Re: [squid-users] squid 3.4. uses 100% cpu with ntlm_auth

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 07 Jan 2014 10:01:46 +1300

On 2014-01-07 01:52, Rietzler, Markus (RZF, SG 324 /
<RIETZLER_SOFTWARE>) wrote:
> hi,
> we have switched from squid 3.2.x to 3.4.2. in our environment we are
> using squid with the ntlm_auth helper to do NTLM user auth against
> windows DC.
> after switching to squid 3.4.1 squid uses nearly 100% cpu after a few
> minutes. with squid 3.2.x everything worked well.
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 96 startup=24 idle=12
> auth_param ntlm keep_alive on
>
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 5 startup=2 idle=1
> auth_param basic realm Internet-Zugriff [Benutzername/Kennwort aus BK]
> Nutzung des Internets nur zum Dienstgebrauch!
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
>
> we have compiled with smp-support but at the moment using squid only
> with one worker, Kerberos support is compiled in but not used in
> squid.conf
> no negotiate configs in squid. is this enough or should we try without
> negotiate support, could this influence and cause this troubles?
>
> Squid Cache: Version 3.4.2
> configure options: '--enable-auth-basic=MSNT,SMB'
> '--enable-auth-basic' '--enable-auth-ntlm'
> '--enable-auth-negotiate=kerberos' '--enable-delay-pools'
> '--enable-follow-x-forwarded-for' '--enable-removal-policies=lru,heap'
> '--with-filedescriptors=4096' '--with-winbind' '--with-async-io'
> '--enable-storeio=ufs,aufs,diskd,rock' '--disable-ident-lookups'
> '--prefix=/rzf/produkte/www/squid' '--enable-underscores'
> '--with-large-files'
> 'PKG_CONFIG_PATH=/opt/gnome/lib64/pkgconfig:/opt/gnome/share/pkgconfig'
> --enable-ltdl-convenience
>
> /usr/bin/ntlm_auth -V
> Version 3.6.3-0.39.1-3012-SUSE-CODE11-x86_64
>
>
>
> we do not use wbinfo_group we only need the username. all users are
> allowed to surf the internet, there are some "groups" but they are
> retrieved "external" as they also are used in ufdbguard to filter some
> categories. so only ntlm_auth for username is needed and used.
>
> we only have short tested squid 3.3., because there we had the
> problem, that the internet access to sites with ip-address didn't work
> or are routed the wrong way (but that is another story, not related to
> this one).
>
> so the problem is, that with squid 3.4.2 the cpu usage rises to 100%.
> after squid -k reconfigure the cpu-usage drops but then after a few
> minutes rises again to 100%.
>
> so where to look? I have tried debug_options 82,9 but now further
> information in cache.log

Section 82 is specific to the external_acl_type helpers. Please use ALL,9
on the cache log trace if possible. It may be something unrelated to
auth (section 29) or helpers (section 84).

Possibly strace may be of some use at the point where CPU is loaded to
see what system calls are being used (if any).

Amos
Received on Mon Jan 06 2014 - 21:01:50 MST
