[squid-users] ntlm update

From: Robert Collins <robert.collins@dont-contact.us>
Date: 03 Sep 2001 21:28:11 +1000

Over the last couple of weeks we (Kinkie and I) have stabilised a number
of issues with the ntlm code.

I encourage those of you who are early adopters to update to the latest
NTLM code, which is available from the squid-cache.org page
http://www.squid-cache.org/Versions/v2/2.5/. You need a snapshot from
the 3rd of September or later to get these changes.

Squid 2.5 will hopefully be feature frozen soon, and it's our goal to
have the NTLM code production ready by then - so any and all feedback is
welcomed! (Send to this list please).

The significant changes include:
* Only show the "Direction before Authenticate" message when unusual
conditions occur, not during normal authentication error conditions.
* Don't get stuck ntlm helpers.
* Fix a race condition within the NTLMSSP helper.
* Handle reconfiguration without asserting if outstanding ntlm
authentication is occurring. (The users may still get an error window).
* When an NTLM authentication error occurs for a given user, only fail
that connection, not all of that user's authentication requests - this
should lead to an appearance of better reliability.

There are a number of smaller changes as well, all adding to reliability
and somewhat reducing configuration complexity.

NOTE: The parameters for the NTLMSSP helper have changed - be sure to
review them by running ntlm_auth -h

NOTE #2: Because squid cannot choose the challenge issued to the client,
if a problem with squid-DC communication occurs, the client _will_ receive
a popup password prompt. We cannot avoid that, so if you have flakey DC
communications, you may want to use the ntlm fail open option. This does
reduce the security somewhat, but allows you to prevent minor DC
problems causing user headaches.
  In the future we hope to have a ntlm helper that can choose the
challenge to be used with the DC, which will allow us to handle DC
communication problems much better. Contacts have already been
established with the Samba team to work on this issue.

Rob
Received on Mon Sep 03 2001 - 05:28:08 MDT