RE: [squid-users] some staff are randomly prompted for authentication

From: Charl Papenfus <charl.ipsec@dont-contact.us>
Date: Thu, 28 Jul 2005 11:32:57 +0200

Hi there

Had the same problem at one of my sites before. Squid only spawns a set
number of authentication processes, it's possible that the number of users
trying to reauthenticate at once are more than the number of processes.

Look at auth_param basic children 5 parameter in squid.conf

Regards
Charl
 

-----Original Message-----
From: Hugues Ferland [mailto:hugues@netc.net]
Sent: Wednesday, July 27, 2005 8:00 PM
To: Roger Riggins; squid-users@squid-cache.org
Subject: RE: [squid-users] some staff are randomly prompted for
authentication

IE have problem with multiple connections and NTLM. You should try to set
the following registry values in
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings"

Create the following DWORD values: MaxConnectionsPer1_0Server and
MaxConnectionsPerServer
For both of them, set the value to 1.

Hope this help.

Regards,

Hugues

-----Original Message-----
From: Roger Riggins [mailto:roger.riggins@lsiowa.org]
Sent: July 27, 2005 1:33 PM
To: squid-users@squid-cache.org
Subject: [squid-users] some staff are randomly prompted for
authentication

Hi all,

I'm a Linux noob. I've managed to get Linux, Samba, and Squid working
without bugging anybody. I've run into one hiccup that I'm unable to
figure out.

I'm requiring ntlm authentication for Squid which works great, but I've
had a few calls (and experienced it once myself) where Squid is
prompting for authentication after a user has been surfing already.

I'm hoping somebody will have some insight for me!

Thanks!
Roger Riggins

Here is my environment:

Red Hat Enterprise Linux ES release 3 (Taroon Update 5)
squid-2.5.STABLE3-6.3E.9
samba-3.0.9-1.3E.3 (connected to AD)
Clients are Windows Server 2003 Citrix sessions

Here are my configs:

************************************************
squid.conf:
************************************************

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all

icp_access allow all
visible_hostname cache01
coredump_dir /var/spool/squid
redirector_bypass off
[root@cache01 public]# vi squid.conf
[root@cache01 public]# cat squid.conf

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl AuthorizedUsers proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow all AuthorizedUsers
http_access allow manager localhost
http_access deny manager
http_access allow Safe_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all

icp_access allow all
visible_hostname cache01
coredump_dir /var/spool/squid
redirector_bypass off

************************************************
smb.conf
************************************************

[global]
workgroup = DOMAIN
netbios name = cache01
server string = cache01 cache server
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
password server = *
encrypt passwords = yes
realm = domain.local

[public]
path = /usr/local/public
comment = public share
read only = no

************************************************
nsswitch.conf
************************************************

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

************************************************
krb5.conf
************************************************

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Roger Riggins
Network Administrator
Lutheran Services in Iowa
w: 319.859.3543
c: 319-290-5687
http://www.lsiowa.org
Received on Thu Jul 28 2005 - 03:29:43 MDT

This archive was generated by hypermail pre-2.1.9 : Mon Aug 01 2005 - 12:00:03 MDT