Hello all, something I wanted to add to this thread, which I thought may
have something to do with the problem, is the following, which I'm consistently
seeing in my squid cache log...
[2008/01/18 12:16:28, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
got NTLMSSP command 3, expected 1
[2008/01/18 12:18:07, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
got NTLMSSP command 3, expected 1
[2008/01/18 12:19:05, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
got NTLMSSP command 3, expected 1
[2008/01/18 12:19:20, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
got NTLMSSP command 3, expected 1
Would that be the cause of my auth popup boxes in browsers? If so, is
this fixable yet? I ran across this thread while searching for those
errors...
http://www.squid-cache.org/mail-archive/squid-users/200606/0362.html
Kind regards,
Elvar
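The two-line records quoted above are Samba's ntlm_auth debug output landing in Squid's cache.log. As an added example (not part of the original thread), here is a small parser that pairs each header with its message, decodes the "got/expected" NTLMSSP message types, and tallies helper state mismatches per hour so they can be lined up against the times users report credential popups. The sample log is constructed from the lines in the post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the two-line format ntlm_auth writes into cache.log.
SAMPLE_LOG = """\
[2008/01/18 12:16:28, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
  got NTLMSSP command 3, expected 1
[2008/01/18 12:18:07, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
  got NTLMSSP command 3, expected 1
[2008/01/18 13:02:11, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
  got NTLMSSP command 3, expected 1
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+)$")
MISMATCH = re.compile(r"got NTLMSSP command (\d+), expected (\d+)")

def parse_samba_log(text):
    """Pair each '[timestamp, level] file:func(line)' header with the message
    line that follows it. Returns one dict per record."""
    records, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = {"time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                      "level": int(m.group(2)), "where": m.group(3)}
            continue
        if header is not None and line.strip():
            rec = dict(header, msg=line.strip())
            mm = MISMATCH.search(rec["msg"])
            if mm:
                # NTLMSSP message types: 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE.
                # "got 3, expected 1" means the helper received a type-3 message
                # while still waiting for the client's type-1 negotiate.
                rec["got"], rec["expected"] = int(mm.group(1)), int(mm.group(2))
            records.append(rec)
            header = None
    return records

def state_errors_per_hour(text):
    """Count NTLMSSP state mismatches per hour of the day they occurred."""
    counts = Counter()
    for rec in parse_samba_log(text):
        if "got" in rec and rec["got"] != rec["expected"]:
            counts[rec["time"].strftime("%Y-%m-%d %H:00")] += 1
    return dict(counts)

if __name__ == "__main__":
    for hour, n in sorted(state_errors_per_hour(SAMPLE_LOG).items()):
        print(f"{hour}  {n} NTLMSSP state mismatch(es)")
```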
Amos Jeffries wrote:
Adrian Chadd wrote:
On Sat, Nov 03, 2007, Elvar wrote:
Hello all,
I am currently running squid-2.6.14 on FreeBSD 6-STABLE and Squid is
Please upgrade to STABLE17. There is a security problem in earlier releases.
configured to authenticate users to the Active Directory database via
the NTLM plugin. The problem I'm having is that approximately every
other day, or sometimes sooner or sometimes longer, users start getting a
popup box asking for auth credentials. Normally this is not the case as
it's handled automatically in the background. I'm forced to restart the
squid proxy server to resolve this. One thing I notice is that every
time it happens the number of squid child processes is greater than the
number listed in squid.conf. Currently I'm set at 'auth_param ntlm
children 150'. I'm not sure what is causing this login popup box but
it's really upsetting my users and I need to figure out a solution. Has
anyone else experienced this? Anyone have any suggestions?
A couple of possibilities:
* Samba can't keep up with your request rate
* Squid is blocking and missing out on processing the NTLM authentication results
I suggest a few things:
* How busy is the cache? Do you have graphs? If not, compile with snmp
support and start graphing whatever you can
* Look at your load and see if you're better off with aufs than ufs;
aufs won't block (as much!) and should free Squid up to handle the
helper replies quicker;
* I've seen this happen at "back from lunch" enterprise situations where
a few hundred people come back and fire up their browsers at the same
time, overloading the NTLM authentication mechanism. Henrik's
authentication IP caching patch (ntlm_ip_cache? I forget now) seems
to do the trick but it comes with certain use restrictions.
This depends on how busy your caches are; see point 1.
Adrian
Well, I've set up squid-rrd now on two different boxes at two different
locations to monitor performance and it doesn't appear that Squid is
being overworked. Is there a way to possibly increase the TTL for
queries against Active Directory? I've been battling with this problem
for months now and cannot for the life of me figure out what's causing
the problem.
Thanks,
Elvar
squid.conf listed below
Kind regards
Elvar
################ Begin squid.conf ################
acl localnet src 192.168.0.0/16
http_port 192.168.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
cache_dir ufs /usr/local/squid/cache 500 16 256
access_log /usr/local/squid/logs/access.log squid
#cache_log none
cache_log /usr/local/squid/logs/cache.log
cache_store_log none
emulate_httpd_log off
log_mime_hdrs on
check_hostnames off
auth_param ntlm keep_alive on
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-2590255907-4225717938-1771017636-2445
auth_param ntlm children 150
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 5 minutes
#auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param basic children 5
#auth_param basic realm WT
#auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
### Needed for Windows Update to work ###
acl windowsupdate dstdomain .windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain .download.windowsupdate.com
acl windowsupdate dstdomain .c.microsoft.com
acl windowsupdate dstdomain .download.microsoft.com
http_access allow windowsupdate localnet
##########################################
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all AuthorizedUsers
Ah, here is part of the problem.
Using this 'all' hack to silence the login box it needs 'all' to be at
the very end of the line. Otherwise all has no meaning there.
http_access allow AuthorizedUsers all
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
visible_hostname example.com
logfile_rotate 20
coredump_dir /usr/local/squid/cache
######################### End squid.conf ########################
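To make the point about the position of 'all' concrete, here is a toy model of http_access evaluation, added as an example and not Squid's own code. The rule it assumes is the documented 'all hack' behaviour: ACLs on a line are ANDed left to right, the first fully matching line decides, and an auth ACL that cannot be satisfied (no credentials, or the helper rejected them) is a plain non-match unless it is the last ACL on its line, in which case Squid answers 407 and the browser shows a credential prompt. The ACL predicates and the client address are constructed from the config in the thread.

```python
# Simplified model of Squid's http_access evaluation (assumption, see lead-in).
AUTH_ACLS = {"AuthorizedUsers"}   # the proxy_auth REQUIRED acl from squid.conf

def make_acls(helper_ok):
    """ACLs from the thread's squid.conf reduced to predicates; helper_ok is
    the outcome of the ntlm_auth exchange for this request."""
    return {
        "all": lambda req: True,
        "localnet": lambda req: req["src"].startswith("192.168."),
        "AuthorizedUsers": lambda req: helper_ok,
    }

def http_access(rules, req, acls):
    """rules: [(action, [acl, ...]), ...] in squid.conf order.
    Returns 'allow', 'deny' or '407' (authentication challenge)."""
    for action, names in rules:
        line_matches = True
        for pos, name in enumerate(names):
            negated = name.startswith("!")
            acl = name.lstrip("!")
            hit = acls[acl](req)
            if acl in AUTH_ACLS and not hit:
                if pos == len(names) - 1:
                    return "407"          # auth acl last on the line: challenge
                if not negated:
                    line_matches = False  # elsewhere it is just a non-match
                    break
                continue                  # "!AuthorizedUsers" holds when unauthenticated
            if hit == negated:
                line_matches = False
                break
        if line_matches:
            return action
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# The order posted in the thread, and the order Amos suggests.
POSTED    = [("allow", ["all", "AuthorizedUsers"]), ("deny", ["all"])]
SUGGESTED = [("allow", ["AuthorizedUsers", "all"]), ("deny", ["all"])]
# The classic form of the hack: refuse unauthenticated users without a prompt.
ALL_HACK  = [("deny", ["!AuthorizedUsers", "all"]), ("allow", ["all"])]

def outcome(rules, helper_ok):
    req = {"src": "192.168.5.20"}         # constructed client on localnet
    return http_access(rules, req, make_acls(helper_ok))

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("suggested", SUGGESTED), ("all hack", ALL_HACK)):
        print(f"{label:10s} helper ok -> {outcome(rules, True):5s}  helper failed -> {outcome(rules, False)}")
```

With the posted order a failed helper reply ends in a 407, which is exactly the prompt the users see; with 'all' last the same failure is a silent deny.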