Not sure how to give you the figures of req/sec but this morning when i flicked it over there would have been max 15 people using it for normal browsing. following is my krb5.conf incase i am missing something or doing something wrong. [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = MULAWA.INTERNAL dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 [realms] MULAWA.INTERNAL = { kdc = dc-hbt-01.mulawa.internal kdc = dc-hbt-02.mualwa.internal } [domain_realm] mulawa.internal = MULAWA.internal .mulawa.internal = MULAWA.internal On Thu, 2012-04-19 at 23:36 +0100, Markus Moeller wrote: > How many request/sec does your squid serve ? I would not expect it to be > that much higher then with NTLM. > > Markus > > "Simon Dwyer" <mail@xxxxxxxxxx> wrote in message > news:1334870417.2408.38.camel@xxxxxxxxxxxxxxxxxxxx... > > Moved my production over to kerberos this morning with the correct > > export for kerberos and this is whats happening > > > > 20711 squid 20 0 32212 3748 1732 R 34.3 0.1 0:04.42 > > squid_kerb_auth > > 20716 squid 20 0 32200 3748 1732 R 34.3 0.1 0:08.41 > > squid_kerb_auth > > 20712 squid 20 0 30544 2196 1732 S 20.6 0.1 0:28.23 > > squid_kerb_auth > > > > They are just the top 3 processes. > > > > When i am not using kerberos authentication my cpu is hardly touched. > > > > Any insight would be awesome. > > > > Simon > > > > On Thu, 2012-04-19 at 16:03 +1000, Simon Dwyer wrote: > >> Hi Markus, > >> > >> I have actually got this now setup on a second machine. > >> > >> When i put in the export the HTTP_23 does not appear anymore which i am > >> expecting. > >> > >> I will double check this in production tomorrow morning and see how i > >> go. > >> > >> Simon > >> > >> On Thu, 2012-04-19 at 15:49 +1000, Simon Dwyer wrote: > >> > Hi Markus, > >> > > >> > I do have a > >> > > >> > -rw-------. 1 squid squid 92907 Apr 19 08:21 HTTP_23 > >> > > >> > which may have been the last time i tried to run it this morning. > >> > > >> > I wont be able to try it again till tomorrow morning to see if it > >> > modifies it > >> > > >> > Cheers, > >> > > >> > Simon > >> > > >> > On Thu, 2012-04-19 at 06:44 +0100, Markus Moeller wrote: > >> > > Hi Simon, > >> > > > >> > > Unfortunately I do not have a production environment to give you > >> > > average > >> > > usage numbers. > >> > > > >> > > Can you check that you don't have a file in /var/tmp like (or at > >> > > least is > >> > > not modified): > >> > > > >> > > -rw------- 1 squid nogroup 603 Apr 7 01:13 > >> > > /var/tmp/opensuse12--HTTP-044_31 > >> > > > >> > > This is the replay cache if not disabled. > >> > > > >> > > Markus > >> > > > >> > > "Simon Dwyer" <mail@xxxxxxxxxx> wrote in message > >> > > news:1334813176.2408.29.camel@xxxxxxxxxxxxxxxxxxxx... > >> > > > Hi Markus, > >> > > > > >> > > > This is in the /etc/init.d/squid > >> > > > > >> > > > if [ -f /etc/sysconfig/squid ]; then > >> > > > . /etc/sysconfig/squid > >> > > > fi > >> > > > > >> > > > What should the cpu usage be of each squid_kerb_auth process when > >> > > > used? > >> > > > > >> > > > Cheers, > >> > > > > >> > > > Simon > >> > > > > >> > > > On Thu, 2012-04-19 at 06:15 +0100, Markus Moeller wrote: > >> > > >> Are you sure /etc/sysconfig/squid is sourced by the squid startup > >> > > >> script > >> > > >> ? > >> > > >> Markus > >> > > >> > >> > > >> "Simon Dwyer" <mail@xxxxxxxxxx> wrote in message > >> > > >> news:1334789097.2408.17.camel@xxxxxxxxxxxxxxxxxxxx... > >> > > >> > Hi all, > >> > > >> > > >> > > >> > I have got kerberos working and moved it to production but then > >> > > >> > the > >> > > >> > server started smashing its cpu. It seems that the > >> > > >> > squid_kerb_auth > >> > > >> > processes are killing the cpu. > >> > > >> > > >> > > >> > I have the following in my config. > >> > > >> > > >> > > >> > /etc/sysconfig/squid/ > >> > > >> > > >> > > >> > KRB5RCACHETYPE=none > >> > > >> > export KRB5RCACHETYPE > >> > > >> > > >> > > >> > /etc/squid/squid.conf > >> > > >> > > >> > > >> > auth_param negotiate program /usr/bin/negotiate_wrapper > >> > > >> > --kerberos /usr/lib64/squid/squid_kerb_auth -i -r -s > >> > > >> > GSS_C_NO_NAME > >> > > >> > --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp > >> > > >> > --domain=DOMAIN.EXAMPLE > >> > > >> > auth_param negotiate children 30 > >> > > >> > auth_param negotiate keep_alive on > >> > > >> > > >> > > >> > From what i have read the first part should fix the high cpu > >> > > >> > issue but > >> > > >> > it doesnt seem to help. > >> > > >> > > >> > > >> > More the case i am having trouble getting that variable active. > >> > > >> > > >> > > >> > Anyone else come up on this? > >> > > >> > > >> > > >> > Simon > >> > > >> > > >> > > >> > > >> > > >> > >> > > >> > >> > > > > >> > > > > >> > > > > >> > > > >> > > > >> > > >> > > >> > >> > > > > > > > >