enterprise-support team mailing list archive
Message #06747
[Bug 1712786] [NEW] ntlm_auth helpers began infinitely storming Windows Server 2008R2 AD DC with SMB auth requests, when one or two Windows users starts their Chrome browser with a lot of tabs opened at once (there may be 30 to 70 tabs)
Public bug reported:
Ubuntu 16.04.3 64-bit LTS squid 3.5 proxy server problem:
ntlm_auth helpers began infinitely storming the Windows Server 2008R2 AD DC
with SMB auth requests when one or two Windows users start their
Chrome browser with a lot of tabs opened at once (there may be 30 to 70
tabs). Meanwhile, existing or new clients' browsers freeze completely when
opening web pages. A packet dump didn't show any difference between normal
behavior and the auth request storm except the request rate. CPU load didn't
show any anomalies. Debug entries in cache.log didn't show any errors or
difference from normal behavior except the request rate.
The usual request and response rate with the domain controller, when auth
hangs, is more than 200/second (100 requests per second). Normally it's less
than 5 requests per second.
killall ntlm_auth sometimes helps, sometimes not; more often
systemctl restart squid helps.
I increased the helpers count up to 200 200 300 (start, idle, maximum).
The problem has not gone completely, but has become rare. Is the problem with
the ntlm_auth helper itself or with too low a helpers count? What could be
done to solve it?
Windows clients - Windows 8.1 64 bit, Chrome version - 60, Squid
version: 3.5.12-1ubuntu7.4, Samba server version - 2:4.3.11+dfsg-0ubuntu0.16.04.9.
All updates on the Ubuntu server are installed.
root@proxy05:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
Auth config from squid.conf:
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -i -r -d \
-s "HTTP/proxy05.hq.verita.local@HQ.VERITA.LOCAL" \
-s GSS_C_NO_NAME \
--ntlm /usr/bin/ntlm_auth \
--helper-protocol=squid-2.5-ntlmssp \
--domain=HQ \
-s GSS_C_NO_NAME
auth_param negotiate children 40 startup=5 idle=10
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -P -R \
-b "dc=hq,dc=verita,dc=local" \
-D "proxy05-SQUIDkrb@hq.verita.local" \
-W /etc/squid/ldappass.conf \
-f "sAMAccountName=%s" -h dc01.hq.verita.local
auth_param basic children 30
auth_param basic realm "proxy05 SQUID Proxy Server Basic authentication!"
auth_param basic credentialsttl 2 hours
authenticate_cache_garbage_interval 8 hour
authenticate_ttl 4 hour
** Affects: squid (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to squid in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1712786