Thank you Amos, this helps us a lot.
Amos Jeffries wrote:
> On 15/01/11 07:35, Senthilkumar wrote:
>> Hi All,
>>
>> I am using Squid Cache: Version 3.1.8, configured NTLM scheme using
>> samba, CLAM Av + ICAP and Squid guard.
>> All of the clients are Windows machines joined to the domain. The browser
>> authenticates using the ntlm scheme without a pop up for password and
>> everything is working fine.
>>
>> We have two issues:
>> 1. We are using many acls to allow and deny websites on the basis of the
>> ADS groups using wbinfo.pl. From time to time the users are reporting that
>> the authentication pop up occurs.
>> In cache.log we can find the following
>>
>> 2011/01/14 12:27:50| WARNING: All ntlmauthenticator processes are busy.
>> 2011/01/14 12:27:50| WARNING: 25 pending requests queued
>> 2011/01/14 12:56:48| WARNING: All ntlmauthenticator processes are busy.
>> 2011/01/14 12:56:48| WARNING: 25 pending requests queued
>> 2011/01/14 12:57:36| WARNING: All ntlmauthenticator processes are busy.
>> 2011/01/14 12:57:36| WARNING: 25 pending requests queued
>> 2011/01/14 14:00:03| WARNING: All ntlmauthenticator processes are busy.
>> 2011/01/14 14:00:03| WARNING: 25 pending requests queued
>> 2011/01/14 14:00:06| WARNING: Closing open FD 229
>> 2011/01/14 14:01:09| WARNING: All ntlmauthenticator processes are busy.
>>
>> We just increased it to 30 for ntlm and 30 for wbinfo (external); still it
>> occurs. Does the ntlm scheme have any new behaviour?
>>
>
> Also, wbinfo has a maximum capacity limit of only ~256 lookups, shared
> across all helpers AFAIK. When this limit is exceeded the lookups get
> queued. When the queue fills, clients are rejected.
>
>> 2. When we browse a website and leave the browser idle for 30 - 60 minutes,
>> "cannot display page" occurs.
>
> strange.
>
>> In squid.conf we have used following values
>> half_closed_clients off
>> client_persistent_connections off
>> server_persistent_connections off
>> Does squid have this as default behaviour? Suggest suitable options
>> in squid conf to overcome it.
>
> Eek!
>
> Firstly, the NTLM scheme authenticates a TCP connection, *not* a user.
>
> Secondly, the NTLM scheme requires *three* full HTTP requests to be
> performed to authenticate and fetch an object.
>
> So... without persistent connections your Squid and its client
> browsers are consuming up to 3x the amount of traffic (and bandwidth)
> they normally would be.
>
>
> Amos
Received on Mon Jan 17 2011 - 04:28:41 MST
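
Added example (not part of the original thread, and not Squid project code): a small Python parser that pairs each "All <helper> processes are busy" warning in cache.log with the queue depth logged at the same timestamp and summarises them per hour, so helper saturation can be tracked over time. The log lines are the ones quoted in the post; the function names are assumptions made for this example, and the helper name is matched generically rather than only for ntlmauthenticator.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the cache.log excerpt quoted in the post above.
SAMPLE_LOG = """\
2011/01/14 12:27:50| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:27:50| WARNING: 25 pending requests queued
2011/01/14 12:56:48| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:56:48| WARNING: 25 pending requests queued
2011/01/14 12:57:36| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:57:36| WARNING: 25 pending requests queued
2011/01/14 14:00:03| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 14:00:03| WARNING: 25 pending requests queued
2011/01/14 14:00:06| WARNING: Closing open FD 229
2011/01/14 14:01:09| WARNING: All ntlmauthenticator processes are busy.
"""
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| WARNING: (.*)$")
BUSY_RE = re.compile(r"^All (\S+) processes are busy\.$")
QUEUE_RE = re.compile(r"^(\d+) pending requests queued$")

def helper_saturation(log_text):
    """Return one dict per 'busy' warning: time, helper name, queue depth or None."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a timestamped WARNING line
        when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        busy = BUSY_RE.match(m.group(2))
        queued = QUEUE_RE.match(m.group(2))
        if busy:
            events.append({"time": when, "helper": busy.group(1), "queued": None})
        elif queued and events and events[-1]["time"] == when and events[-1]["queued"] is None:
            # Queue depth line belongs to the busy warning logged in the same second.
            events[-1]["queued"] = int(queued.group(1))
    return events

def per_hour(events):
    """Summarise as {(helper, 'YYYY-MM-DD HH'): (warning_count, max_queue_depth)}."""
    summary = defaultdict(lambda: [0, 0])
    for ev in events:
        key = (ev["helper"], ev["time"].strftime("%Y-%m-%d %H"))
        summary[key][0] += 1
        summary[key][1] = max(summary[key][1], ev["queued"] or 0)
    return {k: tuple(v) for k, v in summary.items()}

if __name__ == "__main__":
    for (helper, hour), (count, depth) in sorted(per_hour(helper_saturation(SAMPLE_LOG)).items()):
        print(f"{hour}:00 {helper}: {count} saturation warnings, max queue {depth}")
```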