Re: The Famous "NTLMSSP command 3, expected 1"


 



On 20/04/11 01:20, Go Wow wrote:
I'm a complete noob in this. How do I set the below setting?

Ensure that persistent connections are ON to clients (default in 3.1).
That will have the biggest impact.


In 3.0 and older:
 client_persistent_connections on

In 3.1 ensure that the directive is not set anywhere in squid.conf.


On 19 April 2011 17:17, Amos Jeffries wrote:
On 20/04/11 01:04, Go Wow wrote:

I have seen the increasing the number of auth children decreases the
error in cache.log. What is the optimal amount of children that we
should use, supposing squid is serving 500 users.

I will try your suggestions and inform you.


Hmm, that sounds like it may actually be NTLM, but failing some other way.

Number of auth children has a max of 256 connections to the DC. Each child
will consume one.
  If you have much RAM used by Squid there are also sometimes limits to how
many children it can spawn/fork before you get out-of-memory problems.

Ensure that persistent connections are ON to clients (default in 3.1). That
will have the biggest impact.


Regards

On 19 April 2011 16:50, Amos Jeffries wrote:

On 19/04/11 23:54, Go Wow wrote:

Hi,

I meant 3.1.11

How do I check which user-agent is giving this issue? As I told 70%
people use IE here (different versions) some use IE 8, IE 7 and IE 6.
20-25% use firefox 3.6 or firefox 4 and rest use google chrome.

It may be in your logs as a client which gets a lot of NTLM denials.

If not, adding a log to record which agents are failing is easy:

  logformat agentTokens %{Proxy-Authorization}>h "%{User-Agent}>h"

(mind the wrap that is one line)

  acl failedAuth http_status 407
  access_log /some/file.log agentTokens failedAuth

This logs the auth tokens and user-agents sending them. One of the tokens
should appear in cache.log next to the error message.


Can you please point me to some doc to use that negotiate wrapper. I
tried squid_kerb_auth and failed miserably and I'm not planning to go
near it until my squid is stable.

I have made a GPO for all users to use NTLM as preferred auth method,
let's see if that makes a difference. I did it by adding
"LmCompatibilityLevel" to "1" in registry.

"1" is not a good value for that. Probably "4" is what you need. "5" if
possible.

see this for what each level apparently means:


http://technet.microsoft.com/en-nz/magazine/2006.08.securitywatch%28en-us%29.aspx

It seems to be an old article, so things may have changed a little. I'm not
sure how Kerberos integrates with those for example in IE 7/8.


Cheers

On 19 April 2011 14:08, Amos Jeffries wrote:

On 19/04/11 20:09, Go Wow wrote:

Hi,

I use NTLM to authenticate my AD users with Squid 3.11. My cache logs

You mean 3.1.1? We are only up to 3.2 series so far.

have these entries at random times. I know that the client is sending
a kerberos reply instead of NTLM auth. I want to know whether
something can be done about this or not.

libsmb/ntlmssp.c:335(ntlmssp_update)  got NTLMSSP command 3, expected 1

I tried moving to Kerberos but it didn't work for me. My client environment
is IE 8, Chrome and Firefox 3.6 or 4

For the record which User-Agent is broken and sending Kerberos when offered
NTLM? and are you offering Negotiate?

The new negotiate_wrapper helper from Markus Moeller may help. We have
tested it of use in "auth_param negotiate", but I'm not sure of the effect
if it's used in "auth_param ntlm".

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
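
An added example, not part of the original thread or of Squid: a Python sketch that reads lines written by the agentTokens log format discussed above and reports, per User-Agent, what each auth blob carries (the NTLMSSP message type that cache.log calls "command", or a GSS-API/Kerberos token). It assumes the first field is the client's Proxy-Authorization value, possibly URL-escaped by Squid; the function names and the sample lines are constructed for illustration.

```python
import base64
import re
import struct
from collections import Counter
from urllib.parse import unquote

NTLM_SIG = b"NTLMSSP\x00"
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # OID 1.2.840.113554.1.2.2
LINE_RE = re.compile(r'^(?P<auth>.+?)\s+"(?P<ua>.*)"\s*$')

def classify_token(header_value):
    """Label one Proxy-Authorization value by the blob it carries."""
    # Assumption: Squid may URL-escape the unquoted field (space -> %20).
    scheme, _, blob = unquote(header_value).partition(" ")
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return f"{scheme}: undecodable"
    if raw.startswith(NTLM_SIG) and len(raw) >= 12:
        # Bytes 8..11 hold the little-endian message type (1, 2 or 3).
        return f"{scheme}: NTLMSSP type {struct.unpack_from('<I', raw, 8)[0]}"
    if raw[:1] == b"\x60":  # ASN.1 application tag that opens a GSS-API token
        if KRB5_OID in raw:
            return f"{scheme}: GSS-API Kerberos"
        if NTLM_SIG in raw:
            return f"{scheme}: GSS-API wrapped NTLMSSP"
        return f"{scheme}: GSS-API other"
    return f"{scheme}: unrecognised"

def summarise(lines):
    """Count (user-agent, token label) pairs over agentTokens log lines."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[(m["ua"], classify_token(m["auth"]))] += 1
    return counts

def ntlm_sample(msg_type):  # constructed, truncated NTLMSSP message
    raw = NTLM_SIG + struct.pack("<I", msg_type) + b"\x00" * 8
    return base64.b64encode(raw).decode()

# Constructed sample lines, not taken from a real log.
KRB = base64.b64encode(b"\x60\x82\x01\x00" + KRB5_OID + b"\x01\x00").decode()
SAMPLE = [
    f'NTLM%20{ntlm_sample(1)} "Mozilla/5.0 Firefox/3.6"',
    f'NTLM%20{ntlm_sample(3)} "Mozilla/4.0 (compatible; MSIE 8.0)"',
    f'NTLM {ntlm_sample(3)} "Mozilla/4.0 (compatible; MSIE 8.0)"',
    f'Negotiate%20{KRB} "Mozilla/4.0 (compatible; MSIE 8.0)"',
]

if __name__ == "__main__":
    for (ua, label), n in summarise(SAMPLE).most_common():
        print(f"{n:3d}  {label:32s} {ua}")
```

The log written this way contains authentication material, so keep the file readable only by the proxy administrator and remove it once the failing agent is identified.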

