[Samba] winbindd: Exceeding 200 client connections, no idle connection found

Jason Haar Jason.Haar at trimble.co.nz
Sun Apr 13 02:57:18 GMT 2008

Elvar wrote:
> Yes, Squid comes with it's own NTLM AUTH mechanism but it does not 
> support the --require-membership option which allows me to force users 
> to be a part of a specific "internet access" group. That's why I'm 
> using winbindd.
This isn't the trusted domain issue that showed up about a month ago is 
it? i.e do you have trusted domains where their domain controllers are 
some distance away over a WAN link?

You don't mention it explicitly, but I'm guessing you're using NTLM 
proxy authentication? As such it means Squid (and winbind for that 
matter) cannot cache any of the authentication requests - they all must 
go through to the backend domain controllers. And if they are remote (ie 
high latency compared with LAN-connected DCs), Squid and winbind will 
spend more and more resources tracking outstanding authentication 
requests. e.g. a single Web page may contain 10+ images - that's 11 auth 
attempts - and with NTLM that means 33 HTTP transactions - for one Web 
page! If you have just a handful of users from remote domains, they will 
swallow a disproportionate amount of your authentication resources. 
There's a bit of HTTP/1.1  Keepalive reuse that speeds things up - but 
effectively it's a cow.

If you can stomach the lack of encryption, go back to Basic proxy 
authentication - squid can cache the hell out of that! I bet you'll find 
all your problems disappear.


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the samba mailing list