Search squid archive

Re: NTLM authentication testing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

At 14:40 19/02/2008, Richard Wall wrote:


First problem is that you have to reinterpret the Squid reported hit
ratios when using NTLM auth. Only half of these are hits, the other
half being TCP_DENIED/407 that form part of the NTLM auth negotiation.
This is caused by the NTLM over HTTP authentication sequence, look here for details: 
http://davenport.sourceforge.net/ntlm.html


Second problem is that the majority of requests seem to result in auth
requests to the DC. There is an article describing Win2003 performance
counters showing Number of auth requests / sec, but those counters
don't seem to exist on my copy.
 * http://support.microsoft.com/kb/928576


Correct, you should request the hotfix to Microsoft.



Instead I used the difference in a minute of the total number of
security events (as shown in the titel bar of the windows event
viewer.
 * ~127 successful auth events per second
...which is about the same as the client_http.hits reported by squid.

I have the following setting defined in smb.conf:
 * winbind cache time = 10
...which clearly isn't being respected.

 * Does anyone else see this behaviour or have you managed to get auth
requests cached by winbindd?
 * Can winbindd even do caching of auth reqests or is it only
concerned with caching other domain data?


What Samba version do you are using ?
I remember that in Samba 3.0.25 there was big changes into winbindd regarding off-line logon support, but I don't know if this could help. 

Another question, what type of NTLM authentication is supported by curl ?
Lan manager/NTLMv1 or full NTLMv2 ? (See the previous link for details)
There are big difference between the security level and on the performance impact, and currently all browsers automatically use always the NTLMv2 type. 

Regards

Guido



-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1           10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.serassio@xxxxxxxxxxxxxxxxx
WWW: http://www.acmeconsulting.it/
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux