ntlm authentication hangs when Win client connects with many Chrome tabs opened at once

Asked by Konstantin G

Ubuntu 16.04.3 64bit LTS squid 3.5 proxy server problem:

ntlm_auth helpers began infinitely storming the Windows Server 2008R2 AD DC with SMB auth requests when one or two Windows users start their Chrome browser with a lot of tabs opened at once (there may be 30 to 70 tabs). Meanwhile, existing or new clients' browsers freeze completely when opening web pages. The packet dump didn't show any difference between normal behavior and the auth request storm except the request rate. CPU load didn't show any anomalies. Debug entries in cache.log didn't show any errors or difference from normal behavior except the request rate.

killall ntlm_auth sometimes helps, sometimes not; more often systemctl restart squid helps.

I increased the helper count up to 200 200 300 (start, idle, maximum). The problem has not gone completely, but has become rare. Is this a problem with the ntlm_auth helper itself or with too low a helper count? What could be done to solve it?

Windows clients - Windows 8.1 64 bit, Chrome version - 60, Squid version: 3.5.12-1ubuntu7.4, Samba server version - 2:4.3.11+dfsg-0ubuntu0.16.04.9. All updates on ubuntu server are installed.

root@proxy05:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial

Auth config from squid.conf:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
        --kerberos /usr/lib/squid/negotiate_kerberos_auth -i -r -d \
        -s "<email address hidden>" \
        -s GSS_C_NO_NAME \
        --ntlm /usr/bin/ntlm_auth \
        --helper-protocol=squid-2.5-ntlmssp \
        --domain=HQ \
        -s GSS_C_NO_NAME
auth_param negotiate children 40 startup=5 idle=10
auth_param negotiate keep_alive on

auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -P -R \
        -b "dc=hq,dc=verita,dc=local" \
        -D "<email address hidden>" \
        -W /etc/squid/ldappass.conf \
        -f "sAMAccountName=%s" -h dc01.hq.verita.local
auth_param basic children 30
auth_param basic realm "proxy05 SQUID Proxy Server Basic authentication!"
auth_param basic credentialsttl 2 hours

authenticate_cache_garbage_interval 8 hour
authenticate_ttl 4 hour

Launchpad Janitor (janitor) said :
#1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.