Re: [squid-users] NTLM auth popup boxes

From: Elvar <elvar@dont-contact.us>
Date: Thu, 13 Dec 2007 09:13:12 -0600

Adrian Chadd wrote:
> On Sat, Nov 03, 2007, Elvar wrote:
>
>> Hello all,
>>
>> I am currently running squid-2.6.14 on FreeBSD 6-STABLE and Squid is
>> configured to authenticate users to the Active Directory database via
>> the NTLM plugin. The problem I'm having is that approximately every
>> other day, or sometimes sooner or sometimes longer, users start getting a
>> popup box asking for auth credentials. Normally this is not the case as
>> it's handled automatically in the background. I'm forced to restart the
>> squid proxy server to resolve this. One thing I notice is that every
>> time it happens the number of squid child processes is greater than the
>> number listed in squid.conf. Currently I'm set at 'auth_param ntlm
>> children 150'. I'm not sure what is causing this login popup box but
>> it's really upsetting my users and I need to figure out a solution. Has
>> anyone else experienced this? Anyone have any suggestions?
>>
>
> A couple of possibilities:
>
> * Samba can't keep up with your request rate
> * Squid is blocking and missing out on processing the NTLM authentication
> results
>
> I suggest a few things:
>
> * How busy is the cache? Do you have graphs? If not, compile with snmp
> support and start graphing whatever you can
>
> * Look at your load and see if you're better off with aufs than ufs;
> aufs won't block (as much!) and should free Squid up to handle the
> helper replies quicker;
>
> * I've seen this happen at "back from lunch" enterprise situations where
> a few hundred people come back and fire up their browsers at the same
> time, overloading the NTLM authentication mechanism. Henrik's
> authentication IP caching patch (ntlm_ip_cache? I forget now) seems
> to do the trick but it comes with certain use restrictions.
> This depends on how busy your caches are; see point 1.
>
>
>
> Adrian
>
>
>

Hi Adrian,

Based on your suggestion to try and monitor how busy Squid is, I followed
the directions at http://www.squid-cache.org/~wessels/squid-rrd/ to
produce some graphs. Have you by chance played with this monitoring
setup? I have the graphs displaying but no actual data inside the graphs.

Regards,
Elvar

>> squid.conf listed below
>>
>> Kind regards
>> Elvar
>>
>> ################ Begin squid.conf ################
>>
>> acl localnet src 192.168.0.0/16
>> http_port 192.168.0.1:3128
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>> acl all src 0.0.0.0/0.0.0.0
>> cache_dir ufs /usr/local/squid/cache 500 16 256
>> access_log /usr/local/squid/logs/access.log squid
>> #cache_log none
>> cache_log /usr/local/squid/logs/cache.log
>> cache_store_log none
>> emulate_httpd_log off
>> log_mime_hdrs on
>> check_hostnames off
>> auth_param ntlm keep_alive on
>>
>> auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-2590255907-4225717938-1771017636-2445
>> auth_param ntlm children 150
>> #auth_param ntlm max_challenge_reuses 0
>> #auth_param ntlm max_challenge_lifetime 5 minutes
>>
>> #auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> #auth_param basic children 5
>> #auth_param basic realm WT
>> #auth_param basic credentialsttl 2 hours
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>>
>> ### Needed for Windows Update to work ###
>> acl windowsupdate dstdomain .windowsupdate.microsoft.com
>> acl windowsupdate dstdomain .update.microsoft.com
>> acl windowsupdate dstdomain .download.windowsupdate.com
>> acl windowsupdate dstdomain .c.microsoft.com
>> acl windowsupdate dstdomain .download.microsoft.com
>> http_access allow windowsupdate localnet
>> ##########################################
>>
>>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443 563
>> acl Safe_ports port 80 # http
>> acl CONNECT method CONNECT
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 563 # https, snews
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl AuthorizedUsers proxy_auth REQUIRED
>>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow all AuthorizedUsers
>> http_access deny all
>>
>> http_reply_access allow all
>> icp_access allow all
>>
>> cache_effective_user squid
>>
>> visible_hostname example.com
>>
>> logfile_rotate 20
>>
>> coredump_dir /usr/local/squid/cache
>>
>> ######################### End squid.conf ########################
>>
>
>
Received on Thu Dec 13 2007 - 08:13:28 MST
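Adrian's first question is "how busy is the cache?", and the symptom Elvar describes (a credentials popup) is what a browser shows when the NTLM handshake never completes, i.e. it keeps receiving 407 challenges from Squid. The script below is an added example, not code from the thread or from the Squid project: it reads a Squid native-format access.log (the `access_log ... squid` and `log_mime_hdrs on` settings from the posted squid.conf, which append bracketed header fields after the ten standard columns), reports requests and 407 responses per minute, and flags clients that received more consecutive 407s than a normal NTLM exchange produces. The sample log lines are constructed, and the threshold of two challenges per handshake (one with no credentials, one carrying the NTLM challenge, then success) is an assumption about a healthy keep-alive exchange; tune it to what your own logs show when authentication is working.

```python
#!/usr/bin/env python3
"""Spot NTLM authentication trouble in a Squid native-format access.log.

Added example for the squid-users thread on NTLM popup boxes; not part of Squid.
"""
import sys
from collections import Counter, defaultdict

# Constructed sample lines in Squid's "squid" log format:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
# followed by the "[request-hdrs] [reply-hdrs]" that log_mime_hdrs on appends.
SAMPLE_LOG = """\
1196700000.123    45 192.168.1.10 TCP_MISS/200 1234 GET http://example.com/ DOMAIN\\alice DIRECT/93.184.216.34 text/html [Host: example.com] [Content-Type: text/html]
1196700001.456     2 192.168.1.11 TCP_DENIED/407 1500 GET http://example.com/ - NONE/- text/html [Host: example.com] [Proxy-Authenticate: NTLM]
1196700002.789     3 192.168.1.11 TCP_DENIED/407 1500 GET http://example.com/ - NONE/- text/html [Host: example.com] [Proxy-Authenticate: NTLM TlRMTVNTUAACAAAA]
1196700003.001    50 192.168.1.11 TCP_MISS/200 4321 GET http://example.com/ DOMAIN\\bob DIRECT/93.184.216.34 text/html [Host: example.com] [Content-Type: text/html]
1196700060.500     1 192.168.1.12 TCP_DENIED/407 1500 GET http://example.org/ - NONE/- text/html [Host: example.org] [Proxy-Authenticate: NTLM]
1196700061.600     1 192.168.1.12 TCP_DENIED/407 1500 GET http://example.org/ - NONE/- text/html [Host: example.org] [Proxy-Authenticate: NTLM]
1196700062.700     1 192.168.1.12 TCP_DENIED/407 1500 GET http://example.org/ - NONE/- text/html [Host: example.org] [Proxy-Authenticate: NTLM]
1196700063.800     1 192.168.1.13 TCP_DENIED/407 1500 GET http://example.org/ - NONE/- text/html [Host: example.org] [Proxy-Authenticate: NTLM]
"""


def parse_line(line):
    """Split one native-format line into the fields we need; None if malformed."""
    fields = line.split(None, 10)  # ten standard columns, then the mime headers
    if len(fields) < 10:
        return None
    ts, _elapsed, client, status, _size, _method, url, user, _hier, _ctype = fields[:10]
    code, _, http_status = status.partition("/")
    return {"ts": float(ts), "client": client, "code": code,
            "http": http_status, "user": user, "url": url}


def per_minute_stats(lines):
    """Requests and 407 (proxy auth required) replies per 60-second bucket."""
    stats = defaultdict(lambda: {"requests": 0, "denied_407": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = int(rec["ts"] // 60) * 60
        stats[bucket]["requests"] += 1
        if rec["http"] == "407":
            stats[bucket]["denied_407"] += 1
    return dict(stats)


def stalled_clients(lines, max_challenges=2):
    """Clients whose run of consecutive 407s exceeds a normal NTLM handshake.

    max_challenges=2 is an assumption: one 407 with no credentials, one carrying
    the NTLM challenge, then an authenticated reply. A longer run means the
    browser keeps being challenged, which is when users see the popup.
    """
    streak = Counter()
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client = rec["client"]
        if rec["http"] == "407":
            streak[client] += 1
            if streak[client] > max_challenges:
                flagged.add(client)
        else:
            streak[client] = 0  # any non-407 reply ends the run
    return sorted(flagged)


def main(argv):
    # Usage: ntlm_log_check.py /usr/local/squid/logs/access.log (or no argument for the sample)
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for bucket, s in sorted(per_minute_stats(lines).items()):
        share = 100.0 * s["denied_407"] / s["requests"]
        print(f"{bucket}  requests={s['requests']:6d}  407s={s['denied_407']:6d}  ({share:5.1f}%)")
    for client in stalled_clients(lines):
        print(f"stalled NTLM handshake: {client}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the live access.log when the popups start and compare the 407 share with a quiet period; a jump in 407s while the request rate also jumps points at the helpers being overrun (Adrian's "back from lunch" case), whereas stalled handshakes at a low request rate suggest the helper processes themselves are wedged, which is consistent with the child count exceeding `auth_param ntlm children 150`.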
