RE: smb_auth

From: Terry Singleton <terry@dont-contact.us>
Date: Sat, 17 Jun 2000 17:50:18 -0600

very cool, you are right it is all on your website, thanks for your
response.

I am curious what the overhead is in doing these operations, i.e. if we have
hundreds of outgoing authentications, once someone is authenticated is there
still overhead and resources used on the server? Somewhere the
"authentication" of a user must be cached so that they do not have
to continue to auth with every REQUEST.

The reason I ask this is that we are a firewall reseller and the firewall we
use (watchguard) seems to bottom out at 50 users authenticated (it also
supports NT auth and is a linux based firewall). However, I am hoping to
bypass that problem by using smb_auth and having users use SQUID (which will
also increase performance).

I would just hate to recommend this to clients and find out that there is
some bottleneck that limits the number of authenticated users to 100 or so,
I am hoping we can do several hundred. Where would the limitation be SAMBA?
smb_auth? SQUID?

thanks for the response and all your hard work.

-----Original Message-----
From: Richard Huveneers [mailto:richard@hekkihek.hacom.nl]
Sent: Saturday, June 17, 2000 3:46 PM
To: Terry Singleton
Cc: squid-users@ircache.net
Subject: Re: smb_auth

Hi Terry,

> Well I just got SQUID running and using Richard's great smb_auth module it
> auths to NT just perfectly, I did have a couple last questions, I hope, when
> I get prompted for a username and password the default login dialog asks me
> for my username and password and it also displays
>
> Firewall: 192.168.1.250(the ip of the squid)
> REALM: Squid Proxy-caching web server
>
> Is there any way to change any of these values, customize them?

The realm is configurable in the squid.conf file, do a search on the
current string.

> As well in squid.conf where I added the acl proxy:
>
> authenticate_program /usr/local/bin/smb_auth -W DOMAINNAME
> acl domainusers proxy_auth REQUIRED
> http_access allow domainusers
>
> I specified our domain name "DOMAINNAME" and I noticed that when prompted
> for username and password I could actually enter the windows nt
> DOMAINNAME\username notation for my username and it did authenticate me,
> does this mean if we have multiple domains and/or trust relationships that
> we have auth users from multi-domains just by having them use
> DOMAINNAME\username notation? and if so what does that mean for the
> proxyauth file on my domains controller? is smb_auth smart enough to go look
> for it on the right domain controller?

Please have a look at the webpage on smb_auth; it answers most of these
questions. In short: if you specify each domain on the smb_auth command-line
then yes, it will work as expected. Each PDC should carry its own proxyauth
file giving the respective admins the ability to control proxy access for
their users. Alternatively, you can use pass-through authentication if you
want a central proxyauth file.

Regards, Richard.
Received on Sat Jun 17 2000 - 17:42:49 MDT
