On Mon, 18 Oct 2010 00:50:28 +0000, "Tharanga Abeyseela \(RGA\)" <tharanga.abeyseela@xxxxxxxxxxxxxx> wrote:
> Hi Guys,
>
> I have been running squid with AD authentication and security group
> authentication for the last 6 months, and suddenly squid failed with the
> following message
>
> (squid): Too many queued ntlmauthenticator requests.

Sign of a sudden burst of people logging in. Or that something caused a slightly higher than normal delay in the auth checks. Which multiplies out to fill up the Squid helpers.

>
> I am using
>
> samba-3.4.8-59.fc12.x86_64
> samba-winbind-clients-3.4.8-59.fc12.x86_64
> samba-common-3.4.8-59.fc12.x86_64
> samba-client-3.4.8-59.fc12.x86_64
> samba-winbind-devel-3.4.8-59.fc12.x86_64
> samba-winbind-3.4.8-59.fc12.x86_64
> Squid Cache: Version 3.0.STABLE24
> configure options: '--prefix=/usr/local/squid'
> '--enable-auth=ntlm,basic'
> '--enable-external-acl-helpers=wbinfo_group'
>
> and also I am getting the following error
>
> [2010/10/18 10:28:58, 3] winbindd/winbindd_cm.c:1597(connection_ok)
> connection_ok: Connection to for domain xxx is not connected
>
> (but if I use the net join command it says joined to domain)
>
> According to my squid report normally there are 700 people connecting to
> the proxy, but now it says winbind maximum connection exceeds 200, but
> I am confused about that.
>
> Appreciate your help on this.
>
> Best regards,
> Tharanga

Two basic design flaws in NTLM:
 - winbind cannot accept more than ~256 simultaneous stateful logins (i.e. NTLM)
 - NTLM requires every new TCP connection to perform a full 2-request handshake (i.e. minimum login delays of request+reply+request+reply in HTTP)

There are two things which each reduce the problem a little. When combined they provide a great improvement in network speed and logins...
 - upgrade to 3.1.8.
 - upgrade to Negotiate/Kerberos from NTLM

Amos
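An added example, not part of the original thread: a small script that measures the per-connection NTLM handshake cost described above by counting `407` challenge replies against authenticated requests for each client in a Squid access log. It assumes Squid's default native `access.log` format; the log lines, addresses and user names are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1287361738.101 1 10.0.0.15 TCP_DENIED/407 1800 GET http://example.com/ - NONE/- text/html
1287361738.140 2 10.0.0.15 TCP_DENIED/407 2100 GET http://example.com/ - NONE/- text/html
1287361738.320 95 10.0.0.15 TCP_MISS/200 5120 GET http://example.com/ alice DIRECT/192.0.2.10 text/html
1287361738.410 40 10.0.0.15 TCP_MISS/200 900 GET http://example.com/a.css alice DIRECT/192.0.2.10 text/css
1287361739.001 1 10.0.0.22 TCP_DENIED/407 1800 GET http://example.org/ - NONE/- text/html
1287361739.030 2 10.0.0.22 TCP_DENIED/407 2100 GET http://example.org/ - NONE/- text/html
1287361739.200 80 10.0.0.22 TCP_MISS/200 4000 GET http://example.org/ bob DIRECT/192.0.2.20 text/html
1287361740.001 1 10.0.0.22 TCP_DENIED/407 1800 GET http://example.org/b - NONE/- text/html
1287361740.030 2 10.0.0.22 TCP_DENIED/407 2100 GET http://example.org/b - NONE/- text/html
1287361740.210 70 10.0.0.22 TCP_MISS/200 3000 GET http://example.org/b bob DIRECT/192.0.2.20 text/html
truncated line
"""

def handshake_overhead(log_text):
    """Map client IP -> (407 challenges, authenticated requests, ratio)."""
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip truncated or malformed lines
        client, result, user = fields[2], fields[3], fields[7]
        if result.endswith("/407"):
            counts[client][0] += 1      # one leg of an auth handshake
        elif user != "-":
            counts[client][1] += 1      # request served with credentials
    report = {}
    for client, (denied, authed) in counts.items():
        ratio = denied / authed if authed else float("inf")
        report[client] = (denied, authed, ratio)
    return report

def heavy_clients(report, threshold=2.0):
    """Clients paying a full handshake (two 407s) per served request."""
    return sorted(c for c, (_, _, r) in report.items() if r >= threshold)

if __name__ == "__main__":
    for client, row in sorted(handshake_overhead(SAMPLE_LOG).items()):
        print(client, row)
```

A ratio near 2 means the client opens a new TCP connection for almost every request and repeats the handshake each time; clients reusing persistent connections show a lower ratio.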