Hi,

TBH I haven't had yet a chance to do performance testing of my helper. What you are seeing is the Kerberos replay protection cache. HTTP is the part of the service principal and 501 is the uid of the process. Depending on the request/sec it can be quite a bit as each request will be authenticated. If I find time I will check which part of the helper is creating the load.

Regards
Markus

"J.J." <jayjay...@gmx.de> wrote in message news:20090624140826.52...@gmx.net...
hi Everybody!

i have a problem with authentication helper squid_kerb_auth.
It's consuming too much CPU. 15 min Load average from the squid server is about 5, 5 min average peaks upto 13, see top output

top - 13:48:13 up 15:45,  5 users,  load average: 8.23, 6.21, 4.85
Tasks: 175 total,   2 running, 173 sleeping,   0 stopped,   0 zombie
Cpu(s): 11.0%us, 25.6%sy, 0.0%ni, 45.6%id, 16.3%wa, 0.2%hi, 1.3%si, 0.0%st
Mem:   2073876k total,  2020008k used,    53868k free,   251548k buffers
Swap:  2031608k total,      640k used,  2030968k free,  1029856k cached

The Cache serves about 350 Users, OS is Fedora 10.

From stracing a helper process i saw its opening/writing/reading from and to "/var/tmp/HTTP_501" , which is a 150-200k file, growing and shrinking all the time, containing all the Usernames a few times.

Kerberos as itself works as intended. I already changed number of helper childs, did not help.

I found no suspicious alerts in the cache log or other system logs, just high CPU Usage.

Does anybody know if this behaviour is OK, or how to debug it?

This HTTP_501 file, which contains every Username more than redundant, also makes me curious, as HTTP 501 is error code for "not implemented"

Anybody with Kerberos Config here that can help me with this?

Thanks!

Regards

jay


---krb5.conf

[logging]
default = SYSLOG:VERBOSE:USER

[libdefaults]
default_realm = XXXX
dns_lookup_realm = false
dns_lookup_kdc = false
default_keytab_name = FILE:/etc/krb5.keytab
clockskew = 300

...

[appdefaults]
pam =
{
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

--
GRATIS für alle GMX-Mitglieder: Die maxdome Movie-FLAT!
Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01



Reply via email to