Re: NTLM auth popup boxes && Solaris 8 tuning for upgrade into 2.7.4

vincent.blondel@xxxxxx wrote:
hello all,

I currently have some Sun v210 boxes running Solaris 8 with squid-2.6.12 and samba 3.0.20b. I will upgrade these proxies to 2.7.4/3.0.32 next Monday, but before doing this I would like to ask for your advice and/or experiences with tuning these kinds of boxes.

The service is running well today except we regularly get authentication popup boxes. This is really exasperating our users. I have already spent a lot of time on the net in the hope of finding a clear explanation about it, but I am still searching. I have already configured 128 ntlm_auth processes to start on each of my servers. This gives better results but the problem still remains. I also made some patches in the new package I will deploy next week by overwriting some samba values .. below my little patch ..


first of all, many thanks for entering this discussion in order to help me solve my problems ..

Before digging deep into OS settings check your squid.conf auth, acl and http_access settings.

okay let's go. Concerning the auth part of the squid.conf, I would like to say, nothing special .. below the ntlm config part

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 128
auth_param ntlm keep_alive on
acl ntlmauth proxy_auth REQUIRED
...
http_access allow ntlmauth all
http_reply_access allow all
http_access deny all
deny_info TCP_RESET all


Hmm, what those lines do is:
 - test the request for auth details (allow ntlmauth),
 - if correct details found, allow (allow ntlmauth all).
 - if none are found, or bad details ignore (allow ntlmauth all)
 - but send a RESET on the TCP link (deny all + TCP_RESET)

The clients will never get any correction when auth details are invalid. They will just get a completely new session; the browser will try to resend the same broken details until it gives up and re-asks the user.


The 'all' silencing hack is intended for situations where auth may be the preferred method of access, but an alternative exists and can be taken easily when it fails. It prevents the browser being notified when credentials are wrong.

Does it work if you make that line just: http_access allow ntlmauth

Check the TTL settings on your auth config. If it's not long enough squid will re-auth between request and reply.

not really sure I understand what setting you are speaking about ??


auth_param ntlm ttl

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2
