[squid-users] wbinfo_group_helper queue overload

From: Rodrigo Delgadinho <rdelgas@dont-contact.us>
Date: Mon, 4 Oct 2004 15:25:20 -0300

Hello guys,
        
        I need a help.
        I have a Squid server where the users are acessing the Internet
without authetication, and I have configured the Squid to authenticate
with Active Directory and it is working fine in the Lab environment,
but when I tryed to use during the business time I have some problems
that I guess to be just hardware limitation, but I am not sure about
that and maybe I can get a better configuration than this.

        I have tried to use the follow conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 1
auth_param ntlm max_challenge_lifetime 20 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

external_acl_type wbinfo_group_helper %LOGIN
/usr/local/squid/libexec/wbinfo_group.pl
acl proxy_users external wbinfo_group_helper proxy_users

acl users_AD proxy_auth REQUIRED
http_access allow user_AD proxy_users
http_access deny all

        When I use the conf like that I got the follow error message:

 aclMatchExternal: 'wbinfo_group_helper' queue overload. Request rejected.
 aclMatchExternal: 'wbinfo_group_helper' queue overload. Request rejected.
 aclMatchExternal: 'wbinfo_group_helper' queue overload. Request rejected.
 WARNING: All ntlmauthenticator processes are busy.

        and some users could authenticate on the AD but others had problem.
        I incresed the numbers of childrens for the auth_ntlm and
external_acl gradually until the error has gone:
        ( I have about 4000 users).

auth_param ntlm children 50
auth_param basic children 50
external_acl_type wbinfo_group_helper ttl=900 children=125 %LOGIN
/usr/local/squid/libexec/wbinfo_group.pl

        The problem after that was that de CPU utilization went to 100%, and
he users got stucked due access performace. The average proccess
number of the server went to 400. I have tryed something to decrease
the CPU utilization, as stripped the header of wbinfo, and took of
logging, but without success.
                I would like to understand de parameters in the line
of external_acl_type. Should I use children command or concurrency ?
What is the diference ? And how ttl parameter works ?
                So, I did a fallback and I wonder if I can solve it
changing my configuration.
        
Thanks in advance for any help.
        
Rodrigo D.
Received on Mon Oct 04 2004 - 12:25:25 MDT

This archive was generated by hypermail pre-2.1.9 : Mon Nov 01 2004 - 12:00:01 MST