[squid-users] questions around NTLM authentication

From: <apmailist_at_free.fr>
Date: Tue, 04 May 2010 17:45:44 +0200


Using Squid for 6 years now, quite happily.
We have moved from ldap to AD authentication a few months ago.
using :
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
external_acl_type ad_group children=30 %LOGIN /proxy1/libexec/wbinfo_group.pl
ntlm_auth and wbinfo come from : samba-common-3.0.33-3.14.el5 (on rhel 5.4)

We are suffering from a few problems :
- when one of the 2 DC server fails, samba will not failover to the second
DC server quickly enough for the users comfort. Has anyone faced the same
problem ? ( we have no SRV records )
The solution relies entirely on samba config + dns failovers, so I'm not hoping
for a solution on this mailing list. Just other users feedback.

- As a workaround, I would like to increase the value of the
authenticate-ip-shortcircuit-ttl parameter. It is currently at 300 seconds, I
would put it at 36000 seconds (10hours). So the NTLM authentication would really
only happen
once a working day.
What would be the drawbacks ? Is such a value reasonable technically ? ( memory
buffers will handle this correctly ?)

- wbinfo has stopped working twice in two months. (I will tackle this topic with
samba support).
Again , anyone else seeing such behavior ?
An excerpt of the cache log :
Could not get groups for user dotdot
2010/04/28 23:47:39| AuthenticateNTLMHandleReply: Helper '0x96b4c90' crashed!.
2010/04/28 23:47:39| assertion failed: helper.c:332: "!srv->request"
2010/04/28 23:47:47| Starting Squid Cache version 2.7.STABLE7 for
Is this normal that SQuid should restart on such a problem ? (just wondering).

Finally, would another authentication means to AD be more reliable ? Kerberos
maybe ?


Received on Tue May 04 2010 - 15:45:54 MDT

This archive was generated by hypermail 2.2.0 : Wed May 05 2010 - 12:00:04 MDT