
SQUID - WINDBIND - very slow internet speed


 



Hi Team.

I'm using Squid 5.9 + winbindd 4.9.5; the authentication method is NTLM.

Every day, around 5pm, the internet speed becomes very slow, with users reporting that websites take too long to open.

Also, the time at which the issue occurs is very strange, since it is when most of the users are no longer in the office.

After a deep analysis of the proxy server, I managed to find these errors, which could be related to this issue.

Cache.log
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE

Windbindd.log
[2024/07/22 17:06:48.220216,  2] ../source3/winbindd/winbindd.c:1121(remove_client)
  final write to client failed: Broken pipe
[2024/07/22 17:06:48.220319,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
  winbindd: Exceeding 500 client connections, no idle connection found
[2024/07/22 17:06:48.261482,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
  winbindd: Exceeding 500 client connections, no idle connection found
[2024/07/22 17:06:48.261857,  2] ../source3/winbindd/winbindd.c:1121(remove_client)
  final write to client failed: Broken pipe
[2024/07/22 17:06:48.261926,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
  winbindd: Exceeding 500 client connections, no idle connection found
[2024/07/22 17:06:48.276216,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
  winbindd: Exceeding 500 client connections, no idle connection found
[2024/07/22 17:06:48.276507,  2] ../source3/winbindd/winbindd.c:1121(remove_client)
  final write to client failed: Broken pipe
[2024/07/22 17:06:48.276568,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
  winbindd: Exceeding 500 client connections, no idle connection found
[2024/07/22 17:09:02.512093,  1] ../source4/lib/messaging/messaging.c:83(ping_message)
  INFO: Received PING message from server 10301 []
[2024/07/22 17:09:02.512159,  1] ../source3/lib/messages.c:131(ping_message)
  INFO: Received PING message from PID 10301 []
[2024/07/22 17:11:27.979681,  1] ../source3/winbindd/winbindd_util.c:440(trustdom_list_done)
  trustdom_list_done: Could not receive trusts for domain BANK
[2024/07/22 17:11:27.979756,  1] ../source3/winbindd/winbindd_util.c:440(trustdom_list_done)
  trustdom_list_done: Could not receive trusts for domain HLGROUP
[2024/07/22 17:12:02.612725,  1] ../source4/lib/messaging/messaging.c:83(ping_message)
  INFO: Received PING message from server 4706 []
[2024/07/22 17:12:02.612794,  1] ../source3/lib/messages.c:131(ping_message)
  INFO: Received PING message from PID 4706 []
[2024/07/22 17:15:03.307322,  1] ../source4/lib/messaging/messaging.c:83(ping_message)
  INFO: Received PING message from server 13541 []
[2024/07/22 17:15:03.307477,  1] ../source3/lib/messages.c:131(ping_message)
  INFO: Received PING message from PID 13541 []
[2024/07/22 17:18:02.603927,  1] ../source4/lib/messaging/messaging.c:83(ping_message)
  INFO: Received PING message from server 27640 []
[2024/07/22 17:18:02.603983,  1] ../source3/lib/messages.c:131(ping_message)
  INFO: Received PING message from PID 27640 []

