Re: [squid-users] questions around NTLM authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 04 May 2010 23:28:45 +0000

On Tue, 04 May 2010 17:45:44 +0200, apmailist_at_free.fr wrote:
> Hello,
>
> Using Squid for 6 years now, quite happily.
> We have moved from ldap to AD authentication a few months ago.
> using :
> squid-2.7.STABLE7
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> external_acl_type ad_group children=30 %LOGIN
> /proxy1/libexec/wbinfo_group.pl
> ntlm_auth and wbinfo come from : samba-common-3.0.33-3.14.el5 (on rhel 5.4)
>
> We are suffering from a few problems :
> - when one of the 2 DC server fails, samba will not failover to the second
> DC server quickly enough for the users comfort. Has anyone faced the same
> problem ? ( we have no SRV records )
> The solution relies entirely on samba config + dns failovers, so I'm not
> hoping
> for a solution on this mailing list. Just other users feedback.
>
> - As a workaround, I would like to increase the value of the
> authenticate-ip-shortcircuit-ttl parameter. It is currently at 300
> seconds, I
> would put it at 36000 seconds (10hours). So the NTLM authentication would
> really only happen once a working day.
> What would be the drawbacks ? Is such a value reasonable technically ? (
> memory
> buffers will handle this correctly ?)

It's a controlled security breach. You are effectively setting that the IP
address (from any machine) is to be assumed as logged in with the initial
users credentials.
 This assumption remains active until the end of the timeout, whether the
user has logged off and another sat down at the machine, or whether the
machine is turned off and another has been assigned the DHCP lease.
Personally, given the choice I'd remove the option entirely from Squid. It
only exists to buffer problems caused by the design of NTLM.

>
> - wbinfo has stopped working twice in two months. (I will tackle this
> topic with
> samba support).
> Again , anyone else seeing such behavior ?
> An excerpt of the cache log :
> Could not get groups for user dotdot
> 2010/04/28 23:47:39| AuthenticateNTLMHandleReply: Helper '0x96b4c90'
> crashed!.
> 2010/04/28 23:47:39| assertion failed: helper.c:332: "!srv->request"
> 2010/04/28 23:47:47| Starting Squid Cache version 2.7.STABLE7 for
> i686-pc-linux-gnu...
> Is this normal that Squid should restart on such a problem ? (just
> wondering).

Restart kills all stored authentication credentials and makes Squid
re-check all requests with the backend.
NTLM requires several handshake HTTP requests to go through for a backend
check. This means Squid has to reject the given end-process NTLM tokens and
fetch new initial tokens from the browser after a restart. The NTLM backend
is also known for its low limit on parallel connections processed which
compounds this type of issue.

>
> Finally, would another authentication means to AD be more reliable ?
> Kerberos
> maybe ?

Yes. Kerberos uses a stronger encryption type and does away with most of
the handshake portion of NTLM. So Squid is able to do a less intrusive
re-check of the tokens after a restart or reconfigure. Also the backends, so
far as I know, have not had the same connection limits reported that NTLM
suffers from.

Additionally, NTLM has been officially deprecated by Microsoft along with
Windows XP and not supported by their Windows 7 and later software.
Kerberos is the model they are moving to.

Amos
Received on Tue May 04 2010 - 23:28:51 MDT
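The configuration trade-off discussed above, shown as an added squid.conf fragment (not taken from the thread or from the Squid project): the 36000-second IP shortcut the poster proposes, beside a setting that keeps the shortcut short and confines it to addresses that are not handed out by DHCP. The `authenticate_ip_shortcircuit_ttl` and `authenticate_ip_shortcircuit_access` directives and the `auth_param ntlm children` option exist in Squid 2.7; the ACL name `static_workstations` and the subnet `10.10.5.0/24` are constructed placeholders for a fixed-address range at the site.

```conf
# --- Proposed (weak): trust "IP == user" for ten hours -----------------
# Any request from an address that authenticated once is accepted as that
# user until the TTL expires, even after a logoff or a new DHCP lease.
# authenticate_ip_shortcircuit_ttl 36000

# --- Tighter alternative (added example) -------------------------------
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
# More helpers reduces the queueing on the NTLM backend mentioned in the
# thread; 30 is the figure the poster already uses for the group lookup.
auth_param ntlm children 30

# Keep the IP shortcut brief. A value of 0 turns it off altogether, which
# is the safest setting when clients share addresses or use DHCP.
authenticate_ip_shortcircuit_ttl 300

# Only allow the shortcut for a range of statically addressed, single-user
# workstations (constructed subnet); DHCP clients still re-authenticate.
acl static_workstations src 10.10.5.0/24
authenticate_ip_shortcircuit_access allow static_workstations
authenticate_ip_shortcircuit_access deny all
```

Where the failing-DC problem makes a long TTL tempting, the access list limits the blast radius: a lease handed to a different machine inside the DHCP pool gets no inherited identity, while the hosts whose address never changes still benefit from the cache.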
