ntlm authentication hangs when Win client connects with many Chrome tabs opened at once
Ubuntu 16.04.3 64bit LTS squid 3.5 proxy server problem:
ntlm_auth helpers began infinitely storming Windows Server 2008R2 AD DC with SMB auth requests, when one or two Windows users starts their Chrome browser with a lot of tabs opened at once (there may be 30 to 70 tabs). Meanwhile, existing or new client's browsers freezes opening web pages completely. Packet dump didn't show any difference except requests rate between normal behavior and auth request storm. CPU load didn't show any anomalies. Debug entries in cache.log didn't show any errors or difference with normal behavior except requests rate.
killall ntlm_auth sometimes help, sometimes not, more oftenly helps systemctl restart squid.
I increased helpers count up to 200 200 300 (start, idle, maximum). Problem not gone completely, but become rare. Is that problem with ntlm_auth helper itself or with too low helpers count? What could be done to solve?
Windows clients - Windows 8.1 64 bit, Chrome version - 60, Squid version: 3.5.12-1ubuntu7.4, Samba server version - 2:4.3.11+
root@proxy05:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
Auth config from squid.conf:
auth_param negotiate program /usr/lib/
--kerberos /usr/lib/
-s "<email address hidden>" \
-s GSS_C_NO_NAME \
--ntlm /usr/bin/ntlm_auth \
--domain=HQ \
-s GSS_C_NO_NAME
auth_param negotiate children 40 startup=5 idle=10
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/
-b "dc=hq,
-D "<email address hidden>" \
-W /etc/squid/
-f "sAMAccountName=%s" -h dc01.hq.
auth_param basic children 30
auth_param basic realm "proxy05 SQUID Proxy Server Basic authentication!"
auth_param basic credentialsttl 2 hours
authenticate_
authenticate_ttl 4 hour
Question information
- Language:
- English Edit question
- Status:
- Expired
- For:
- Ubuntu squid Edit question
- Assignee:
- No assignee Edit question
- Last query:
- Last reply: