Hi,

At 20.32 23/06/2005, marpon@xxxxxxxxxxxxx wrote:

> Hi,
>
> I have squid-2.5.ESTABLE6-3 installed with NTLM authentication to an Active Directory domain. According to the manual, the parameter authenticate_ttl and the ttl option of external_acl_type define a cache for authentication requests. But although I have set them to a 20-minute period, I see in the winbind log (and doing a tcpdump of the connection to the domain controller) that every request the squid receives generates an authentication request to the domain controller. Is this right? Does the authentication cache work with NTLM authentication, or is it just for basic/digest?
>
> Here are the relevant settings from my config file:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 100
> auth_param ntlm max_challenge_lifetime 20 minutes
> auth_param ntlm use_ntlm_negotiate on
> authenticate_ttl 20 minutes
> external_acl_type nt_group ttl=3600 %LOGIN /usr/lib/squid/wbinfo_group.pl
>
> Another doubt: what is the relationship between authenticate_ttl and max_challenge_lifetime?
This behaviour is correct by Microsoft NTLM design. When negotiated, NTLM authentication cannot be cached: you are using "use_ntlm_negotiate on", so every challenge/response request must be handled by Winbind.

When using "use_ntlm_negotiate on", max_challenge_reuses and max_challenge_lifetime are not (and cannot be) used.

This is the only stable configuration using NTLM; disabling use_ntlm_negotiate is a worse option.
Regards

Guido

========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.serassio@xxxxxxxxxxxxxxxxx
WWW: http://www.acmeconsulting.it/
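The exchange Guido describes, modelled in code as an added example that is not part of the thread and not code from Squid or Samba. It walks the squid-2.5-ntlmssp helper protocol (YR to start a connection, TT carrying the challenge token back, KK carrying the client's response, AF/NA/BH as the verdicts) and shows why a negotiated NTLM response cannot be served from an authenticate_ttl-style cache: the Type 3 response is bound to a challenge that the helper generated for that one connection, so a second connection needs a second verification round-trip and a replayed response fails. Assumptions, all labelled in the code: the helper verifies credentials against a constructed in-memory user table instead of forwarding them to a domain controller through winbind, the message bodies are a toy "user:proof" layout rather than real NTLMSSP fields, and the proof is HMAC-SHA256 over the challenge instead of the real NT hash / NTLMv2 computation. The dc_requests counter stands in for the winbind traffic seen in the original tcpdump.

```python
"""Toy model of Squid's NTLM helper exchange (squid-2.5-ntlmssp protocol).

Added example only. The 'domain controller' is a constructed dict and the
proof is HMAC-SHA256 over the challenge: both are assumptions standing in
for winbind and the real NTLMv2 arithmetic, which are not reproduced here.
"""
import base64
import hashlib
import hmac
import os
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"          # real NTLMSSP message prefix
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3  # real NTLM message types

# Constructed credential store standing in for the domain controller.
USERS = {"alice": b"CorrectHorse", "bob": b"BatteryStaple"}


def _key(password: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the NT hash (MD4) used by real NTLM.
    return hashlib.sha256(password).digest()


def pack(msg_type: int, body: bytes) -> bytes:
    """Build a message: signature, little-endian type, toy body."""
    return NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + body


def parse_message(raw: bytes):
    """Split a message into (type, body); reject anything non-NTLMSSP."""
    if raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack("<I", raw[8:12])
    return msg_type, raw[12:]


class Helper:
    """One helper child. Squid drives it one connection at a time."""

    def __init__(self):
        self.challenge = None
        self.dc_requests = 0  # every KK is a trip that winbind would make to the DC

    def handle(self, line: str) -> str:
        cmd, _, arg = line.partition(" ")
        if cmd == "YR":
            # Fresh 8-byte challenge per connection, as NTLM requires.
            self.challenge = os.urandom(8)
            return "TT " + base64.b64encode(pack(CHALLENGE, self.challenge)).decode()
        if cmd == "KK":
            if self.challenge is None:
                return "BH no challenge outstanding"
            msg_type, body = parse_message(base64.b64decode(arg))
            if msg_type != AUTHENTICATE:
                return "BH expected type 3 message"
            user, _, proof_hex = body.decode().partition(":")
            self.dc_requests += 1  # verification cannot be skipped or cached
            expected = hmac.new(_key(USERS.get(user, b"")), self.challenge, "sha256").hexdigest()
            self.challenge = None  # challenge consumed; a later KK needs a new YR
            if user in USERS and hmac.compare_digest(expected, proof_hex):
                return f"AF {user}"
            return "NA bad credentials"
        return "BH unknown command"


def client_negotiate() -> str:
    """Type 1 from the browser, wrapped in the YR line Squid sends the helper."""
    return "YR " + base64.b64encode(pack(NEGOTIATE, b"")).decode()


def client_authenticate(tt_line: str, user: str, password: bytes) -> str:
    """Type 3: proof computed over the challenge carried in the TT line."""
    _, challenge = parse_message(base64.b64decode(tt_line.split(" ", 1)[1]))
    proof = hmac.new(_key(password), challenge, "sha256").hexdigest()
    return "KK " + base64.b64encode(pack(AUTHENTICATE, f"{user}:{proof}".encode())).decode()


def authenticate_connection(helper: Helper, user: str, password: bytes):
    """The full three-leg exchange for one TCP connection; returns (verdict, KK line)."""
    tt = helper.handle(client_negotiate())
    kk = client_authenticate(tt, user, password)
    return helper.handle(kk), kk


def demo():
    """Two connections from one user, a replay, and a bad password."""
    helper = Helper()
    results = []
    r1, kk1 = authenticate_connection(helper, "alice", USERS["alice"])
    r2, _ = authenticate_connection(helper, "alice", USERS["alice"])
    results += [r1, r2]  # same user, two verification round-trips
    # Replaying the first connection's Type 3 on a third connection fails:
    # it is bound to a challenge that has already been consumed.
    helper.handle(client_negotiate())
    results.append(helper.handle(kk1))
    results.append(authenticate_connection(helper, "bob", b"wrong")[0])
    return results, helper.dc_requests


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Running demo() gives two AF lines, then NA for the replay and NA for the bad password, with dc_requests at 4: one verification per connection, none served from a cache. That is the behaviour the original tcpdump showed, and it is why authenticate_ttl has nothing to cache when NTLM is negotiated per connection.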