[squid-users] R: [squid-users] Problems authenticator on huge systems

From: Job <Job_at_colliniconsulting.it>
Date: Thu, 13 Oct 2011 16:48:00 +0200

Hello Luis,
nice reply, first of all, very very interesting...

I noticed in 3.1.8 it seems I cannot place the credentialsttl directive, I can only - in the ntlm schema - insert this: auth_param ntlm keep_alive on.

Is it right? I read it could give some incompatibility problems with IE.

Are there some other parameters to put, in the ntlm schema, 5-minutes cache?

Thank you again,
Francesco

________________________________________
From: Luis Daniel Lucio Quiroz [luis.daniel.lucio_at_gmail.com]
Sent: Thursday, 13 October 2011 15:49
To: frantz_at_itcserra.net
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Problems authenticator on huge systems

2011/10/13 Francesco <frantz_at_itcserra.net>:
> Hello,
>
> in a proxy server with some hundreds of users, I experience temporary
> problems with ntlm authentication; Squid says access deny for some
> minutes, then everything returns working without any actions.
>
> In cache.log i noticed these errors:
> AuthNTLMUserRequest::authenticate: attempt to perform authentication
> without a connection!
>
> I raised up the per-process max open files to 4096; do you think I am low
> of authenticator process (200)?
> Could it be this the problem?
>
> I have no cache on ntlm auth helper...
>
> Thank you,
> Francesco
>

HELO Francesco,

My first thought is that you shall consider an NTLM cache, about 5 minutes.
The fact is that NTLM authentication does not work like basic
authentication. I mean, in basic authentication, once the browser
sends credentials, it always sends credentials each time without
requesting them again. In NTLM, as I understand it, it is quite
different: browsers, after a lapse of time, will stop sending
credentials (the hash). So a cache will really offload the samba/AD
to which you are forwarding auth requests.

Taking your message as a reference, and without other evidence, I
guess the problem is not between browser-squid, it could be
squid-ad/samba.

LD
http://www.twitter.com/ldlq
Received on Thu Oct 13 2011 - 14:49:44 MDT
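
Added example, not part of the original thread: a small Python script that groups the cache.log error quoted above into burst windows, so the "access denied for some minutes" periods can be lined up against the Samba/AD side. The timestamps and the unrelated line are constructed sample data, and the "YYYY/MM/DD HH:MM:SS| message" line layout, the 2-minute gap and the 3-hit threshold are assumptions to adjust.

```python
import re
from datetime import datetime, timedelta

# Error text as quoted in the thread (joined onto one line).
ERR = ("AuthNTLMUserRequest::authenticate: attempt to perform "
       "authentication without a connection!")

# Constructed sample lines in the assumed cache.log layout.
SAMPLE = [
    f"2011/10/13 09:01:12| {ERR}",
    f"2011/10/13 09:01:40| {ERR}",
    "2011/10/13 09:02:05| (constructed unrelated log line)",
    f"2011/10/13 09:02:50| {ERR}",
    f"2011/10/13 09:04:30| {ERR}",
    f"2011/10/13 09:20:00| {ERR}",   # isolated hit, not a burst
]

# Optional " kidN" tag before the pipe is tolerated (SMP-era Squid builds).
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?: \w+)?\| (.*)$")


def error_windows(lines, gap=timedelta(minutes=2), min_hits=3):
    """Return (start, end, hits) for each burst of ERR.

    A burst is a run of hits where each one follows the previous
    by no more than `gap`; runs shorter than `min_hits` are dropped.
    """
    windows = []
    for line in lines:
        m = LINE.match(line.rstrip("\n"))
        if not m or ERR not in m.group(2):
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if windows and ts - windows[-1][1] <= gap:
            windows[-1][1] = ts        # extend the current burst
            windows[-1][2] += 1
        else:
            windows.append([ts, ts, 1])  # start a new burst
    return [(s, e, n) for s, e, n in windows if n >= min_hits]


if __name__ == "__main__":
    # Replace SAMPLE with open("/path/to/cache.log") to scan a real log.
    for start, end, hits in error_windows(SAMPLE):
        print(f"{start} -> {end}  ({hits} hits, {end - start} long)")
```

Each reported window is a time range to compare with the domain controller and winbind logs for the same minutes.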
