3.0.10-1.fc3. The problem is that on the squid's cachemgr.cgi->NTLM User
> Authenticator Stats it is possible to verify that the ntlm_auth processes
> are slowly having the flag R (Reserved or Deferred) set and never being
> used again (the number of requests stops and the time starts growing).
> This problem goes until there is no more ntlm_auth process available and
> squid restarts itself, restarting all ntlm_auth too. After the restart,
> everything goes back to normal and the problem slowly repeats. We
> detected that the R flag appears more aggressively if the domain
> controller is under more load (like running a backup script).
> Well, the questions are:
> 1- What does the flag reserved mean?
> 2- Any ideas why the R flag is spreading through all the ntlm_auth
> processes, like processes 11 and 12 below (you can see the 11 and 12 are
> locked for a long time and process 13 is receiving more requests)?
>
> #  FD   PID  # Requests  Flags        Time  Offset  Request
> 1   8  8656      475909  R          10.140       0  (none)
> 2   9  8657      632482              0.093       0  (none)
> 3  10  8658      363615              0.412       0  (none)
> 4  11  8659       64199  R      311498.132       0  (none)
> 5  12  8660       33142  R      311497.891       0  (none)
> 6  13  8661      121226              0.932       0  (none)
> 7  14  8662       58971              0.913       0  (none)
> (...)
>
>
> Just for the record, I originally sent this message to the SAMBA
> list, and Andrew Bartlett (NTLM_AUTH coder) replied to me as below: "It
> might be that we need to have a better way to have ntlm_auth tell Squid
> that there is a problem now, but it might go away (previous helper
> designs had to be restarted for that to happen, but ntlm_auth can
> recover on its own).
>
> Andrew Bartlett"
>
> Any help is greatly appreciated;
> Best regards;
>
> Rafael Sarres de Almeida
> Seção de Gerenciamento de Rede
> Superior Tribunal de Justiça
> Tel: (61) 319-9342
>
>
>
Received on Tue Jun 21 2005 - 10:15:53 MDT
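
Added example (not part of the original messages, and not Squid or Samba code): a small Python parser for the "NTLM User Authenticator Stats" table quoted above that picks out helpers stuck with the R flag, so the condition can be noticed before the pool runs dry. The function names, the 300-second threshold and the reading of the Time column as seconds are assumptions; the sample rows are the ones from the message.

```python
import re
from typing import NamedTuple

# Constructed sample: the helper rows quoted in the message above.
SAMPLE = """\
#  FD   PID  # Requests  Flags        Time  Offset  Request
1   8  8656      475909  R          10.140       0  (none)
2   9  8657      632482              0.093       0  (none)
3  10  8658      363615              0.412       0  (none)
4  11  8659       64199  R      311498.132       0  (none)
5  12  8660       33142  R      311497.891       0  (none)
6  13  8661      121226              0.932       0  (none)
7  14  8662       58971              0.913       0  (none)
"""

class Helper(NamedTuple):
    index: int
    fd: int
    pid: int
    requests: int
    flags: str
    time: float

# index, FD, PID, requests, optional flag letters, time, offset, request
ROW = re.compile(r"(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(?:([A-Za-z]+)\s+)?(\d+\.\d+)\s+(\d+)\s+(.*)")

def parse_helpers(text):
    """Parse helper rows; the Flags column may be empty, and '>' quoting is tolerated."""
    helpers = []
    for line in text.splitlines():
        m = ROW.fullmatch(line.lstrip("> ").rstrip())
        if m:  # header and "(...)" lines do not match and are skipped
            helpers.append(Helper(int(m[1]), int(m[2]), int(m[3]), int(m[4]), m[5] or "", float(m[6])))
    return helpers

def stuck_reserved(helpers, max_age=300.0):
    """Helpers flagged R whose Time exceeds max_age (assumed threshold, Time assumed in seconds)."""
    return [h for h in helpers if "R" in h.flags and h.time > max_age]

def reserved_ratio(helpers):
    """Fraction of helpers currently carrying the R flag."""
    return sum("R" in h.flags for h in helpers) / len(helpers) if helpers else 0.0

if __name__ == "__main__":
    pool = parse_helpers(SAMPLE)
    for h in stuck_reserved(pool):
        print(f"helper #{h.index} pid={h.pid} reserved for {h.time:.0f}s after {h.requests} requests")
    print(f"{reserved_ratio(pool):.0%} of helpers reserved")
```

On the sample this reports the helpers with PIDs 8659 and 8660; the helper with PID 8656 also carries R but has held it for only about 10 seconds, so it stays below the threshold.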

This archive was generated by hypermail pre-2.1.9 : Fri Jul 01 2005 - 12:00:02 MDT