Re: [squid-users] NTLM authentication testing

From: Adrian Chadd <adrian@dont-contact.us>
Date: Tue, 19 Feb 2008 23:09:06 +0900

G'day,

Thanks for this stuff.

Could you possibly try hitting it hard enough to cause Squid to back up
on pending authentications? It'd be good to replicate a "fail" situation;
we can then take that to the samba guys and ask "wtf?"

Adrian

On Tue, Feb 19, 2008, Richard Wall wrote:
> On 2/18/08, Adrian Chadd <adrian@creative.net.au> wrote:
> > Thats basically right - Squid doesn't handle the NTLM itself, it just
> > passes the blob right through. The helper framework can handle hundreds
> > of requests a second without too much thought; I'd like to spend some
> > time figuring out what Samba is doing thats so slow. I thought that winbind
> > was actually handling the NTLM challenge/response stuff itself and caching
> > data rather than passing it upstream to the DC for every request.
> > I haven't yet looked at it, so I can't say for certain that is correct.
>
> I've done some pretty unscientific tests using curl against our Squid box.
> * CPU: Intel(R) Celeron(R) CPU 2.53GHz
> * MemTotal: 2075628 kB
> * Squid2.6 STABLE17 (using epoll)
> * NTLM auth_param ntlm children 100
>
> I've been running multiple curl instances on four clients as follows:
> {{{
>
> # Start 100 background clients, one per second; each loops forever.
> for i in {1..100}; do
>   while true; do
>     # --header Pragma: (empty value) drops curl's default
>     # "Pragma: no-cache" so Squid is allowed to answer from cache.
>     curl -x 192.168.1.97:800 \
>       --proxy-ntlm \
>       --proxy-user "DOMAINNAME\\username:password" \
>       --include \
>       --silent \
>       --header Pragma: http://www.mydomain.com/index.html >/dev/null
>   done &
>   sleep 1
> done
>
> }}}
>
> According to cachemgr this is generating a load of ~250req/sec.
>
> client_http.requests = 252.175917/sec
> client_http.hits = 126.159625/sec
> client_http.errors = 0.000000/sec
> client_http.kbytes_in = 90.109732/sec
> client_http.kbytes_out = 2735.581866/sec
> client_http.all_median_svc_time = 0.851301 seconds
> client_http.miss_median_svc_time = 0.000911 seconds
> client_http.nm_median_svc_time = 0.000000 seconds
> client_http.nh_median_svc_time = 0.000000 seconds
> client_http.hit_median_svc_time = 0.806511 seconds
>
> First problem is that you have to reinterpret the Squid reported hit
> ratios when using NTLM auth. Only half of these are hits, the other
> half being TCP_DENIED/407 that form part of the NTLM auth negotiation.
>
> Second problem is that the majority of requests seem to result in auth
> requests to the DC. There is an article describing Win2003 performance
> counters showing Number of auth requests / sec, but those counters
> don't seem to exist on my copy.
> * http://support.microsoft.com/kb/928576
>
> Instead I used the difference in a minute of the total number of
> security events (as shown in the title bar of the Windows event
> viewer).
> * ~127 successful auth events per second
> ...which is about the same as the client_http.hits reported by squid.
>
> I have the following setting defined in smb.conf:
> * winbind cache time = 10
> ...which clearly isn't being respected.
>
> * Does anyone else see this behaviour or have you managed to get auth
> requests cached by winbindd?
> * Can winbindd even do caching of auth requests or is it only
> concerned with caching other domain data?
>
> If anyone has answers, I'd really appreciate hearing from you. I'll
> continue to experiment and will post my findings.
>
> -RichardW.

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Received on Tue Feb 19 2008 - 06:56:10 MST
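Richard's "first problem" above (cachemgr hit ratios are inflated because every NTLM round-trip shows up as a TCP_DENIED/407 request) is easy to get wrong when reading Squid's own counters. The script below, added here as an illustration and not code from either poster, reads lines in Squid 2.x's native access.log format and reports both the raw and the corrected hit ratio, plus how many 407s each client generated; a client that produces a 407 for nearly every served request is re-authenticating on every request rather than reusing an authenticated connection. The log lines are constructed samples, and the set of result codes treated as hits is an assumption for Squid 2.6.

```python
"""Recompute Squid hit ratios with NTLM/Negotiate 407 round-trips excluded."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Squid 2.x result codes that count as cache hits (assumed set for Squid 2.6).
HIT_CODES = {"TCP_HIT", "TCP_MEM_HIT", "TCP_IMS_HIT", "TCP_REFRESH_HIT", "TCP_NEGATIVE_HIT"}

# Constructed sample in native access.log format (not taken from the thread):
# timestamp elapsed client code/status bytes method URL user peer/host type
SAMPLE_LOG = """\
1203400001.101    812 192.168.1.10 TCP_DENIED/407 2118 GET http://www.mydomain.com/index.html - NONE/- text/html
1203400001.930      1 192.168.1.10 TCP_HIT/200 5530 GET http://www.mydomain.com/index.html DOMAINNAME\\username NONE/- text/html
1203400002.004    790 192.168.1.11 TCP_DENIED/407 2118 GET http://www.mydomain.com/index.html - NONE/- text/html
1203400002.811    120 192.168.1.11 TCP_MISS/200 5530 GET http://www.mydomain.com/index.html DOMAINNAME\\username DIRECT/10.0.0.5 text/html
1203400003.120    805 192.168.1.10 TCP_DENIED/407 2118 GET http://www.mydomain.com/index.html - NONE/- text/html
1203400003.931      1 192.168.1.10 TCP_HIT/200 5530 GET http://www.mydomain.com/index.html DOMAINNAME\\username NONE/- text/html
1203400004.010    798 192.168.1.12 TCP_DENIED/407 2118 GET http://www.mydomain.com/index.html - NONE/- text/html
1203400004.812      2 192.168.1.12 TCP_DENIED/403 1460 GET http://www.mydomain.com/index.html - NONE/- text/html
# not a log line
"""


@dataclass
class Entry:
    client: str
    code: str    # e.g. TCP_DENIED
    status: int  # e.g. 407
    user: str    # "-" when no credentials were accepted for this request


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format access.log line; return None for anything else."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    code, _, status = f[3].partition("/")
    try:
        return Entry(client=f[2], code=code, status=int(status), user=f[7])
    except ValueError:
        return None


def is_ntlm_negotiation(e: Entry) -> bool:
    """A TCP_DENIED/407 is Squid asking for (more) NTLM material, not a real deny."""
    return e.code == "TCP_DENIED" and e.status == 407


def summarize(lines: Iterable[str]) -> dict:
    """Count requests, negotiation round-trips and hits; derive corrected ratios."""
    total = negotiation = hits = 0
    per_client_407: Counter = Counter()
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        total += 1
        if is_ntlm_negotiation(e):
            negotiation += 1
            per_client_407[e.client] += 1
        elif e.code in HIT_CODES:
            hits += 1
    served = total - negotiation  # requests that actually carried a response body
    return {
        "total": total,
        "negotiation_407": negotiation,
        "served": served,
        "hits": hits,
        "raw_hit_ratio": hits / total if total else 0.0,
        "corrected_hit_ratio": hits / served if served else 0.0,
        "negotiation_share": negotiation / total if total else 0.0,
        "clients_with_407": dict(per_client_407),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key:>22}: {value}")
```

Run it against a real access.log with `summarize(open("/var/log/squid/access.log"))`; a negotiation_share near 0.5 reproduces the symptom in the thread, where half of client_http.requests are 407 challenges and the reported hit ratio has to be roughly doubled to get the real figure.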
