Re: [squid-users] squid_kerb_auth High CPU load.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 19 Apr 2012 12:15:16 +1200

On 19.04.2012 10:44, Simon Dwyer wrote:
> Hi all,
>
> I have got Kerberos working and moved it to production but then the
> server started smashing its CPU. It seems that the squid_kerb_auth
> processes are killing the CPU.
>
> I have the following in my config.
>
> /etc/sysconfig/squid/
>
> KRB5RCACHETYPE=none
> export KRB5RCACHETYPE
>
> /etc/squid/squid.conf
>
> auth_param negotiate program /usr/bin/negotiate_wrapper
> --kerberos /usr/lib64/squid/squid_kerb_auth -i -r -s GSS_C_NO_NAME
> --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> --domain=DOMAIN.EXAMPLE
> auth_param negotiate children 30

Note that this is 30 wrapper helpers + 30 Kerberos helpers + 30 NTLM
helpers.

> auth_param negotiate keep_alive on
>
> From what I have read the first part should fix the high CPU issue but
> it doesn't seem to help.
>
> More the case I am having trouble getting that variable active.
>
> Anyone else come up on this?
>
> Simon

Any hint of what the little details such as...

  What version of Squid and squid_kerb_auth are you using?

  Are your clients actually using Negotiate/Kerberos? or just sending
Negotiate/NTLM, which is no benefit over plain old NTLM.

  Do you have client_persistent_connections and
server_persistent_connections both enabled?

  How are you using authentication in your config access controls? order
is important, any requests you can reject quickly without even doing
authentication helps.

Amos
Received on Thu Apr 19 2012 - 00:15:20 MDT
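
Added example, not part of the original message or of Squid: one way to answer the Negotiate/Kerberos versus Negotiate/NTLM question above is to classify the base64 token in captured `Proxy-Authorization: Negotiate` header values. The function names and the sample tokens are constructed for illustration, and the check is a heuristic based on the NTLMSSP signature and the Kerberos 5 mechanism OID.

```python
import base64
import struct
from collections import Counter

NTLMSSP_SIG = b"NTLMSSP\x00"                         # start of every NTLMSSP message
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # DER OID 1.2.840.113554.1.2.2


def classify_negotiate(header_value):
    """Classify a Proxy-Authorization value as 'kerberos', 'ntlm' or 'other'."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        return "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "other"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"           # raw NTLMSSP sent under the Negotiate scheme
    if token[:1] == b"\x60":    # ASN.1 [APPLICATION 0]: GSS-API initial token
        if NTLMSSP_SIG in token:
            return "ntlm"       # NTLMSSP carried as the SPNEGO mechToken
        if KRB5_OID in token:
            return "kerberos"
    return "other"


def summarise(header_values):
    """Count token types across many captured header values."""
    return Counter(classify_negotiate(v) for v in header_values)


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed, truncated sample tokens (not valid tickets or NTLM exchanges).
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # DER OID 1.3.6.1.5.5.2
SAMPLES = [
    "Negotiate " + _b64(b"\x60\x82\x01\x00" + SPNEGO_OID + b"\xa0\x30" + KRB5_OID + b"\x00" * 16),
    "Negotiate " + _b64(NTLMSSP_SIG + struct.pack("<II", 1, 0x00088207)),
    "Negotiate " + _b64(b"\x60\x40" + SPNEGO_OID + b"\xa0\x30" + NTLMSSP_SIG + struct.pack("<I", 1)),
    "Basic dXNlcjpwYXNz",
]

if __name__ == "__main__":
    for kind, count in sorted(summarise(SAMPLES).items()):
        print(f"{kind}: {count}")
```

A high share of `ntlm` results means the clients are falling back to NTLM inside Negotiate, so the load is not coming from Kerberos ticket validation.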
