Hi Peter
"Nick Cairncross" <nick.cairncr...@condenast.co.uk> wrote in message
news:c9782338.5940f%nick.cairncr...@condenast.co.uk...
On 09/02/2011 09:34, "guest01" <gues...@gmail.com> wrote:
Hi,
We are currently using Squid 3.1.10 on RHEL5.5 and Kerberos
authentication for most of our clients (authorization with an icap
server). At the moment, we are serving approx 8000 users with two
servers. Unfortunately, we have performance troubles with our Kerberos
authentication. Load values are way tooooo high ...
10:19:58 up 16:14, 2 users, load average: 23.03, 32.37, 25.01
10:19:59 up 15:37, 2 users, load average: 58.97, 57.92, 47.73
Peak values have been >70 for the 5min interval. At the moment, there
are approx 400 hits/second (200 per server). We already disabled
caching on harddisk. Avg service time for Kerberos is up to 2500ms
(which is quite long).
Our kerberos configuration looks pretty simple:
#KERBEROS
auth_param negotiate program
/opt/squid/libexec/negotiate_kerberos_auth -s HTTP/fqdn -r
auth_param negotiate children 30
auth_param negotiate keep_alive on
Is there anyway for further caching or something like that?
For testing purposes, we authenticated a certain subnet by IP and load
values decreased to <1. (Unfortunately, this is not possible because
every user gets a policy assigned by its username)
Any ideas anyone? Are there any kerberos related benchmarks available
(could not find any), maybe this issue is not a problem, just a
limitation and we have to add more servers?
Thanks!
best regards
Peter
Peter,
I have pretty much the same setup as you - just 3.1.8, though only 700
users.
Have you disabled the replay cache:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
But beware of a memory leak (depending on your libs of course):
http://squid-web-proxy-cache.1019090.n4.nabble.com/Intermittent-SquidKerbAu
th-Cannot-allocate-memory-td3179036.html. I have a call outstanding with
RH at the moment.
Could you try disabling the replay cache ? Did it improve the load ?
Are your rules repeating requesting authentication unnecessarily when it's
already been done? Amos was very helpful when advising on this (search for
the post..)
8000 users.. Only 30 helpers? What does cachemgr say about used negotiate
helper stats, timings/sec etc.
Is your krb5.conf using the nearest kdc in it's own site etc?
The kdc is only important for the client. The server (squid) never talks to
the kdc.
Some load testers out there incorporate Kerberos load testing.
Just my thoughts..
Nick
The information contained in this e-mail is of a confidential nature and is
intended only for the addressee. If you are not the intended addressee,
any disclosure, copying or distribution by you is prohibited and may be
unlawful. Disclosure to any party other than the addressee, whether
inadvertent or otherwise, is not intended to waive privilege or
confidentiality. Internet communications are not secure and therefore
Conde Nast does not accept legal responsibility for the contents of this
message. Any views or opinions expressed are those of the author.
The Conde Nast Publications Ltd (No. 226900), Vogue House, Hanover Square,
London W1S 1JU
