Hello, Andre,

Your logs say:

> winbindd: Exceeding 500 client connections, no idle connection found

So in addition to Francesco's suggestion, you can try to increase the "winbind max clients" parameter in your smb.conf.

Your squid.conf record:

auth_param ntlm children 500 startup=5 idle=1

limits the number of ntlm-helpers, but in the SMP squid configuration this value is multiplied by the number of workers (although I did not notice the activation of multiprocessing support in your squid configuration).

Kind regards,
Andrey

Wed, 24 Jul 2024 at 21:57, Francesco Chemolli <gkin...@gmail.com>:
> Hi Andre,
>
> The chain of services here is:
>
> browser <-> squid <-> ntlm_auth <-> winbindd <-> active directory
>
> In order to bisect the problem, could you try using `wbinfo -a` on one
> of the affected machines to authenticate against Active Directory and
> see if the performance is on the winbindd <-> AD side of the equation
> or on the squid <-> ntlm_auth side?
>
> On Wed, Jul 24, 2024 at 7:27 PM Andre Bolinhas
> <andre.bolin...@articatech.com> wrote:
> >
> > Hi Team.
> >
> > I'm using SQUID 5.9 + winbindd 4.9.5, the authentication method is NTLM.
> >
> > Every day, around 5pm, the internet speed becomes very slow, with users
> > reporting that websites take too long to open.
> >
> > Also, the time that the issue occurs is very strange, since it is when most
> > of the users are not in the office anymore.
> >
> > By doing a deep analysis on the Proxy server, I managed to find this error
> > that could be related with this issue.
> >
> > Cache.log
> > GENSEC login failed: NT_STATUS_LOGON_FAILURE
> > GENSEC login failed: NT_STATUS_LOGON_FAILURE
> > GENSEC login failed: NT_STATUS_LOGON_FAILURE
> > GENSEC login failed: NT_STATUS_LOGON_FAILURE
> >
> > Winbindd.log
> > [2024/07/22 17:06:48.220216, 2] ../source3/winbindd/winbindd.c:1121(remove_client)
> > final write to client failed: Broken pipe
> > [2024/07/22 17:06:48.220319, 0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
> > winbindd: Exceeding 500 client connections, no idle connection found
> > [2024/07/22 17:06:48.261482, 0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
> > winbindd: Exceeding 500 client connections, no idle connection found
> > [2024/07/22 17:06:48.261857, 2] ../source3/winbindd/winbindd.c:1121(remove_client)
> > final write to client failed: Broken pipe
> > [2024/07/22 17:06:48.261926, 0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
> > winbindd: Exceeding 500 client connections, no idle connection found
> > [2024/07/22 17:06:48.276216, 0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
> > winbindd: Exceeding 500 client connections, no idle connection found
> > [2024/07/22 17:06:48.276507, 2] ../source3/winbindd/winbindd.c:1121(remove_client)
> > final write to client failed: Broken pipe
> > [2024/07/22 17:06:48.276568, 0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
> > winbindd: Exceeding 500 client connections, no idle connection found
> > [2024/07/22 17:09:02.512093, 1] ../source4/lib/messaging/messaging.c:83(ping_message)
> > INFO: Received PING message from server 10301 []
> > [2024/07/22 17:09:02.512159, 1] ../source3/lib/messages.c:131(ping_message)
> > INFO: Received PING message from PID 10301 []
> > [2024/07/22 17:11:27.979681, 1] ../source3/winbindd/winbindd_util.c:440(trustdom_list_done)
> > trustdom_list_done: Could not receive trusts for domain BANK
> > [2024/07/22 17:11:27.979756, 1] ../source3/winbindd/winbindd_util.c:440(trustdom_list_done)
> > trustdom_list_done: Could not receive trusts for domain HLGROUP
> > [2024/07/22 17:12:02.612725, 1] ../source4/lib/messaging/messaging.c:83(ping_message)
> > INFO: Received PING message from server 4706 []
> > [2024/07/22 17:12:02.612794, 1] ../source3/lib/messages.c:131(ping_message)
> > INFO: Received PING message from PID 4706 []
> > [2024/07/22 17:15:03.307322, 1] ../source4/lib/messaging/messaging.c:83(ping_message)
> > INFO: Received PING message from server 13541 []
> > [2024/07/22 17:15:03.307477, 1] ../source3/lib/messages.c:131(ping_message)
> > INFO: Received PING message from PID 13541 []
> > [2024/07/22 17:18:02.603927, 1] ../source4/lib/messaging/messaging.c:83(ping_message)
> > INFO: Received PING message from server 27640 []
> > [2024/07/22 17:18:02.603983, 1] ../source3/lib/messages.c:131(ping_message)
> > INFO: Received PING message from PID 27640 []
> >
> > smb.conf
> > [global]
> > netbios name = ASP02
> > log level = 2
> > workgroup = mydom
> > kerberos method = dedicated keytab
> > dedicated keytab file = /etc/krb5.keytab
> > realm = mydom.MY
> > password server = 10.150.1.62
> > security = ads
> > winbind enum groups = No
> > winbind enum users = No
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config mydom:backend = ad
> > idmap config mydom:schema_mode = rfc2307
> > idmap config mydom:range = 10000-999999
> > idmap config mydom:unix_nss_info = yes
> > tls enabled = yes
> > ldap ssl = start tls
> > tls keyfile = tls/key.pem
> > tls certfile = tls/cert.pem
> > tls cafile = tls/ca.pem
> > client ldap sasl wrapping = plain
> > client ntlmv2 auth = Yes
> > client lanman auth = No
> > client ldap sasl wrapping = sign
> > winbind normalize names = No
> > winbind separator = /
> > winbind use default domain = yes
> > winbind nested groups = Yes
> > winbind reconnect delay = 30
> > winbind offline logon = true
> > winbind cache time = 1800
> > winbind refresh tickets = true
> > winbind refresh tickets = true
> > winbind max clients = 500
> > allow trusted domains = Yes
> > server signing = auto
> > client signing = auto
> > lm announce = No
> > ntlm auth = No
> > lanman auth = No
> > preferred master = No
> > local master = No
> > wins support = No
> > encrypt passwords = yes
> > printing = bsd
> > load printers = no
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > min protocol = SMB2
> > client min protocol = SMB2
> > client max protocol = SMB3
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > Squid.conf
> >
> > # kerberos_conf() LockActiveDirectoryToKerberos = 0
> >
> > #
> > #KerbAuthMethod = 0/1 and NOT_NTLM = False
> > auth_param ntlm program /usr/bin/ntlm_auth --domain=mydom.MY --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 500 startup=5 idle=1 concurrency=0 queue-size=2000 on-persistent-overload=ERR
> > auth_param ntlm keep_alive off
> >
> > #
> > # ads groups OK
> > #Other settings
> > auth_param basic credentialsttl 7200 seconds
> > authenticate_ttl 3600 seconds
> > authenticate_ip_ttl 1 seconds
> > authenticate_cache_garbage_interval 3600 seconds
> >
> > acl authFailed src all
> > acl AUTHENTICATED proxy_auth REQUIRED
> > # END NTLM Parameters --------------------------------
> > # Basic authentication for other browser that did not supports NTLM
> > auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> > auth_param basic children 60 startup=2 idle=1
> > auth_param basic realm Active Directory Basic Identification
> > auth_param basic credentialsttl 7200 seconds
> > authenticate_ttl 3600 seconds
> > authenticate_ip_ttl 1 seconds
> > authenticate_cache_garbage_interval 3600 seconds
> >
> > # ldap_auth_ad() EnableAdLDAPAuth = 0 - SKIP
> >
> > # ads groups OK
> >
> > # --------------------------------------------------
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users@lists.squid-cache.org
> > https://lists.squid-cache.org/listinfo/squid-users
>
> --
> Francesco
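As an added example (not from this thread, and not code from the Squid or Samba projects), the following POSIX shell script turns the two observations in the thread into repeatable checks: it counts, per minute, how often winbindd logged "Exceeding N client connections" in a winbindd log, and it compares the effective `winbind max clients` from smb.conf with the number of ntlm_auth helper processes Squid may start, following Andrey's point that `auth_param ... children` is multiplied by `workers` under SMP. The basic-scheme helpers are included in that count because, in the thread's squid.conf, they are also `ntlm_auth` and therefore also winbindd clients. The log lines and config fragments below are constructed to mirror the thread's; the file paths, the `SAMPLE_DIR` temp directory and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: capacity check for the squid -> ntlm_auth -> winbindd chain.
# Not from the thread or from the Squid/Samba projects; sample data is constructed.

# Samba's documented default when "winbind max clients" is not set in smb.conf.
WINBIND_MAX_CLIENTS_DEFAULT=200

# Per-minute count of winbindd's "Exceeding N client connections" messages.
# Output lines look like "2024/07/22 17:06 2" (date, hour:minute, count).
# Usage: count_winbind_overload /var/log/samba/log.winbindd   (path is an assumption)
count_winbind_overload() {
    awk '
        # Samba log header: "[2024/07/22 17:06:48.220319, 0] file.c:123(func)"
        /^\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / { stamp = substr($1, 2) " " substr($2, 1, 5); next }
        # The message follows the header on its own line, so reuse the last stamp.
        /Exceeding [0-9]+ client connections/ { n[stamp]++ }
        END { for (k in n) print k, n[k] }
    ' "$1" | sort
}

# Upper bound on helper processes that each hold a winbindd connection:
# (children of every auth scheme whose program is ntlm_auth) x workers.
# "workers" defaults to 1 when absent, as in the thread's squid.conf.
# Usage: squid_helper_ceiling /etc/squid/squid.conf
squid_helper_ceiling() {
    awk '
        $1 == "auth_param" && $3 == "program"  { uses_winbind[$2] = ($4 ~ /ntlm_auth/) }
        $1 == "auth_param" && $3 == "children" { children[$2] = $4 }
        $1 == "workers" { workers = $2 }
        END {
            if (workers == "") workers = 1
            for (s in children) if (uses_winbind[s]) total += children[s]
            print total * workers
        }
    ' "$1"
}

# Effective "winbind max clients" from smb.conf (Samba default when unset).
# Usage: winbind_max_clients /etc/samba/smb.conf
winbind_max_clients() {
    awk -v def="$WINBIND_MAX_CLIENTS_DEFAULT" '
        BEGIN { FS = "=" }
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        tolower(key) == "winbind max clients" { val = $2; gsub(/[ \t]/, "", val) }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# Returns 0 when winbindd can accept every helper Squid may start, 1 otherwise.
# Usage: check_winbind_capacity squid.conf smb.conf
check_winbind_capacity() {
    ceiling=$(squid_helper_ceiling "$1")
    maxc=$(winbind_max_clients "$2")
    if [ "$ceiling" -gt "$maxc" ]; then
        echo "WARN: squid may hold $ceiling winbindd connections but 'winbind max clients' is $maxc"
        return 1
    fi
    echo "OK: squid helper ceiling $ceiling <= winbind max clients $maxc"
    return 0
}

# Constructed sample inputs mirroring the thread (not the poster's real files).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/log.winbindd" <<'EOF'
[2024/07/22 17:06:48.220319, 0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
  winbindd: Exceeding 500 client connections, no idle connection found
[2024/07/22 17:06:48.261482, 0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
  winbindd: Exceeding 500 client connections, no idle connection found
[2024/07/22 17:07:02.512093, 1] ../source4/lib/messaging/messaging.c:83(ping_message)
  INFO: Received PING message from server 10301 []
[2024/07/22 17:07:15.000001, 0] ../source3/winbindd/winbindd.c:1246(winbindd_listen_fde_handler)
  winbindd: Exceeding 500 client connections, no idle connection found
EOF
cat > "$SAMPLE_DIR/squid.conf" <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --domain=mydom.MY --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 500 startup=5 idle=1 concurrency=0 queue-size=2000 on-persistent-overload=ERR
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 60 startup=2 idle=1
EOF
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
   winbind max clients = 500
EOF

# Stand-alone demo: per-minute overload counts, then the capacity verdict.
count_winbind_overload "$SAMPLE_DIR/log.winbindd"
check_winbind_capacity "$SAMPLE_DIR/squid.conf" "$SAMPLE_DIR/smb.conf" || :
```

With the thread's numbers (500 NTLM helpers plus 60 basic helpers, both `ntlm_auth`, against `winbind max clients = 500`) the check warns even before any SMP multiplier is applied, which matches the "Exceeding 500 client connections" lines in the posted log. The squid.conf parser is deliberately simple: it reads one file and does not follow `include` directives, so run it against the fully assembled configuration.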