Re: [squid-users] squid_kerb_auth High CPU load.

From: Simon Dwyer <mail_at_simmyd.net>
Date: Thu, 19 Apr 2012 10:40:01 +1000

On Thu, 2012-04-19 at 12:15 +1200, Amos Jeffries wrote:
> On 19.04.2012 10:44, Simon Dwyer wrote:
> > Hi all,
> >
> > I have got kerberos working and moved it to production but then the
> > server started smashing its cpu. It seems that the squid_kerb_auth
> > processes are killing the cpu.
> >
> > I have the following in my config.
> >
> > /etc/sysconfig/squid/
> >
> > KRB5RCACHETYPE=none
> > export KRB5RCACHETYPE
> >
> > /etc/squid/squid.conf
> >
> > auth_param negotiate program /usr/bin/negotiate_wrapper
> > --kerberos /usr/lib64/squid/squid_kerb_auth -i -r -s GSS_C_NO_NAME
> > --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > --domain=DOMAIN.EXAMPLE
> > auth_param negotiate children 30
>
> Note that this is 30 wrapper helpers + 30 Kerberos helpers + 30 NTLM
> helpers.
>
>
> > auth_param negotiate keep_alive on
> >
> > From what I have read the first part should fix the high cpu issue but
> > it doesn't seem to help.
> >
> > More the case I am having trouble getting that variable active.
> >
> > Anyone else come up on this?
> >
> > Simon
>
>
> Any hint of what the little details such as...
>
> What version of Squid and squid_kerb_auth are you using?
squid 3.1.10
squid_kerb_auth-1.0.7

>
> Are your clients actually using Negotiate/Kerberos? or just sending
> Negotiate/NTLM, which is no benefit over plain old NTLM.
>
I am using negotiate_wrapper and can see it being authenticated with
squid_kerb_auth.

> Do you have client_persistent_connections and
> server_persistent_connections both enabled?
>

I do not have these in my config as I assumed they were on by default?

> How are you using authentication in your config access controls? order
> is important, any requests you can reject quickly without even doing
> authentication helps.

I am only using authentication in my config once to make sure they are
authenticated and that's it.

Thanks Amos
>
> Amos
Received on Thu Apr 19 2012 - 00:40:11 MDT
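
The message above mentions trouble getting KRB5RCACHETYPE active for the helpers. One way to check what the running squid_kerb_auth processes actually inherited, as an added example that is not part of the original thread: read each helper's environment from /proc. This assumes Linux and enough privilege to read another user's /proc/PID/environ; the function names and the `--scan` switch are hypothetical.

```shell
#!/bin/sh
# Added example: confirm whether running helper processes really have
# KRB5RCACHETYPE in their environment. Assumes the Linux /proc layout.

# env_value FILE VAR
# Print VAR's value from a NUL-separated environ file.
# Returns 1 when VAR is absent or FILE cannot be read.
env_value() {
    tr '\000' '\n' < "$1" | awk -v var="$2" '
        # Match only "VAR=" at the start of an entry, not a longer name.
        index($0, var "=") == 1 {
            print substr($0, length(var) + 2)
            found = 1
            exit
        }
        END { exit !found }'
}

# report_helpers NAME [VAR]
# For every process whose name is exactly NAME, report VAR as seen by
# that process (not as seen by the shell running this script).
report_helpers() {
    name=$1
    var=${2:-KRB5RCACHETYPE}
    for pid in $(pgrep -x "$name"); do
        if val=$(env_value "/proc/$pid/environ" "$var" 2>/dev/null); then
            echo "pid $pid: $var=$val"
        else
            echo "pid $pid: $var not set (or environ unreadable)"
        fi
    done
}

# Run the scan only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    report_helpers squid_kerb_auth
fi
```

A helper reported as "not set" did not inherit the variable from the process that started Squid, whatever the sysconfig file contains.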