Re: squid_kerb_auth High CPU load.



On 19.04.2012 10:44, Simon Dwyer wrote:
Hi all,

I have got Kerberos working and moved it to production but then the
server started smashing its CPU.  It seems that the squid_kerb_auth
processes are killing the CPU.

I have the following in my config.

/etc/sysconfig/squid/

KRB5RCACHETYPE=none
export KRB5RCACHETYPE

/etc/squid/squid.conf

auth_param negotiate program /usr/bin/negotiate_wrapper --kerberos /usr/lib64/squid/squid_kerb_auth -i -r -s GSS_C_NO_NAME --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.EXAMPLE
auth_param negotiate children 30

Note that this is 30 wrapper helpers + 30 Kerberos helpers + 30 NTLM helpers.


auth_param negotiate keep_alive on

From what I have read the first part should fix the high CPU issue but
it doesn't seem to help.

More the case I am having trouble getting that variable active.

Anyone else come up on this?

Simon


Any hint of the little details, such as...

What version of Squid and squid_kerb_auth are you using?

Are your clients actually using Negotiate/Kerberos? Or just sending Negotiate/NTLM, which is no benefit over plain old NTLM.

Do you have client_persistent_connections and server_persistent_connections both enabled?

How are you using authentication in your config access controls? Order is important; any requests you can reject quickly without even doing authentication helps.

Amos
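
Added example (not part of the original thread and not Squid's own code): a Python sketch for the Negotiate/Kerberos versus Negotiate/NTLM question above, classifying the token in a Proxy-Authorization header value. The function names and sample tokens are constructed for illustration, and treating the first mechanism OID found in an SPNEGO token as the preferred one is a heuristic assumption.

```python
import base64
import binascii
from collections import Counter

NTLMSSP = b"NTLMSSP\x00"                           # NTLM message signature
OID_SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2
OID_NTLM = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
INNER = ((OID_KRB5, "kerberos"), (OID_MS_KRB5, "kerberos"), (OID_NTLM, "ntlm"))

def gss_mech_oid(token):
    """Return the mechanism OID of a GSS-API initial token, or None."""
    if len(token) < 4 or token[0] != 0x60:
        return None
    pos = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)  # skip DER length
    if pos + 2 > len(token) or token[pos] != 0x06:
        return None
    return token[pos + 2:pos + 2 + token[pos + 1]]

def classify(header_value):
    """Name the mechanism carried by one Proxy-Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "ntlm" if scheme.lower() == "ntlm" else "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLMSSP):
        return "ntlm"          # raw NTLM sent under the Negotiate scheme
    oid = gss_mech_oid(token)
    if oid in (OID_KRB5, OID_MS_KRB5):
        return "kerberos"
    if oid == OID_SPNEGO:      # heuristic: first mechanism listed is preferred
        hits = [(token.find(o), name) for o, name in INNER if o in token]
        return min(hits)[1] if hits else "unknown"
    return "unknown"

def gss(oid, rest=b""):
    # Build a constructed, structurally simplified GSS token for the samples.
    body = bytes([0x06, len(oid)]) + oid + rest
    return "Negotiate " + base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()

SAMPLES = [  # constructed header values, not captured traffic
    "Negotiate " + base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00").decode(),
    gss(OID_KRB5, b"\x01\x00"),
    gss(OID_SPNEGO, b"\x06\x09" + OID_MS_KRB5 + b"\x06\x0a" + OID_NTLM),
    gss(OID_SPNEGO, b"\x06\x0a" + OID_NTLM),
]

def tally(values):
    """Count mechanisms across many header values."""
    return Counter(classify(v) for v in values)
```

A tally dominated by "ntlm" means the Kerberos helpers are mostly idle and the load is coming from the NTLM path.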

