Hello, Andre,
Your logs say:
> winbindd: Exceeding 500 client connections, no idle connection found
So In addition to Francesco's suggestion, you can try to increase the "winbind max clients" parameter in your smb.conf
Your squid.conf record:
auth_param ntlm children 500 startup=5 idle=1
limits the number of ntlm-helpers, but in the SMP squid configuration this value is multiplied by the number of workers (although I did not notice the activation of multiprocessing support in your squid configuration).
Kind regards,
Andrey
ср, 24 июл. 2024 г. в 21:57, Francesco Chemolli <gkinkie@xxxxxxxxx>:
Hi Andre,
The chain of services here is:
browser <-> squid <-> ntlm_auth <-> winbindd <-> active directory
In order to bisect the problem, could you try using `wbinfo -a` on one
of the affected machiens to authenticate against Active Directory and
see if the performance is on the winbindd <-> AD side of the equation
on on the squid <-> ntlm_auth side?
On Wed, Jul 24, 2024 at 7:27 PM Andre Bolinhas
<andre.bolinhas@xxxxxxxxxxxxxx> wrote:
>
> Hi Team.
>
> I'm using SQUID 5.9 + windbindd 4.9.5, the authentication method is NTLM.
>
> Every day, around 5pm, the internet speed becomes very slow, with users reporting that websites takes too long to open.
>
> Also, the time that the issue occur is very strange, since is when most of the users are not in the office anymore
>
> By doing a deep analyze on Proxy server, I manage to find this error that could be related with this issue.
>
> Cache.log
> GENSEC login failed: NT_STATUS_LOGON_FAILURE
> GENSEC login failed: NT_STATUS_LOGON_FAILURE
> GENSEC login failed: NT_STATUS_LOGON_FAILURE
> GENSEC login failed: NT_STATUS_LOGON_FAILURE
>
> Windbindd.log
> [2024/07/22 17:06:48.220216, 2] ../source3/winbindd/winbindd.c:1121(remove_client)
> final write to client failed: Broken pipe
> [2024/07/22 17:06:48.220319, 0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
> winbindd: Exceeding 500 client connections, no idle connection found
> [2024/07/22 17:06:48.261482, 0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
> winbindd: Exceeding 500 client connections, no idle connection found
> [2024/07/22 17:06:48.261857, 2] ../source3/winbindd/winbindd.c:1121(remove_client)
> final write to client failed: Broken pipe
> [2024/07/22 17:06:48.261926, 0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
> winbindd: Exceeding 500 client connections, no idle connection found
> [2024/07/22 17:06:48.276216, 0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
> winbindd: Exceeding 500 client connections, no idle connection found
> [2024/07/22 17:06:48.276507, 2] ../source3/winbindd/winbindd.c:1121(remove_client)
> final write to client failed: Broken pipe
> [2024/07/22 17:06:48.276568, 0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
> winbindd: Exceeding 500 client connections, no idle connection found
> [2024/07/22 17:09:02.512093, 1] ../source4/lib/messaging/messaging.c:83(ping_message)
> INFO: Received PING message from server 10301 []
> [2024/07/22 17:09:02.512159, 1] ../source3/lib/messages.c:131(ping_message)
> INFO: Received PING message from PID 10301 []
> [2024/07/22 17:11:27.979681, 1] ../source3/winbindd/winbindd_util.c:440(trustdom_list_done)
> trustdom_list_done: Could not receive trusts for domain BANK
> [2024/07/22 17:11:27.979756, 1] ../source3/winbindd/winbindd_util.c:440(trustdom_list_done)
> trustdom_list_done: Could not receive trusts for domain HLGROUP
> [2024/07/22 17:12:02.612725, 1] ../source4/lib/messaging/messaging.c:83(ping_message)
> INFO: Received PING message from server 4706 []
> [2024/07/22 17:12:02.612794, 1] ../source3/lib/messages.c:131(ping_message)
> INFO: Received PING message from PID 4706 []
> [2024/07/22 17:15:03.307322, 1] ../source4/lib/messaging/messaging.c:83(ping_message)
> INFO: Received PING message from server 13541 []
> [2024/07/22 17:15:03.307477, 1] ../source3/lib/messages.c:131(ping_message)
> INFO: Received PING message from PID 13541 []
> [2024/07/22 17:18:02.603927, 1] ../source4/lib/messaging/messaging.c:83(ping_message)
> INFO: Received PING message from server 27640 []
> [2024/07/22 17:18:02.603983, 1] ../source3/lib/messages.c:131(ping_message)
> INFO: Received PING message from PID 27640 []
>
> smb.conf
> [global]
> netbios name = ASP02
> log level = 2
> workgroup = mydom
> kerberos method = dedicated keytab
> dedicated keytab file = /etc/krb5.keytab
> realm = mydom.MY
> password server = 10.150.1.62
> security = ads
> winbind enum groups = No
> winbind enum users = No
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config mydom:backend = ad
> idmap config mydom:schema_mode = rfc2307
> idmap config mydom:range = 10000-999999
> idmap config mydom:unix_nss_info = yes
> tls enabled = yes
> ldap ssl = start tls
> tls keyfile = tls/key.pem
> tls certfile = tls/cert.pem
> tls cafile = tls/ca.pem
> client ldap sasl wrapping = plain
> client ntlmv2 auth = Yes
> client lanman auth = No
> client ldap sasl wrapping = sign
> winbind normalize names = No
> winbind separator = /
> winbind use default domain = yes
> winbind nested groups = Yes
> winbind reconnect delay = 30
> winbind offline logon = true
> winbind cache time = 1800
> winbind refresh tickets = true
> winbind refresh tickets = true
> winbind max clients = 500
> allow trusted domains = Yes
> server signing = auto
> client signing = auto
> lm announce = No
> ntlm auth = No
> lanman auth = No
> preferred master = No
> local master = No
> wins support = No
> encrypt passwords = yes
> printing = bsd
> load printers = no
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> min protocol = SMB2
> client min protocol = SMB2
> client max protocol = SMB3
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> Squid.conf
>
> # kerberos_conf() LockActiveDirectoryToKerberos = 0
>
> #
> #KerbAuthMethod = 0/1 and NOT_NTLM = False
> auth_param ntlm program /usr/bin/ntlm_auth --domain=mydom.MY --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 500 startup=5 idle=1 concurrency=0 queue-size=2000 on-persistent-overload=ERR
> auth_param ntlm keep_alive off
>
> #
> # ads groups OK
> #Other settings
> auth_param basic credentialsttl 7200 seconds
> authenticate_ttl 3600 seconds
> authenticate_ip_ttl 1 seconds
> authenticate_cache_garbage_interval 3600 seconds
>
> acl authFailed src all
> acl AUTHENTICATED proxy_auth REQUIRED
> # END NTLM Parameters --------------------------------
> # Basic authentication for other browser that did not supports NTLM
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 60 startup=2 idle=1
> auth_param basic realm Active Directory Basic Identification
> auth_param basic credentialsttl 7200 seconds
> authenticate_ttl 3600 seconds
> authenticate_ip_ttl 1 seconds
> authenticate_cache_garbage_interval 3600 seconds
>
> # ldap_auth_ad() EnableAdLDAPAuth = 0 - SKIP
>
> # ads groups OK
>
>
>
> # --------------------------------------------------
>
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.squid-cache.org/listinfo/squid-users
--
Francesco
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx https://lists.squid-cache.org/listinfo/squid-users