On 2024-07-26 03:31, Francesco Chemolli wrote:
Have you considered
https://wiki.squid-cache.org/Features/HelperMultiplexer
Just in case you do not know how to find the actual helper program
described on the above page, it is installed as libexec/helper-mux. That
helper has a manual page.
HTH,
Alex.
On Fri, 26 Jul 2024 at 8:23 AM, Andrey K wrote:
Hello, Andre,
> How to know if the helper supports concurrent requests?
You are using /usr/bin/ntlm_auth, and, as far as I know, it does not
support concurrency. But I do not know other ntlm-authentication
helpers.
> winbindd: Exceeding 500 client connections, no idle connection found
> I will increase this value to check if help to settle the issue
I think it will only hide the problem.
In my opinion, it is betterto followthe Alex's adviceandreducethe
numberof ntlm-helpers. It should prevent exceeding the maximum
winbind client connections error messages.
The actual number of required ntlm-helpers can be obtained during
the working day.
ps -ef | grep ntlm_auth | grep -v wrapper | grep -v basic | wc -l
You can divide this number by the number of workers and add some
spare ones.
When the problem appears again, you can follow the advice of Francesco:
> In order to bisect the problem, could you try using `wbinfo -a` on one
> of the affected machiens to authenticate against Active Directory and
>see if the performance is on the winbindd <-> AD side of the equation
> on on the squid <-> ntlm_auth side?
sudo wbinfo -t
sudo wbinfo -a "DOMAIN\username%password"
Kind regards,
Ankor.
чт, 25 июл. 2024 г. в 17:43, Andre Bolinhas
<andre.bolinhas@xxxxxxxxxxxxxx <mailto:andre.bolinhas@xxxxxxxxxxxxxx>>:
__
Hi
We have 5 squid workers, we need to handle around 8k concurrent
users.
Based on this, what's the auth_param values that you recommend
for children, idle and startup?
How to know if the helper supports concurrent requests?
winbindd: Exceeding 500 client connections, no idle connection
found
I will increase this value to check if help to settle the issue
On 25/07/2024 14:28, Alex Rousskov wrote:
On 2024-07-23 19:20, Andre Bolinhas wrote:
winbindd: Exceeding 500 client connections, no idle
connection found
auth_param ntlm children 500 ...
I know virtually nothing about WINDBIND and the authentication
helper you are using, but configuring Squid to have 500 helper
processes is usually a mistake, even with a single Squid
worker. YMMV, but I would try to use a lot fewer helpers
(e.g., 10) and increase that number only if such an increase
actually improves things.
If possible, use a helper that supports concurrent requests.
If your Squid is not competing for resources with other
applications on the server, then I also recommend keeping a
_constant_ number of helper processes (instead of asking Squid
to start many new helper processes at the worse possible time
-- when the load on Squid increases). To do that, make startup
and idle parameters the same as the maximum number of children.
HTH,
Alex.
P.S. The credit for highlighting the correlation between
winbindd errors and "auth_param ntlm children 500" goes to
Andrey K.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
<mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>
https://lists.squid-cache.org/listinfo/squid-users
<https://lists.squid-cache.org/listinfo/squid-users>
____
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
