On Tue, 04 May 2010 17:45:44 +0200, apmailist@xxxxxxx wrote:

> Hello,
>
> Using Squid for 6 years now, quite happily.
> We have moved from ldap to AD authentication a few months ago.
> using :
> squid-2.7.STABLE7
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> external_acl_type ad_group children=30 %LOGIN /proxy1/libexec/wbinfo_group.pl
> ntlm_auth and wbinfo come from : samba-common-3.0.33-3.14.el5 (on rhel 5.4)
>
> We are suffering from a few problems :
> - when one of the 2 DC servers fails, samba will not fail over to the second
> DC server quickly enough for the users' comfort. Has anyone faced the same
> problem ? ( we have no SRV records )
> The solution relies entirely on samba config + dns failovers, so I'm not
> hoping for a solution on this mailing list. Just other users' feedback.
>
> - As a workaround, I would like to increase the value of the
> authenticate-ip-shortcircuit-ttl parameter. It is currently at 300
> seconds, I would put it at 36000 seconds (10 hours). So the NTLM
> authentication would really only happen once a working day.
> What would be the drawbacks ? Is such a value reasonable technically ?
> ( memory buffers will handle this correctly ?)

It's a controlled security breach. You are effectively setting that the IP
address (from any machine) is to be assumed as logged in with the initial
user's credentials. This assumption remains active until the end of the
timeout, whether the user has logged off and another sat down at the
machine, or whether the machine is turned off and another has been assigned
the DHCP lease.

Personally, given the choice I'd remove the option entirely from Squid. It
only exists to buffer problems caused by the design of NTLM.

>
> - wbinfo has stopped working twice in two months. (I will tackle this
> topic with samba support).
> Again , anyone else seeing such behavior ?
> An excerpt of the cache log :
> Could not get groups for user dotdot
> 2010/04/28 23:47:39| AuthenticateNTLMHandleReply: Helper '0x96b4c90' crashed!.
> 2010/04/28 23:47:39| assertion failed: helper.c:332: "!srv->request"
> 2010/04/28 23:47:47| Starting Squid Cache version 2.7.STABLE7 for i686-pc-linux-gnu...
> Is this normal that Squid should restart on such a problem ? (just
> wondering).

Restart kills all stored authentication credentials and makes Squid
re-check all requests with the backend. NTLM requires several handshake
HTTP requests to go through for a backend check. This means Squid has to
reject the given end-process NTLM tokens and fetch new initial tokens from
the browser after a restart.

The NTLM backend is also known for its low limit on parallel connections
processed, which compounds this type of issue.

>
> Finally, would another authentication means to AD be more reliable ?
> Kerberos maybe ?

Yes. Kerberos uses a stronger encryption type and does away with most of
the handshake portion of NTLM. So Squid is able to do a less intrusive
re-check of the tokens after a restart or reconfigure. Also the backends,
so far as I know, have not had the same connection limits reported that
NTLM suffers from.

Additionally, NTLM has been officially deprecated by Microsoft along with
Windows XP and is not supported by their Windows 7 and later software.
Kerberos is the model they are moving to.

Amos
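The misattribution window Amos describes can be made concrete with a small model of the per-IP short-circuit cache. This is an added example, not code from the thread or from Squid itself; the cache layout, the timeline (alice authenticates, her DHCP lease later moves to bob's machine) and the timestamps are constructed assumptions, and the model only captures the TTL behaviour, not Squid's real data structures.

```python
"""Model of the per-IP authentication short-circuit cache (constructed).

Shows why a 10-hour authenticate-ip-shortcircuit-ttl lets a second machine
that inherits the same IP be treated as the first user, while a 300-second
TTL has already expired by the time the lease changes hands.
"""


class IpShortcircuitCache:
    """Maps a client IP to the user last authenticated from it, until the TTL expires."""

    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self.entries = {}  # ip -> (username, expires_at)

    def record_login(self, ip: str, user: str, now: int) -> None:
        # A full NTLM handshake succeeded: remember this user for the IP.
        self.entries[ip] = (user, now + self.ttl)

    def lookup(self, ip: str, now: int):
        # Return the cached username, or None when the proxy must re-challenge.
        entry = self.entries.get(ip)
        if entry is None or now >= entry[1]:
            self.entries.pop(ip, None)
            return None
        return entry[0]


def simulate(ttl_seconds: int) -> dict:
    """Replay a constructed timeline and report whom each later request is attributed to.

    t=0:     alice completes NTLM from 10.0.0.5 (assumed address)
    t=1800:  alice's lease has moved to bob's PC, which sends an unauthenticated request
    t=32400: bob's PC sends another request 9 hours in
    Returns {timestamp: attributed username or None}.
    """
    cache = IpShortcircuitCache(ttl_seconds)
    cache.record_login("10.0.0.5", "alice", now=0)
    return {t: cache.lookup("10.0.0.5", now=t) for t in (1800, 32400)}


if __name__ == "__main__":
    for ttl in (300, 36000):
        print(f"ttl={ttl}s -> {simulate(ttl)}")
```

With the 300-second TTL both of bob's requests are re-challenged; with 36000 seconds both are silently logged and authorised as alice.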