smb.conf
# Samba / winbindd settings of the proxy host as posted ("security = ads", i.e. the
# host is configured as an Active Directory domain member). Review notes are written
# as whole-line comments; the settings themselves are unchanged.
[global]
   netbios name               = ASP02
   log level                  = 2
   workgroup                  = mydom
   # NOTE(review): the keytab holds Kerberos keys for this host; confirm its file
   # permissions restrict it to the accounts that actually need to read it.
   kerberos method            = dedicated keytab
   dedicated keytab file      = /etc/krb5.keytab
   realm                      = mydom.MY
   # NOTE(review): a single address is listed here, so authentication presumably
   # depends on that one server being reachable and responsive - confirm this is intended.
   password server            = 10.150.1.62
   security                   = ads
   winbind enum groups        = No
   winbind enum users         = No
   idmap config * : backend   = tdb
   idmap config * : range     = 3000-7999
   idmap config mydom:backend = ad
   idmap config mydom:schema_mode = rfc2307
   idmap config mydom:range = 10000-999999
   idmap config mydom:unix_nss_info = yes
# TLS-related settings; the key/cert/CA paths are relative (tls/...).
tls enabled = yes
ldap ssl = start tls
tls keyfile  = tls/key.pem
tls certfile = tls/cert.pem
tls cafile   = tls/ca.pem
# NOTE(review): "client ldap sasl wrapping" is set twice in this section: "plain" here
# and "sign" three lines below. The later value is normally the one that takes effect;
# verify with testparm that the unsigned "plain" mode is not what is actually in use,
# then remove the duplicate.
client ldap sasl wrapping = plain
   client ntlmv2 auth         = Yes
   client lanman auth         = No
   client ldap sasl wrapping  = sign
   winbind normalize names    = No
   winbind separator          = /
   winbind use default domain = yes
   winbind nested groups      = Yes
   winbind reconnect delay    = 30
   # NOTE(review): offline logon keeps cached credential data on this host; confirm it
   # is needed on a proxy server.
   winbind offline logon      = true
   winbind cache time         = 1800
   # "winbind refresh tickets" is listed twice with the same value (harmless duplicate).
   winbind refresh tickets    = true
   winbind refresh tickets    = true
   # This limit is the figure reported in the winbindd log ("Exceeding 500 client
   # connections, no idle connection found"). Compare it with the total number of
   # ntlm_auth helpers Squid is allowed to start (auth_param ... children).
   winbind max clients        = 500
   allow trusted domains      = Yes
   # NOTE(review): with "auto", SMB signing is offered but not enforced; confirm
   # whether "mandatory" is feasible in this environment.
   server signing             = auto
   client signing             = auto
   lm announce                = No
   # Legacy LanMan / NTLMv1 options are switched off by the next two lines (and by
   # "client lanman auth = No" / "client ntlmv2 auth = Yes" above).
   ntlm auth                  = No
   lanman auth                = No
   preferred master           = No
   local master               = No
   wins support               = No
   encrypt passwords          = yes
   printing                   = bsd
   load printers              = no
   socket options             = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   # SMB1 is excluded on both the server and the client side.
   min protocol               = SMB2
   client min protocol          = SMB2
   client max protocol          = SMB3
   # "load printers" and "printing" repeat the values already set above.
   load printers              = no
   printing                   = bsd
   printcap name              = /dev/null
   disable spoolss            = yes

Squid.conf

# Squid authentication section as posted: an NTLM scheme and a Basic scheme, both
# backed by Samba's ntlm_auth helper. No http_access rules are visible in this excerpt.
# kerberos_conf() LockActiveDirectoryToKerberos = 0

#
#KerbAuthMethod = 0/1 and NOT_NTLM = False
# NOTE(review): only NTLM and Basic are configured here; Negotiate/Kerberos is generally
# the preferred scheme where clients support it.
auth_param ntlm program /usr/bin/ntlm_auth  --domain=mydom.MY --helper-protocol=squid-2.5-ntlmssp
# NOTE(review): up to 500 NTLM helpers may be started here, plus up to 60 Basic helpers
# further down, while smb.conf sets "winbind max clients = 500". If each ntlm_auth helper
# holds its own winbindd connection (presumably - confirm), the helper total can exceed
# the winbindd limit, which would fit the "Exceeding 500 client connections" log lines.
# concurrency=0 means each helper handles one request at a time; with
# on-persistent-overload=ERR a persistently full helper queue presumably yields ERR
# (authentication failure) answers instead of waiting - confirm against the Squid docs.
auth_param ntlm children 500 startup=5 idle=1 concurrency=0 queue-size=2000 on-persistent-overload=ERR
auth_param ntlm keep_alive off

#
# ads groups OK
#Other settings
# NOTE(review): the next four lines are repeated verbatim after the Basic scheme below.
auth_param basic credentialsttl 7200 seconds
authenticate_ttl 3600 seconds
authenticate_ip_ttl 1 seconds
authenticate_cache_garbage_interval 3600 seconds

# NOTE(review): "authFailed" matches every source address; no rule using either ACL is
# visible in this excerpt.
acl authFailed src all
acl AUTHENTICATED proxy_auth REQUIRED
# END NTLM Parameters --------------------------------
# Basic authentication for other browsers that do not support NTLM
# NOTE(review): Basic sends the user's password base64-encoded with each request; unless
# the client-to-proxy connection is itself encrypted it is readable on the network.
# credentialsttl 7200 means a validated username/password pair is trusted for two hours
# before the helper is asked again.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 60 startup=2 idle=1
auth_param basic realm Active Directory Basic Identification
auth_param basic credentialsttl 7200 seconds
authenticate_ttl 3600 seconds
authenticate_ip_ttl 1 seconds
authenticate_cache_garbage_interval 3600 seconds

# ldap_auth_ad() EnableAdLDAPAuth = 0 - SKIP

# ads groups OK



# --------------------------------------------------



