[squid-users] NTLM auth popup boxes && Solaris 8 tuning for upgrade into 2.7.4

From: <vincent.blondel_at_ing.be>
Date: Wed, 12 Nov 2008 14:01:42 +0100

hello all,

I currently get some sun v210 boxes running solaris 8 and squid-2.6.12
and samba 3.0.20b I will upgrade these proxies into 2.7.4/3.0.32 next
monday but before doing this I would like to ask you your advices and/or
experiences with tuning these kind of boxes.

the service is running well today except we regularly get authentication
popup boxes. This is really exasperating our Users. I already spent lot
of times on the net in the hope finding a clear explanation about it but
i am still searching. I already configured starting 128 ntlm_auth
processes on each of my servers. This gives better results but problem
still remains. I also made some patching in my new package I will deploy
next week by overwrting some samba values .. below my little patch ..

--- samba-3.0.32.orig/source/include/local.h 2008-08-25
23:09:21.000000000 +0200
+++ samba-3.0.32/source/include/local.h 2008-10-09 13:09:59.784144000
+0200
@@ -222,7 +222,7 @@
 #define WINBIND_SERVER_MUTEX_WAIT_TIME ((
((NUM_CLI_AUTH_CONNECT_RETRIES) * ((CLI_AUTH_TIMEOUT)/1000)) + 5)*2)

 /* Max number of simultaneous winbindd socket connections. */
-#define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 200
+#define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 1024

 /* Buffer size to use when printing backtraces */
 #define BACKTRACE_STACK_SIZE 64

I currently do not use 'auth_param ntlm keep_alive on' because I do not
know if it will not cause some side effects for web browser used in our
company (ie/windows xp sp2).

I already use some parameters today like these ones below ...

set shmsys:shminfo_shmseg=16
set shmsys:shminfo_shmmni=32
set shmsys:shminfo_shmmax=2097152
set msgsys:msginfo_msgmni=40
set msgsys:msginfo_msgmax=2048
set msgsys:msginfo_msgmnb=8192
set msgsys:msginfo_msgssz=64
set msgsys:msginfo_msgtql=2048
set rlim_fd_max=8192

arp_cleanup_interval=60000
ip_forward_directed_broadcasts=0
ip_forward_src_routed=0
ip6_forward_src_routed=0
ip_ignore_redirect=1
ip6_ignore_redirect=1
ip_ire_flush_interval=60000
ip_ire_arp_interval=60000
ip_respond_to_address_mask_broadcast=0
ip_respond_to_echo_broadcast=0
ip6_respond_to_echo_multicast=0
ip_respond_to_timestamp=0
ip_respond_to_timestamp_broadcast=0
ip_send_redirects=0
ip6_send_redirects=0
ip_strict_dst_multihoming=1
ip6_strict_dst_multihoming=1
ip_def_ttl=255
tcp_conn_req_max_q0=4096
tcp_conn_req_max_q=1024
tcp_rev_src_routes=0
tcp_extra_priv_ports_add="6112"
udp_extra_priv_ports_add=""
tcp_smallest_anon_port=32768
tcp_largest_anon_port=65535
udp_smallest_anon_port=32768
udp_largest_anon_port=65535
tcp_smallest_nonpriv_port=1024
udp_smallest_nonpriv_port=1024

after some investigations on my servers, I notice we often get lots of
connections in status CLOSE_WAIT and FIN_WAIT_2. I also get lots of
connections in status ESTABLISHED. If I have a look on squid statistics
these are some files giving an idea on the load handled by our machines
..

SUNW,Sun-Fire-V210
2048 Memory size
bge0 100-fdx (or) 1000-fdx
client_http.requests = 242/sec
server.http.requests = 163/sec
Number of clients accessing cache: 1486
cpu_usage = 45.065136%
/dev/dsk/c0t0d0s5 20655529 15015444 5433530 74% /var/cache0
/dev/dsk/c0t1d0s5 20655529 14971972 5477002 74% /var/cache1
1746418 Store Entries
(some) 1265 ESTABLISHED tcp connections (at high load)
(some) 132 CLOSE_WAIT (or) FIN_WAIT_2 connections

so these servers are relatively heavy loaded and this is the reason why
I think I still can tune some tcp/udp values in order to optimize and
reduce the cpu usage on my servers. I already found some ideas on the
net like these values below but this is not guraranteed ..

ndd -set /dev/tcp tcp_time_wait_interval 60000
ndd -set /dev/tcp tcp_fin_wait_2_flush_interval 67500
ndd -set /dev/tcp tcp_keepalive_interval 15000

many thks to help me because we are really in trouble and I am sure we
can solve these little problems by setting/tuning some parameters.

vincent.
-----------------------------------------------------------------
ATTENTION:
The information in this electronic mail message is private and
confidential, and only intended for the addressee. Should you
receive this message by mistake, you are hereby notified that
any disclosure, reproduction, distribution or use of this
message is strictly prohibited. Please inform the sender by
reply transmission and delete the message without copying or
opening it.

Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the
files have NOT been scanned for viruses by the ING mail domain.
Always scan attachments before opening them.
-----------------------------------------------------------------
Received on Wed Nov 12 2008 - 13:01:56 MST

This archive was generated by hypermail 2.2.0 : Fri Nov 14 2008 - 12:00:03 MST