On 2/19/08, Guido Serassio <guido.serassio@xxxxxxxxxxxxxxxxx> wrote:
> At 14:40 19/02/2008, Richard Wall wrote:
> >First problem is that you have to reinterpret the Squid reported hit
> >ratios when using NTLM auth. Only half of these are hits, the other
> >half being TCP_DENIED/407 that form part of the NTLM auth negotiation.
> This is caused by the NTLM over HTTP authentication sequence, look
> here for details:
> http://davenport.sourceforge.net/ntlm.html

Guido,

Yep, I've looked at it, but have not completely absorbed it yet :)

> >Second problem is that the majority of requests seem to result in auth
> >requests to the DC. There is an article describing Win2003 performance
> >counters showing Number of auth requests / sec, but those counters
> >don't seem to exist on my copy.
> > * http://support.microsoft.com/kb/928576
> Correct, you should request the hotfix from Microsoft.

Thanks, will search it out.

> What Samba version are you using?
> I remember that in Samba 3.0.25 there were big changes in winbindd
> regarding off-line logon support, but I don't know if this could help.

# /usr/upgrade/samba/sbin/winbindd --version
Version 3.0.24

So I guess I'll try compiling the latest version. Thanks for the tip.

> Another question, what type of NTLM authentication is supported by curl?
> Lan manager/NTLMv1 or full NTLMv2? (See the previous link for details)

I'm not sure, but in full debug mode, curl will show the various
headers it exchanges with the server. It seems to correspond to:

* http://devel.squid-cache.org/ntlm/client_proxy_protocol.html

...but of course we're starting at point 4, which means that in real
life there'd be even more squid requests, I guess. Anyway, here's the
output from curl. Does this give enough information to work out which
type is being used?

{{{
* About to connect() to proxy 10.0.0.12 port 800 (#0)
*   Trying 10.0.0.12... connected
* Connected to 10.0.0.12 (10.0.0.12) port 800 (#0)
* Proxy auth using NTLM with user 'COVENTRYOFFICE\stafftest'
> GET http://www.squid-cache.org/Images/img4.jpg HTTP/1.1
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
> User-Agent: curl/7.16.4 (i486-pc-linux-gnu) libcurl/7.16.4 OpenSSL/0.9.8e zlib/1.2.3.3 libidn/1.0
> Host: www.squid-cache.org
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* HTTP 1.0, assume close after body
< HTTP/1.0 407 Proxy Authentication Required
< Server: squid/2.6.STABLE17
< Date: Tue, 19 Feb 2008 15:03:05 GMT
< Content-Type: text/html
< Content-Length: 1371
< Expires: Tue, 19 Feb 2008 15:03:05 GMT
< X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADgAOADAAAAAGgokAN+ZK+JnmUOEAAAAAAAAAAIoAigA+AAAAQ09WRU5UUllPRkZJQ0UCABwAQwBPAFYARQBOAFQAUgBZAE8ARgBGAEkAQwBFAAEAEABBAFAALQBUAEUAUwBUADIABAAcAGMAYQBjAGgAZQAuAGUAMgBiAG4ALgBvAHIAZwADAC4AYQBwAC0AdABlAHMAdAAyAC4AYwBhAGMAaABlAC4AZQAyAGIAbgAuAG8AcgBnAAAAAAA=
< X-Cache: MISS from ntlmsquidbox.test
< X-Cache-Lookup: NONE from ntlmsquidbox.test:800
< Via: 1.0 ntlmsquidbox.test:800 (squid/2.6.STABLE17)
* HTTP/1.0 proxy connection set to keep alive!
< Proxy-Connection: keep-alive
<
* Ignoring the response-body
{ [data not shown]
* Connection #0 to host 10.0.0.12 left intact
* Issue another request to this URL: 'http://www.squid-cache.org/Images/img4.jpg'
* Re-using existing connection! (#0) with host 10.0.0.12
* Connected to 10.0.0.12 (10.0.0.12) port 800 (#0)
* Proxy auth using NTLM with user 'COVENTRYOFFICE\stafftest'
> GET http://www.squid-cache.org/Images/img4.jpg HTTP/1.1
> Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAA4ADgBwAAAACQAJAH4AAAAIAAgAhwAAAAAAAAAAAAAABoKJAFb2ATKsj8TWAAAAAAAAAAAAAAAAAAAAAA6YY1ymLs5AgU5/lxbNCYtJnhdC67O5c0NPVkVOVFJZT0ZGSUNFc3RhZmZ0ZXN0cG9seXNydjE=
> User-Agent: curl/7.16.4 (i486-pc-linux-gnu) libcurl/7.16.4 OpenSSL/0.9.8e zlib/1.2.3.3 libidn/1.0
> Host: www.squid-cache.org
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Date: Tue, 19 Feb 2008 15:00:26 GMT
< Server: Apache/2.2.6 (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.5 with Suhosin-Patch
< Last-Modified: Mon, 22 Jan 2007 10:51:58 GMT
< ETag: "6daaa8-7083-d9b9ef80"
< Accept-Ranges: bytes
< Content-Length: 28803
< Content-Type: image/jpeg
< Age: 159
< X-Cache: HIT from ntlmsquidbox.test
< X-Cache-Lookup: HIT from ntlmsquidbox.test:800
< Via: 1.0 ntlmsquidbox.test:800 (squid/2.6.STABLE17)
* HTTP/1.0 proxy connection set to keep alive!
< Proxy-Connection: keep-alive
<
{ [data not shown]
HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.6.STABLE17
Date: Tue, 19 Feb 2008 15:03:05 GMT
Content-Type: text/html
Content-Length: 1371
Expires: Tue, 19 Feb 2008 15:03:05 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADgAOADAAAAAGgokAN+ZK+JnmUOEAAAAAAAAAAIoAigA+AAAAQ09WRU5UUllPRkZJQ0UCABwAQwBPAFYARQBOAFQAUgBZAE8ARgBGAEkAQwBFAAEAEABBAFAALQBUAEUAUwBUADIABAAcAGMAYQBjAGgAZQAuAGUAMgBiAG4ALgBvAHIAZwADAC4AYQBwAC0AdABlAHMAdAAyAC4AYwBhAGMAaABlAC4AZQAyAGIAbgAuAG8AcgBnAAAAAAA=
X-Cache: MISS from ntlmsquidbox.test
X-Cache-Lookup: NONE from ntlmsquidbox.test:800
Via: 1.0 ntlmsquidbox.test:800 (squid/2.6.STABLE17)
Proxy-Connection: keep-alive

HTTP/1.0 200 OK
Date: Tue, 19 Feb 2008 15:00:26 GMT
Server: Apache/2.2.6 (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.5 with Suhosin-Patch
Last-Modified: Mon, 22 Jan 2007 10:51:58 GMT
ETag: "6daaa8-7083-d9b9ef80"
Accept-Ranges: bytes
Content-Length: 28803
Content-Type: image/jpeg
Age: 159
X-Cache: HIT from ntlmsquidbox.test
X-Cache-Lookup: HIT from ntlmsquidbox.test:800
Via: 1.0 ntlmsquidbox.test:800 (squid/2.6.STABLE17)
Proxy-Connection: keep-alive
}}}

> There are big differences in the security level and in the
> performance impact, and currently all browsers always use the
> NTLMv2 type automatically.

Doesn't the --helper-protocol=squid-2.5-ntlmssp in squid.conf
determine that NTLMv2 will be used? Looking at the man page for
ntlm_auth suggests that lanman auth would require different parameters:

* http://us1.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html

This may seem like a stupid question, and my vague understanding of
Kerberos may be way off, but aren't there better alternatives to NTLM
proxy auth if you're authenticating only against Active Directory
servers? Doesn't Kerberos provide a time-limited token to the
authenticated Windows domain client that can be passed to other
machines in the domain as proof that the client is authenticated, and
which can be used to look up what services the client has access to?
In a perfect world, shouldn't Internet Explorer just pass this token
along with all requests to other machines in the same domain?

My aims are:

* to have a proxy that is only available to authenticated Windows
  domain users.
* that Internet Explorer should not prompt the user for their username
  and password if they have already logged onto the domain.
* that squid should be able to record usernames alongside requests in
  its logs.
* that DansGuardian should be able to identify the username of the
  client.

Is there some way I can get all this without paying the penalty of
NTLM auth? Dear lazyweb, can anyone offer me alternatives? ;)

-RichardW
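The question in the message above ("does this give enough information to work out which type is being used?") can be answered from the three base64 tokens alone. The following decoder is an added example, not code from the thread, from curl, Squid or Samba: it parses the Type 1, Type 2 and Type 3 NTLMSSP messages using the public MS-NLMP layout (signature, message type, security-buffer descriptors of len/maxlen/offset, NEGOTIATE flags, the AV_PAIR target-info list), lists the negotiated flags, and classifies the Type 3 message by the shape of its responses: an NT response longer than 24 bytes is NTLMv2; a 24-byte NT response with an 8-byte client nonce zero-padded in the LM field and the extended-session-security flag set is the "NTLM2 session response"; a 24-byte NT response with a full 24-byte LM response is plain NTLMv1. The flag names are the MS-NLMP ones, the `nb_*`/`dns_*` keys are my own labels for the AV_PAIR ids, and the token strings are copied verbatim from the curl output. Run on these tokens it reports the NTLM2 session response for curl 7.16.4 (the v1-family hash with the NTLM2 nonce, not NTLMv2), which is the kind of check worth running when auditing what clients on a proxy actually negotiate; the variant is decided by the client and what the authenticating side accepts, not by which Squid helper protocol is configured.

```python
"""Decode the NTLMSSP tokens from a curl -v NTLM proxy exchange (added example)."""
import base64
import struct

FLAGS = {  # NEGOTIATE flag bits as named in MS-NLMP (the subset seen in this exchange)
    "NEGOTIATE_UNICODE": 0x00000001, "NEGOTIATE_OEM": 0x00000002,
    "REQUEST_TARGET": 0x00000004, "NEGOTIATE_NTLM": 0x00000200,
    "NEGOTIATE_ALWAYS_SIGN": 0x00008000, "TARGET_TYPE_DOMAIN": 0x00010000,
    "NEGOTIATE_EXTENDED_SESSIONSECURITY": 0x00080000,  # the "NTLM2" flag
    "NEGOTIATE_TARGET_INFO": 0x00800000,
}
SIGNATURE = b"NTLMSSP\x00"

# The three tokens copied from the curl output in the message above.
TYPE1_TOKEN = "TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA="
TYPE2_TOKEN = ("TlRMTVNTUAACAAAADgAOADAAAAAGgokAN+ZK+JnmUOEAAAAAAAAAAIoAigA+AAAA"
               "Q09WRU5UUllPRkZJQ0UCABwAQwBPAFYARQBOAFQAUgBZAE8ARgBGAEkAQwBFAAEAEABBAFAA"
               "LQBUAEUAUwBUADIABAAcAGMAYQBjAGgAZQAuAGUAMgBiAG4ALgBvAHIAZwADAC4AYQBw"
               "AC0AdABlAHMAdAAyAC4AYwBhAGMAaABlAC4AZQAyAGIAbgAuAG8AcgBnAAAAAAA=")
TYPE3_TOKEN = ("TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAA4ADgBwAAAACQAJAH4AAAAIAAgA"
               "hwAAAAAAAAAAAAAABoKJAFb2ATKsj8TWAAAAAAAAAAAAAAAAAAAAAA6YY1ymLs5A"
               "gU5/lxbNCYtJnhdC67O5c0NPVkVOVFJZT0ZGSUNFc3RhZmZ0ZXN0cG9seXNydjE=")


def _field(buf, off):
    """Read a security-buffer descriptor (len, maxlen, offset) and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]


def _text(raw, flags):
    # String fields are UTF-16LE when UNICODE was negotiated, otherwise the OEM codepage.
    return raw.decode("utf-16-le" if flags & FLAGS["NEGOTIATE_UNICODE"] else "latin-1")


def flag_names(flags):
    return sorted(name for name, bit in FLAGS.items() if flags & bit)


def _target_info(raw):
    """Parse the AV_PAIR list; its string values are always UTF-16LE."""
    names = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer", 4: "dns_domain"}
    info, pos = {}, 0
    while pos + 4 <= len(raw):
        av_id, av_len = struct.unpack_from("<HH", raw, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        if av_id in names:
            info[names[av_id]] = raw[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return info


def decode(token):
    """Return a dict describing a Type 1, 2 or 3 NTLMSSP message."""
    buf = base64.b64decode(token)
    if buf[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    if msg_type == 1:
        return {"type": 1, "flags": struct.unpack_from("<I", buf, 12)[0]}
    if msg_type == 2:
        flags = struct.unpack_from("<I", buf, 20)[0]
        has_info = flags & FLAGS["NEGOTIATE_TARGET_INFO"]
        return {"type": 2, "flags": flags,
                "target_name": _text(_field(buf, 12), flags),
                "challenge": buf[24:32].hex(),
                "target_info": _target_info(_field(buf, 40)) if has_info else {}}
    if msg_type == 3:
        # The flags field is only present if the first payload starts at or after offset 64.
        lm_offset = struct.unpack_from("<I", buf, 16)[0]
        flags = struct.unpack_from("<I", buf, 60)[0] if lm_offset >= 64 else 0
        return {"type": 3, "flags": flags,
                "lm_response": _field(buf, 12), "nt_response": _field(buf, 20),
                "domain": _text(_field(buf, 28), flags),
                "user": _text(_field(buf, 36), flags),
                "workstation": _text(_field(buf, 44), flags)}
    raise ValueError("unexpected message type %d" % msg_type)


def classify_variant(msg3):
    """Name the NTLM response variant from the shape of the Type 3 responses."""
    lm, nt = msg3["lm_response"], msg3["nt_response"]
    if len(nt) > 24:
        return "NTLMv2"  # NT response = 16-byte HMAC followed by the client blob
    if len(nt) == 24:
        ext = msg3["flags"] & FLAGS["NEGOTIATE_EXTENDED_SESSIONSECURITY"]
        if ext and lm[8:] == bytes(16):
            return "NTLM2 session response"  # 8-byte client nonce, zero-padded, in the LM field
        return "NTLMv1"
    if len(lm) == 24:
        return "LM only"
    return "anonymous"


if __name__ == "__main__":
    for tok in (TYPE1_TOKEN, TYPE2_TOKEN, TYPE3_TOKEN):
        msg = decode(tok)
        shown = {k: v for k, v in msg.items() if k not in ("type", "flags", "lm_response", "nt_response")}
        print("Type %d" % msg["type"], flag_names(msg["flags"]), shown)
        if msg["type"] == 3:
            print("variant:", classify_variant(msg))
```

Two things the decoded output makes visible that the raw headers hide: the Type 2 target-info list carries the NetBIOS and DNS names of the domain and of the authenticating host, which any client on the proxy can read unauthenticated, and the Type 3 flags show whether the client asked for extended session security. The same `decode()` can be pointed at tokens pulled from Squid's own logs or a packet capture to inventory which variants the browsers in a domain really send.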