Have you considered https://wiki.squid-cache.org/Features/HelperMultiplexer ? If I remember correctly, it can start new helpers on demand up to a configured maximum.
@mobile On Fri, 26 Jul 2024 at 8:23 AM, Andrey K <ankor2...@gmail.com> wrote: > Hello, Andre, > > > > How to know if the helper supports concurrent requests? > You are using /usr/bin/ntlm_auth, and, as far as I know, it does not > support concurrency. But I do not know other ntlm-authentication helpers. > > > winbindd: Exceeding 500 client connections, no idle connection found > > I will increase this value to check if help to settle the issue > I think it will only hide the problem. > In my opinion, it is better to follow the Alex's advice and reduce the > number of ntlm-helpers. It should prevent exceeding the maximum winbind > client connections error messages. > The actual number of required ntlm-helpers can be obtained during the > working day. > ps -ef | grep ntlm_auth | grep -v wrapper | grep -v basic | wc -l > You can divide this number by the number of workers and add some spare > ones. > > When the problem appears again, you can follow the advice of Francesco: > > In order to bisect the problem, could you try using `wbinfo -a` on one > > of the affected machiens to authenticate against Active Directory and > >see if the performance is on the winbindd <-> AD side of the equation > > on on the squid <-> ntlm_auth side? > sudo wbinfo -t > sudo wbinfo -a "DOMAIN\username%password" > Kind regards, > Ankor. > > > > > чт, 25 июл. 2024 г. в 17:43, Andre Bolinhas <andre.bolin...@articatech.com > >: > >> Hi >> We have 5 squid workers, we need to handle around 8k concurrent users. >> >> Based on this, what's the auth_param values that you recommend for >> children, idle and startup? >> How to know if the helper supports concurrent requests? >> >> winbindd: Exceeding 500 client connections, no idle connection found >> >> I will increase this value to check if help to settle the issue >> >> >> On 25/07/2024 14:28, Alex Rousskov wrote: >> >> On 2024-07-23 19:20, Andre Bolinhas wrote: >> >> winbindd: Exceeding 500 client connections, no idle connection found >> >> >> auth_param ntlm children 500 ... >> >> >> I know virtually nothing about WINDBIND and the authentication helper you >> are using, but configuring Squid to have 500 helper processes is usually a >> mistake, even with a single Squid worker. YMMV, but I would try to use a >> lot fewer helpers (e.g., 10) and increase that number only if such an >> increase actually improves things. >> >> If possible, use a helper that supports concurrent requests. >> >> If your Squid is not competing for resources with other applications on >> the server, then I also recommend keeping a _constant_ number of helper >> processes (instead of asking Squid to start many new helper processes at >> the worse possible time -- when the load on Squid increases). To do that, >> make startup and idle parameters the same as the maximum number of >> children. >> >> >> HTH, >> >> Alex. >> P.S. The credit for highlighting the correlation between winbindd errors >> and "auth_param ntlm children 500" goes to Andrey K. >> >> _______________________________________________ >> squid-users mailing list >> squid-users@lists.squid-cache.org >> https://lists.squid-cache.org/listinfo/squid-users >> >>
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
