Hi,

I tried to start squid in the off-peak time, when there were only 35 users, but it still says "Too many queued ntlmauthenticator requests" and terminates the squid process. My domain is connected to several other domains (trusted domains); can it cause this issue?

Following are the error messages in the log files.

Squid Parent: child process 15206 exited with status 1
Oct 18 19:47:29 rapsydprox2 squid[15204]: Squid Parent: child process 20806 exited due to signal 15

2010/10/18 19:47:10, 2] winbindd/winbindd.c:872(remove_client)
  final write to client failed: Broken pipe
[2010/10/18 19:47:10, 0] winbindd/winbindd.c:954(winbindd_listen_fde_handler)
  winbindd: Exceeding 200 client connections, no idle connection found
[2010/10/18 19:47:21, 0] winbindd/winbindd.c:954(winbindd_listen_fde_handler)
  winbindd: Exceeding 200 client connections, no idle connection found
[2010/10/18 19:47:21, 2] winbindd/winbindd.c:872(remove_client)
  final write to client failed: Broken pipe

5 Oct 18 16:58:37 rapsydprox2 (squid): Too many queued ntlmauthenticator requests
976 Oct 18 17:00:23 rapsydprox2 (ntlm_auth): [2010/10/18 17:00:23, 0] utils/ntlm_au
977 Oct 18 17:00:23 rapsydprox2 (ntlm_auth): could not obtain winbind domain name!

Following is my smb.conf

workgroup = zzz
realm = zzz.COM
password server = *
#netbios name = zzz
server string = Samba file and print server
security = ADS
encrypt passwords = yes
log level = 2
log file = /var/log/samba/%m
max log size = 50
winbind separator = \.
#printcap name = cups
#printing = cups
##new
idmap cache time = 1800
idmap negative cache time = 300
winbind cache time = 1800
##end new
idmap uid = 15000-20000
idmap gid = 15000-20000
#winbind use default domain = yes
nt acl support = yes
map acl inherit = yes
winbind enum users = yes
winbind enum groups = yes
#client ntlmv2 auth = yes
template homedir = /home/%D/%U
template shell = /bin/bash
ldap passwd sync = yes

Appreciate your help on this.
Thanks,
Tharanga

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Monday, 18 October 2010 12:11 PM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Too many queued ntlmauthenticator requests and squid failed

On Mon, 18 Oct 2010 00:50:28 +0000, "Tharanga Abeyseela (RGA)" <tharanga.abeyseela@xxxxxxxxxxxxxx> wrote:
> Hi Guys,
>
> I have been running squid with AD authentication and security group
> authentication for the last 6 months, and suddenly squid failed with the
> following message
>
> (squid): Too many queued ntlmauthenticator requests.

Sign of a sudden burst of people logging in. Or that something caused a slightly higher than normal delay in the auth checks. Which multiplies out to fill up the Squid helpers.

>
> I am using
>
> samba-3.4.8-59.fc12.x86_64
> samba-winbind-clients-3.4.8-59.fc12.x86_64
> samba-common-3.4.8-59.fc12.x86_64
> samba-client-3.4.8-59.fc12.x86_64
> samba-winbind-devel-3.4.8-59.fc12.x86_64
> samba-winbind-3.4.8-59.fc12.x86_64
> Squid Cache: Version 3.0.STABLE24
> configure options: '--prefix=/usr/local/squid'
> '--enable-auth=ntlm,basic'
> '--enable-external-acl-helpers=wbinfo_group'
>
> and also I am getting the following error
>
> [2010/10/18 10:28:58, 3] winbindd/winbindd_cm.c:1597(connection_ok)
> connection_ok: Connection to for domain xxx is not connected
>
> (but if I use the net join command it says joined to domain)
>
> According to my squid report normally there are 700 people connecting to
> the proxy, but now it says winbind maximum connection exceeds 200, but
> I am confused about that.
>
> Appreciate your help on this.
>
> Best regards,
> Tharanga

Two basic design flaws in NTLM:
- winbind cannot accept more than ~256 simultaneous stateful logins (i.e. NTLM)
- NTLM requires every new TCP connection to perform a full 2-request handshake (i.e. minimum login delays of request+reply+request+reply in HTTP)

There are two things which each reduce the problem a little.
When combined they provide a great improvement in network speed and logins...
- upgrade to 3.1.8.
- upgrade to Negotiate/Kerberos from NTLM

Amos
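
Added example, not part of either message above: a small Python triage script that checks whether each Squid "Too many queued ntlmauthenticator requests" event was preceded by winbindd hitting its client-connection limit, or instead points at the login burst or slow auth checks described in the reply. The sample log is constructed from the message formats quoted in the thread; the host name, the 60-second window, the assumed year and the cause labels are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the thread's log messages; host "proxy1" and times are made up.
SAMPLE = """\
[2010/10/18 19:47:10, 0] winbindd/winbindd.c:954(winbindd_listen_fde_handler)
  winbindd: Exceeding 200 client connections, no idle connection found
[2010/10/18 19:47:21, 0] winbindd/winbindd.c:954(winbindd_listen_fde_handler)
  winbindd: Exceeding 200 client connections, no idle connection found
Oct 18 19:47:25 proxy1 (squid): Too many queued ntlmauthenticator requests
Oct 18 19:47:29 proxy1 squid[15204]: Squid Parent: child process 15206 exited with status 1
Oct 18 23:05:00 proxy1 (squid): Too many queued ntlmauthenticator requests
"""

SAMBA_HDR = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]")
SYSLOG = re.compile(r"^([A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
SIGNATURES = [
    (re.compile(r"Exceeding \d+ client connections"), "winbind_limit"),
    (re.compile(r"Too many queued ntlmauthenticator requests"), "helper_queue_full"),
]

def parse_events(text, year=2010):
    """Return (timestamp, kind) pairs; syslog lines carry no year, so one is assumed."""
    events, samba_ts = [], None
    for line in text.splitlines():
        hdr = SAMBA_HDR.match(line)
        if hdr:  # Samba writes the message on the line after this header
            samba_ts = datetime.strptime(hdr.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = SYSLOG.match(line)
        if m:
            ts, msg = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)
        else:
            ts, msg = samba_ts, line  # continuation line of a Samba entry
        if ts is not None:
            events += [(ts, kind) for pat, kind in SIGNATURES if pat.search(msg)]
    return events

def diagnose(events, window=timedelta(seconds=60)):
    """For each Squid queue overflow, count winbindd limit hits in the window before it."""
    limit_hits = [ts for ts, kind in events if kind == "winbind_limit"]
    report = []
    for ts, kind in events:
        if kind == "helper_queue_full":
            near = sum(1 for hit in limit_hits if timedelta(0) <= ts - hit <= window)
            cause = "winbindd at client limit" if near else "login burst or slow auth checks"
            report.append((ts.strftime("%H:%M:%S"), near, cause))
    return report

print(diagnose(parse_events(SAMPLE)))
```

In practice the Samba log and syslog are separate files, so concatenate them before parsing; the order of lines does not matter because the correlation uses timestamps.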