Re: [squid-users] NTLM authentication testing

From: Richard Wall <richard@dont-contact.us>
Date: Tue, 19 Feb 2008 13:40:52 +0000

On 2/18/08, Adrian Chadd <adrian@creative.net.au> wrote:
> That's basically right - Squid doesn't handle the NTLM itself, it just
> passes the blob right through. The helper framework can handle hundreds
> of requests a second without too much thought; I'd like to spend some
> time figuring out what Samba is doing that's so slow. I thought that winbind
> was actually handling the NTLM challenge/response stuff itself and caching
> data rather than passing it upstream to the DC for every request.
> I haven't yet looked at it, so I can't say for certain that is correct.

I've done some pretty unscientific tests using curl against our Squid box.
 * CPU: Intel(R) Celeron(R) CPU 2.53GHz
 * MemTotal: 2075628 kB
 * Squid2.6 STABLE17 (using epoll)
 * NTLM auth_param ntlm children 100

I've been running multiple curl instances on four clients as follows:
{{{
# Start 100 background loops, each re-running curl as fast as it can.
# With four clients that is 400 concurrent NTLM-authenticated fetch loops.
for i in {1..100}; do
    while true; do
        curl -x 192.168.1.97:800 \
             --proxy-ntlm \
             --proxy-user "DOMAINNAME\\username:password" \
             --include \
             --silent \
             --header Pragma: \
             http://www.mydomain.com/index.html >/dev/null
        # "--header Pragma:" with an empty value strips curl's default
        # "Pragma: no-cache", so Squid is allowed to answer from cache.
    done &
    sleep 1
done
}}}

According to cachemgr this is generating a load of ~250req/sec.

client_http.requests = 252.175917/sec
client_http.hits = 126.159625/sec
client_http.errors = 0.000000/sec
client_http.kbytes_in = 90.109732/sec
client_http.kbytes_out = 2735.581866/sec
client_http.all_median_svc_time = 0.851301 seconds
client_http.miss_median_svc_time = 0.000911 seconds
client_http.nm_median_svc_time = 0.000000 seconds
client_http.nh_median_svc_time = 0.000000 seconds
client_http.hit_median_svc_time = 0.806511 seconds

First problem is that you have to reinterpret the Squid reported hit
ratios when using NTLM auth. Only half of these are hits, the other
half being TCP_DENIED/407 that form part of the NTLM auth negotiation.

Second problem is that the majority of requests seem to result in auth
requests to the DC. There is an article describing Win2003 performance
counters showing Number of auth requests / sec, but those counters
don't seem to exist on my copy.
 * http://support.microsoft.com/kb/928576

Instead I used the difference over one minute in the total number of
security events (as shown in the title bar of the Windows event
viewer):
 * ~127 successful auth events per second
...which is about the same as the client_http.hits reported by squid.

I have the following setting defined in smb.conf:
 * winbind cache time = 10
...which clearly isn't being respected.

 * Does anyone else see this behaviour, or have you managed to get auth
requests cached by winbindd?
 * Can winbindd even cache auth requests, or is it only
concerned with caching other domain data?

If anyone has answers, I'd really appreciate hearing from you. I'll
continue to experiment and will post my findings.

-RichardW.
Received on Tue Feb 19 2008 - 06:40:56 MST
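An added illustration, not part of Richard's post or of Squid itself: the script below reads Squid's native access.log format and separates the TCP_DENIED/407 challenge responses that belong to the NTLM handshake from real requests, so the hit ratio and the rate of authenticated requests (the number that reaches winbindd, and the DC if nothing is cached) can be read off directly instead of being inferred from cachemgr counters. The log lines are constructed sample data; the set of hit action names and the assumption that every line with a non-"-" user field cost one authentication are mine.

```python
"""Reinterpret Squid access.log statistics under NTLM proxy authentication.

Added example; the log below is constructed, not taken from the post.
Native access.log layout:
  timestamp elapsed client action/status size method URL user hierarchy type
"""

# Constructed sample: each client first receives a 407 challenge (no user
# yet), then repeats the request with the NTLM response and gets an answer.
SAMPLE_LOG = """\
1203428452.100 1 192.168.1.10 TCP_DENIED/407 2040 GET http://www.mydomain.com/index.html - NONE/- text/html
1203428452.110 12 192.168.1.10 TCP_HIT/200 5120 GET http://www.mydomain.com/index.html DOMAINNAME\\user1 NONE/- text/html
1203428452.300 1 192.168.1.11 TCP_DENIED/407 2040 GET http://www.mydomain.com/index.html - NONE/- text/html
1203428452.320 15 192.168.1.11 TCP_MISS/200 5120 GET http://www.mydomain.com/index.html DOMAINNAME\\user2 DIRECT/10.0.0.5 text/html
1203428453.050 1 192.168.1.12 TCP_DENIED/407 2040 GET http://www.mydomain.com/index.html - NONE/- text/html
1203428453.060 9 192.168.1.12 TCP_MEM_HIT/200 5120 GET http://www.mydomain.com/index.html DOMAINNAME\\user3 NONE/- text/html
1203428453.900 1 192.168.1.12 TCP_DENIED/407 2040 GET http://www.mydomain.com/index.html - NONE/- text/html
1203428453.950 7 192.168.1.12 TCP_HIT/200 5120 GET http://www.mydomain.com/index.html DOMAINNAME\\user3 NONE/- text/html
"""

# Squid action codes that count as cache hits (assumed list; adjust to taste).
HIT_ACTIONS = {
    "TCP_HIT", "TCP_MEM_HIT", "TCP_IMS_HIT", "TCP_REFRESH_HIT",
    "TCP_NEGATIVE_HIT", "TCP_REFRESH_UNMODIFIED",
}


def parse_line(line):
    """Return the fields we need from one native-format line, or None."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    action, status = f[3].split("/", 1)
    if not status.isdigit():
        return None
    return {"ts": float(f[0]), "client": f[2], "action": action,
            "status": int(status), "user": f[7]}


def summarize(log_text):
    """Split NTLM 407 challenges from real traffic and compute rates."""
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    if not recs:
        raise ValueError("no parsable access.log lines")
    total = len(recs)
    # 407 lines are the proxy asking for (the next step of) NTLM credentials;
    # they inflate the request count but carry no content.
    challenges = sum(1 for r in recs if r["status"] == 407)
    real = total - challenges
    hits = sum(1 for r in recs
               if r["action"] in HIT_ACTIONS and r["status"] == 200)
    # Every line with a resolved user went through the auth helper once;
    # without winbindd caching, that is roughly one DC round trip each.
    authenticated = sum(1 for r in recs if r["user"] != "-")
    span = max(1.0, max(r["ts"] for r in recs) - min(r["ts"] for r in recs))
    return {
        "total": total,
        "challenges_407": challenges,
        "real_requests": real,
        "hits": hits,
        "naive_hit_ratio": hits / total,
        "effective_hit_ratio": hits / real if real else 0.0,
        "authenticated": authenticated,
        "req_per_sec": total / span,
        "auth_per_sec": authenticated / span,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:>22}: {value:.3f}" if isinstance(value, float)
              else f"{key:>22}: {value}")
```

On the constructed sample the naive hit ratio (hits over all lines) is 3/8, while the effective ratio over real requests is 3/4, which is the reinterpretation the post describes. Comparing `auth_per_sec` with the DC's security event rate, as the post does with the event viewer counter, shows directly whether winbindd is absorbing any of the authentications.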
