Re: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-20 Thread Amos Jeffries

Henrik Nordstrom wrote:

On Wed, 2008-11-19 at 19:39 +0100, [EMAIL PROTECTED] wrote:


auth_param ntlm ttl

do you advise using it? I do not find any reference to it on the
squid configuration guide website.
you spoke about the ttl parameter .. do you advise using it ??


Not sure who spoke about an auth_param ntlm ttl parameter, but there is
no such parameter.

The ntlm scheme only has three parameters

  program

  children

  keep_alive

where the first (program) specifies the helper to use, the second
(children) needs to be tuned to at least fit your load or there will be
issues with rejected access or sporadic authentication prompts, and the
third is a minor optimization.


I mentioned authenticate_ttl as a general possibility to be looked at.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2


RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-19 Thread vincent.blondel
 
 Before digging deep into OS settings check your squid.conf auth, acl
 and http_access settings.
 
 okay let's go concerning auth part of the squid.conf, I would like to
 say, nothing special .. below the ntlm config part
 
 auth_param ntlm program /usr/local/bin/ntlm_auth
 --helper-protocol=squid-2.5-ntlmssp
 auth_param ntlm children 128
 auth_param ntlm keep_alive on
 acl ntlmauth proxy_auth REQUIRED
 ...
 http_access allow ntlmauth all
 http_reply_access allow all
 http_access deny all
 deny_info TCP_RESET all
 

Hmm, what those lines do is:
  - test the request for auth details (allow ntlmauth),
  - if correct details found, allow (allow ntlmauth all).
  - if none are found, or bad details ignore (allow ntlmauth all)
  - but send a RESET on the TCP link (deny all + TCP_RESET)

something I tried last week to see if it could solve my problem.


The clients will never get any correction when auth details are
invalid. 
They will just get a completely new session, the browser will try to 
resend the same broken details until it gives up and re-asks the user.


The 'all' silencing hack is intended for situations where auth may be
the preferred method of access, but an alternative exists and can be
taken easily when it fails. It prevents the browser being notified when
credentials are wrong.

Does it work if you make that line just: http_access allow ntlmauth

indeed seems also working, if no valid credential 'cache access denied'
otherwise goes to internet.

as announced in my previous mails, I migrated all my proxy servers
last night. this ran fine and the packages are running well.
I updated the access ntlm rule by removing 'all' at the end of the line but
this does not change anything except it happened at most 37 times on one
of the proxies. I got this more than 100 times a day before.

so can I still try something else ?


does it change the internal squid behaviour by removing all ??


 Check the TTL settings on your auth config. If it's not long enough
 squid will re-auth between request and reply.
 
 not really sure to understand what setting you are speaking about ??
 

auth_param ntlm ttl

do you advise using it? I do not find any reference to it on the
squid configuration guide website.


you spoke about the ttl parameter .. do you advise using it ??



-
ATTENTION:
The information in this electronic mail message is private and
confidential, and only intended for the addressee. Should you
receive this message by mistake, you are hereby notified that
any disclosure, reproduction, distribution or use of this
message is strictly prohibited. Please inform the sender by
reply transmission and delete the message without copying or
opening it.

Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the
files have NOT been scanned for viruses by the ING mail domain.
Always scan attachments before opening them.
-




RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-19 Thread Henrik Nordstrom
On Wed, 2008-11-19 at 19:39 +0100, [EMAIL PROTECTED] wrote:

 auth_param ntlm ttl
 
 do you advise using it? I do not find any reference to it on the
 squid configuration guide website.
 
 
 you spoke about the ttl parameter .. do you advise using it ??

Not sure who spoke about an auth_param ntlm ttl parameter, but there is
no such parameter.

The ntlm scheme only has three parameters

  program

  children

  keep_alive

where the first (program) specifies the helper to use, the second
(children) needs to be tuned to at least fit your load or there will be
issues with rejected access or sporadic authentication prompts, and the
third is a minor optimization.

Regards
Henrik




RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-19 Thread vincent.blondel
 
 auth_param ntlm ttl
 
 do you advise using it? I do not find any reference to it on the
 squid configuration guide website.
 
 
 you spoke about the ttl parameter .. do you advise using it ??

Not sure who spoke about an auth_param ntlm ttl parameter, but there is
no such parameter.

The ntlm scheme only has three parameters

  program

  children

  keep_alive

where the first (program) specifies the helper to use, the second
(children) needs to be tuned to at least fit your load or there will be
issues with rejected access or sporadic authentication prompts, and the
third is a minor optimization.


okay but I already get 128 ntlm_auth processes running .. is this enough
for a load of 250 req/sec ??

on the other hand, and this is also the meaning of this conversation, it
seems this popup box does not always come with some load issues but can
happen for other reasons I totally ignore .. and how to troubleshoot
this really ?

Regards
Henrik




RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-19 Thread Henrik Nordstrom
On Wed, 2008-11-19 at 20:29 +0100, [EMAIL PROTECTED] wrote:

 okay but I already get 128 ntlm_auth processes running .. is this enough
 for a load of 250 req/sec ??

Can't say. Do you get any relevant warnings in cache.log? And what does
cachemgr say about the helper usage?

 on the other hand, and this is also the meaning of this conversation, it
 seems this popup box does not always come with some load issues but can
 happen for other reasons I totally ignore .. and how to troubleshoot
 this really ?

wireshark is a good tool for troubleshooting these issues, combined with
increased logging in Squid.

Regards
Henrik




RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-16 Thread vincent.blondel

 hello all,

 I currently get some sun v210 boxes running solaris 8 and squid-2.6.12
 and samba 3.0.20b. I will upgrade these proxies into 2.7.4/3.0.32 next
 monday but before doing this I would like to ask you your advices and/or
 experiences with tuning these kind of boxes.

 the service is running well today except we regularly get authentication
 popup boxes. This is really exasperating our Users. I already spent a lot
 of time on the net in the hope of finding a clear explanation about it but
 i am still searching. I already configured starting 128 ntlm_auth
 processes on each of my servers. This gives better results but the problem
 still remains. I also made some patching in my new package I will deploy
 next week by overwriting some samba values .. below my little patch ..

 
 first of all, many thanks to enter this discussion in order to help me
 solve my problems ..
 
 Before digging deep into OS settings check your squid.conf auth, acl
 and http_access settings.
 
 okay let's go concerning auth part of the squid.conf, I would like to
 say, nothing special .. below the ntlm config part
 
 auth_param ntlm program /usr/local/bin/ntlm_auth
 --helper-protocol=squid-2.5-ntlmssp
 auth_param ntlm children 128
 auth_param ntlm keep_alive on
 acl ntlmauth proxy_auth REQUIRED
 ...
 http_access allow ntlmauth all
 http_reply_access allow all
 http_access deny all
 deny_info TCP_RESET all
 

Hmm, what those lines do is:
  - test the request for auth details (allow ntlmauth),
  - if correct details found, allow (allow ntlmauth all).
  - if none are found, or bad details ignore (allow ntlmauth all)
  - but send a RESET on the TCP link (deny all + TCP_RESET)

something I tried last week to see if it could solve my problem.


The clients will never get any correction when auth details are
invalid. 
They will just get a completely new session, the browser will try to 
resend the same broken details until it gives up and re-asks the user.


The 'all' silencing hack is intended for situations where auth may be
the preferred method of access, but an alternative exists and can be
taken easily when it fails. It prevents the browser being notified when
credentials are wrong.

Does it work if you make that line just: http_access allow ntlmauth

indeed seems also working, if no valid credential 'cache access denied'
otherwise goes to internet.

does it change the internal squid behaviour by removing all ??


 Check the TTL settings on your auth config. If it's not long enough
 squid will re-auth between request and reply.
 
 not really sure to understand what setting you are speaking about ??
 

auth_param ntlm ttl

do you advise using it? I do not find any reference to it on the
squid configuration guide website.


Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.2




RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-14 Thread vincent.blondel


hello all,

I currently get some sun v210 boxes running solaris 8 and squid-2.6.12
and samba 3.0.20b. I will upgrade these proxies into 2.7.4/3.0.32 next
monday but before doing this I would like to ask you your advices and/or
experiences with tuning these kind of boxes.

the service is running well today except we regularly get authentication
popup boxes. This is really exasperating our Users. I already spent a lot
of time on the net in the hope of finding a clear explanation about it but
i am still searching. I already configured starting 128 ntlm_auth
processes on each of my servers. This gives better results but the problem
still remains. I also made some patching in my new package I will deploy
next week by overwriting some samba values .. below my little patch ..



first of all, many thanks to enter this discussion in order to help me
solve my problems ..

Before digging deep into OS settings check your squid.conf auth, acl
and http_access settings.

okay let's go concerning auth part of the squid.conf, I would like to
say, nothing special .. below the ntlm config part

auth_param ntlm program /usr/local/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 128
auth_param ntlm keep_alive on
acl ntlmauth proxy_auth REQUIRED
...
http_access allow ntlmauth all
http_reply_access allow all
http_access deny all
deny_info TCP_RESET all

Check the TTL settings on your auth config. If it's not long enough
squid will re-auth between request and reply.

not really sure to understand what setting you are speaking about ??


For the access controls there are a number of ways they can trigger
authentication popups. %LOGIN passed to external helper, proxy_auth
REQUIRED acl, and an auth ACL being last on an http_access line.


if I understand you correctly, you have the requested config line above ..

Also, interception setups hacked with bad flags to (wrongly) permit auth
can appear working but cause popups on every object request and also leak
clients' credentials to all remote sites that use auth.

what kind of interception are you speaking about ??


Amos




Re: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-14 Thread Amos Jeffries

[EMAIL PROTECTED] wrote:

hello all,

I currently get some sun v210 boxes running solaris 8 and squid-2.6.12
and samba 3.0.20b. I will upgrade these proxies into 2.7.4/3.0.32 next
monday but before doing this I would like to ask you your advices and/or
experiences with tuning these kind of boxes.

the service is running well today except we regularly get authentication
popup boxes. This is really exasperating our Users. I already spent a lot
of time on the net in the hope of finding a clear explanation about it but
i am still searching. I already configured starting 128 ntlm_auth
processes on each of my servers. This gives better results but the problem
still remains. I also made some patching in my new package I will deploy
next week by overwriting some samba values .. below my little patch ..



first of all, many thanks to enter this discussion in order to help me
solve my problems ..


Before digging deep into OS settings check your squid.conf auth, acl
and http_access settings.


okay let's go concerning auth part of the squid.conf, I would like to
say, nothing special .. below the ntlm config part

auth_param ntlm program /usr/local/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 128
auth_param ntlm keep_alive on
acl ntlmauth proxy_auth REQUIRED
...
http_access allow ntlmauth all
http_reply_access allow all
http_access deny all
deny_info TCP_RESET all



Hmm, what those lines do is:
 - test the request for auth details (allow ntlmauth),
 - if correct details found, allow (allow ntlmauth all).
 - if none are found, or bad details ignore (allow ntlmauth all)
 - but send a RESET on the TCP link (deny all + TCP_RESET)

The clients will never get any correction when auth details are invalid. 
They will just get a completely new session, the browser will try to 
resend the same broken details until it gives up and re-asks the user.



The 'all' silencing hack is intended for situations where auth may be
the preferred method of access, but an alternative exists and can be
taken easily when it fails. It prevents the browser being notified when
credentials are wrong.


Does it work if you make that line just: http_access allow ntlmauth


Check the TTL settings on your auth config. If it's not long enough
squid will re-auth between request and reply.


not really sure to understand what setting you are speaking about ??



auth_param ntlm ttl

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2


RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-13 Thread vincent.blondel

hello all,

I currently get some sun v210 boxes running solaris 8 and squid-2.6.12
and samba 3.0.20b. I will upgrade these proxies into 2.7.4/3.0.32 next
monday but before doing this I would like to ask you your advices and/or
experiences with tuning these kind of boxes.

the service is running well today except we regularly get authentication
popup boxes. This is really exasperating our Users. I already spent a lot
of time on the net in the hope of finding a clear explanation about it but
i am still searching. I already configured starting 128 ntlm_auth
processes on each of my servers. This gives better results but the problem
still remains. I also made some patching in my new package I will deploy
next week by overwriting some samba values .. below my little patch ..

--- samba-3.0.32.orig/source/include/local.h2008-08-25
23:09:21.0 +0200
+++ samba-3.0.32/source/include/local.h 2008-10-09 13:09:59.784144000
+0200
@@ -222,7 +222,7 @@
 #define WINBIND_SERVER_MUTEX_WAIT_TIME ((
((NUM_CLI_AUTH_CONNECT_RETRIES) * ((CLI_AUTH_TIMEOUT)/1000)) + 5)*2)

 /* Max number of simultaneous winbindd socket connections. */
-#define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 200
+#define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 1024

 /* Buffer size to use when printing backtraces */
 #define BACKTRACE_STACK_SIZE 64
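Review bot: the hunk raises a compile-time ceiling without recording why; a comment above WINBINDD_MAX_SIMULTANEOUS_CLIENTS stating that the local build raised it from 200 to 1024 for a Squid proxy running 128 ntlm_auth helpers would stop the change being lost on the next samba upgrade (the post is already moving from 3.0.20b to 3.0.32). Each accepted winbindd client also holds a file descriptor, so 1024 only takes effect if the descriptor limit winbindd runs under allows it; the rlim_fd_max=8192 set in the post is the hard ceiling and the soft limit needs checking as well. Since 128 helpers is below the old limit of 200, it is worth confirming from winbindd's own logging that the ceiling is actually reached before attributing the popups to it.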

I currently do not use 'auth_param ntlm keep_alive on' because I do not
know if it will not cause some side effects for web browser used in our
company (ie/windows xp sp2).

I already use some parameters today like these ones below ...

set shmsys:shminfo_shmseg=16
set shmsys:shminfo_shmmni=32
set shmsys:shminfo_shmmax=2097152
set msgsys:msginfo_msgmni=40
set msgsys:msginfo_msgmax=2048
set msgsys:msginfo_msgmnb=8192
set msgsys:msginfo_msgssz=64
set msgsys:msginfo_msgtql=2048
set rlim_fd_max=8192

arp_cleanup_interval=6
ip_forward_directed_broadcasts=0
ip_forward_src_routed=0
ip6_forward_src_routed=0
ip_ignore_redirect=1
ip6_ignore_redirect=1
ip_ire_flush_interval=6
ip_ire_arp_interval=6
ip_respond_to_address_mask_broadcast=0
ip_respond_to_echo_broadcast=0
ip6_respond_to_echo_multicast=0
ip_respond_to_timestamp=0
ip_respond_to_timestamp_broadcast=0
ip_send_redirects=0
ip6_send_redirects=0
ip_strict_dst_multihoming=1
ip6_strict_dst_multihoming=1
ip_def_ttl=255
tcp_conn_req_max_q0=4096
tcp_conn_req_max_q=1024
tcp_rev_src_routes=0
tcp_extra_priv_ports_add=6112
udp_extra_priv_ports_add=
tcp_smallest_anon_port=32768
tcp_largest_anon_port=65535
udp_smallest_anon_port=32768
udp_largest_anon_port=65535
tcp_smallest_nonpriv_port=1024
udp_smallest_nonpriv_port=1024

after some investigations on my servers, I notice we often get lots of
connections in status CLOSE_WAIT and FIN_WAIT_2. I also get lots of
connections in status ESTABLISHED. If I have a look on squid statistics
these are some files giving an idea on the load handled by our machines
..

SUNW,Sun-Fire-V210
2048 Memory size
bge0 100-fdx (or) 1000-fdx
client_http.requests = 242/sec
server.http.requests = 163/sec
Number of clients accessing cache: 1486
cpu_usage = 45.065136%
/dev/dsk/c0t0d0s5 20655529 15015444 5433530  74%  /var/cache0
/dev/dsk/c0t1d0s5 20655529 14971972 5477002  74%  /var/cache1
1746418 Store Entries
(some) 1265 ESTABLISHED tcp connections (at high load)
(some) 132 CLOSE_WAIT (or)  FIN_WAIT_2 connections

so these servers are relatively heavily loaded and this is the reason why
I think I still can tune some tcp/udp values in order to optimize and
reduce the cpu usage on my servers. I already found some ideas on the
net like these values below but this is not guaranteed ..

ndd -set /dev/tcp tcp_time_wait_interval 6
ndd -set /dev/tcp tcp_fin_wait_2_flush_interval 67500
ndd -set /dev/tcp tcp_keepalive_interval 15000

many thanks to help me because we are really in trouble and I am sure we
can solve these little problems by setting/tuning some parameters.

I made some further investigations and found maybe some relevant issues
..

* first of all, seems the tcp queues are not large enough with some
173201 dropped connections

  # netstat -sP tcp | fgrep -i listendrop
tcpListenDrop   =173201 tcpListenDropQ0 = 0

* seems we do not get any connection problems with our servers and l2
switches ... only 280 input errors on 583 days uptime.

  # netstat -i
  Name  Mtu  Net/Dest      Address        Ipkts      Ierrs Opkts      Oerrs Collis Queue
  lo0   8232 loopback      localhost      251726967  0     251726967  0     0      0
  bge0  1500 sbepskcv      sbepskcv       1607581016 280   1645158342 0     0      0
  bge1  1500 sbepskcv-bge1 sbepskcv-bge1  2920250 3355944 0 0 0

* seems we can optimize a bit the tcp time-to-live of connections because I see
hundreds of connections in status
  CLOSE_WAIT FIN_WAIT_2 TIME_WAIT

* this is a command I see on the net but to be honest I do not
understand the output of such a command

  # netstat -k inode_cache
  inode_cache:
  size 157855 maxsize 128252 hits 573916370 misses 
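An added helper, not from the post, that reads the two netstat outputs quoted above (the counters and interface rows are reproduced as constructed samples, the wrapped rows re-joined) and relates tcpListenDrop and tcpListenDropQ0 to the tcp_conn_req_max_q and tcp_conn_req_max_q0 values set in the post:

```python
import re
from typing import Dict, List

# Constructed samples, copied from the output quoted in the post.
NETSTAT_TCP = "tcpListenDrop   =173201 tcpListenDropQ0 = 0\n"
NETSTAT_I = """\
Name  Mtu  Net/Dest      Address        Ipkts      Ierrs Opkts      Oerrs Collis Queue
lo0   8232 loopback      localhost      251726967  0     251726967  0     0      0
bge0  1500 sbepskcv      sbepskcv       1607581016 280   1645158342 0     0      0
"""


def parse_tcp_counters(text: str) -> Dict[str, int]:
    """'netstat -sP tcp' prints 'name = value' pairs, several per line."""
    return {k: int(v) for k, v in re.findall(r"(\w+)\s*=\s*(\d+)", text)}


def parse_netstat_i(text: str) -> Dict[str, Dict[str, int]]:
    """Return {interface: {column: count}} for the numeric columns of 'netstat -i'."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    numeric = ("Ipkts", "Ierrs", "Opkts", "Oerrs", "Collis", "Queue")
    result: Dict[str, Dict[str, int]] = {}
    for row in rows:
        if len(row) != len(header):
            continue  # wrapped or truncated row: skip rather than mis-assign columns
        fields = dict(zip(header, row))
        result[fields["Name"]] = {c: int(fields[c]) for c in numeric}
    return result


def listen_queue_findings(counters: Dict[str, int], max_q: int, max_q0: int) -> List[str]:
    """Relate the two Solaris listen-drop counters to the tunables the post sets.

    tcpListenDrop   - established connections dropped because the accept backlog
                      (tcp_conn_req_max_q) was full: the listener (Squid) was not
                      calling accept() fast enough. Raising the queue buys time;
                      the root cause is how quickly the listener drains it.
    tcpListenDropQ0 - half-open connections dropped from the SYN queue
                      (tcp_conn_req_max_q0), typically under SYN pressure.
    """
    findings = []
    if counters.get("tcpListenDrop", 0):
        findings.append(f"tcpListenDrop={counters['tcpListenDrop']}: accept backlog "
                        f"tcp_conn_req_max_q={max_q} filled; check how fast Squid accepts "
                        f"before only raising the queue")
    if counters.get("tcpListenDropQ0", 0):
        findings.append(f"tcpListenDropQ0={counters['tcpListenDropQ0']}: SYN queue "
                        f"tcp_conn_req_max_q0={max_q0} filled")
    return findings


def input_error_ratio(ifaces: Dict[str, Dict[str, int]], name: str) -> float:
    """Ierrs / Ipkts for one interface, a figure to compare against a baseline."""
    i = ifaces[name]
    return i["Ierrs"] / i["Ipkts"] if i["Ipkts"] else 0.0


if __name__ == "__main__":
    counters = parse_tcp_counters(NETSTAT_TCP)
    for finding in listen_queue_findings(counters, max_q=1024, max_q0=4096):
        print(finding)
    ifaces = parse_netstat_i(NETSTAT_I)
    print(f"bge0 input error ratio: {input_error_ratio(ifaces, 'bge0'):.2e}")
```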

RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-13 Thread Amos Jeffries

hello all,

I currently get some sun v210 boxes running solaris 8 and squid-2.6.12
and samba 3.0.20b. I will upgrade these proxies into 2.7.4/3.0.32 next
monday but before doing this I would like to ask you your advices and/or
experiences with tuning these kind of boxes.

the service is running well today except we regularly get authentication
popup boxes. This is really exasperating our Users. I already spent a lot
of time on the net in the hope of finding a clear explanation about it but
i am still searching. I already configured starting 128 ntlm_auth
processes on each of my servers. This gives better results but the problem
still remains. I also made some patching in my new package I will deploy
next week by overwriting some samba values .. below my little patch ..


Before digging deep into OS settings check your squid.conf auth, acl and
http_access settings.
Check the TTL settings on your auth config. If it's not long enough squid
will re-auth between request and reply.

For the access controls there are a number of ways they can trigger
authentication popups. %LOGIN passed to external helper, proxy_auth
REQUIRED acl, and an auth ACL being last on an http_access line.

Also, interception setups hacked with bad flags to (wrongly) permit auth
can appear working but cause popups on every object request and also leak
clients' credentials to all remote sites that use auth.

Amos
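The ACL-ordering point Amos makes in both replies above (the 'all' silencing hack in the 11-14 reply, and "an auth ACL being last on an http_access line" in the 11-13 one), modelled as a small added example. This is not Squid's code; it covers only the two ACLs from the quoted squid.conf (ntlmauth and all), and the ntlm_auth helper verdict is replaced by a constructed flag on the request.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOW = "allow"
DENY_CHALLENGE = "deny, 407 challenge sent"   # browser re-authenticates
DENY_SILENT = "deny, error page"              # browser learns nothing about auth
DENY_RESET = "deny, TCP_RESET"                # deny_info TCP_RESET all


@dataclass
class Request:
    # None models a request carrying no Proxy-Authorization header at all;
    # `valid` is the constructed verdict of the ntlm_auth helper.
    credentials: Optional[str]
    valid: bool = False


def eval_acl(name: str, req: Request) -> bool:
    """Only the two ACLs used on the page: 'all' and 'ntlmauth' (proxy_auth REQUIRED)."""
    if name == "all":
        return True
    if name == "ntlmauth":
        return req.credentials is not None and req.valid
    raise ValueError(f"unknown acl {name}")


Rule = Tuple[str, List[str]]   # ("allow" | "deny", [acl, acl, ...])


def http_access(rules: List[Rule], req: Request, deny_info_reset: bool = False) -> str:
    """First line whose ACLs all match decides; a line stops at its first non-matching ACL.

    The page's rule: a proxy_auth ACL that cannot match (no or bad credentials)
    makes Squid send a 407 challenge only when it is the LAST ACL on the line.
    Anywhere else it just fails the line silently and evaluation moves on.
    """
    for action, acls in rules:
        stopped_at, matched = acls[-1], True
        for acl in acls:
            negated = acl.startswith("!")
            if eval_acl(acl.lstrip("!"), req) == negated:   # this ACL did not match
                matched, stopped_at = False, acl
                break
        decided_by_auth = stopped_at == acls[-1] and stopped_at.lstrip("!") == "ntlmauth"
        if matched and action == "allow":
            return ALLOW
        if decided_by_auth and not (req.credentials and req.valid):
            return DENY_CHALLENGE
        if matched:                    # a matching deny line
            return DENY_RESET if deny_info_reset else DENY_SILENT
    return DENY_SILENT                 # implicit default after the last line


# The two configurations discussed in the thread.
PAGE_RULES: List[Rule] = [("allow", ["ntlmauth", "all"]), ("deny", ["all"])]  # + deny_info TCP_RESET all
FIXED_RULES: List[Rule] = [("allow", ["ntlmauth"]), ("deny", ["all"])]


def compare() -> dict:
    """Outcome of each configuration for the three kinds of request."""
    cases = {"no credentials": Request(None),
             "bad credentials": Request("NTLM <constructed>", valid=False),
             "valid credentials": Request("NTLM <constructed>", valid=True)}
    return {name: (http_access(PAGE_RULES, r, deny_info_reset=True),
                   http_access(FIXED_RULES, r)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (page, fixed) in compare().items():
        print(f"{name:18} page config -> {page:28} without 'all' -> {fixed}")
```

With the page's configuration no request ever receives a 407, so a browser holding stale credentials is reset rather than re-challenged, which is the behaviour Amos describes.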