Re: [squid-users] Strange behaviour of NTLM and "helperStatefulDefer: None available"

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 14 Jan 2003 17:34:57 +0100

tis 2003-01-14 klockan 14.47 skrev Deac Nkisetlein:

> In cache.log I see the request three times. The first two times it is denied
> (407), the third time it returns 200.

Normal. This is how NTLM works (simplified: the first request on each new TCP
connection is repeated three times, and only the final third time has
all the needed information for authentication).

> But there are two more problems. First, if a page loads, for every
> element in this page (for instance every .gif from a page), ntlm performs a
> single authentication on our windows domain controller. This might be ok for
> testing purposes, but I am afraid of performance issues if hundreds of users
> are accessing.

Actually it does not in most cases. At least not unless you have
disabled the use of persistent connections.

> The second - and the biggest - problem is when hitting reload very often, or
> accessing some pages quite fast. Squid produces a core-dump, exiting abnormally.
>
> cache.log says:
>
> FATAL: Too many queued ntlmauthenticator requests

Ouch.. but known. Incidentally I am working on a Squid internal
framework which when completed will eliminate this for at least the
winbind ntlm helper (the SMB ntlm helper is too braindead to do much
about..)

> My explanation for this so far is the following: When squid performs a login
> procedure for every object requested from web, it is by far not fast enough.
> It queues up some requests, finally dying when it has queued too much.

The problem is the NTLM authentication and how Squid talks to its ntlm
helper program.

Each new TCP connection initiated by your browser will require a new
NTLM handshake. During this handshake an NTLM helper will be blocked for
exclusive use by that TCP connection, and you can at most configure 32
helpers (number of children), and Squid only allows a queue of at most
2 * the number of helpers requests waiting for an ntlm helper to
become available. So what this means is that there can at most be 64
NTLM negotiations at a time (or maybe 96, not entirely sure).

Regards
Henrik
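Added illustration (not code from this thread or from Squid itself): a toy model of the stateful helper pool Henrik describes, so an operator can see how the 32-children ceiling and the 2x queue bound combine into the FATAL condition during a reload storm. The 32-helper maximum and the 2 * children queue limit come from the reply; the class and method names, the exception standing in for the FATAL message, and the connection trace are assumptions constructed for this example.

```python
from collections import deque


class TooManyQueuedRequests(RuntimeError):
    """Stands in for Squid's 'FATAL: Too many queued ntlmauthenticator requests'."""


class NtlmHelperPool:
    """Toy model of a pool of stateful NTLM helpers (constructed for illustration).

    Each TCP connection that starts an NTLM handshake binds one helper for
    exclusive use until the handshake completes. Connections that find no
    free helper wait in a queue bounded by QUEUE_FACTOR * children; one more
    connection than that is the fatal condition from the message.
    """

    MAX_CHILDREN = 32   # per the reply: at most 32 helper children
    QUEUE_FACTOR = 2    # per the reply: queue of at most 2 * helpers

    def __init__(self, children):
        if not 1 <= children <= self.MAX_CHILDREN:
            raise ValueError(f"children must be 1..{self.MAX_CHILDREN}")
        self.children = children
        self.free = list(range(children))   # helper slots not bound to any connection
        self.busy = {}                      # conn_id -> helper slot
        self.queue = deque()                # conn_ids waiting for a helper

    @property
    def queue_limit(self):
        return self.QUEUE_FACTOR * self.children

    def max_in_flight(self):
        """Most NTLM negotiations the pool can hold before the fatal condition."""
        return self.children + self.queue_limit

    def connection_start(self, conn_id):
        """A new TCP connection sent its first (unauthenticated) request."""
        if conn_id in self.busy or conn_id in self.queue:
            raise ValueError(f"connection {conn_id} already negotiating")
        if self.free:
            self.busy[conn_id] = self.free.pop()
            return "bound"
        if len(self.queue) >= self.queue_limit:
            raise TooManyQueuedRequests(
                f"{len(self.queue)} queued, limit {self.queue_limit}")
        self.queue.append(conn_id)
        return "queued"

    def handshake_complete(self, conn_id):
        """The third request finished the handshake; release the helper."""
        helper = self.busy.pop(conn_id)
        if self.queue:
            # Hand the helper straight to the longest-waiting connection.
            self.busy[self.queue.popleft()] = helper
        else:
            self.free.append(helper)


def simulate_burst(children, connections):
    """Open `connections` new TCP connections with no handshake completing in between.

    Returns (bound, queued, fatal_at) where fatal_at is the 1-based index of the
    connection that hit the queue limit, or None if all were accepted.
    """
    pool = NtlmHelperPool(children)
    for n in range(1, connections + 1):
        try:
            pool.connection_start(f"conn-{n}")   # constructed connection ids
        except TooManyQueuedRequests:
            return len(pool.busy), len(pool.queue), n
    return len(pool.busy), len(pool.queue), None


if __name__ == "__main__":
    # Constructed scenario: a reload storm opening 97 connections at once
    # against the maximum of 32 helpers. The 97th connection is the one
    # that would trigger the FATAL exit.
    print(simulate_burst(32, 97))
```

With 32 children the pool holds 32 bound plus 64 queued negotiations, which is where the "64, or maybe 96" figures in the reply come from; the model also shows why keeping persistent connections enabled matters, since a handshake is charged per TCP connection, not per object fetched over it.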
Received on Tue Jan 14 2003 - 09:35:04 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:40 MST