[Samba] winbindd: Exceeding 200 client connections, no idle connection found
Jason Haar
Jason.Haar at trimble.co.nz
Sun Apr 13 02:57:18 GMT 2008
Elvar wrote:
>
> Yes, Squid comes with its own NTLM AUTH mechanism but it does not
> support the --require-membership option which allows me to force users
> to be a part of a specific "internet access" group. That's why I'm
> using winbindd.
>
This isn't the trusted domain issue that showed up about a month ago is
it? i.e. do you have trusted domains where their domain controllers are
some distance away over a WAN link?
You don't mention it explicitly, but I'm guessing you're using NTLM
proxy authentication? As such it means Squid (and winbind for that
matter) cannot cache any of the authentication requests - they all must
go through to the backend domain controllers. And if they are remote (i.e.
high latency compared with LAN-connected DCs), Squid and winbind will
spend more and more resources tracking outstanding authentication
requests. e.g. a single Web page may contain 10+ images - that's 11 auth
attempts - and with NTLM that means 33 HTTP transactions - for one Web
page! If you have just a handful of users from remote domains, they will
swallow a disproportionate amount of your authentication resources.
There's a bit of HTTP/1.1 Keepalive reuse that speeds things up - but
effectively it's a cow.
If you can stomach the lack of encryption, go back to Basic proxy
authentication - Squid can cache the hell out of that! I bet you'll find
all your problems disappear.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
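The arithmetic in the message above (one NTLM handshake per object, three HTTP transactions each, Basic credentials cacheable by Squid) can be turned into a small traffic model. The following is an added example, not code from the post, from Squid or from winbindd; the DC latency, the number of keep-alive connections per page, the credential TTL and the user name are constructed assumptions chosen only to make the comparison visible.

```python
"""Traffic model for NTLM vs. Basic proxy authentication through Squid.

Constructed example: it models the round trips the post describes
(three transactions per NTLM handshake, Basic credentials cacheable by
Squid) so the cost of a high-latency DC can be compared. It is not Squid
or winbindd code; the numbers below are assumptions, not measurements.
"""
from dataclasses import dataclass, field


@dataclass
class DomainController:
    """A DC reached through winbindd; latency_ms is the proxy-to-DC round trip (assumed)."""
    latency_ms: float
    lookups: int = 0


@dataclass
class Proxy:
    dc: DomainController
    basic_ttl_s: int = 3600                            # assumed credential cache lifetime
    http: int = 0                                      # HTTP transactions seen by the proxy
    wan_ms: float = 0.0                                # time spent waiting on the DC
    basic_cache: dict = field(default_factory=dict)    # (user, pw) -> expiry time
    basic_seen: set = field(default_factory=set)       # users whose browser was challenged once

    def _dc_lookup(self):
        self.dc.lookups += 1
        self.wan_ms += self.dc.latency_ms

    def ntlm_page(self, objects: int, connections: int) -> int:
        """Fetch a page of `objects` URLs with NTLM. Each fresh connection needs a
        full handshake (407, 407 + challenge, authenticated request = 3 transactions)
        and one winbindd/DC round trip; objects reusing an already-authenticated
        keep-alive connection cost a single transaction. connections == objects
        models no reuse at all. Returns the number of handshakes performed."""
        handshakes = min(objects, connections)
        self.http += 3 * handshakes + (objects - handshakes)
        for _ in range(handshakes):
            self._dc_lookup()
        return handshakes

    def basic_page(self, user: str, password: str, objects: int, now: float) -> int:
        """Fetch a page with Basic auth. The browser is challenged once (407) and
        then sends Authorization preemptively; the proxy verifies a user/password
        pair at the DC only when its cache has no unexpired entry for it.
        Returns the number of DC lookups this page caused."""
        lookups_before = self.dc.lookups
        for _ in range(objects):
            if user in self.basic_seen:
                self.http += 1
            else:
                self.http += 2          # unauthenticated request + retry with credentials
                self.basic_seen.add(user)
            key = (user, password)
            if self.basic_cache.get(key, -1.0) < now:
                self._dc_lookup()
                self.basic_cache[key] = now + self.basic_ttl_s
        return self.dc.lookups - lookups_before


def compare(pages: int = 5, objects: int = 11, dc_latency_ms: float = 150.0,
            keepalive_connections: int = 6) -> dict:
    """Same browsing session (pages x objects, one user) under three policies.
    Returns {policy: (http_transactions, dc_lookups, wan_ms)}."""
    results = {}
    # NTLM, every object on a fresh connection: the 11 objects -> 33 transactions case
    p = Proxy(DomainController(dc_latency_ms))
    for _ in range(pages):
        p.ntlm_page(objects, connections=objects)
    results["ntlm"] = (p.http, p.dc.lookups, p.wan_ms)
    # NTLM with keep-alive: a handful of persistent connections per page (assumed 6)
    p = Proxy(DomainController(dc_latency_ms))
    for _ in range(pages):
        p.ntlm_page(objects, connections=keepalive_connections)
    results["ntlm_keepalive"] = (p.http, p.dc.lookups, p.wan_ms)
    # Basic with credential caching: one DC lookup per user per TTL
    p = Proxy(DomainController(dc_latency_ms))
    for n in range(pages):
        p.basic_page("alice", "s3cret", objects, now=float(n))  # constructed user
    results["basic"] = (p.http, p.dc.lookups, p.wan_ms)
    return results


if __name__ == "__main__":
    for policy, (http, lookups, wan) in compare().items():
        print(f"{policy:15s} http={http:4d} dc_lookups={lookups:3d} wan_wait={wan:.0f} ms")
```

With the default assumptions, five pages of eleven objects cost 55 DC round trips under NTLM without connection reuse, 30 with keep-alive, and a single round trip under Basic, which is the effect the post attributes to Squid's credential caching; the model deliberately ignores the lost confidentiality of Basic that the post also points out.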