Hello, Andre,
> How to know if the helper supports concurrent requests?
You are using /usr/bin/ntlm_auth, and, as far as I know, it does not support concurrency. But I do not know other ntlm-authentication helpers.
> winbindd: Exceeding 500 client connections, no idle connection found
> I will increase this value to check if it helps to settle the issue
I think it will only hide the problem.
In my opinion, it is better to follow Alex's advice and reduce the number of ntlm-helpers. It should prevent exceeding the maximum winbind client connections error messages.
The actual number of required ntlm-helpers can be obtained during the working day.
ps -ef | grep ntlm_auth | grep -v wrapper | grep -v basic | wc -l
You can divide this number by the number of workers and add some spare ones.
When the problem appears again, you can follow the advice of Francesco:
> In order to bisect the problem, could you try using `wbinfo -a` on one
> of the affected machines to authenticate against Active Directory and
> see if the performance is on the winbindd <-> AD side of the equation
> or on the squid <-> ntlm_auth side?
sudo wbinfo -t
sudo wbinfo -a "DOMAIN\username%password"
Kind regards,
Ankor.
Thu, 25 Jul 2024 at 17:43, Andre Bolinhas <andre.bolinhas@xxxxxxxxxxxxxx>:
Hi
We have 5 squid workers, we need to handle around 8k concurrent users. Based on this, what are the auth_param values that you recommend for children, idle and startup?
How to know if the helper supports concurrent requests?
winbindd: Exceeding 500 client connections, no idle connection found
I will increase this value to check if it helps to settle the issue
On 25/07/2024 14:28, Alex Rousskov wrote:
On 2024-07-23 19:20, Andre Bolinhas wrote:
winbindd: Exceeding 500 client connections, no idle connection found
auth_param ntlm children 500 ...
I know virtually nothing about WINBIND and the authentication helper you are using, but configuring Squid to have 500 helper processes is usually a mistake, even with a single Squid worker. YMMV, but I would try to use a lot fewer helpers (e.g., 10) and increase that number only if such an increase actually improves things.
If possible, use a helper that supports concurrent requests.
If your Squid is not competing for resources with other applications on the server, then I also recommend keeping a _constant_ number of helper processes (instead of asking Squid to start many new helper processes at the worst possible time -- when the load on Squid increases). To do that, make startup and idle parameters the same as the maximum number of children.
HTH,
Alex.
P.S. The credit for highlighting the correlation between winbindd errors and "auth_param ntlm children 500" goes to Andrey K.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
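The sizing steps from the thread (count ntlm_auth helpers during the working day, divide by the number of workers, add spares, keep startup and idle equal to children), as an added sketch that is not part of any message above. The ps lines are constructed, and the function names and the spare count of 2 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): size the NTLM helper pool per Squid worker.

# Constructed sample of `ps -ef` output; PIDs, times and arguments are made up.
SAMPLE_PS='squid  2101  2090  0 09:00 ?  00:00:01 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
squid  2102  2090  0 09:00 ?  00:00:01 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
squid  2103  2091  0 09:00 ?  00:00:00 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
squid  2104  2091  0 09:00 ?  00:00:00 (ntlm_auth) --helper-protocol=squid-2.5-basic
squid  2105  2091  0 09:00 ?  00:00:00 (negotiate_wrapper) --ntlm /usr/bin/ntlm_auth'

# Count NTLM helpers in `ps -ef` output read from stdin, using the same
# filters as the pipeline in the message (drop wrapper and basic helpers).
count_helpers() {
    grep ntlm_auth | grep -v wrapper | grep -v basic | wc -l | tr -d ' '
}

# Highest value among samples (one count per line on stdin) taken over the day.
peak_of() {
    sort -n | tail -n 1
}

# children_per_worker PEAK WORKERS SPARE -> ceil(PEAK / WORKERS) + SPARE
children_per_worker() {
    peak=$1 workers=$2 spare=$3
    case "$peak$workers$spare" in
        ''|*[!0-9]*) echo "arguments must be non-negative integers" >&2; return 1 ;;
    esac
    [ "$workers" -gt 0 ] || { echo "workers must be greater than 0" >&2; return 1; }
    echo $(( (peak + workers - 1) / workers + spare ))
}

# Constant pool: startup and idle set to the same value as children.
auth_param_line() {
    echo "auth_param ntlm children $1 startup=$1 idle=$1"
}

# On a live proxy, feed real data instead: ps -ef | count_helpers
busy=$(printf '%s\n' "$SAMPLE_PS" | count_helpers)
auth_param_line "$(children_per_worker "$busy" 5 2)"
```
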