Re: [squid-users] Connection error

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 15 Jan 2011 14:24:02 +1300

On 15/01/11 07:35, Senthilkumar wrote:
> Hi All,
>
> I am using Squid Cache: Version 3.1.8, configured with the NTLM scheme using
> samba, ClamAV + ICAP and SquidGuard.
> All of the clients are Windows machines joined to the domain. The browser
> authenticates using the ntlm scheme without a pop up for the password and
> everything is working fine.
>
> We have two issues:
> 1. We are using many acls to allow and deny websites on the basis of the
> ADS groups using wbinfo.pl. From time to time the users report that
> the authentication pop up occurs.
> In cache.log we can find the following:
>
> 2011/01/14 12:27:50| WARNING: All ntlmauthenticator processes are busy.
> 2011/01/14 12:27:50| WARNING: 25 pending requests queued
> 2011/01/14 12:56:48| WARNING: All ntlmauthenticator processes are busy.
> 2011/01/14 12:56:48| WARNING: 25 pending requests queued
> 2011/01/14 12:57:36| WARNING: All ntlmauthenticator processes are busy.
> 2011/01/14 12:57:36| WARNING: 25 pending requests queued
> 2011/01/14 14:00:03| WARNING: All ntlmauthenticator processes are busy.
> 2011/01/14 14:00:03| WARNING: 25 pending requests queued
> 2011/01/14 14:00:06| WARNING: Closing open FD 229
> 2011/01/14 14:01:09| WARNING: All ntlmauthenticator processes are busy.
>
> We just increased it to 30 for ntlm and 30 for wbinfo (external); still it
> occurs. Does the ntlm scheme have any new behaviour?
>

Also, wbinfo has a maximum capacity limit of only ~256 lookups, shared
across all helpers AFAIK. When this limit is exceeded the lookups get
queued. When the queue fills, clients are rejected.

> 2. When we browse a website and leave the browser idle for 30 - 60 minutes,
> "cannot display page" occurs.

Strange.

> In squid.conf we have used the following values:
> half_closed_clients off
> client_persistent_connections off
> server_persistent_connections off
> Does squid have this as default behaviour? Please suggest suitable options
> in squid.conf to overcome it.

Eek!

Firstly, the NTLM scheme authenticates a TCP connection, *not* a user.

Secondly, the NTLM scheme requires *three* full HTTP requests to be
performed to authenticate and fetch an object.

So... without persistent connections your Squid and its client browsers
are consuming up to 3x the amount of traffic (and bandwidth) they
normally would be.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Sat Jan 15 2011 - 01:24:17 MST
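
Added example, not part of the original message: a Python check for the combination described in the reply above (NTLM configured while persistent connections are off), plus a tally of the helper-busy warnings from cache.log. The auth_param lines and helper path in the sample are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# squid.conf: the three "off" directives are quoted in the thread; the
# auth_param lines are constructed (the helper path is a placeholder).
SAMPLE_CONF = """\
auth_param ntlm program /path/to/ntlm_helper
auth_param ntlm children 30
half_closed_clients off
client_persistent_connections off
server_persistent_connections off
"""
# cache.log lines copied from the excerpt quoted in the thread.
SAMPLE_LOG = """\
2011/01/14 12:27:50| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:27:50| WARNING: 25 pending requests queued
2011/01/14 12:56:48| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:56:48| WARNING: 25 pending requests queued
2011/01/14 14:00:03| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 14:00:06| WARNING: Closing open FD 229
"""
BUSY = re.compile(r"^(\d{4}/\d\d/\d\d \d\d):\d\d:\d\d\| WARNING: All (\w+) processes are busy")
QUEUED = re.compile(r"\| WARNING: (\d+) pending requests queued")

def ntlm_keepalive_findings(conf_text):
    """Return persistent-connection directives set to 'off' while NTLM auth is configured."""
    settings, ntlm = {}, False
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        if parts[0] == "auth_param" and parts[1].lower() == "ntlm":
            ntlm = True
        settings[parts[0]] = parts[1].lower()  # a later line overrides an earlier one
    if not ntlm:
        return []
    # Both directives default to "on" when absent from squid.conf.
    return [d for d in ("client_persistent_connections", "server_persistent_connections")
            if settings.get(d, "on") == "off"]

def helper_pressure(log_text):
    """Count 'all helpers busy' warnings per (helper, hour); track the deepest queue seen."""
    per_hour, max_queued = Counter(), 0
    for line in log_text.splitlines():
        busy = BUSY.match(line)
        if busy:
            per_hour[(busy.group(2), busy.group(1))] += 1
        queued = QUEUED.search(line)
        if queued:
            max_queued = max(max_queued, int(queued.group(1)))
    return per_hour, max_queued
```

Run against a real squid.conf and cache.log, a non-empty findings list alongside recurring busy warnings points at the per-connection NTLM handshake being repeated for every request.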