[squid-users] Strange Kerberos authentication behavior (very high load, very slow response)

From: Billie Joe <billiegdjoe_at_gmail.com>
Date: Mon, 2 Aug 2010 14:04:16 -0300

Hi Folks,

Here it is:

Hardware specs:

HP DL160G6, 8GB RAM, 2 SAS 146GB 15K RPM RAID01

OS specs:

Centos 5.5 X86-64 - 2.6.18-194.8.1.el5
Windows Server 2003 R2 (AD)

Packages:

squid-2.6.STABLE21-6.el5
krb5-libs-1.6.1-36.el5_5.5
pam_krb5-2.2.14-15
pam_krb5-2.2.14-15
krb5-libs-1.6.1-36.el5_5.5
krb5-workstation-1.6.1-36.el5_5.5

squid.conf:

# Squid 2.6 configuration exactly as posted; reviewer comments added in
# English (original Portuguese comments translated, the originals kept in
# parentheses). NOTE(review): several directives are wrapped onto a second
# line by the mail client (the negotiate program line, SSL_ports, Safe_ports,
# the quoted acl file paths, the first deny_info); in the real squid.conf each
# of those must be a single line or squid rejects/misparses it.
visible_hostname hostname.domain

http_port 3128
icp_port 3130

hierarchy_stoplist cgi-bin ?

### no auth
# Unauthenticated access from the "Servidores" source list to RepoNoauth URLs.
# NOTE(review): http_access is first-match, and this allow sits before the
# "deny manager", "deny !Safe_ports", "deny CONNECT !SSL_ports" and
# "deny malware_block_list" rules further down, so none of those checks apply
# to requests matched here.
acl RepoNoauth url_regex "/opt/catfish/etc/rules/url_regex/RepoNoauth"
acl Servidores src "/opt/catfish/etc/rules/src/Servidores"
http_access allow Servidores RepoNoauth

# Negotiate (Kerberos) helper; -s names the service principal.
# NOTE(review): "HTTP/hostname.domain" on the next line belongs to this
# directive and must be on the same line as the program path.
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s
HTTP/hostname.domain
# NOTE(review): 1500 helper children is far above the NTLM (50) and basic (5)
# pools, and each child is a separate process. With the mail reporting a load
# of 1000+ only when this scheme is enabled, the helper pool size is the first
# thing to confirm against cachemgr helper statistics (how many children are
# actually busy) — an assumption to verify, not a diagnosis from this listing.
auth_param negotiate children 1500
auth_param negotiate keep_alive on

# NTLM via winbind's ntlm_auth.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
# Applies to every auth scheme, not only ntlm, despite its position here.
authenticate_ttl 12 hours
auth_param ntlm keep_alive on

# Basic-scheme fallback; basic credentials are only base64-encoded on the wire.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Cluster Proxy
auth_param basic credentialsttl 2 hours

negative_ttl 10 seconds

cache_store_log none

max_filedesc 32768

# cache_swap_low is left at its default.
cache_swap_high 96

# Query strings are kept in access.log; any credentials or tokens that
# clients embed in URLs will be written to the log file.
strip_query_terms off

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl QUERY urlpath_regex cgi-bin \?
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
# NOTE(review): "SSL_ports" is far wider than the conventional 443: it
# includes 21, 70, 80, 88, ... and every port from 800 upward, so the
# "deny CONNECT !SSL_ports" rule below blocks CONNECT tunnels only to a
# handful of low ports. Listing only the ports actually needed is the
# usual hardening. (Wrapped onto two lines by the mail client.)
acl SSL_ports port 21 70 80 81 82 85 88 89 90 100 210 280 333 443 488
563 591 777 800-65535
acl CONNECT method CONNECT
acl HEAD method HEAD

### changed (alterado)
# Same breadth concern as SSL_ports: "deny !Safe_ports" rejects only a few
# low ports. (Wrapped onto two lines by the mail client.)
acl Safe_ports port 21 70 80 81 82 83 85 88 89 90 100 210 280 333 443
488 563 591 777 800-65535
acl all src 0.0.0.0-255.255.255.255
# Aliases of "all"; they exist only so the deny_info lines below can attach
# a distinct error page to each deny rule.
acl allUsuariosHorarioDeAlmoco src 0.0.0.0-255.255.255.255
acl allUsuariosNegados src 0.0.0.0-255.255.255.255
# NOTE(review): "public" is the well-known default SNMP community name;
# choose a non-default one. Access is at least limited by snmp_access below
# to localhost and the gerenciador networks.
acl snmppublic snmp_community public
acl gerenciador src 127.0.0.0/8 10.96.156.0/24 10.8.1.0/24 10.96.210.0/24

delay_pools 3
### some slow sites (alguns sites lentos)
### gnutella (gnutela)
acl portaslentas port 6346 1214
delay_class 1 1
delay_access 1 allow portaslentas
delay_parameters 1 666/666

