On 24/03/2011 14:45, Amos Jeffries wrote:
On 24/03/11 22:56, Francisco José Márquez Gómez wrote:
Hi friends,
I'm suffering a speed problem when I use NTLM to authenticate users. If I use
basic auth, all works fine and web pages load almost instantaneously, but
when I enable NTLM, the same web pages can take 10-30 seconds to load....
NTLM is designed to take 2x the HTTP traffic just to authenticate.
With older Squid such as yours the connections are often closed very
fast and every re-open has to re-authenticate from scratch.
Turning persistent connections ON can reduce the load a bit. This is
not perfect in older squid, just a reduction.
Are you referring to the option "auth_param ntlm keep_alive on"? Does
this option work better in recent versions?
(...)
I've used this guide to set up my server:
-----------------------------------------------------
http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5
My only changes to squid.conf are these:
--------------------------------------------------------------
cache_effective_group wbpriv
Setting "cache_effective_group" causes problems with winbind.
In order for Squid and winbind to operate well together this
directive must not be set.
I see that this is a RHEL package. RHEL patches the
cache_effective_group setting to always have a value, which prevents
your OS security from assigning a proxy group for web access AND a
winbind_priv group for winbind access.
SOLUTION: self-build a squid without that RHEL patch.
Then on the command line add the Squid low-privilege user to the
winbind privileges group. Details are here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions
(mind the wrap)
I will try it. I had to set up a cache_effective_group because I was
having a permission problem with pipe access and this was the only
option that worked. Maybe the RHEL patch was the cause.
(...)
Can somebody help me?? It is mandatory for me to remove the stupid
authentication popup which all browsers show for proxy authentication.
Removing the popup is not possible. As you have seen even NTLM can do
popups. This is because the popup is a browser feature to fetch
credentials when it cannot find any working local ones.
"Single sign-on" works for any auth method. It only requires that the
browser have access to the credentials.
That said the popups are seen with NTLM due to:
1) the browser cannot retrieve NTLM login credentials from the system.
2) the credentials the system gave the browser cannot be validated by
Squid.
3) some older squid had bugs which would reject good credentials (rare)
Winbind privilege problems are a likely reason for (2). That wiki page
I referenced has a section on testing the setup. Try all that to see
if you can confirm the problem cause.
Incorrect client system configuration is the reason for (1).
(3) is relatively rare, but could be noticed particularly if many
requests were opened simultaneously, since it bites on double-auth
while squid is waiting for an auth response.
Yes, the popup is a browser feature to fetch credentials, but the only
method I know to get "single sign-on" (contrary to what you said) is to
use NTLM (as you say, there are some scenarios where it fails, but until now
I haven't had those problems). My browsers (Firefox or IE) always show a
popup on first open if I use basic authentication in squid. I don't
understand why the browsers don't offer an option to save AND use the
credentials transparently in basic mode, but that is how it is and this is why I
want to use NTLM.
The first popup when I open the browser is a minor problem. The problem
is that many times web applications open a new window, or an applet
requires pressing the accept button of a new authentication popup.
This stupid scenario is caused by browsers, but I don't know any way
to fix it other than implementing NTLM.
Prior to squid we were using MS ISA server, and now users are
constantly crying because their browsers show authentication popups each
time they open them...
This behaviour (*one* popup on a new browser session) indicates that
the users' OS is not giving their browser their current machine login
to use for accessing the proxy. (1) above.
This behaviour only happens when I use basic authentication in squid. And
if I check the box in the browser to save credentials, the popup is shown
with the username and password written in it and I only need to press enter, but the
problem is that the popup is shown. It is annoying. If I enable NTLM this
doesn't happen, so I need to use NTLM, but my problem is the speed.
FWIW;
Microsoft wrote both the NTLM specs and the ISA proxy. Other software is
still trying to catch up and cope with their designs. We mostly have
the browser behaviour as a known thing. There are still issues with
things that non-browser Microsoft software does when talking to proxies.
To have a closely comparable Squid vs ISA experience you will need
Squid-3.1.10 or later.
I will try it. Thank you.
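To put numbers on the cost Amos describes (NTLM is a per-connection handshake that is redone every time the browser reopens a connection, while Basic is stateless), here is a small model added to this thread; it is not code from the thread, from Squid or from any browser, and the browser behaviour it assumes (sending credentials pre-emptively once it has learned the proxy's scheme) is a simplification.

```python
BASIC, NTLM = "basic", "ntlm"


class Proxy:
    """Toy authenticating proxy. Basic: credentials are checked on every
    request. NTLM: Type1 -> 407 carrying the Type2 challenge -> Type3 -> 200,
    after which the *connection* is authenticated and needs no credentials."""

    def __init__(self, scheme):
        self.scheme = scheme
        self.state = {}  # connection id -> "challenged" | "authenticated"

    def handle(self, conn, auth):
        if self.scheme == BASIC:
            return 200 if auth == "Basic creds" else 407
        if self.state.get(conn) == "authenticated":
            return 200
        if auth == "NTLM type1":
            self.state[conn] = "challenged"
            return 407
        if auth == "NTLM type3" and self.state.get(conn) == "challenged":
            self.state[conn] = "authenticated"
            return 200
        return 407


def count_round_trips(scheme, n_requests, n_connections=1, persistent=True):
    """HTTP round trips needed to complete n_requests. Persistent: requests are
    spread over a pool of n_connections that stay open. Non-persistent: every
    request reopens a connection and the proxy forgets its auth state."""
    proxy, trips, learned, authed = Proxy(scheme), 0, None, set()
    for i in range(n_requests):
        conn = i % n_connections if persistent else n_connections + i
        # Browser model (assumption): once it knows the scheme it sends Basic
        # creds / NTLM Type1 pre-emptively, nothing on an authenticated conn.
        auth = (None if conn in authed or learned is None
                else "Basic creds" if learned == BASIC else "NTLM type1")
        for _ in range(4):  # a full NTLM handshake is 3 exchanges
            trips += 1
            if proxy.handle(conn, auth) == 200:
                break
            learned = scheme
            auth = ("Basic creds" if scheme == BASIC
                    else {None: "NTLM type1", "NTLM type1": "NTLM type3"}.get(auth))
        else:
            raise RuntimeError("authentication did not converge")
        if scheme == NTLM:
            authed.add(conn)
    return trips
```

With 10 objects, Basic costs 11 round trips in either mode, NTLM costs 12 on one persistent connection (15 on a pool of 4, since each connection handshakes once) and 21 when every request reopens.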