Hello,

Using Squid for 6 years now, quite happily. We have moved from ldap to AD authentication a few months ago.

Using:

    squid-2.7.STABLE7
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    external_acl_type ad_group children=30 %LOGIN /proxy1/libexec/wbinfo_group.pl

ntlm_auth and wbinfo come from: samba-common-3.0.33-3.14.el5 (on rhel 5.4)

We are suffering from a few problems:

- When one of the 2 DC servers fails, samba will not fail over to the second DC server quickly enough for the users' comfort. Has anyone faced the same problem? (We have no SRV records.) The solution relies entirely on samba config + dns failovers, so I'm not hoping for a solution on this mailing list. Just other users' feedback.

- As a workaround, I would like to increase the value of the authenticate-ip-shortcircuit-ttl parameter. It is currently at 300 seconds, I would put it at 36000 seconds (10 hours). So the NTLM authentication would really only happen once a working day. What would be the drawbacks? Is such a value reasonable technically? (Memory buffers will handle this correctly?)

- wbinfo has stopped working twice in two months. (I will tackle this topic with samba support.) Again, anyone else seeing such behavior? An excerpt of the cache log:

    Could not get groups for user dotdot
    2010/04/28 23:47:39| AuthenticateNTLMHandleReply: Helper '0x96b4c90' crashed!.
    2010/04/28 23:47:39| assertion failed: helper.c:332: "!srv->request"
    2010/04/28 23:47:47| Starting Squid Cache version 2.7.STABLE7 for i686-pc-linux-gnu...

  Is it normal that Squid should restart on such a problem? (Just wondering.)

Finally, would another authentication means to AD be more reliable? Kerberos maybe?

Thanks
Andrew