Hello, Andre,

> How to know if the helper supports concurrent requests?

You are using /usr/bin/ntlm_auth, and, as far as I know, it does not support concurrency. But I do not know other ntlm-authentication helpers.

> winbindd: Exceeding 500 client connections, no idle connection found
> I will increase this value to check if it helps to settle the issue

I think it will only hide the problem.
In my opinion, it is better to follow Alex's advice and reduce the number of ntlm-helpers. It should prevent the "exceeding the maximum winbind client connections" error messages.
The actual number of required ntlm-helpers can be obtained during the working day.

ps -ef | grep ntlm_auth | grep -v wrapper | grep -v basic | wc -l

You can divide this number by the number of workers and add some spare ones.

When the problem appears again, you can follow the advice of Francesco:

> In order to bisect the problem, could you try using `wbinfo -a` on one
> of the affected machines to authenticate against Active Directory and
> see if the performance is on the winbindd <-> AD side of the equation
> or on the squid <-> ntlm_auth side?

sudo wbinfo -t
sudo wbinfo -a "DOMAIN\username%password"

Kind regards,
Ankor.

Thu, 25 Jul 2024 at 17:43, Andre Bolinhas <[email protected]>:

> Hi
> We have 5 squid workers, we need to handle around 8k concurrent users.
>
> Based on this, what's the auth_param values that you recommend for
> children, idle and startup?
> How to know if the helper supports concurrent requests?
>
> winbindd: Exceeding 500 client connections, no idle connection found
>
> I will increase this value to check if it helps to settle the issue
>
>
> On 25/07/2024 14:28, Alex Rousskov wrote:
>
> On 2024-07-23 19:20, Andre Bolinhas wrote:
>
> winbindd: Exceeding 500 client connections, no idle connection found
>
>
> auth_param ntlm children 500 ...
>
>
> I know virtually nothing about WINBIND and the authentication helper you
> are using, but configuring Squid to have 500 helper processes is usually a
> mistake, even with a single Squid worker. YMMV, but I would try to use a
> lot fewer helpers (e.g., 10) and increase that number only if such an
> increase actually improves things.
>
> If possible, use a helper that supports concurrent requests.
>
> If your Squid is not competing for resources with other applications on
> the server, then I also recommend keeping a _constant_ number of helper
> processes (instead of asking Squid to start many new helper processes at
> the worst possible time -- when the load on Squid increases). To do that,
> make startup and idle parameters the same as the maximum number of
> children.
>
>
> HTH,
>
> Alex.
> P.S. The credit for highlighting the correlation between winbindd errors
> and "auth_param ntlm children 500" goes to Andrey K.
>
> _______________________________________________
> squid-users mailing list
> [email protected]
> https://lists.squid-cache.org/listinfo/squid-users
>
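
The sizing procedure from the thread (count the ntlm_auth helpers during the working day, divide by the number of workers, add spares, keep startup and idle equal to children) as an added example that is not part of any message above. The function names, the default spare margin of 2 and the sample `ps` lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): size Squid NTLM helpers per worker.

# Count ntlm_auth helpers in `ps -ef` output read from stdin. Same filters
# as the pipeline in the message, plus the grep process itself is excluded.
count_ntlm_helpers() {
    awk '/ntlm_auth/ && !/wrapper/ && !/basic/ && !/grep/ { n++ } END { print n + 0 }'
}

# ceil(total / workers) + spare. The spare margin is an assumed value.
helpers_per_worker() {
    total=$1; workers=$2; spare=${3:-2}
    [ "$workers" -gt 0 ] || { echo "workers must be > 0" >&2; return 1; }
    echo $(( (total + workers - 1) / workers + spare ))
}

# Emit the auth_param line with startup and idle equal to children, so the
# number of helper processes stays constant under load.
ntlm_children_line() {
    n=$(helpers_per_worker "$@") || return 1
    echo "auth_param ntlm children $n startup=$n idle=$n"
}

# Constructed sample of `ps -ef` output (not captured from a real host).
SAMPLE_PS='squid 2101 2090 0 09:00 ? 00:00:01 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
squid 2102 2090 0 09:00 ? 00:00:01 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
squid 2103 2090 0 09:00 ? 00:00:02 (ntlm_auth) --helper-protocol=squid-2.5-ntlmssp
squid 2104 2090 0 09:00 ? 00:00:00 (ntlm_auth) --helper-protocol=squid-2.5-basic
squid 2105 2090 0 09:00 ? 00:00:00 /usr/lib/squid/ntlm_auth_wrapper
root  3001 2999 0 09:05 pts/0 00:00:00 grep ntlm_auth'

# Demo on the sample: 3 helpers seen, 5 workers, default spare of 2.
busy=$(printf '%s\n' "$SAMPLE_PS" | count_ntlm_helpers)
ntlm_children_line "$busy" 5
```

On a live proxy, replace the sample with `ps -ef | count_ntlm_helpers` taken at peak load and pass the real worker count.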
