_______________________________________
From: Markus Moeller [huaraz@xxxxxxxxxxxxxxxx]
Sent: 27 September 2010 20:41
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Re: Tweaking squid_kerb_auth

>
>"Nick Cairncross" <Nick.Cairncross@xxxxxxxxxxxxxxx> wrote in message
>news:C8C638C1.11799%nick.cairncross@xxxxxxxxxxxxxxxxxx
>>
>>Hi Nick,
>>
>> The only tweaking which might be required is for MIT based libraries on a
>>high load system to disable the replay cache by setting
>>
>> KRB5RCACHETYPE=none
>> export KRB5RCACHETYPE
>>
>>Markus
>>
>>
>>"Nick Cairncross" <Nick.Cairncross@xxxxxxxxxxxxxxx> wrote in message
>>news:C8B7B33A.F61B%nick.cairncross@xxxxxxxxxxxxxxxxxx
>>Hi,
>>
>>Running Kerberos auth ok for a while now and I wanted to look at
>>possibilities of tweaking/optimising it.
>>
>>Current helper conf:
>>auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r -i -s GSS_C_NO_NAME
>>auth_param negotiate children 10
>>auth_param negotiate keep_alive on
>>
>>400 or so AD users. Squid 3 STABLE 20 at the moment. Not caching, just
>>authenticate and go.
>>
>>What are the list's experiences of increasing children? Resources are not a
>>problem as the machine is VM and I can always grant more.
>>
>>I remember reading something about Kerberos specific option(s) for squid -
>>something to do with re-using tickets but can't remember. Could anyone shed
>>some light on it (and their experiences).
>>
>>I will be looking at moving to 3.1. Have the extra startup and idle helped
>>you etc? Have you got any recommendations you have found have helped?
>>
>>I'm interested to hear your experiences/suggestions.
>>
>>Thanks,
>>Nick
>
>Hi Markus,
>Thanks for your input - I wondered something: I know this question depends
>on my AD infrastructure but how many requests/ps can the 10 Kerberos
>children optimally handle? Could I increase it to increase the Kerberos
>availability - say to 20 children? Or is that a bad idea?
>

I don't know the effect of increasing the number of children. I assume it is
possible to get statistics about how many children are used and how often,
but the experts have to answer this.

>Also, forgive the obvious but how do I check which libraries I am using
>again..?

Depends on your OS. On a system with rpm you can do

> ldd squid_kerb_auth
        linux-gate.so.1 => (0xffffe000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb77e6000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7747000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7720000)
        libdes425.so.3 => /usr/lib/libdes425.so.3 (0xb771b000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0xb76fa000)
        libresolv.so.2 => /lib/libresolv.so.2 (0xb76e4000)
        libc.so.6 => /lib/libc.so.6 (0xb7588000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb757f000)
        libdl.so.2 => /lib/libdl.so.2 (0xb757a000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0xb7576000)
        /lib/ld-linux.so.2 (0xb7814000)

> rpm -q -i -f /usr/lib/libgssapi_krb5.so.2
Name        : krb5                              Relocations: (not relocatable)
Version     : 1.6.3                             Vendor: openSUSE
Release     : 132.8.1                           Build Date: Fri 21 May 2010 01:13:07 BST
Install Date: Sun 15 Aug 2010 21:59:01 BST      Build Host: langsam
Group       : Productivity/Networking/Security  Source RPM: krb5-1.6.3-132.8.1.src.rpm
Size        : 1499825                           License: X11/MIT
Signature   : RSA/8, Fri 21 May 2010 01:14:32 BST, Key ID b88b2fd43dbdc284
Packager    : http://bugs.opensuse.org
URL         : http://web.mit.edu/kerberos/www/
Summary     : MIT Kerberos5 Implementation--Libraries
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords.

Authors:
--------
    The MIT Kerberos Team
    Sam Hartman <hartmans@xxxxxxx>
    Ken Raeburn <raeburn@xxxxxxx>
    Tom Yu <tlyu@xxxxxxx>
Distribution: openSUSE 11.1

>Thanks,
>Nick
>

Markus,

My rpm reports:

rpm -q -i -f /usr/lib/libgssapi_krb5.so.2
Name        : krb5-libs                         Relocations: (not relocatable)
Version     : 1.6.1                             Vendor: Red Hat, Inc.
Release     : 36.el5_5.2                        Build Date: Tue 30 Mar 2010 10:21:17 PM BST
Install Date: Fri 30 Apr 2010 04:21:59 PM BST   Build Host: hs20-bc2-3.build.redhat.com
Group       : System Environment/Libraries      Source RPM: krb5-1.6.1-36.el5_5.2.src.rpm
Size        : 1430591                           License: MIT, freely distributable.
Signature   : DSA/SHA1, Mon 05 Apr 2010 04:05:57 PM BST, Key ID 5326810137017186
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://web.mit.edu/kerberos/www/
Summary     : The shared libraries used by Kerberos 5.
Description :
Kerberos is a network authentication system. The krb5-libs package
contains the shared libraries needed by Kerberos 5. If you are using
Kerberos, you need to install this package.

===

I think this indicates MIT libs?

Also, I'm starting to see some issues relating to my users authenticating..
I'm going to post another mail to the list as I want to keep this separate
to it. It's worrying as it's stopping users for their beloved net access..

Thanks
Nick
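
Added example, not part of the original thread: a shell sketch of the library check discussed above. It classifies `ldd` output as MIT or Heimdal, extracts the library path to pass to `rpm -q -i -f`, and prints the `KRB5RCACHETYPE=none` setting only when the helper links against MIT libraries. The function names and the Heimdal sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample, shortened from the ldd listing quoted in the thread.
SAMPLE_MIT='  libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb77e6000)
  libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7747000)
  libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7720000)'

# Constructed sample of a Heimdal-linked binary (assumed library versions).
SAMPLE_HEIMDAL='  libgssapi.so.3 => /usr/lib/libgssapi.so.3 (0xb7700000)
  libkrb5.so.26 => /usr/lib/libkrb5.so.26 (0xb7600000)
  libroken.so.18 => /usr/lib/libroken.so.18 (0xb7500000)'

# Reads ldd output on stdin; prints mit, heimdal or unknown.
# libkrb5.so exists in both implementations, so it is not used as a marker.
krb5_flavour() {
    awk '
        $1 ~ /^libgssapi_krb5\.so/ || $1 ~ /^libk5crypto\.so/ { mit = 1 }
        $1 ~ /^libgssapi\.so/      || $1 ~ /^libroken\.so/    { heimdal = 1 }
        END {
            if (mit && !heimdal)      print "mit"
            else if (heimdal && !mit) print "heimdal"
            else                      print "unknown"
        }'
}

# Reads ldd output on stdin; prints the resolved GSS-API library path,
# which is the argument to give to: rpm -q -i -f <path>
gss_lib_path() {
    awk '$1 ~ /^libgssapi(_krb5)?\.so/ && $2 == "=>" { print $3; exit }'
}

# Reads ldd output on stdin; prints the replay cache setting from the
# thread only for MIT-linked helpers, nothing otherwise.
rcache_setting() {
    case "$(krb5_flavour)" in
        mit) echo "KRB5RCACHETYPE=none" ;;
        *)   : ;;
    esac
}

# Stand-alone use: pass the helper path, or fall back to the sample listing.
if [ -n "${1:-}" ]; then listing=$(ldd "$1"); else listing=$SAMPLE_MIT; fi
printf 'flavour: %s\n' "$(printf '%s\n' "$listing" | krb5_flavour)"
printf 'package query: rpm -q -i -f %s\n' "$(printf '%s\n' "$listing" | gss_lib_path)"
printf 'helper environment: %s\n' "$(printf '%s\n' "$listing" | rcache_setting)"
```

Run it with the helper path as the only argument, for example the `/usr/lib/squid/squid_kerb_auth` path from the configuration quoted in the thread.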