*nix Thread: Internet Filter is Sloooooooow... (forum: Technical)
  1. #1 Tyiell

    Internet Filter is Sloooooooow...

    Hi all,

    I'm pretty sure this is a Linux problem rather than a filter problem so I've put this here for now...

    Basically I have, at length and with the help of several guides written by people who know far more about Linux than me, built an Internet Filter using squid and dansguardian running on Ubuntu (desktop - not the server edition). It works fine; we use a little program on the client called smoothwallIDT (no relation to the smoothwall products themselves, I'm told) that basically wraps the username and computer details in the IDENT protocol. DansGuardian can then read it and give appropriate group access (banned, moderate filtering, heavy filtering, unbanned).

    The trouble has been that the idt program sometimes doesn't load on boot and so users are not getting internet. So this time I built the filter, bound it to the domain using winbind, samba, kerberos, squid and dans, and with much fiddling have fudged it to authenticate directly from Active Directory using NTLM.

    All well and good - this does actually work. But it is unusably slow. It never takes less than 5 minutes to load Google. Yahoo is timed at 9 minutes. The filter is designed to authenticate using either IDENT or NTLM, so if the idt program is running it uses that instead. In that case, it works fine and loads in seconds.

    Now admittedly I'm not running this system on a proper server, just a desktop workstation. But it is a brand new desktop, an HP dc5800, C2D 3GHz, 2 GB ram, etc. And it is just me on my lone computer having my internet filtered to test it, rather than the whole school. So I don't think it has any excuse to be this slow!!

    As I understand it, ntlm_auth uses a handshake protocol to authenticate, but nothing I have read implies that it should be this slow. If I swap over and make people use this, they will think that we just downgraded to dial-up modems.

    Any thoughts on what I could do to speed things up?

    Many thanks!!

  2. #2 webman
    Anything out of the ordinary in the log files?

    /var/log/messages
    /var/log/squid/ - cache.log, error.log (or whatever else is there)

    Have you tried switching to just NTLM and getting rid of IDENT? Do you have IPv6 enabled? Having IPv6 enabled on IPv4-only networks can sometimes cause networking delays.

    EDIT: And how many child processes do you use for the NTLM auth process? I remember a long time ago we made this a large amount as we thought it would be better; but 5 was sufficient.
    Last edited by webman; 23rd March 2010 at 09:12 AM.

  3. Thanks to webman from:

    Tyiell (24th March 2010)

  4. #3 Jamo
    Weird! I wouldn't think it's the speed; our proxy is an old RM FSeries with about 1GB RAM and a P4 2.4... it's shocking but delivers the web fast enough!!! We use IDENT authentication; it fails sometimes, which is annoying, but most of the time it is reliable.

    Use Wireshark to look for collisions or unnecessary traffic from the box.

  5. Thanks to Jamo from:

    Tyiell (24th March 2010)

  6. #4 Tyiell
    Quote Originally Posted by webman View Post
    Anything out of the ordinary in the log files?

    /var/log/messages
    /var/log/squid/ - cache.log, error.log (or whatever else is there)

    Have you tried switching to just NTLM and getting rid of IDENT? Do you have IPv6 enabled? Having IPv6 enabled on IPv4-only networks can sometimes cause networking delays.

    EDIT: And how many child processes do you use for the NTLM auth process? I remember a long time ago we made this a large amount as we thought it would be better; but 5 was sufficient.
    I have 5 child processes running. I haven't intentionally set IPv6 to enabled - is that a setting in squid, or in the networking on the machine?

    I'll try it without IDENT next and let you know how it does.

    Cheers!

  7. #5 Tyiell
    Quote Originally Posted by Jamo View Post
    Weird! I wouldn't think it's the speed; our proxy is an old RM FSeries with about 1GB RAM and a P4 2.4... it's shocking but delivers the web fast enough!!! We use IDENT authentication; it fails sometimes, which is annoying, but most of the time it is reliable.

    Use Wireshark to look for collisions or unnecessary traffic from the box.
    Good thought - I'll give that a shot!

  8. #6 webman
    I believe disabling IPv6 varies between versions. Google for "Ubuntu <version name> disable ipv6".

    But it will be similar to the procedures outlined in these:

    How-To: Disable IPV6 to speed up Internet. [Archive] - Ubuntu Forums
    How to Disable IPV6 in Ubuntu|Ubuntu Geek

  9. #7 Tyiell
    Hmm. It seems to have stopped working entirely now...

    Earlier this morning when it was working I didn't have anything helpful in the logs. Now I have errors in cache.log as follows:

    Code:
    utils/ntlm_auth.c:173(get_winbind_domain) could not obtain winbind domain name!
    WARNING: ntlmauthenticator #2 (FD 8) exited
    WARNING: ntlmauthenticator #5 (FD 11) exited
    WARNING: ntlmauthenticator #1 (FD 12) exited
    WARNING: ntlmauthenticator #3 (FD 14) exited
    So it has stopped authenticating. All I've changed is disabled IPv6 (which we don't use, so that shouldn't be it) and disabled the IDENT. Which I have now turned back on, but it doesn't fix it. How weird!!

    Once I've beaten it until it works again, I'll carry on with your suggestions, but if this post goes dead for half a day or so, you know it's being stubborn!

    Thanks for your help so far!!

  10. #8 webman
    Can the box still communicate with the internet and the Windows servers? Do things like wbinfo -u, wbinfo -t etc from the terminal.

  11. #9 Tyiell
    Quote Originally Posted by webman View Post
    Can the box still communicate with the internet and the Windows servers? Do things like wbinfo -u, wbinfo -t etc from the terminal.
    wbinfo -u/-t both fail. The server can still see the internet itself, and ping the DC. The computer connected to the internet through it is prompted for a Windows domain-style login box, but rejects a correct login until I get a "squid cache Access Denied" page.

    Not sure what I did to it, but it's not happy

  12. #10 webman
    Perhaps it's grumbling about the IPv6 changes - just for curiosity's sake, un-do the disabling you did before to see if that helps it.

    Again, there could be something in the logs - likely to be in /var/log/samba.

  13. #11 tom_newton
    It may be that your AD is taking too long to respond to queries? I know we cache auth results to keep things nippy, but then I have heard tell of setups like you describe working for smaller numbers of users.

  14. Thanks to tom_newton from:

    Tyiell (24th March 2010)

  15. #12 Tyiell
    Hi all,

    Thanks for your help yesterday! It is all fixed now, but as is so often the case when I work in Linux, I'm not entirely sure what I did to fix it!! I just get frustrated until I just start changing things that look in some way suspicious until I either kill it completely or fix it. Guess I got lucky this time!

    Seriously though, one of the reasons may well be the removal of Ident from the plugins as webman suggested straight out - I had tried this yesterday and had thought it hadn't worked, but as it transpired the system had already mysteriously died by that point.

    In case anyone else stumbles upon this later, it is also worth noting that the permissions on /var/run/samba/winbindd_privileged are set wrong every time the service restarts - it needs the group to be "proxy" and the group needs write access. I'll have to work on a script to change that automatically on the service restart, but for now I'm busy being chuffed that my filter works and authenticates from a Windows domain!! Beers for me tonight!!

    Thanks again for all your suggestions!
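    The permissions fix from this post and the wbinfo checks suggested earlier in the thread, put together as one POSIX sh script. This is an added example, not code posted in the thread or shipped by squid or Samba. It assumes the path /var/run/samba/winbindd_privileged and the helper group "proxy" that the post names (both are overridable variables), and it assumes chmod g+rwx is the right repair: the post asks only for group write, but the helper also needs execute on the directory to reach the socket inside it. The winbind_alive function wraps `wbinfo -t` and `wbinfo -u` so a post-restart hook can act on the exit status.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity check and repair for the
# ntlm_auth -> winbindd path on an Ubuntu squid/dansguardian box.
# Assumptions: squid's helpers run as group "proxy" and winbind's privileged
# pipe directory is /var/run/samba/winbindd_privileged, as named in the thread.
# Both are parameters so the functions work on any path and group.

PIPE_DIR="${PIPE_DIR:-/var/run/samba/winbindd_privileged}"
PROXY_GROUP="${PROXY_GROUP:-proxy}"

# Group that owns a path: 4th column of `ls -ld` (portable across GNU and
# BSD ls, unlike stat's format flags).
dir_group() {
    ls -ld "$1" | awk '{print $4}'
}

# Group-write bit of a path: 6th character of the ls -ld mode string
# (char 1 = type, 2-4 = owner bits, 5-7 = group bits).
dir_group_writable() {
    [ "$(ls -ld "$1" | cut -c6)" = "w" ]
}

# check_pipe_perms DIR GROUP
#   returns 0 if DIR is a directory owned by GROUP with the group write bit set,
#           1 if DIR exists but the group or mode is wrong,
#           2 if DIR does not exist (winbindd not running or not installed).
check_pipe_perms() {
    _dir="$1"; _grp="$2"
    [ -d "$_dir" ] || return 2
    [ "$(dir_group "$_dir")" = "$_grp" ] || return 1
    dir_group_writable "$_dir" || return 1
    return 0
}

# fix_pipe_perms DIR GROUP
#   The repair the thread describes: hand the directory to the proxy group and
#   give that group write access. g+rwx rather than g+w (assumption), because
#   the helper must also traverse the directory to open the socket in it.
fix_pipe_perms() {
    _dir="$1"; _grp="$2"
    [ -d "$_dir" ] || return 2
    chgrp "$_grp" "$_dir" && chmod g+rwx "$_dir"
}

# winbind_alive: the terminal checks suggested in the thread, wrapped so the
# exit status can drive a cron job or a post-restart hook.
#   wbinfo -t  verifies the machine-account trust with the DC
#   wbinfo -u  lists domain users (fails when winbindd cannot reach the DC)
winbind_alive() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed"; return 2; }
    wbinfo -t >/dev/null 2>&1 || { echo "wbinfo -t failed: trust/DC problem"; return 1; }
    wbinfo -u >/dev/null 2>&1 || { echo "wbinfo -u failed: cannot enumerate users"; return 1; }
    return 0
}

# Run the whole check only when asked, e.g. from a hook after winbind starts:
#   sudo sh winbind_check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_pipe_perms "$PIPE_DIR" "$PROXY_GROUP"
    rc=$?
    case "$rc" in
        0) echo "ok: $PIPE_DIR is group $PROXY_GROUP and group-writable" ;;
        1) echo "fixing: $PIPE_DIR had the wrong group or mode"
           fix_pipe_perms "$PIPE_DIR" "$PROXY_GROUP" || exit 1 ;;
        2) echo "missing: $PIPE_DIR (is winbindd running?)"; exit 2 ;;
    esac
    winbind_alive || exit 1
fi
```

    Run it as root with --run after winbind restarts; the distinct return codes let a caller tell "directory missing" (winbindd is not up yet) from "directory exists but squid's helper cannot use it", which is the failure mode the post describes.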

  16. #13 webman
    You're welcome.

    Quote Originally Posted by Tyiell View Post
    It is all fixed now, but as is so often the case when I work in Linux, I'm not entirely sure what I did to fix it!!
    Sounds strangely familiar!
