> Hi,
>
> At 20.32 23/06/2005, marpon@xxxxxxxxxxxxx wrote:
>
>> Hi,
>>
>> I have squid-2.5.STABLE6-3 installed with NTLM authentication to an Active
>> Directory domain. According to the manual, the parameter authenticate_ttl
>> and the option ttl of external_acl_type define a cache for authentication
>> requests.
>>
>> But, although I have set them to a 20 minute period, I see in the winbind
>> log (and doing a tcpdump of the connection to the domain controller) that
>> every request that Squid receives generates an authentication request
>> to the domain controller. Is this right? Does the authentication cache
>> work with NTLM authentication or is it just for basic/digest?
>>
>> Here are the interesting settings of my config file:
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 5
>> auth_param ntlm max_challenge_reuses 100
>> auth_param ntlm max_challenge_lifetime 20 minutes
>> auth_param ntlm use_ntlm_negotiate on
>>
>> authenticate_ttl 20 minutes
>>
>> external_acl_type nt_group ttl=3600 %LOGIN /usr/lib/squid/wbinfo_group.pl
>>
>>
>> Another doubt: what is the relationship between authenticate_ttl and
>> max_challenge_lifetime?
>
> This behaviour is correct by Microsoft NTLM design. When negotiated,
> NTLM authentication cannot be cached:
> You are using "use_ntlm_negotiate on", so every Challenge/Response
> request must be handled by Winbind.
>
> When using "use_ntlm_negotiate on", max_challenge_reuses and
> max_challenge_lifetime are not (and cannot be) used.
>
> This is the only stable configuration using NTLM; disabling
> use_ntlm_negotiate is a worse option.
>
> Regards
>
> Guido

Thanks for the clarification. I'm in real need of a way to minimize the
impact on the domain controllers. Long story short, I have about 15 AD
domains with domain controllers all over the world, and many users that
will use this proxy (today they are using ISA) belong to many of these
different domains.

That makes authentication a heavy process because many times the domain
controller that receives the request from Squid has to do a pass-through
and send the request to a DC over the WAN. Multiply that by a thousand
users and the situation today is that the current ISA server has temporary
outages due to the authentication mechanism (turning off auth solves the
problem).

My idea is to try to find a way, perhaps not the best nor the most adequate
general solution, it doesn't matter, to minimize the number of requests
Squid has to do to the DC. Is there such a way you can think of?

Regards,
Martin

--
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@xxxxxxxxxxxxxxxxx
WWW: http://www.acmeconsulting.it/
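Since every authenticated request in this setup reaches Winbind and, through it, a domain controller, the first step towards reducing DC load is measuring where that load comes from. The script below is an added example and is not part of the thread or of Squid itself; it parses lines in Squid's native access.log layout (timestamp, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type) and counts requests per AD domain and per user, plus the number of 407 challenge rounds. It assumes the usernames are logged as ntlm_auth returns them (DOMAIN\user with winbind's default separator, '+' and '/' also accepted) and that TCP_DENIED/407 entries correspond to NTLM handshake rounds; the log lines are constructed sample data.

```python
from collections import Counter

# Constructed sample in Squid native access.log format (not real traffic).
# Users appear as DOMAIN\user, the default winbind separator; "-" means the
# request was not (yet) authenticated, i.e. a 407 challenge round.
SAMPLE_LOG = r"""1119543120.123    312 10.1.2.3 TCP_DENIED/407 1660 GET http://intranet.example/ - NONE/- text/html
1119543120.456    298 10.1.2.3 TCP_DENIED/407 1660 GET http://intranet.example/ - NONE/- text/html
1119543120.789    955 10.1.2.3 TCP_MISS/200 8843 GET http://intranet.example/ EUROPE\mgarcia DIRECT/192.0.2.10 text/html
1119543121.012    402 10.1.2.4 TCP_MISS/200 2211 GET http://www.example.net/a.gif ASIA\jlee DIRECT/192.0.2.20 image/gif
1119543121.345    388 10.1.2.3 TCP_MISS/200 2211 GET http://www.example.net/b.gif EUROPE\mgarcia DIRECT/192.0.2.20 image/gif
1119543121.678   1201 10.1.2.5 TCP_MISS/200 5120 GET http://www.example.org/ ASIA\pwong DIRECT/192.0.2.30 text/html
"""

# Field order of Squid's native log format (assumed default, no custom logformat).
NATIVE_FIELDS = ("ts", "elapsed", "client", "status", "bytes",
                 "method", "url", "user", "peer", "type")

# Separators winbind can be configured to place between domain and account.
DOMAIN_SEPARATORS = ("\\", "+", "/")


def parse_native(line):
    """Split one native-format access.log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < len(NATIVE_FIELDS):
        return None
    rec = dict(zip(NATIVE_FIELDS, parts[:len(NATIVE_FIELDS)]))
    # "TCP_MISS/200" -> "200"
    rec["http_status"] = rec["status"].rsplit("/", 1)[-1]
    return rec


def split_user(user):
    """Return (domain, account); (None, None) for the unauthenticated marker '-'.

    A bare account name with no separator is attributed to the empty domain,
    which in practice means the helper was run without a domain prefix.
    """
    if user == "-":
        return None, None
    for sep in DOMAIN_SEPARATORS:
        if sep in user:
            dom, acct = user.split(sep, 1)
            return dom.upper(), acct
    return "", user


def summarize(log_text):
    """Count authenticated requests per domain and per user, and 407 rounds.

    With use_ntlm_negotiate on, each authenticated request is assumed to
    cost one Winbind round trip, so per-domain counts approximate the load
    each domain's controllers (and any pass-through over the WAN) receive.
    """
    per_domain = Counter()
    per_user = Counter()
    challenge_rounds = 0
    for line in log_text.splitlines():
        rec = parse_native(line)
        if rec is None:
            continue
        if rec["http_status"] == "407":
            challenge_rounds += 1
            continue
        dom, acct = split_user(rec["user"])
        if dom is None:
            continue
        per_domain[dom] += 1
        per_user[(dom, acct)] += 1
    return {
        "per_domain": dict(per_domain),
        "per_user": dict(per_user),
        "challenge_rounds": challenge_rounds,
    }


def busiest_domains(log_text, limit=5):
    """Domains ranked by authenticated request volume, busiest first."""
    counts = Counter(summarize(log_text)["per_domain"])
    return counts.most_common(limit)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("407 challenge rounds:", report["challenge_rounds"])
    for dom, n in busiest_domains(SAMPLE_LOG):
        print(f"{dom or '(no domain)'}: {n} authenticated requests")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; the per-domain ranking shows which domains' controllers absorb most of the pass-through traffic, which is the figure to have in hand before changing the proxy's authentication design.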