Hi Amos,
Thanks for your response.
By using kerberos instead of ntlm scheme can the pop up occurring rarely
can be fixed?
Thanks
Senthil
Amos Jeffries wrote:
> On 31/01/11 18:44, Senthilkumar wrote:
>> Thank you .
>>
>> We are using squid 3.1.8 with 100 children for ntlm scheme. We have
>> about 500 users and around 75 req/sec.
>>
>> In the cache log rarely we see 100 pending ntlm requests and that time
>> squid reconfigures automatically.
>> Is it default behaviour of squid to reconfigure when ntlm are queued.?
>>
>
> No, reconfigure only happens when the administrator or some operating
> system controls runs "squid -k reconfigure".
>
> You may be seeing a crash and restart?
>
>
>> In the cache log we can see following errors also.
>>
>> 2011/01/31 10:59:02| AuthConfig::CreateAuthUser: Unsupported or
>> unconfigured/inactive proxy-auth scheme, 'Basic
>> bnByY1xzaHViaGFuZ2lkOmdhbGF4eUA1Nw=='
>> 2011/01/31 10:59:18| AuthConfig::CreateAuthUser: Unsupported or
>> unconfigured/inactive proxy-auth scheme, 'Basic
>> bnByY1xzaHViaGFuZ2lkOmdhbGF4eUA1Nw=='
>
> Normal message for a proxy without Basic auth configured when the
> client send Basic credentials to it.
>
> Squid is supposed to pause requests during the configure time. So why
> this shows up is a problem that needs to be found.
>
> Amos
>
>> Amos Jeffries wrote:
>>> On Tue, 25 Jan 2011 19:25:33 +0530, Senthilkumar wrote:
>>>> Hi Amos,
>>>>
>>>> I have followed the suggestions provided by you and if use deny
>>>> without "all" i am getting pop up when i access denied sites, it is
>>>> suppressed when i use all.
>>>> We use ntlm scheme to authenticate with domain users, all users can
>>>> authenticate without any prompt, while browsing out of 350 users only
>>>> 5-6 users getting prompt rarely(around 2-3 times a day)
>>>> There is no specific website or time the prompt appears. Please
>>>> suggest some troubleshooting ideas and cause for it.
>>>> The cache.log does not show any errors
>>>
>>> I'm not sure exactly which deny line you are describing as producing a
>>> popup. The config below looks right. Where you deny based on group
>>> lookups
>>> the lines should end with "all", as you saw not having it there
>>> produces
>>> the popup.
>>>
>>>
>>> NTLM can suffer from a few issues on connections and some bugs in
>>> Squid.
>>> Though both of these problems have been worked on and reduced in newer
>>> releases.
>>>
>>> If one of the "allow" group lookups is somehow failing this may
>>> produce a
>>> popup.
>>>
>>> I am not sure how one would check for these in production environment.
>>> The
>>> things to watch out for are the HTTP auth headers for the request
>>> before
>>> during and after the prompt appears. Whether this is happening on a
>>> connection while it stays up, or if the connection drops out on the
>>> challenge. Whether it happened on a new connection using some non-NTLM
>>> auth
>>> (ie a Windows 7 machine trying an unexpected encryption, or some
>>> background
>>> application with the wrong keys).
>>>
>>> Amos
>>>
>>
>
>
Received on Tue Feb 01 2011 - 03:32:13 MST
This archive was generated by hypermail 2.2.0 : Tue Feb 01 2011 - 12:00:04 MST