Re: Connection error


Hi,

I have increased the ntlm scheme children, and even so I am getting the error message "All ntlmauthenticator processes are busy" in cache log; the "wbinfo.pl is busy" message has stopped now.

I have attached my squid.conf. Please check it and share your views if anything is done wrong.


#Authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100
auth_param basic credentialsttl 8 hours
authenticate_ttl 4 hours

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm PrimalHealth care services
auth_param basic credentialsttl 8 hours

#group Authentication
external_acl_type groupauth children=50 %LOGIN /usr/local/squid31/libexec/wbinfo_group.pl

#Acl for checking group
acl senior1 external groupauth senior
acl dept1 external groupauth dept
acl human1  external groupauth human
acl srgp1 external groupauth group
acl gl1 external groupauth leader
acl nm1  external groupauth normal
acl mancom1  external groupauth man

#Acl to allow and block websites
####
acl senior2 url_regex -i "/usr/local/squid31/policy/allow.txt"

acl senior3 dstdomain -i "/usr/local/squid31/policy/allow1.txt"
acl senior4 dstdomain -i "/usr/local/squid31/policy/allow3.txt"
####

acl dept2 url_regex -i "/usr/local/squid31/policy/allow4.txt"
acl dept3 dstdomain -i "/usr/local/squid31/policy/allow5.txt"
####

acl gl2 url_regex -i "/usr/local/squid31/policy/allowleader"
acl gl3 url_regex -i "/usr/local/squid31/policy/denyleader"
####
acl srgp2 url_regex -i "/usr/local/squid31/policy/allow6"
acl srgp3 dstdomain -i "/usr/local/squid31/policy/allow7"
####
acl nm2 url_regex -i "/usr/local/squid31/policy/allow8"
acl nm3 url_regex -i "/usr/local/squid31/policy/deny9"
acl nm4 dstdomain -i "/usr/local/squid31/policy/deny9"
###
acl mancom2 url_regex -i "/usr/local/squid31/policy/allowgl2"
acl global url_regex -i "/usr/local/squid31/policy/allowgl1"
###
acl noblock src "/usr/local/squid31/policy/allowdirect"

#Http_access

http_access allow manager localhost
http_access deny manager

http_access allow noblock
http_access allow global
http_access allow senior1 senior3
http_access deny  senior1 senior4 all
http_access allow dept1 dept3
http_access allow gl1 gl2
http_access deny  gl1 gl3 all
http_access allow srgp1 srgp3
http_access deny  nm1 nm4 all
http_access allow nm1 nm2
http_access allow all

#squidGuard
url_rewrite_program /usr/local/squidGuard/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
url_rewrite_children 50
url_rewrite_access allow !noblock !senior2 !dept2 !gl2 !gl3 !srgp2 !nm2 !nm3 !mancom2 !global
url_rewrite_access deny all


Thanks
Senthil

Amos Jeffries wrote:
On 15/01/11 07:35, Senthilkumar wrote:
Hi All,

I am using Squid Cache: Version 3.1.8, configured with the NTLM scheme using
Samba, ClamAV + ICAP and squidGuard.
All of the clients are Windows machines joined to the domain. The browser
authenticates using the ntlm scheme without a pop-up for the password and
everything is working fine.

We have two issues:
1. We are using many acls to allow and deny websites on the basis of the
ADS groups using wbinfo.pl. From time to time the users report that
the authentication pop-up occurs.
In cache.log we can find the following:

2011/01/14 12:27:50| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:27:50| WARNING: 25 pending requests queued
2011/01/14 12:56:48| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:56:48| WARNING: 25 pending requests queued
2011/01/14 12:57:36| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:57:36| WARNING: 25 pending requests queued
2011/01/14 14:00:03| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 14:00:03| WARNING: 25 pending requests queued
2011/01/14 14:00:06| WARNING: Closing open FD 229
2011/01/14 14:01:09| WARNING: All ntlmauthenticator processes are busy.

We just increased it to 30 for ntlm and 30 for wbinfo (external); it still
occurs. Does the ntlm scheme have any new behaviour?


Also, wbinfo has a maximum capacity limit of only ~256 lookups, shared across all helpers AFAIK. When this limit is exceeded the lookups get queued. When queue fills clients are rejected.

2. When we browse a website and leave the browser idle for 30 - 60 minutes,
"cannot display page" occurs.

Strange.

In squid.conf we have used the following values:
half_closed_clients off
client_persistent_connections off
server_persistent_connections off
Does squid have this as default behaviour? Please suggest suitable options
in squid.conf to overcome it.

Eek!

Firstly, the NTLM scheme authenticates a TCP connection, *not* a user.

Secondly, the NTLM scheme requires *three* full HTTP requests to be performed to authenticate and fetch an object.

So... without persistent connections your Squid and its client browsers are consuming up to 3x the amount of traffic (and bandwidth) they normally would be.


Amos


