Search squid archive

Re: authenticate_ttl and ntlm_auth

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



>Hi,
>
>At 20.32 23/06/2005, marpon@xxxxxxxxxxxxx wrote:
>
>>Hi,
>>
>>I have squid-2.5.ESTABLE6-3 installed with NTLM authentication to an
active
>>directory domain. According to the manual, the parameter authenticate_ttl
>>and the option ttl of external_acl_type define a cache for authentication
>>requests.
>>
>>But, although I have set them to a 20 minutes period, I see in the winbind
>>log (and doing a tcpdump of the connection to the domain controller) that
>>every request that the squid receives generates an authentication request
>>to the domain controller. Is this right? Does the authentication cache
>>works with ntlm authentication or is it just for basic/digest?
>>
>>Here is the interesting settings of my config file:
>>
>>auth_param ntlm program /usr/bin/ntlm_auth
>>--helper-protocol=squid-2.5-ntlmssp
>>auth_param ntlm children 5
>>auth_param ntlm max_challenge_reuses 100
>>auth_param ntlm max_challenge_lifetime 20 minutes
>>auth_param ntlm use_ntlm_negotiate on
>>
>>authenticate_ttl 20 minutes
>>
>>external_acl_type nt_group ttl=3600 %LOGIN /usr/lib/squid/wbinfo_group.pl
>>
>>
>>Another doubt: how is the relationship between authenticate_ttl and
>>max_challenge_lifetime?
>
>This behaviour is correct by Microsoft NTLM design. When negotiated, 
>NTLM authentication cannot be cached:
>You are using  "use_ntlm_negotiate on", so every Challenge/Response 
>request must be handled from Winbind.
>
>
>
>When using "use_ntlm_negotiate on", max_challenge_reuses and 
>max_challenge_lifetime are not (and cannot be) used.
>
>This is the only stable configuration using NTLM, disabling 
>use_ntlm_negotiate is a worst option.
>
>Regards
>
>Guido

Thanks for the clarification. I 'm in a real need of a way to minimize the
impact on the domain controllers. Long story short, I have about 15 AD
domains with domain controllers all over the world and many users that will
use this proxy (today they are using ISA) belong to many of these different
domains. That makes authentication a heavy process because many times the
domain controller that receives the request from squid has to do a
pass-trough and send the request to a DC over the wan. 

Multiply that for a thousand users and the situation today is that the
current ISA server has temporary outages due to the authenticacion
mechanism.  (turning off auth solves the problem). 

My idea is to try to find a way, perhaps not the best nor the more adecuate
general solution, it doesn 't matter, to minimize the number of request
squid has to do to the DC. 

Is there such a way you can think of? 

Regards, 

Martin




-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1           10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.serassio@xxxxxxxxxxxxxxxxx
WWW: http://www.acmeconsulting.it/



--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux