Re: [squid-users] NTLM Authenticator with big requests number

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 13 Jan 2009 04:55:50 +1300

Razvan Grigore wrote:
>> From: Serassio Guido <guido.serassio_at_dont-contact.us>
>> Date: Fri, 24 Jun 2005 09:37:06 +0200
>>
>> Hi,
>>
>> This behaviour is correct by Microsoft NTLM design. When negotiated,
>> NTLM authentication cannot be cached:
>> You are using "use_ntlm_negotiate on", so every Challenge/Response
>> request must be handled from Winbind.
>>
>> When using "use_ntlm_negotiate on", max_challenge_reuses and
>> max_challenge_lifetime are not (and cannot be) used.
>>
>> This is the only stable configuration using NTLM, disabling
>> use_ntlm_negotiate is a worse option.
>>
>> Regards
>>
>> Guido
>>
>
> Hello,
>
> I want to know if this is true.

Very high likelihood of being true. Guido is the author of the NTLM
negotiate code.

> I have Squid 3.0.STABLE10 on Centos
> and I successfully implemented an NTLM transparent authenticator for
> my proxy users.
>
> The problem is that my NTLM auth helper has very intense activity
> compared with my external acl helpers.
>
> Here are the details:
>
> NTLM Authenticator Statistics:
> program: /usr/bin/ntlm_auth
> number running: 10 of 10
> requests sent: 5539
> replies received: 5539
> queue length: 0
> avg service time: 0 msec
>
>
> while:
>
> External ACL Statistics: ad_group
> Cache size: 155
> program: /usr/lib/squid/squid_ldap_group
> number running: 5 of 5
> requests sent: 230
> replies received: 230
> queue length: 0
> avg service time: 3 msec
>
> and
>
> External ACL Statistics: host_ad_group
> Cache size: 112
> program: /usr/lib/squid/hostname.pl
> number running: 5 of 5
> requests sent: 162
> replies received: 162
> queue length: 0
> avg service time: 50 msec
>
>
> So I think the external ACLs can successfully cache the requests
> while the ntlm auth can't.
>
> I specified in squid.conf
>
> authenticate_ttl 1 hour
> authenticate_ip_ttl 30 minutes
>
> and at the external acls ttl=1800.
>
> What is the problem? And how can I reduce the AD query number?
>
> Thank you!
> Razvan

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
   Current Beta Squid 3.1.0.3
Received on Mon Jan 12 2009 - 15:57:24 MST
