[squid-users] Re: Re: Re: Re: squid_kerb_auth High CPU load.

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 20 Apr 2012 13:26:02 +0100

Can you also send me the extract from cache.log for the same period ? Do you
use the -d debug flag with squid_kerb_auth ?
Markus

"Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
news:jmrkhi$42v$1_at_dough.gmane.org...
> Hi Simon,
>
> The config is standard and looks OK. Can you run strace (strace -f -F -o
> /tmp/squid_kerb_auth.strace -p <pid>) for 1-2 min against the process when
> it is busy and send me the output ?
>
> Markus
>
> "Simon Dwyer" <mail_at_simmyd.net> wrote in message
> news:1334876889.2408.45.camel_at_sdwyer.federalit.net...
>> Not sure how to give you the figures of req/sec but this morning when I
>> flicked it over there would have been max 15 people using it for normal
>> browsing.
>>
>> Following is my krb5.conf in case I am missing something or doing
>> something wrong.
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = MULAWA.INTERNAL
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = true
>> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>
>> [realms]
>>
>> MULAWA.INTERNAL = {
>> kdc = dc-hbt-01.mulawa.internal
>> kdc = dc-hbt-02.mualwa.internal
>> }
>>
>> [domain_realm]
>> mulawa.internal = MULAWA.internal
>> .mulawa.internal = MULAWA.internal
>>
>>
>>
>>
>> On Thu, 2012-04-19 at 23:36 +0100, Markus Moeller wrote:
>>> How many request/sec does your squid serve ? I would not expect it to be
>>> that much higher than with NTLM.
>>>
>>> Markus
>>>
>>> "Simon Dwyer" <mail_at_simmyd.net> wrote in message
>>> news:1334870417.2408.38.camel_at_sdwyer.federalit.net...
>>> > Moved my production over to kerberos this morning with the correct
>>> > export for kerberos and this is what's happening
>>> >
>>> > 20711 squid 20 0 32212 3748 1732 R 34.3 0.1 0:04.42
>>> > squid_kerb_auth
>>> > 20716 squid 20 0 32200 3748 1732 R 34.3 0.1 0:08.41
>>> > squid_kerb_auth
>>> > 20712 squid 20 0 30544 2196 1732 S 20.6 0.1 0:28.23
>>> > squid_kerb_auth
>>> >
>>> > They are just the top 3 processes.
>>> >
>>> > When I am not using kerberos authentication my CPU is hardly touched.
>>> >
>>> > Any insight would be awesome.
>>> >
>>> > Simon
>>> >
>>> > On Thu, 2012-04-19 at 16:03 +1000, Simon Dwyer wrote:
>>> >> Hi Markus,
>>> >>
>>> >> I have actually got this now setup on a second machine.
>>> >>
>>> >> When I put in the export the HTTP_23 does not appear anymore which I
>>> >> am expecting.
>>> >>
>>> >> I will double check this in production tomorrow morning and see how I
>>> >> go.
>>> >>
>>> >> Simon
>>> >>
>>> >> On Thu, 2012-04-19 at 15:49 +1000, Simon Dwyer wrote:
>>> >> > Hi Markus,
>>> >> >
>>> >> > I do have a
>>> >> >
>>> >> > -rw-------. 1 squid squid 92907 Apr 19 08:21 HTTP_23
>>> >> >
>>> >> > which may have been the last time I tried to run it this morning.
>>> >> >
>>> >> > I won't be able to try it again till tomorrow morning to see if it
>>> >> > modifies it
>>> >> >
>>> >> > Cheers,
>>> >> >
>>> >> > Simon
>>> >> >
>>> >> > On Thu, 2012-04-19 at 06:44 +0100, Markus Moeller wrote:
>>> >> > > Hi Simon,
>>> >> > >
>>> >> > > Unfortunately I do not have a production environment to give
>>> >> > > you
>>> >> > > average
>>> >> > > usage numbers.
>>> >> > >
>>> >> > > Can you check that you don't have a file in /var/tmp like (or
>>> >> > > at
>>> >> > > least is
>>> >> > > not modified):
>>> >> > >
>>> >> > > -rw------- 1 squid nogroup 603 Apr 7 01:13
>>> >> > > /var/tmp/opensuse12--HTTP-044_31
>>> >> > >
>>> >> > > This is the replay cache if not disabled.
>>> >> > >
>>> >> > > Markus
>>> >> > >
>>> >> > > "Simon Dwyer" <mail_at_simmyd.net> wrote in message
>>> >> > > news:1334813176.2408.29.camel_at_sdwyer.federalit.net...
>>> >> > > > Hi Markus,
>>> >> > > >
>>> >> > > > This is in the /etc/init.d/squid
>>> >> > > >
>>> >> > > > if [ -f /etc/sysconfig/squid ]; then
>>> >> > > > . /etc/sysconfig/squid
>>> >> > > > fi
>>> >> > > >
>>> >> > > > What should the cpu usage be of each squid_kerb_auth process
>>> >> > > > when
>>> >> > > > used?
>>> >> > > >
>>> >> > > > Cheers,
>>> >> > > >
>>> >> > > > Simon
>>> >> > > >
>>> >> > > > On Thu, 2012-04-19 at 06:15 +0100, Markus Moeller wrote:
>>> >> > > >> Are you sure /etc/sysconfig/squid is sourced by the squid
>>> >> > > >> startup
>>> >> > > >> script
>>> >> > > >> ?
>>> >> > > >> Markus
>>> >> > > >>
>>> >> > > >> "Simon Dwyer" <mail_at_simmyd.net> wrote in message
>>> >> > > >> news:1334789097.2408.17.camel_at_sdwyer.federalit.net...
>>> >> > > >> > Hi all,
>>> >> > > >> >
>>> >> > > >> > I have got kerberos working and moved it to production but
>>> >> > > >> > then
>>> >> > > >> > the
>>> >> > > >> > server started smashing its cpu. It seems that the
>>> >> > > >> > squid_kerb_auth
>>> >> > > >> > processes are killing the cpu.
>>> >> > > >> >
>>> >> > > >> > I have the following in my config.
>>> >> > > >> >
>>> >> > > >> > /etc/sysconfig/squid/
>>> >> > > >> >
>>> >> > > >> > KRB5RCACHETYPE=none
>>> >> > > >> > export KRB5RCACHETYPE
>>> >> > > >> >
>>> >> > > >> > /etc/squid/squid.conf
>>> >> > > >> >
>>> >> > > >> > auth_param negotiate program /usr/bin/negotiate_wrapper
>>> >> > > >> > --kerberos /usr/lib64/squid/squid_kerb_auth -i -r -s
>>> >> > > >> > GSS_C_NO_NAME
>>> >> > > >> > --ntlm
>>> >> > > >> > /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>> >> > > >> > --domain=DOMAIN.EXAMPLE
>>> >> > > >> > auth_param negotiate children 30
>>> >> > > >> > auth_param negotiate keep_alive on
>>> >> > > >> >
>>> >> > > >> > From what I have read the first part should fix the high CPU
>>> >> > > >> > issue but
>>> >> > > >> > it doesn't seem to help.
>>> >> > > >> >
>>> >> > > >> > More the case I am having trouble getting that variable
>>> >> > > >> > active.
>>> >> > > >> >
>>> >> > > >> > Anyone else come up on this?
>>> >> > > >> >
>>> >> > > >> > Simon
Received on Fri Apr 20 2012 - 12:30:11 MDT
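
The thread turns on whether `KRB5RCACHETYPE=none` from /etc/sysconfig/squid actually reaches the running squid_kerb_auth helpers, and whether a replay cache file in /var/tmp is still being written. The following is an added example, not part of the original messages or of Squid: it reads each helper's environment from /proc and lists recently modified replay cache files. The `PROC_ROOT` and `RCACHE_DIR` variables, the function names and the `*HTTP*` file pattern (taken from the two file names shown in the thread) are assumptions.

```shell
#!/bin/sh
# Added example: verify that KRB5RCACHETYPE reached the running helpers.
# PROC_ROOT and RCACHE_DIR are overridable (assumed names) so the functions
# can be exercised against constructed fixtures instead of the live system.
PROC_ROOT="${PROC_ROOT:-/proc}"
RCACHE_DIR="${RCACHE_DIR:-/var/tmp}"

# Print the value of variable $2 from the NUL-separated environ file $1.
# Returns 1 if the file is unreadable or the variable is not present.
# Reading another process's environ needs root or the same user (squid).
env_value() {
    [ -r "$1" ] || return 1
    tr '\0' '\n' < "$1" | awk -v k="$2" '
        index($0, k "=") == 1 { print substr($0, length(k) + 2); found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Classify one helper by pid: prints the KRB5RCACHETYPE value it was started
# with, or "unset" when the export never reached the process.
helper_rcache_state() {
    if v=$(env_value "$PROC_ROOT/$1/environ" KRB5RCACHETYPE); then
        echo "$v"
    else
        echo "unset"
    fi
}

# List replay cache files under RCACHE_DIR modified in the last $1 minutes.
# A file that keeps changing means the replay cache is still in use.
recent_rcache_files() {
    find "$RCACHE_DIR" -maxdepth 1 -type f -name '*HTTP*' -mmin "-$1" 2>/dev/null
}

# Report every running squid_kerb_auth helper and any fresh cache files.
report() {
    for pid in $(pgrep -x squid_kerb_auth 2>/dev/null); do
        echo "pid $pid KRB5RCACHETYPE=$(helper_rcache_state "$pid")"
    done
    recent_rcache_files 10
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it with `--report` as root or as the squid user while the helpers are busy; any helper printed as `unset` was started without the export.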