RE: [squid-users] Re: Re: Tweaking squid_kerb_auth

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 29 Sep 2010 00:54:33 +0000

On Tue, 28 Sep 2010 15:13:56 +0100, Nick Cairncross
<Nick.Cairncross_at_condenast.co.uk> wrote:
> _______________________________________
> From: Markus Moeller [huaraz_at_moeller.plus.com]
> Sent: 27 September 2010 20:41
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] Re: Re: Tweaking squid_kerb_auth
>
>>
>>"Nick Cairncross" <Nick.Cairncross_at_condenast.co.uk> wrote in message
>>news:C8C638C1.11799%nick.cairncross_at_condenast.co.uk...
>>>
>>>Hi Nick,
>>>
>>> The only tweaking which might be required is for MIT based libraries
>>>on a high load system to disable the replay cache by setting
>>>
>>> KRB5RCACHETYPE=none
>>> export KRB5RCACHETYPE
>>>
>>>Markus
>>>
>>>
>>>"Nick Cairncross" <Nick.Cairncross_at_condenast.co.uk> wrote in message
>>>news:C8B7B33A.F61B%nick.cairncross_at_condenast.co.uk...
>>>Hi,
>>>
>>>Running Kerberos auth ok for a while now and I wanted to look at
>>>possibilities of tweaking/optimising it.
>>>
>>>Current helper conf:
>>>auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r -i -s GSS_C_NO_NAME
>>>auth_param negotiate children 10
>>>auth_param negotiate keep_alive on
>>>
>>>400 or so AD users. Squid 3 STABLE 20 at the moment. Not caching, just
>>>authenticate and go.
>>>
>>>What are the list's experiences of increasing children? Resources are
>>>not a problem as the machine is VM and I can always grant more.
>>>
>>>I remember reading something about Kerberos specific option(s) for
>>>squid - something to do with re-using tickets but can't remember. Could
>>>anyone shed some light on it (and their experiences).
>>>
>>>I will be looking at moving to 3.1. Have the extra startup and idle
>>>helped you etc? Have you got any recommendations you have found have
>>>helped?

They do here, but are only added with Squid-3.2.

>>>
>>>I'm interested to hear your experiences/suggestions.
>>>
>>>Thanks,
>>>Nick
>>
>>Hi Markus,
>>Thanks for your input - I wondered something: I know this question
>>depends on my AD infrastructure but how many requests/ps can the 10
>>Kerberos children optimally handle? Could I increase it to increase the
>>Kerberos availability - say to 20 children? Or is that a bad idea?
>>
>
> I don't know the effect of increasing the number of children. I assume
> it is possible to get statistics about how many children are used and
> how often, but the experts have to answer this.

NTLM children are limited severely by Winbind internal limits.

Kerberos does not have these limits so should be able to run as many
children as you need. As others have said 10 is very few for the number of
users.

With the 70% of your users were Kerberos logins. After accounting for the
NTLM handshake overheads I would expect around the same number of Kerberos
children as NTLM ones.

Amos
Received on Wed Sep 29 2010 - 00:54:46 MDT
