Search squid archive

Re: SQUID - WINDBIND - very slow internet speed

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello, Andre,

Your logs say: 
> winbindd: Exceeding 500 client connections, no idle connection found

So In addition to Francesco's suggestion, you can try to increase the "winbind max clients" parameter in your smb.conf

Your squid.conf record:
auth_param ntlm children 500 startup=5 idle=1 
limits the number of ntlm-helpers, but in the SMP squid configuration this value is multiplied by the number of workers (although I did not notice the activation of multiprocessing support in your squid configuration).

Kind regards,
     Andrey





ср, 24 июл. 2024 г. в 21:57, Francesco Chemolli <gkinkie@xxxxxxxxx>:
Hi Andre,

The chain of services here is:

browser <-> squid <-> ntlm_auth <-> winbindd <-> active directory

In order to bisect the problem, could you try using `wbinfo -a` on one
of the affected machiens to authenticate against Active Directory and
see if the performance is on the winbindd <-> AD side of the equation
on on the squid <-> ntlm_auth side?

On Wed, Jul 24, 2024 at 7:27 PM Andre Bolinhas
<andre.bolinhas@xxxxxxxxxxxxxx> wrote:
>
> Hi Team.
>
> I'm using SQUID 5.9 + windbindd 4.9.5, the authentication method is NTLM.
>
> Every day, around 5pm, the internet speed becomes very slow, with users reporting that websites takes too long to open.
>
> Also, the time that the issue occur is very strange, since is when most of the users are not in the office anymore
>
> By doing a deep analyze on Proxy server, I manage to find this error that could be related with this issue.
>
> Cache.log
> GENSEC login failed: NT_STATUS_LOGON_FAILURE
> GENSEC login failed: NT_STATUS_LOGON_FAILURE
> GENSEC login failed: NT_STATUS_LOGON_FAILURE
> GENSEC login failed: NT_STATUS_LOGON_FAILURE
>
> Windbindd.log
> [2024/07/22 17:06:48.220216,  2] ../source3/winbindd/winbindd.c:1121(remove_client)
>   final write to client failed: Broken pipe
> [2024/07/22 17:06:48.220319,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
>   winbindd: Exceeding 500 client connections, no idle connection found
> [2024/07/22 17:06:48.261482,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
>   winbindd: Exceeding 500 client connections, no idle connection found
> [2024/07/22 17:06:48.261857,  2] ../source3/winbindd/winbindd.c:1121(remove_client)
>   final write to client failed: Broken pipe
> [2024/07/22 17:06:48.261926,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
>   winbindd: Exceeding 500 client connections, no idle connection found
> [2024/07/22 17:06:48.276216,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
>   winbindd: Exceeding 500 client connections, no idle connection found
> [2024/07/22 17:06:48.276507,  2] ../source3/winbindd/winbindd.c:1121(remove_client)
>   final write to client failed: Broken pipe
> [2024/07/22 17:06:48.276568,  0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
>   winbindd: Exceeding 500 client connections, no idle connection found
> [2024/07/22 17:09:02.512093,  1] ../source4/lib/messaging/messaging.c:83(ping_message)
>   INFO: Received PING message from server 10301 []
> [2024/07/22 17:09:02.512159,  1] ../source3/lib/messages.c:131(ping_message)
>   INFO: Received PING message from PID 10301 []
> [2024/07/22 17:11:27.979681,  1] ../source3/winbindd/winbindd_util.c:440(trustdom_list_done)
>   trustdom_list_done: Could not receive trusts for domain BANK
> [2024/07/22 17:11:27.979756,  1] ../source3/winbindd/winbindd_util.c:440(trustdom_list_done)
>   trustdom_list_done: Could not receive trusts for domain HLGROUP
> [2024/07/22 17:12:02.612725,  1] ../source4/lib/messaging/messaging.c:83(ping_message)
>   INFO: Received PING message from server 4706 []
> [2024/07/22 17:12:02.612794,  1] ../source3/lib/messages.c:131(ping_message)
>   INFO: Received PING message from PID 4706 []
> [2024/07/22 17:15:03.307322,  1] ../source4/lib/messaging/messaging.c:83(ping_message)
