Razvan Grigore wrote:
From: Serassio Guido <guido.serassio@xxxxxxxxxxxxxxx>
Date: Fri, 24 Jun 2005 09:37:06 +0200
Hi,
This behaviour is correct by Microsoft NTLM design. When negotiated,
NTLM authentication cannot be cached:
You are using "use_ntlm_negotiate on", so every Challenge/Response
request must be handled from Winbind.
When using "use_ntlm_negotiate on", max_challenge_reuses and
max_challenge_lifetime are not (and cannot be) used.
This is the only stable configuration using NTLM, disabling
use_ntlm_negotiate is a worst option.
Regards
Guido
Hello,
I want to know if this is true.
Very high likelihood of being true. Guido is the author of the NTLM
negotiate code.
I have Squid 3.0.STABLE10 on Centos
and I successfully implemented an NTLM transparent authenticator for
my proxy users.
The problem is that my NTLM auth helper has very intense activity
compared with my external acl helpers.
Here's the details:
NTLM Authenticator Statistics:
program: /usr/bin/ntlm_auth
number running: 10 of 10
requests sent: 5539
replies received: 5539
queue length: 0
avg service time: 0 msec
while:
External ACL Statistics: ad_group
Cache size: 155
program: /usr/lib/squid/squid_ldap_group
number running: 5 of 5
requests sent: 230
replies received: 230
queue length: 0
avg service time: 3 msec
and
External ACL Statistics: host_ad_group
Cache size: 112
program: /usr/lib/squid/hostname.pl
number running: 5 of 5
requests sent: 162
replies received: 162
queue length: 0
avg service time: 50 msec
So I think the external ACL's can successffuly cache the requests
while the ntlm auth can't.
I specified in squid.conf
authenticate_ttl 1 hour
authenticate_ip_ttl 30 minutes
and at the external acls ttl=1800.
What is the problem? And how can I reduce the AD query number?
Thank you!
Razvan
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
Current Beta Squid 3.1.0.3