### movies (filmes)
acl sitesdefilme url_regex "/opt/catfish/etc/rules/url_regex/SitesFilmes"
# NOTE(review): extensoesdefilmes is defined but referenced by no rule in
# this listing.
acl extensoesdefilmes urlpath_regex -i \.avi \.mpg \.mpeg \.mov
delay_class 2 2
delay_access 2 allow sitesdefilme
delay_parameters 2 -1/-1 10000/10000 5000/5000

### Toledo
acl filmesemusicas urlpath_regex -i \.avi \.mpg \.mpeg \.mp3 \.mov
acl rangetoledo src 10.194.0.0-10.194.255.255
delay_class 3 1
delay_access 3 allow filmesemusicas rangetoledo
delay_parameters 3 666/666

# Expanion lookup stations ("expanions ilha consulta")
acl Expanion url_regex "/opt/catfish/etc/rules/url_regex/Expanion"
acl IPExpanion src "/opt/catfish/etc/rules/src/IPExpanion"
http_access allow IPExpanion Expanion
# Everything else from the IPExpanion addresses is refused ("all" is redundant here).
http_access deny all IPExpanion

# sites reachable without authenticating (sites com acesso permitido sem autenticar)
acl SitesNoauth url_regex "/opt/catfish/etc/rules/url_regex/SitesNoauth"
# NOTE(review): this unauthenticated allow precedes "deny manager",
# "deny !Safe_ports", "deny CONNECT !SSL_ports" and "deny malware_block_list",
# so none of them apply to URLs matching SitesNoauth. Moving this line below
# those denies keeps the no-auth list from also bypassing the safety checks.
http_access allow all SitesNoauth
always_direct allow SitesNoauth
# Redundant: "allow all SitesNoauth" above already matches every HEAD request.
http_access allow HEAD SitesNoauth

# allow skype (skype liberar)
# connect_skype duplicates the CONNECT acl defined above.
acl skype_port port 443
acl connect_skype method CONNECT
acl LiberarSkype src "/opt/catfish/etc/rules/src/IPAcessoLiberarIMs"
http_access allow LiberarSkype skype_port connect_skype

# acls for logins (acl's para logins)
# Todos requires valid credentials; squid challenges the client wherever it
# is first evaluated.
acl Todos proxy_auth REQUIRED
acl free proxy_auth_regex "/opt/catfish/etc/auth/rules/free"
acl freeip src "/opt/catfish/etc/auth/rules/freeip"
# Reads the same file as UsuariosLiberarIMs below.
acl LiberarIMsauth proxy_auth_regex
"/opt/catfish/etc/rules/src/UsuariosLiberarIMs"

### bagre acls
acl UsuariosBloquearIMs proxy_auth_regex
"/opt/catfish/etc/rules/src/UsuariosBloquearIMs"
acl UsuariosLiberarIMs proxy_auth_regex
"/opt/catfish/etc/rules/src/UsuariosLiberarIMs"
acl IPAcessoDefinidoNegado src
"/opt/catfish/etc/rules/src/IPAcessoDefinidoNegado"
acl IPAcessoDefinidoHorarioDeAlmoco src
"/opt/catfish/etc/rules/src/IPAcessoDefinidoHorarioDeAlmoco"
acl IPAcessoDefinidoLiberado src
"/opt/catfish/etc/rules/src/IPAcessoDefinidoLiberado"
acl UsuariosNegados proxy_auth_regex
"/opt/catfish/etc/rules/src/UsuariosNegados"
acl UsuariosHorarioDeAlmoco proxy_auth_regex
"/opt/catfish/etc/rules/src/UsuariosHorarioDeAlmoco"
acl UsuariosLiberados proxy_auth_regex
"/opt/catfish/etc/rules/src/UsuariosLiberados"
acl IPAcessoPadraoHorarioDeAlmoco src
"/opt/catfish/etc/rules/src/IPAcessoPadraoHorarioDeAlmoco"
acl IPAcessoPadraoLiberado src
"/opt/catfish/etc/rules/src/IPAcessoPadraoLiberado"
acl IPAcessoPadraoNegado src "/opt/catfish/etc/rules/src/IPAcessoPadraoNegado"
acl InstantMessengersAllow url_regex
"/opt/catfish/etc/rules/url_regex/InstantMessengersAllow"
acl InstantMessengers url_regex
"/opt/catfish/etc/rules/url_regex/InstantMessengers"
# NOTE(review): SitesNoauth is declared a second time with the same type and
# file; squid merges the entries, so this is harmless but redundant.
acl SitesNoauth url_regex "/opt/catfish/etc/rules/url_regex/SitesNoauth"
acl IPAcessoLiberarIMs src "/opt/catfish/etc/rules/src/IPAcessoLiberarIMs"
acl IPAcessoBloquearIMs src "/opt/catfish/etc/rules/src/IPAcessoBloquearIMs"
acl SitesBloqueados url_regex "/opt/catfish/etc/rules/url_regex/SitesBloqueados"
acl SitesPermitidos url_regex "/opt/catfish/etc/rules/url_regex/SitesPermitidos"
acl HorarioDeAlmoco time "/opt/catfish/etc/rules/time/HorarioDeAlmoco"
acl LiberarEnderecosInternos src
"/opt/catfish/etc/rules/src/LiberarEnderecosInternos"
### /bagre acls

