Re: [squid-users] loosing ntlm connection

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 10 Nov 2011 15:27:40 +1300

 On Wed, 09 Nov 2011 23:54:12 +0100, ftiaronsem wrote:
> Hello all together
>
> This one gives me a headache. I joined my Ubuntu 10.04 LTS server
> running squid 2.7.STABLE7 and samba 3.4.7 to my Windows 2008 domain
> without problems.
>
> Squid also started fine using
>
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> /usr/lib/squid/wbinfo_group.pl
>
> for authentication. However, after a while, some users get DENIED
> messages. A few hours after that, squid crashes completely,
> complaining:
>
> 2011/11/08 15:22:56| WARNING: up to 50 pending requests queued
> 2011/11/08 15:22:56| Consider increasing the number of
> ntlmauthenticator processes to at least 60 in your config file.
> FATAL: Too many queued ntlmauthenticator requests (51 on 10)
>

 Read that message again.

 Your Squid is dying if it has to handle 51 or more parallel TCP
 connections being opened during the time period taken to do NTLM
 handshake.

 One client browser will open at least 8 connections for most popular
 websites.

> Winbind logs show up a lot of stuff like
>
> [2011/11/08 15:19:06, 0]
> winbindd/winbindd_dual.c:186(async_request_timeout_handler)
> async_request_timeout_handler: child pid 25224 is not responding.
> Closing connection to it.
> [2011/11/08 15:19:06, 1] winbindd/winbindd_util.c:303(trustdom_recv)
> Could not receive trustdoms
>
> So I am tempted to conclude that this is a samba/winbind problem.
> However, I am often getting similar errors in the winbind logs at
> other sites, which run smoothly.

 It does seem to be problems in winbind. Regardless of whether it gets
 bad enough to break Squid or not.

 These will be making that handshake time period longer. With that 50
 limit getting closer every second of it.

>
> Do you have similar warnings in your error logs? Judging by your
> experience, what would you think is the most likely fix? Upgrading
> samba?

 Look up what those winbind errors are about first. It may be config
 changes or other software upgrades needed as well.

 This might be it:
  http://lists.samba.org/archive/samba-technical/2008-June/059504.html

 Amos
Received on Thu Nov 10 2011 - 02:27:45 MST
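
The reply above ties the winbind child timeouts to the Squid helper queue filling up. The following triage script is an added example, not part of the original thread or of Squid or Samba: it lines up winbind timeout events with Squid's FATAL queue overflow. The function names and the 10-minute window are assumptions, and the sample input is the set of log lines quoted in the thread with the e-mail line wrapping undone.

```python
import re
from datetime import datetime, timedelta

# Log lines as quoted in the thread, with the e-mail line wrapping undone.
SQUID_LOG = """\
2011/11/08 15:22:56| WARNING: up to 50 pending requests queued
2011/11/08 15:22:56| Consider increasing the number of ntlmauthenticator processes to at least 60 in your config file.
FATAL: Too many queued ntlmauthenticator requests (51 on 10)
"""
WINBIND_LOG = """\
[2011/11/08 15:19:06, 0] winbindd/winbindd_dual.c:186(async_request_timeout_handler)
  async_request_timeout_handler: child pid 25224 is not responding. Closing connection to it.
[2011/11/08 15:19:06, 1] winbindd/winbindd_util.c:303(trustdom_recv)
  Could not receive trustdoms
"""
TS_FMT = "%Y/%m/%d %H:%M:%S"
STAMP = r"(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)"
SQUID_TS = re.compile(r"^" + STAMP + r"\|")
FATAL = re.compile(r"FATAL: Too many queued (\w+) requests \((\d+) on (\d+)\)")
WB_HDR = re.compile(r"^\[" + STAMP + r",\s*\d+\]\s*\S+\((\w+)\)")

def squid_overflows(text):
    """Yield (time, helper, queued, helpers) per FATAL queue overflow.
    The FATAL line has no timestamp, so the last stamped line supplies it."""
    last = None
    for line in text.splitlines():
        m = SQUID_TS.match(line)
        if m:
            last = datetime.strptime(m.group(1), TS_FMT)
        m = FATAL.search(line)
        if m:
            yield last, m.group(1), int(m.group(2)), int(m.group(3))

def winbind_timeouts(text):
    """Times at which winbindd gave up on an unresponsive child process."""
    hits = (WB_HDR.match(line) for line in text.splitlines())
    return [datetime.strptime(m.group(1), TS_FMT) for m in hits
            if m and m.group(2) == "async_request_timeout_handler"]

def correlate(squid_text, winbind_text, window=timedelta(minutes=10)):
    """Attach to each overflow the winbind timeouts in the window before it."""
    timeouts = winbind_timeouts(winbind_text)
    report = []
    for when, helper, queued, helpers in squid_overflows(squid_text):
        prior = [t for t in timeouts
                 if when is not None and timedelta(0) <= when - t <= window]
        report.append({"time": when, "helper": helper, "queued": queued,
                       "helpers": helpers, "winbind_timeouts_before": len(prior)})
    return report
```

Calling `correlate(SQUID_LOG, WINBIND_LOG)` returns one record per overflow; feed it the full `cache.log` and winbind log text to see whether overflows cluster after winbind timeouts.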
