NTLM negotiate + IP authentication caching for heavily used squid deployments...

[jason lawrence <clifter1@xxxxxxxxx>]

Hi all,

  We are looking to replace our proxy infrastructure
with squid, but I am concerned about the performance of squid using the
ntlm_auth samba handler (specifically using negotiate).  We are almost
ready to do some Loadrunner stress tests, but I wanted to see if anyone
had some base statistics out there?  I saw that squid uses authenticate_ip_shortcircuit_ttl in 2.7.  Has anyone used the IP caching feature, and are there plans to
port it to the 3.x branch? (we are really after the ICAP functionallity)
 
I am currently investigating a way to push our AD user/group
listings into a flat file tree once a night, so squidGuard can do AD
group lookups locally.  That should save authorization cycles, but the
samba authentication is what really worries me...  I really wish
kerberos was prevelent enought that we could just force kerberos/Basic,
but that's the way it goes...  I don't even know how we could load test
kerberos authentication... 

Current deployment:
------------------------------------------------------

squid:           3.0.11
squidGuard:  1.4
samba:         3.2.7
server:          RHAS 5.2  64bit   (Sunfire 4100 8gigs of ram)


Current configs (squid is not yet optimized)
--------------------------------------------------------------------
http_port                     xx.xx.x.xxx:8080
tcp_outgoing_address  xx.xx.x.xxx

#####################################################################
#       AUTHENTICATION
#####################################################################

auth_param negotiate program /dev/pkgs/linux/intel/squid/3.0.11/libexec/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

auth_param ntlm program /dev/pkgs/linux/intel/samba/3.2.7/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

auth_param basic program /dev/pkgs/linux/intel/samba/3.2.7/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 6 hours
auth_param basic casesensitive off

#####################################################################
#       ACL'S
#####################################################################

acl manager proto cache_object
acl localhost src 127.0.0.1/32 
acl to_localhost dst 127.0.0.0/8 
acl CONNECT method CONNECT
acl java browser Java/1.3 Java/1.4
acl ntlm_users proxy_auth REQUIRED

http_access allow manager localhost
http_access deny manager
http_access allow java
http_access allow ntlm_users
http_access deny all

#####################################################################
#       DNS Settings
#####################################################################

dns_defnames on
dns_nameservers xx.xx.xx.xxx xx.xx.xx.xxx

#####################################################################
#
#####################################################################

hierarchy_stoplist cgi-bin ?
access_log /etrade/pkgs/linux/intel/squid/3.0.11/var/logs/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
icp_port 3130
coredump_dir /etrade/pkgs/linux/intel/squid/3.0.11/var/cache

#####################################################################
#       Squid Guard
#####################################################################

redirect_program     /dev/pkgs/linux/intel/squidGuard/1.4/bin/squidGuard
redirect_children    10

#####################################################################
#       Kaspersky AV
#####################################################################

icap_enable on
icap_send_client_ip on
icap_service is_kav_req reqmod_precache 0 icap://localhost:1344/av/reqmod
icap_service is_kav_resp respmod_precache 0 icap://localhost:1344/av/respmod
acl acl_kav_GET method GET
icap_class ic_kav_req is_kav_req
icap_class ic_kav_resp is_kav_resp
icap_access ic_kav_resp allow all
icap_access ic_kav_req allow all !acl_kav_GET




SAMBA
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

# global parameters
 [global]
        # ADS membership settings
        workgroup = DEV
        netbios name = PROXYDEV1
        realm = DEV.COM 
        server string = proxydev1.dev.com 
        security = ADS
        winbind trusted domains only = yes
        #winbind cache time = 600                           # tested samba auth caching, doesn't work for ntlm_auth
        #winbind offline logon = true                          #
        allow trusted domains = no
        use kerberos keytab = true

        # IdMap settings
        winbind use default domain = yes
        idmap domains = DEV
        idmap config DEV:backend = nss
        idmap config DEV:readonly = yes
        idmap config DEV:default = no

        # security settings
        encrypt passwords = yes
        lm announce = no
        client lanman auth = no
        client ntlmv2 auth = yes
        client plaintext auth = no
        client schannel = yes
        server schannel = yes
        server signing = Auto
        encrypt passwords = yes
        lanman auth = no
        ntlm auth = no
        min protocol = NT1
        max protocol = NT1
        show add printer wizard = no
        load printers = no


Thanks all!