Re: [squid-users] NTLM auth popup boxes

From: Adrian Chadd <adrian@dont-contact.us>
Date: Sun, 4 Nov 2007 11:16:37 +0900

On Sat, Nov 03, 2007, Elvar wrote:
> Hello all,
>
> I am currently running squid-2.6.14 on FreeBSD 6-STABLE and Squid is
> configured to authenticate users to the Active Directory database via
> the NTLM plugin. The problem I'm having is that approximately every
> other day or sometimes sooner or sometimes longer, users start getting a
> popup box asking for auth credentials. Normally this is not the case as
> it's handled automatically in the background. I'm forced to restart the
> squid proxy server to resolve this. One thing I notice is that every
> time it happens the number of squid child processes is greater than the
> number listed in squid.conf. Currently I'm set at 'auth_param ntlm
> children 150'. I'm not sure what is causing this login popup box but
> it's really upsetting my users and I need to figure out a solution. Has
> anyone else experienced this? Anyone have any suggestions?

A couple of possibilities:

* Samba can't keep up with your request rate
* Squid is blocking and missing out on processing the NTLM authentication
  results

I suggest a few things:

* How busy is the cache? Do you have graphs? If not, compile with snmp
  support and start graphing whatever you can

* Look at your load and see if you're better off with aufs than ufs;
  aufs won't block (as much!) and should free Squid up to handle the
  helper replies quicker;

* I've seen this happen at "back from lunch" enterprise situations where
  a few hundred people come back and fire up their browsers at the same
  time, overloading the NTLM authentication mechanism. Henrik's
  authentication IP caching patch (ntlm_ip_cache? I forget now) seems
  to do the trick but it comes with certain use restrictions.
  This depends on how busy your caches are; see point 1.

Adrian

>
> squid.conf listed below
>
> Kind regards
> Elvar
>
> ################ Begin squid.conf ################
>
> acl localnet src 192.168.0.0/16
> http_port 192.168.0.1:3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl all src 0.0.0.0/0.0.0.0
> cache_dir ufs /usr/local/squid/cache 500 16 256
> access_log /usr/local/squid/logs/access.log squid
> #cache_log none
> cache_log /usr/local/squid/logs/cache.log
> cache_store_log none
> emulate_httpd_log off
> log_mime_hdrs on
> check_hostnames off
> auth_param ntlm keep_alive on
>
> auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-2590255907-4225717938-1771017636-2445
> auth_param ntlm children 150
> #auth_param ntlm max_challenge_reuses 0
> #auth_param ntlm max_challenge_lifetime 5 minutes
>
> #auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> #auth_param basic children 5
> #auth_param basic realm WT
> #auth_param basic credentialsttl 2 hours
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> ### Needed for Windows Update to work ###
> acl windowsupdate dstdomain .windowsupdate.microsoft.com
> acl windowsupdate dstdomain .update.microsoft.com
> acl windowsupdate dstdomain .download.windowsupdate.com
> acl windowsupdate dstdomain .c.microsoft.com
> acl windowsupdate dstdomain .download.microsoft.com
> http_access allow windowsupdate localnet
> ##########################################
>
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl CONNECT method CONNECT
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl AuthorizedUsers proxy_auth REQUIRED
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow all AuthorizedUsers
> http_access deny all
>
> http_reply_access allow all
> icp_access allow all
>
> cache_effective_user squid
>
> visible_hostname example.com
>
> logfile_rotate 20
>
> coredump_dir /usr/local/squid/cache
>
> ######################### End squid.conf ########################

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Received on Sat Nov 03 2007 - 20:13:57 MDT
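An added example, not from the thread or from Squid itself: a small Python check that turns the two points above into something you can run from cron. It reads the posted settings from squid.conf (ignoring `#` comments), counts running `ntlm_auth` helpers from `ps -axo pid,command` style output (an assumed invocation), and reports when the helper count exceeds `auth_param ntlm children` or when `cache_dir` still uses ufs. The squid.conf excerpt and the process listing are constructed sample input.

```python
import re

def parse_squid_conf(text):
    """Return the NTLM helper pool size and cache_dir type; '#' comments are ignored."""
    cfg = {"ntlm_children": None, "cache_dir_type": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.match(r"auth_param\s+ntlm\s+children\s+(\d+)", line):
            cfg["ntlm_children"] = int(m.group(1))
        elif m := re.match(r"cache_dir\s+(\S+)", line):
            cfg["cache_dir_type"] = m.group(1)
    return cfg

def count_helpers(ps_text, helper="ntlm_auth"):
    """Count helper processes in `ps -axo pid,command` output (header skipped),
    matching on the executable's basename so the install path does not matter."""
    n = 0
    for line in ps_text.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].split()[0].rsplit("/", 1)[-1] == helper:
            n += 1
    return n

def check_helper_pool(conf_text, ps_text):
    """Findings: more helpers running than `auth_param ntlm children` allows
    (the symptom reported in the thread) and a blocking ufs cache_dir."""
    cfg = parse_squid_conf(conf_text)
    running = count_helpers(ps_text)
    findings = []
    if cfg["ntlm_children"] is not None and running > cfg["ntlm_children"]:
        findings.append(f"{running} ntlm_auth helpers running, "
                        f"but auth_param ntlm children is {cfg['ntlm_children']}")
    if cfg["cache_dir_type"] == "ufs":
        findings.append("cache_dir uses ufs; aufs avoids blocking Squid on disk I/O")
    return findings

# Constructed sample input mirroring the thread's configuration.
SAMPLE_CONF = """\
cache_dir ufs /usr/local/squid/cache 500 16 256
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 150
#auth_param basic children 5
"""

def sample_ps(helpers):
    """Constructed `ps -axo pid,command` listing with `helpers` ntlm_auth rows."""
    rows = ["  PID COMMAND", "  812 /usr/local/sbin/squid -D", "  813 (squid) -D"]
    rows += [f"  {900 + i} /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
             for i in range(helpers)]
    return "\n".join(rows) + "\n"
```

Feed it the live squid.conf and `ps` output and alert on a non-empty result; a rising helper count over time is the signal to correlate with the SNMP graphs.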
