Thank you Amos, this helps us a lot.
Amos Jeffries wrote:
On 15/01/11 07:35, Senthilkumar wrote:
Hi All,

I am using Squid Cache: Version 3.1.8, configured NTLM scheme using
samba, CLAM Av + ICAP and Squid guard.
All of the clients are Windows machines joined to the domain. The browser
authenticates using the ntlm scheme without a pop up for password and
everything is working fine.

We have two issues:
1. We are using many acls to allow and deny websites on the basis of the
ADS groups using wbinfo.pl. From time to time the users are reporting that
the authentication pop up occurs.
In cache.log we can find the following

2011/01/14 12:27:50| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:27:50| WARNING: 25 pending requests queued
2011/01/14 12:56:48| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:56:48| WARNING: 25 pending requests queued
2011/01/14 12:57:36| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:57:36| WARNING: 25 pending requests queued
2011/01/14 14:00:03| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 14:00:03| WARNING: 25 pending requests queued
2011/01/14 14:00:06| WARNING: Closing open FD 229
2011/01/14 14:01:09| WARNING: All ntlmauthenticator processes are busy.

We just increased it to 30 for ntlm and 30 for wbinfo (external); still it
occurs. Does the ntlm scheme have any new behaviour?


Also, wbinfo has a maximum capacity limit of only ~256 lookups, shared across all helpers AFAIK. When this limit is exceeded the lookups get queued. When queue fills clients are rejected.

2. When we browse a website and leave the browser idle for 30 - 60 minutes,
cannot display page occurs.

strange.

In squid.conf we have used following values
half_closed_clients off
client_persistent_connections off
server_persistent_connections off
Does squid have this as default behaviour? Suggest suitable options
in squid conf to overcome it.

Eek!

Firstly, the NTLM scheme authenticates a TCP connection, *not* a user.

Secondly, the NTLM scheme requires *three* full HTTP requests to be performed to authenticate and fetch an object.

So... without persistent connections your Squid and its client browsers are consuming up to 3x the amount of traffic (and bandwidth) they normally would be.


Amos
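
An added example, not part of the original thread and not Squid's own tooling: a small audit that flags the combination discussed above (NTLM configured while persistent connections are switched off) and counts the helper-saturation warnings in cache.log per hour. The sample inputs are constructed from the lines quoted in the thread; the `ntlm_auth` path and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample inputs, modelled on the lines quoted in the thread.
# The helper path is an assumption; the thread does not show the auth_param lines.
SAMPLE_CONF = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
half_closed_clients off
client_persistent_connections off
server_persistent_connections off
"""
SAMPLE_LOG = """\
2011/01/14 12:27:50| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:27:50| WARNING: 25 pending requests queued
2011/01/14 12:56:48| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:56:48| WARNING: 25 pending requests queued
2011/01/14 14:00:03| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 14:00:06| WARNING: Closing open FD 229
"""

BUSY = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}):\d{2}:\d{2}\| WARNING: All (\S+) processes are busy")

def audit_conf(text):
    """Return persistent-connection directives set to 'off' while NTLM is configured."""
    settings, ntlm = {}, False
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(words) < 2:
            continue
        if words[0] == "auth_param" and words[1].lower() == "ntlm":
            ntlm = True
        elif words[0].endswith("_persistent_connections"):
            settings[words[0]] = words[1].lower()  # last occurrence wins
    # NTLM authenticates the TCP connection, so only flag when NTLM is in use.
    return sorted(k for k, v in settings.items() if v == "off") if ntlm else []

def busy_by_hour(log):
    """Count 'All <helper> processes are busy' warnings per (hour, helper)."""
    counts = Counter()
    for line in log.splitlines():
        m = BUSY.match(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts

if __name__ == "__main__":
    print("NTLM with persistent connections off:", audit_conf(SAMPLE_CONF))
    for (hour, helper), n in sorted(busy_by_hour(SAMPLE_LOG).items()):
        print(f"{hour}:00  {helper}: {n} saturation warning(s)")
```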
