Re: [squid-users] Connection error

From: Senthilkumar <senthilkumaar2021_at_gmail.com>
Date: Tue, 18 Jan 2011 09:06:29 +0530

Hi,

I have increased the NTLM scheme children, and even so I am still getting
the error message "All ntlmauthenticator processes are busy" in cache.log;
the "wbinfo.pl is busy" message has stopped now.

I have attached my squid.conf. Please check it and share your views if
anything is done wrong.

#Authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100
auth_param basic credentialsttl 8 hours
authenticate_ttl 4 hours

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm PrimalHealth care services
auth_param basic credentialsttl 8 hours

#group Authentication
external_acl_type groupauth children=50 %LOGIN /usr/local/squid31/libexec/wbinfo_group.pl

#Acl for checking group
acl senior1 external groupauth senior
acl dept1 external groupauth dept
acl human1 external groupauth human
acl srgp1 external groupauth group
acl gl1 external groupauth leader
acl nm1 external groupauth normal
acl mancom1 external groupauth man

#Acl to allow and block websites
####
acl senior2 url_regex -i "/usr/local/squid31/policy/allow.txt"

acl senior3 dstdomain -i "/usr/local/squid31/policy/allow1.txt"
acl senior4 dstdomain -i "/usr/local/squid31/policy/allow3.txt"
####

acl dept2 url_regex -i "/usr/local/squid31/policy/allow4.txt"
acl dept3 dstdomain -i "/usr/local/squid31/policy/allow5.txt"
####

acl gl2 url_regex -i "/usr/local/squid31/policy/allowleader"
acl gl3 url_regex -i "/usr/local/squid31/policy/denyleader"
####
acl srgp2 url_regex -i "/usr/local/squid31/policy/allow6"
acl srgp3 dstdomain -i "/usr/local/squid31/policy/allow7"
####
acl nm2 url_regex -i "/usr/local/squid31/policy/allow8"
acl nm3 url_regex -i "/usr/local/squid31/policy/deny9"
acl nm4 dstdomain -i "/usr/local/squid31/policy/deny9"
###
acl mancom2 url_regex -i "/usr/local/squid31/policy/allowgl2"
acl global url_regex -i "/usr/local/squid31/policy/allowgl1"
###
acl noblock src "/usr/local/squid31/policy/allowdirect"

#Http_access

http_access allow manager localhost
http_access deny manager

http_access allow noblock
http_access allow global
http_access allow senior1 senior3
http_access deny senior1 senior4 all
http_access allow dept1 dept3
http_access allow gl1 gl2
http_access deny gl1 gl3 all
http_access allow srgp1 srgp3
http_access deny nm1 nm4 all
http_access allow nm1 nm2
http_access allow all

#squidGuard
url_rewrite_program /usr/local/squidGuard/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
url_rewrite_children 50
url_rewrite_access allow !noblock !senior2 !dept2 !gl2 !gl3 !srgp2 !nm2 !nm3 !mancom2 !global
url_rewrite_access deny all

Thanks
Senthil

Amos Jeffries wrote:
> On 15/01/11 07:35, Senthilkumar wrote:
>> Hi All,
>>
>> I am using Squid Cache: Version 3.1.8, configured with the NTLM scheme using
>> Samba, ClamAV + ICAP and squidGuard.
>> All of the clients are Windows machines joined to the domain. The browser
>> authenticates using the NTLM scheme without a pop-up for the password and
>> everything is working fine.
>>
>> We have two issues:
>> 1. We are using many ACLs to allow and deny websites on the basis of the
>> ADS groups using wbinfo.pl. From time to time the users report that
>> the authentication pop-up occurs.
>> In cache.log we can find the following
>>
>> 2011/01/14 12:27:50| WARNING: All ntlmauthenticator processes are busy.
>> 2011/01/14 12:27:50| WARNING: 25 pending requests queued
>> 2011/01/14 12:56:48| WARNING: All ntlmauthenticator processes are busy.
>> 2011/01/14 12:56:48| WARNING: 25 pending requests queued
>> 2011/01/14 12:57:36| WARNING: All ntlmauthenticator processes are busy.
>> 2011/01/14 12:57:36| WARNING: 25 pending requests queued
>> 2011/01/14 14:00:03| WARNING: All ntlmauthenticator processes are busy.
>> 2011/01/14 14:00:03| WARNING: 25 pending requests queued
>> 2011/01/14 14:00:06| WARNING: Closing open FD 229
>> 2011/01/14 14:01:09| WARNING: All ntlmauthenticator processes are busy.
>>
>> We just increased it to 30 for ntlm and 30 for wbinfo (external); it still
>> occurs. Does the ntlm scheme have any new behaviour?
>>
>
> Also, wbinfo has a maximum capacity limit of only ~256 lookups, shared
> across all helpers AFAIK. When this limit is exceeded the lookups get
> queued. When queue fills clients are rejected.
>
>> 2. When we browse a website and leave the browser idle for 30 - 60 minutes,
>> cannot display page occurs.
>
> strange.
>
>> In squid.conf we have used following values
>> half_closed_clients off
>> client_persistent_connections off
>> server_persistent_connections off
>> Does Squid have this as default behaviour? Please suggest suitable options
>> in squid.conf to overcome it.
>
> Eek!
>
> Firstly, the NTLM scheme authenticates a TCP connection, *not* a user.
>
> Secondly, the NTLM scheme requires *three* full HTTP requests to be
> performed to authenticate and fetch an object.
>
> So... without persistent connections your Squid and its client
> browsers are consuming up to 3x the amount of traffic (and bandwidth)
> they normally would be.
>
>
> Amos
Received on Tue Jan 18 2011 - 03:44:09 MST
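
An added example, not part of the original thread: a small Python script that tallies the helper-saturation warnings from cache.log per helper and per hour, so the effect of raising `children` can be compared before and after a change. The sample lines are copied from the cache.log excerpt quoted in the post; the function name `summarize` and the returned layout are assumptions of this example.

```python
import re
from datetime import datetime

# Lines copied from the cache.log excerpt quoted in the thread.
SAMPLE_LOG = """\
2011/01/14 12:27:50| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:27:50| WARNING: 25 pending requests queued
2011/01/14 12:56:48| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:56:48| WARNING: 25 pending requests queued
2011/01/14 12:57:36| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:57:36| WARNING: 25 pending requests queued
2011/01/14 14:00:03| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 14:00:03| WARNING: 25 pending requests queued
2011/01/14 14:00:06| WARNING: Closing open FD 229
2011/01/14 14:01:09| WARNING: All ntlmauthenticator processes are busy.
"""

LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| WARNING: (.*)$")
BUSY = re.compile(r"^All (\S+) processes are busy")
QUEUED = re.compile(r"^(\d+) pending requests queued")

def summarize(log_text):
    """Return {helper: {"events": n, "max_queued": n, "by_hour": {hour: n}}}."""
    stats = {}
    last_helper = None  # helper named by the immediately preceding "busy" line
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            last_helper = None
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        busy = BUSY.match(m.group(2))
        if busy:
            last_helper = busy.group(1)
            s = stats.setdefault(
                last_helper, {"events": 0, "max_queued": 0, "by_hour": {}})
            s["events"] += 1
            hour = ts.strftime("%Y-%m-%d %H:00")
            s["by_hour"][hour] = s["by_hour"].get(hour, 0) + 1
            continue
        queued = QUEUED.match(m.group(2))
        if queued and last_helper:
            # The queue-depth line follows the busy warning it belongs to.
            s = stats[last_helper]
            s["max_queued"] = max(s["max_queued"], int(queued.group(1)))
        last_helper = None
    return stats

if __name__ == "__main__":
    for helper, s in summarize(SAMPLE_LOG).items():
        print(helper, s)
```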