Re: [squid-users] authenticate_ttl and ntlm_auth

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Fri, 24 Jun 2005 09:37:06 +0200

Hi,

At 20.32 23/06/2005, marpon@marpon.com.ar wrote:

>Hi,
>
>I have squid-2.5.STABLE6-3 installed with NTLM authentication to an active
>directory domain. According to the manual, the parameter authenticate_ttl
>and the option ttl of external_acl_type define a cache for authentication
>requests.
>
>But, although I have set them to a 20 minute period, I see in the winbind
>log (and doing a tcpdump of the connection to the domain controller) that
>every request that the squid receives generates an authentication request
>to the domain controller. Is this right? Does the authentication cache
>work with ntlm authentication or is it just for basic/digest?
>
>Here are the interesting settings of my config file:
>
>auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>auth_param ntlm children 5
>auth_param ntlm max_challenge_reuses 100
>auth_param ntlm max_challenge_lifetime 20 minutes
>auth_param ntlm use_ntlm_negotiate on
>
>authenticate_ttl 20 minutes
>
>external_acl_type nt_group ttl=3600 %LOGIN /usr/lib/squid/wbinfo_group.pl
>
>
>Another doubt: what is the relationship between authenticate_ttl and
>max_challenge_lifetime?

This behaviour is correct by Microsoft NTLM design. When negotiated,
NTLM authentication cannot be cached:
You are using "use_ntlm_negotiate on", so every Challenge/Response
request must be handled by Winbind.

When using "use_ntlm_negotiate on", max_challenge_reuses and
max_challenge_lifetime are not (and cannot be) used.

This is the only stable configuration using NTLM; disabling
use_ntlm_negotiate is a worse option.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Fri Jun 24 2005 - 01:37:45 MDT
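An added example, not from either poster: a small linter for the Squid 2.5 NTLM settings discussed in this thread. It parses the quoted config (embedded below as a constructed sample) and reports the settings the reply says are not used when use_ntlm_negotiate is on, plus the fact that authenticate_ttl does not stop per-request Challenge/Response round trips to winbind. The function and key names are the example's own.

```python
# Added example (not code from the thread): lint squid.conf NTLM settings
# against the behaviour explained in the reply above.
import re

# Constructed sample, based on the config quoted in the question.
SAMPLE_CONF = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 100
auth_param ntlm max_challenge_lifetime 20 minutes
auth_param ntlm use_ntlm_negotiate on
authenticate_ttl 20 minutes
external_acl_type nt_group ttl=3600 %LOGIN /usr/lib/squid/wbinfo_group.pl
"""

def parse_ntlm_settings(conf_text):
    """Collect 'auth_param ntlm ...' options and authenticate_ttl from squid.conf text."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"auth_param\s+ntlm\s+(\S+)\s*(.*)$", line)
        if m:
            settings["ntlm." + m.group(1)] = m.group(2).strip()
        elif line.startswith("authenticate_ttl"):
            settings["authenticate_ttl"] = line.split(None, 1)[1]
    return settings

def lint_ntlm_settings(settings):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    negotiate_on = settings.get("ntlm.use_ntlm_negotiate", "").lower() == "on"
    if negotiate_on:
        # With negotiate on, challenge reuse settings are not used (per the reply).
        for key in ("ntlm.max_challenge_reuses", "ntlm.max_challenge_lifetime"):
            if key in settings:
                findings.append(f"{key[5:]} is ignored when use_ntlm_negotiate is on")
        if "authenticate_ttl" in settings:
            findings.append("authenticate_ttl does not cache NTLM: every "
                            "Challenge/Response is still handled by winbind")
    else:
        # Default (off) or explicitly off: the less stable mode the reply warns against.
        findings.append("use_ntlm_negotiate is off: less stable NTLM mode "
                        "(challenge reuse in effect)")
    return findings

if __name__ == "__main__":
    for finding in lint_ntlm_settings(parse_ntlm_settings(SAMPLE_CONF)):
        print("WARN:", finding)
```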