On Mon, 18 Oct 2010 00:50:28 +0000, "Tharanga Abeyseela (RGA)"
<tharanga.abeyseela_at_rexelga.com.au> wrote:
> Hi Guys,
>
> I have been running squid with AD authentication and security group
> authentication for the last 6 months, and suddenly squid failed with the
> following message
>
> (squid): Too many queued ntlmauthenticator requests.

Sign of a sudden burst of people logging in. Or that something caused a
slightly higher than normal delay in the auth checks. Which multiplies out
to fill up the Squid helpers.

>
> I am using
>
> samba-3.4.8-59.fc12.x86_64
> samba-winbind-clients-3.4.8-59.fc12.x86_64
> samba-common-3.4.8-59.fc12.x86_64
> samba-client-3.4.8-59.fc12.x86_64
> samba-winbind-devel-3.4.8-59.fc12.x86_64
> samba-winbind-3.4.8-59.fc12.x86_64
> Squid Cache: Version 3.0.STABLE24
> configure options: '--prefix=/usr/local/squid'
> '--enable-auth=ntlm,basic'
> '--enable-external-acl-helpers=wbinfo_group'
>
> and also I am getting the following error
>
> [2010/10/18 10:28:58, 3] winbindd/winbindd_cm.c:1597(connection_ok)
> connection_ok: Connection to for domain xxx is not connected
>
> (but if I use the net join command it says joined to domain)
>
> According to my squid report normally there are 700 people connecting to
> the proxy, but now it says winbind maximum connection exceeds 200, but
> I am confused about that.
>
> Appreciate your help on this.
>
> Best regards,
> Tharanga

Two basic design flaws in NTLM:
- winbind cannot accept more than ~256 simultaneous stateful logins (ie NTLM)
- NTLM requires every new TCP connection to perform a full 2-request handshake
  (ie minimum login delays of request+reply+request+reply in HTTP)

There are two things which each reduce the problem a little. When combined
they provide a great improvement in network speed and logins...
- upgrade to 3.1.8.
- upgrade to Negotiate/Kerberos from NTLM

Amos
Received on Mon Oct 18 2010 - 01:11:15 MDT
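
Added example, not part of the original thread and not Squid or Samba code: a Python script that checks whether winbind "not connected" events preceded each Squid helper-queue overflow, the two symptoms reported in the message above. The log samples are constructed; the `YYYY/MM/DD HH:MM:SS|` cache.log prefix and the 2-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

TS_FMT = "%Y/%m/%d %H:%M:%S"
# Assumed cache.log prefix "YYYY/MM/DD HH:MM:SS|"; message text is from the thread.
SQUID_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\|.*Too many queued (\w+) requests")
WB_HEAD_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]")
WB_MSG_RE = re.compile(r"connection_ok: Connection to .*for domain (\S+) is not connected")

# Constructed sample logs (timestamps invented for the example).
SQUID_LOG = """\
2010/10/18 10:29:05| (squid): Too many queued ntlmauthenticator requests.
2010/10/18 14:02:11| (squid): Too many queued ntlmauthenticator requests.
"""
WINBIND_LOG = """\
[2010/10/18 09:00:00, 3] winbindd/winbindd_cm.c:1597(connection_ok)
  connection_ok: Connection to  for domain xxx is not connected
[2010/10/18 10:28:58, 3] winbindd/winbindd_cm.c:1597(connection_ok)
  connection_ok: Connection to  for domain xxx is not connected
"""

def squid_overflows(text):
    """Return [(timestamp, helper_name)] for each helper-queue overflow."""
    hits = (SQUID_RE.match(line) for line in text.splitlines())
    return [(datetime.strptime(m.group(1), TS_FMT), m.group(2)) for m in hits if m]

def winbind_disconnects(text):
    """Return [(timestamp, domain)]; Samba logs a header line, then the message."""
    out, stamp = [], None
    for line in text.splitlines():
        head = WB_HEAD_RE.match(line)
        if head:
            stamp = datetime.strptime(head.group(1), TS_FMT)
            continue
        msg = WB_MSG_RE.search(line)
        if msg and stamp:
            out.append((stamp, msg.group(1)))
    return out

def correlate(squid_text, winbind_text, window=timedelta(minutes=2)):
    """Pair each overflow with the winbind disconnects in the window before it."""
    drops = winbind_disconnects(winbind_text)
    return [(when, helper, [d for d in drops if timedelta(0) <= when - d[0] <= window])
            for when, helper in squid_overflows(squid_text)]

if __name__ == "__main__":
    for when, helper, prior in correlate(SQUID_LOG, WINBIND_LOG):
        cause = f"{len(prior)} winbind disconnect(s) just before" if prior else "no winbind disconnect nearby"
        print(f"{when} {helper} queue overflow: {cause}")
```

An overflow with a preceding disconnect points at slow or failed auth checks; one without points at a login burst.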