>   INFO: Received PING message from server 13541 []
> [2024/07/22 17:15:03.307477,  1] ../source3/lib/messages.c:131(ping_message)
>   INFO: Received PING message from PID 13541 []
> [2024/07/22 17:18:02.603927,  1] ../source4/lib/messaging/messaging.c:83(ping_message)
>   INFO: Received PING message from server 27640 []
> [2024/07/22 17:18:02.603983,  1] ../source3/lib/messages.c:131(ping_message)
>   INFO: Received PING message from PID 27640 []
>
> smb.conf
> [global]
>    netbios name               = ASP02
>    log level                  = 2
>    workgroup                  = mydom
>    kerberos method            = dedicated keytab
>    dedicated keytab file      = /etc/krb5.keytab
>    realm                      = mydom.MY
>    password server            = 10.150.1.62
>    security                   = ads
>    winbind enum groups        = No
>    winbind enum users         = No
>    idmap config * : backend   = tdb
>    idmap config * : range     = 3000-7999
>    idmap config mydom:backend = ad
>    idmap config mydom:schema_mode = rfc2307
>    idmap config mydom:range = 10000-999999
>    idmap config mydom:unix_nss_info = yes
> tls enabled = yes
> ldap ssl = start tls
> tls keyfile  = tls/key.pem
> tls certfile = tls/cert.pem
> tls cafile   = tls/ca.pem
> client ldap sasl wrapping = plain
>    client ntlmv2 auth         = Yes
>    client lanman auth         = No
>    client ldap sasl wrapping  = sign
>    winbind normalize names    = No
>    winbind separator          = /
>    winbind use default domain = yes
>    winbind nested groups      = Yes
>    winbind reconnect delay    = 30
>    winbind offline logon      = true
>    winbind cache time         = 1800
>    winbind refresh tickets    = true
>    winbind refresh tickets    = true
>    winbind max clients        = 500
>    allow trusted domains      = Yes
>    server signing             = auto
>    client signing             = auto
>    lm announce                = No
>    ntlm auth                  = No
>    lanman auth                = No
>    preferred master           = No
>    local master               = No
>    wins support               = No
>    encrypt passwords          = yes
>    printing                   = bsd
>    load printers              = no
>    socket options             = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    min protocol               = SMB2
>    client min protocol          = SMB2
>    client max protocol          = SMB3
>    load printers              = no
>    printing                   = bsd
>    printcap name              = /dev/null
>    disable spoolss            = yes
>
> Squid.conf
>
> # kerberos_conf() LockActiveDirectoryToKerberos = 0
>
> #
> #KerbAuthMethod = 0/1 and NOT_NTLM = False
> auth_param ntlm program /usr/bin/ntlm_auth  --domain=mydom.MY --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 500 startup=5 idle=1 concurrency=0 queue-size=2000 on-persistent-overload=ERR
> auth_param ntlm keep_alive off
>
> #
> # ads groups OK
> #Other settings
> auth_param basic credentialsttl 7200 seconds
> authenticate_ttl 3600 seconds
> authenticate_ip_ttl 1 seconds
> authenticate_cache_garbage_interval 3600 seconds
>
> acl authFailed src all
> acl AUTHENTICATED proxy_auth REQUIRED
> # END NTLM Parameters --------------------------------
> # Basic authentication for other browser that did not supports NTLM
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 60 startup=2 idle=1
> auth_param basic realm Active Directory Basic Identification
> auth_param basic credentialsttl 7200 seconds
> authenticate_ttl 3600 seconds
> authenticate_ip_ttl 1 seconds
> authenticate_cache_garbage_interval 3600 seconds
>
> # ldap_auth_ad() EnableAdLDAPAuth = 0 - SKIP
>
> # ads groups OK
>
>
>
> # --------------------------------------------------
>
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.squid-cache.org/listinfo/squid-users



--
    Francesco
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux