[squid-users] NTLM helper performance problem

SXB6300 Mailing 2004-04-29, 6:54 pm
Hi everybody,
Here's my problem. We have deployed several squid boxes in a very large environment. Each proxy handles from 1000 to 7000 users, with around 5000 http requests/minute, during peak time. Currently, there is no authentication, except on one test proxy which does NTLM authentication against a Windows 2000 AD.
And that's where the problem stands.
On this NTLM proxy, there are nearly 500 users. The authentication works correctly during 90% of the time, but at certain periods (including peak times), the ntlm helpers' average service time (in cache manager) grows up to 11000ms and so the users must wait several seconds before getting a page. It lasts only a few minutes and then all goes back to normal.
I'm currently running squid 2.5 stable5 with samba 3.0.3rc1 on a RH9 with a 2.4.26 kernel. I have tried all squid 2.5 versions (I recompile it as soon as patches concerning NTLM go out), and samba 3.x versions with no evolution (I was also running the RH 2.4.20-8 kernel previously). Concerning the software configuration, I have tried with/without challenge reuse (to limit authentication requests against the controller) in squid. I also increased winbind cache time, but with no better results.
At this point, I don't really know what else I could try. We need to deploy NTLM on each squid box for administrative reasons, but this is clearly not possible seeing the problems we encounter on the only NTLM proxy. If someone could help me...
Sorry for posting such a long message but this was to clearly explain the problem. Thx in advance.
Pierre-Emmanuel

Henrik Nordstrom 2004-04-29, 6:54 pm
On Fri, 23 Apr 2004, SXB6300 Mailing wrote:
> On this NTLM proxy, there is nearly 500 users. The authentication works correctly during 90% of the time,
> but at certain periods (including peak times), the ntlm helpers average service time (in cache manager) grows
> up to 11000ms and so, the users must wait several seconds before getting a page. It lasts only a few minutes
> and then all goes back to normal.
Is there any sign of disturbance if you ping the domain controllers?
Do wbinfo and friends show any signs of problems when this happens?
It is most likely a problem in winbind or in the communication to your
domain controllers.
Regards
Henrik
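One way to gather the evidence Henrik asks for, as an added example that is not from the thread: a small sampling script that logs the helper average service time from the cache manager next to winbindd liveness, the trust-secret check and the DC round-trip time, so each spike can be matched against what the DC side was doing at that moment. The DC hostname, log path and threshold are placeholders, and the `avg service time: N msec` line it parses is assumed to match the helper statistics report of Squid 2.5's `mgr:ntlmauthenticator` action.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Squid 2.5 cachemgr access from
# localhost on port 3128, squidclient and wbinfo on PATH, and a DC hostname in
# DC_HOST (the default below is a placeholder to replace).
DC_HOST="${DC_HOST:-dc.example.invalid}"
THRESHOLD_MS="${THRESHOLD_MS:-2000}"
LOG="${LOG:-/var/log/squid/ntlm_watch.log}"

# Pull the N out of an "avg service time: N msec" line read from stdin
# (format assumed from the 2.5 helper statistics report); prints nothing
# if the line is absent, e.g. when squidclient could not reach Squid.
helper_avg_ms() {
    awk -F': *' '/avg service time/ { split($2, a, " "); print a[1]; exit }'
}

# Exit 0 when the helper average ($1, msec) exceeds the threshold ($2).
is_spike() {
    [ -n "$1" ] && [ "$1" -gt "$2" ]
}

# One sample line: timestamp, helper avg, winbindd ping, trust secret, DC RTT.
sample_once() {
    ts=$(date '+%Y-%m-%d %H:%M:%S')
    avg=$(squidclient -p 3128 mgr:ntlmauthenticator 2>/dev/null | helper_avg_ms)
    wb=$(wbinfo -p >/dev/null 2>&1 && echo ok || echo FAIL)
    trust=$(wbinfo -t >/dev/null 2>&1 && echo ok || echo FAIL)
    rtt=$(ping -c 1 -w 2 "$DC_HOST" 2>/dev/null | sed -n 's/.*time=\([0-9.]*\).*/\1/p')
    mark=""
    is_spike "$avg" "$THRESHOLD_MS" && mark=" SPIKE"
    echo "$ts helper_avg_ms=${avg:-?} winbindd=$wb trust=$trust dc_rtt_ms=${rtt:-timeout}$mark"
}

# Sample every 10 seconds; a SPIKE line with trust=FAIL or dc_rtt_ms=timeout
# next to it points at the DC or the path to it rather than at the helpers.
watch_loop() {
    while :; do
        sample_once >> "$LOG"
        sleep 10
    done
}

if [ "${1:-}" = "--watch" ]; then
    watch_loop
fi
```

Run it as `sh ntlm_watch.sh --watch &` on the proxy before a peak period and read the log afterwards.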

SXB6300 Mailing 2004-04-29, 6:54 pm
I will check the ping time of the domain controller during the disturbed time (normally in a few hours). From the beginning I have thought of the problem coming from the DC. First, we had a DC that was really busy (Windows AD serving for the Exchange servers and a lot of other things). But I set up a DC just for the NTLM proxy to be sure that the problem wasn't coming from it.
But you're right, I need to go further in that way. But I have already remarked that I often have, during these peak times, a timeout when contacting the DC (in winbind log). Concerning the tests with "wbinfo and friends", what should I look for? wbinfo -t, ... ?
Just another question: do you recommend using challenge reuse or not? Because I was thinking of it as a way to limit the communication with the DC...
Whatever, thx for your answers.
Regards,
Pierre-Emmanuel

Henrik Nordstrom 2004-04-29, 6:54 pm
On Mon, 26 Apr 2004, SXB6300 Mailing wrote:
> Just another question: do you recommend using challenge reuse or not? Because I was
> thinking of it as a way to limit the communication with the DC...
I don't recommend challenge reuse, but if you have a small number of users
and a very busy DC then it may help some. For larger setups it in my
opinion just makes the load too random to predict in a reasonable manner.
But you are welcome to give it a try if you like. But you still need a
relatively high number of helpers. There is a lot to improve on to make
challenge reuse really work the way it should.
There is also the issue with a temporary memory leak in reused challenges
(see known issues).
In the future challenge reuse will be phased out even further in favor of
full NTLMSSP negotiation allowing proper NTLMv2 and NTLM2 operation where
challenge reuse is not an option.
Note: Until HTTP/1.1 is supported by Squid, NTLM performance will be poor
at best due to the nature of NTLM.
Regards
Henrik

SXB6300 Mailing 2004-04-29, 6:54 pm
I'm completely convinced of the performance loss using NTLM authentication, but if I'm right, it's the only way to do a transparent authentication for a client using IE. That's why I'm trying it...
I'm actually testing a new conf without challenge reuse, but I got no "luck" today, no peak time until now. I'll post results as soon as I get some.
As NTLMv2 is supported since samba 3.0.2 (I think), is there a way to do NTLMv2 authentication in squid (I've heard of a registry key to modify in Windows for the client side)? To see if it may change something...
Regards,
Pierre-Emmanuel

Henrik Nordstrom 2004-04-29, 6:54 pm
On Mon, 26 Apr 2004, SXB6300 Mailing wrote:
> I'm actually testing a new conf without challenge reuse, but I got no "luck" today,
> no peak time until now. I'll post results as soon as I get some.
> As NTLMv2 is supported since samba 3.0.2 (I think), is there a way to do NTLMv2
> authentication in squid (I've heard of a registry key to modify in Windows for the
> client side)? To see if it may change something...
See the 2.5.STABLE5 release notes.
challenge-reuse will be automatically disabled when negotiation support is
added to your squid.conf.
Regards
Henrik

SXB6300 Mailing 2004-04-29, 6:55 pm
Thx, as I always keep my old configuration file, I hadn't seen this option.
I have modified my squid.conf and smb.conf to ensure NTLM v2 authentication.
It's up for a few minutes now; I'm just waiting to see what's gonna happen.
Thx again.
Pierre-Emmanuel