# acls for sites (acl's para sites)
# NOTE(review): RedeInterna is referenced by no rule in this listing.
acl RedeInterna url_regex "/opt/catfish/etc/auth/rules/RedeInterna"
acl Excessoes url_regex "/opt/catfish/etc/auth/rules/Excessoes"

# malware block list
acl malware_block_list url_regex -i
"/opt/catfish/etc/rules/url_regex/malware_block_list.txt"

no_cache deny QUERY
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

### changed (alterado)
snmp_access allow snmppublic localhost
snmp_access allow snmppublic gerenciador
snmp_access deny all
snmp_port 3420
# Listens on every interface; the snmp_access rules above are the only filter.
snmp_incoming_address 0.0.0.0
snmp_outgoing_address 0.0.0.0

# Todos is evaluated first on this line, so requests that reached this point
# without credentials are challenged here.
http_access allow Todos Excessoes free
http_access allow Excessoes freeip
http_access allow LiberarIMsauth InstantMessengersAllow
# NOTE(review): this deny is only reached by requests not already allowed
# above (Servidores/RepoNoauth, Expanion, SitesNoauth, skype CONNECT and the
# three allows just above). Placing it directly after "deny manager" would
# make the block list apply to every request.
http_access deny malware_block_list

### bagre rules
http_access allow UsuariosLiberarIMs InstantMessengersAllow
http_access deny UsuariosBloquearIMs InstantMessengers
http_access allow IPAcessoLiberarIMs InstantMessengersAllow
http_access deny IPAcessoBloquearIMs InstantMessengers
http_access deny SitesBloqueados
http_access allow SitesPermitidos
http_access deny IPAcessoDefinidoNegado
http_access allow IPAcessoDefinidoHorarioDeAlmoco HorarioDeAlmoco
http_access deny IPAcessoDefinidoHorarioDeAlmoco
http_access allow IPAcessoDefinidoLiberado
http_access deny UsuariosNegados allUsuariosNegados
http_access allow UsuariosHorarioDeAlmoco HorarioDeAlmoco
http_access deny UsuariosHorarioDeAlmoco allUsuariosHorarioDeAlmoco
http_access allow UsuariosLiberados
http_access allow IPAcessoPadraoLiberado
http_access allow IPAcessoPadraoHorarioDeAlmoco HorarioDeAlmoco
http_access deny IPAcessoPadraoHorarioDeAlmoco
http_access deny IPAcessoPadraoNegado
http_access allow LiberarEnderecosInternos
# NOTE(review): there is no explicit closing "http_access deny all". Squid's
# documented fallback for an unmatched request is the opposite of the last
# rule — deny here, since the last rule is an allow — but an explicit
# "http_access deny all" as the final rule is the conventional, less fragile
# ending.
### /bagre rules
deny_info IP_HORARIO_IMPROPIO IPAcessoDefinidoHorarioDeAlmoco
IPAcessoPadraoHorarioDeAlmoco
deny_info USUARIO_HORARIO_IMPROPIO allUsuariosHorarioDeAlmoco
deny_info ERR_USR_ACCESS_DENIED allUsuariosNegados
deny_info MALWARE malware_block_list

http_reply_access allow all
# NOTE(review): ICP on port 3130 answers any source; restrict this to actual
# peers (or deny it) unless siblings/parents are in use.
icp_access allow all

cache_effective_user squid

cache_mgr cachemgr_at_mydomain.com
maximum_object_size 4096 KB

access_log /var/log/squid/access.log squid
logfile_rotate 5

error_directory /usr/share/squid/errors/Myerrors

cache_dir ufs /var/spool/squid 4096 16 256

# NOTE(review): 4 GB of cache_mem on an 8 GB host, next to up to 1500
# negotiate helper processes, leaves little memory headroom; and with
# "cache deny all" below nothing is cached, so cache_mem and cache_dir are
# largely unused as configured.
cache_mem 4096 MB

half_closed_clients off

cache deny all

Problem:

Everything works fine, except that the system load reaches 1000 and
keeps increasing when Kerberos authentication is enabled, which results in
slow responses from the proxy server to users. When using only NTLM
authentication (with the Kerberos authentication line commented out), the
load is no more than 2, which results in fast responses from the proxy
server to users. CPU utilization is always low. There is no swap utilization by
the kernel. In my test environment, with 20 users, I always get fast
responses. The problem occurs when I put the server into production.
What is happening with Kerberos authentication?

-- 
"Computers are like air-conditioners.
They stop working when you open Windows."
BillieGDJoe