Search squid archive

Re: NTLM auth popup boxes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Adrian Chadd wrote:
On Sat, Nov 03, 2007, Elvar wrote:
Hello all,

I am currently running squid-2.6.14 on FreeBSD 6-STABLE and Squid is configured to authenticate users to the Active Directory database via the NTLM plugin. The problem I'm having is that approximately every other day or sometimes sooner or sometime longer, users start getting a popup box asking for auth credentials. Normally this is not the case as it's handled automatically in the background. I'm forced to restart the squid proxy server to resolve this. One thing I notice is that every time it happens the number of squid child processes is greater than the number listed in squid.conf. Currently I'm set at 'auth_param ntlm children 150'. I'm not sure what is causing this login popup box but it's really upsetting my users and I need to figure out a solution. Has anyone else experienced this? Any have any suggestions?

A couple of possibilities:

* Samba can't keep up with your request rate
* Squid is blocking and missing out on processing the NTLM authentication
  results

I suggest a few things:

* How busy is the cache? Do you have graphs? If not, compile with snmp
  support and start graphing whatever you can

* Look at your load and see if you're better off with aufs than ufs;
  aufs won't block (as much!) and should free Squid up to handle the
  helper replies quicker;

* I've seen this happen at "back from lunch" enterprise situations where
  a few hundred people come back and fire up their browsers at the same
  time, overloading the NTLM authentication mechanism. Henrik's
  authentication IP caching patch (ntlm_ip_cache? I forget now) seems
  to do the trick but it comes with certain use restrictions.
  This depends on how busy your caches are; see point 1.



Adrian


Well, I've set up squid-rrd now on two different boxes at two different locations to monitor performance and it doesn't appear that Squid is being overworked. Is there a way to possibly increase the TTL for queries against Active Directory? I've been battling with this problem for months now and cannot for the life of me figure out what's causing the problem.



Thanks,
Elvar


squid.conf listed below

Kind regards
Elvar

################ Begin squid.conf ################

acl localnet src 192.168.0.0/16
http_port 192.168.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
cache_dir ufs /usr/local/squid/cache 500 16 256
access_log /usr/local/squid/logs/access.log squid
#cache_log none
cache_log /usr/local/squid/logs/cache.log
cache_store_log none
emulate_httpd_log off
log_mime_hdrs on
check_hostnames off
auth_param ntlm keep_alive on

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-2590255907-4225717938-1771017636-2445
auth_param ntlm children 150
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 5 minutes

#auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param basic children 5
#auth_param basic realm WT
#auth_param basic credentialsttl 2 hours

refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern .       0   20% 4320

### Needed for Windows Update to work ###
acl windowsupdate dstdomain .windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain .download.windowsupdate.com
acl windowsupdate dstdomain .c.microsoft.com
acl windowsupdate dstdomain .download.microsoft.com
http_access allow windowsupdate localnet
##########################################


acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl Safe_ports port 21      # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl AuthorizedUsers proxy_auth REQUIRED

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all AuthorizedUsers
http_access deny all

http_reply_access allow all
icp_access allow all

cache_effective_user squid

visible_hostname example.com

logfile_rotate 20

coredump_dir /usr/local/squid/cache

######################### End squid.conf ########################



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux