Re: [squid-users] Transparent Squid Proxy with Samba 3 NTLM_AUTH and multiple domain controllers

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 1 Jan 2004 19:46:23 +0100 (CET)

On 30 Dec 2003, Dave Augustus wrote:

> And I am thinking this: when a workstation logins to the Domain, it can
> hit *ANY* of the domain controllers, probably the primary. Then when the
> *SAME* client accesses the Internet with IE 6.0, Squid (via NTLM_AUTH)
> verifies the user with *ANY* of the domain controllers.

Yes, and this is how it is supposed to work, and also is how things works
when the user contacts any other Windows server in your network.

> Hence, there is the possibility of 2 sessions, one via the workstation
> and one via Internet Explorer/Squid- both on different domain
> controllers.

There is only one session. The authentication done via Samba (or any other
Windows server) does not start a new session, it just verifies that the
login+password is correct and some permission checks to validate that the
account is not blocked etc.

More likely your first suspicion is correct. The authentication gets
overloaded. The first thing you can try is to increase the number of NTLM
helpers.

Regards
Henrik
Received on Thu Jan 01 2004 - 11:46:26 MST

This archive was generated by hypermail pre-2.1.9 : Sun Feb 01 2004 - 12:00:02 MST