Hello James,

This is to confirm that after applying this patch, rebuilding Squid 4.6 and 
deploying it into production of about 700 proxy-connected clients using mostly 
Kerberos authentication, followed by NTLM and Basic LDAP, the mentioned issue 
with the negotiate wrapper went away. No more pop-ups from client browsers.

Best regards,
Rafael Akchurin
Diladele B.V.


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of James Zuelow
Sent: Monday, July 15, 2019 9:11 PM
To: 'squid-users@lists.squid-cache.org'
Subject: [squid-users] Debian Buster, Squid 4.6-1 amd64, "Too few negotiateauthenticator processes are running"

We have a pair of Squid proxies, running as a failover pair with ucarp.

Both of these proxies are domain joined with Samba, and we've been using 
Kerberos authentication for several years.

After Debian Buster was released, we upgraded the failover unit and did some 
basic testing.  Everything seemed to go correctly.  Unfortunately when we 
tested, we didn't put the failover under a serious load - we merely made sure 
each component was working the way we expected it to.

We waited a week, and then updated the primary.

As soon as the primary was updated and assumed a real load, users started 
seeing proxy authentication prompts and the proxy started operating very slowly 
- to the point where sessions would time out.  We quickly rolled to the 
failover, but the problem remained.

Since this was a major version upgrade, everything on the server had changed so 
I had lots of places to look for errors.  I did in fact find that my file 
descriptor settings in limits.conf had reverted back to the default of 1024, 
but even after fixing this the proxy was slow.

I see in the logs many occurrences of "Too few negotiateauthenticator processes 
are running" - the negotiate authenticators look like they're crashing every 
15-45 seconds when the proxy is busy (between 80-100 requests per second at my 
site).

Doing a quick Google, I found this:  
https://github.com/diladele/websafety-issues/issues/1141
Which refers to this:  https://bugs.squid-cache.org/show_bug.cgi?id=4936

The fix referred to in bug 4936 appears to be about a month old.

https://tracker.debian.org/pkg/squid implies that the version of squid in 
Buster is older than that, last merged into testing (now stable) in February.

Before I file a Debian bug report, how could I go about confirming the presence 
of bug 4936 in the current Debian stable version of Squid?  Are the dates good 
enough?

Thank you!

James