On Thu, 2012-04-19 at 12:15 +1200, Amos Jeffries wrote:
> On 19.04.2012 10:44, Simon Dwyer wrote:
> > Hi all,
> >
> > I have got Kerberos working and moved it to production but then the
> > server started smashing its CPU. It seems that the squid_kerb_auth
> > processes are killing the CPU.
> >
> > I have the following in my config.
> >
> > /etc/sysconfig/squid/
> >
> > KRB5RCACHETYPE=none
> > export KRB5RCACHETYPE
> >
> > /etc/squid/squid.conf
> >
> > auth_param negotiate program /usr/bin/negotiate_wrapper
> > --kerberos /usr/lib64/squid/squid_kerb_auth -i -r -s GSS_C_NO_NAME
> > --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > --domain=DOMAIN.EXAMPLE
> > auth_param negotiate children 30
>
> Note that this is 30 wrapper helpers + 30 Kerberos helpers + 30 NTLM
> helpers.
>
> > auth_param negotiate keep_alive on
> >
> > From what I have read the first part should fix the high CPU issue
> > but it doesn't seem to help.
> >
> > More the case I am having trouble getting that variable active.
> >
> > Anyone else come up on this?
> >
> > Simon
>
> Any hint of what the little details such as...
>
> What version of Squid and squid_kerb_auth are you using?

squid 3.1.10
squid_kerb_auth-1.0.7

> Are your client actually using Negotiate/Kerberos? or just sending
> Negotiate/NTLM, which is no benefit over plain old NTLM.

I am using negotiate_wrapper and can see it being authenticated with
squid_kerb_auth.

> Do you have client_persistent_connections and
> server_persistent_connections both enabled?

I do not have these in my config as I assumed they were on by default?

> How are you using authentication in your config access controls? order
> is important, any requests you can reject quickly without even doing
> authentication helps.

I am only using authentication in my config once to make sure they are
authenticated and that's it.

Thanks Amos

> Amos
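
One way to check whether KRB5RCACHETYPE actually reached the running helper processes, as an added example that is not part of the original thread: on Linux, /proc/<pid>/environ holds the environment a process was started with. The function names `env_value` and `scan_helpers` are hypothetical; the process name and variable name are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a variable is present in
# the environment of running helper processes by reading /proc/<pid>/environ,
# which stores NUL-separated NAME=value entries captured when the process
# was started. A helper started before the sysconfig change will not show it.

# env_value FILE NAME
# Prints the value of NAME found in an environ-format FILE.
# Returns 1 if NAME is absent or FILE cannot be read.
env_value() {
    file=$1
    name=$2
    # Turn NUL separators into newlines, then match the exact "NAME=" prefix
    # so that a longer name ending in NAME is not mistaken for it.
    line=$(tr '\0' '\n' < "$file" | grep -m1 "^${name}=") || return 1
    # Strip everything up to the first '=' and keep the rest as the value.
    printf '%s\n' "${line#*=}"
}

# scan_helpers PROCNAME NAME
# Prints one line per running process named PROCNAME. Needs pgrep and
# permission to read the target's environ (root or the owning user).
scan_helpers() {
    for pid in $(pgrep -x "$1"); do
        if val=$(env_value "/proc/$pid/environ" "$2" 2>/dev/null); then
            echo "pid $pid: $2=$val"
        else
            echo "pid $pid: $2 not set (or environ unreadable)"
        fi
    done
}

# Run the scan only when asked to, e.g.:  sh check_env.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_helpers squid_kerb_auth KRB5RCACHETYPE
fi
```
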