Hi,

We use NTLM authentication with Squid in some setups. On those setups the local machine joins Active Directory and the Squid ntlm_auth helper authenticates through the local Samba service. Users transparently authenticate through the NTLM authentication handshake on HTTP without entering any password in their browser.

However, in some cases branch offices have no local Active Directory copy. The branch office is connected to the headquarters through an IPsec VPN. I can join the branch office Samba to the headquarters Active Directory domain and set up NTLM authentication on Squid correctly. This setup has a weakness inherited from high latency, packet loss or some other things that I don't know about Samba. 3-4 times a day users get prompted with a username/password authentication popup in their browser. Sometimes this recovers naturally in a few minutes. However, it requires rejoining the domain in some cases (wbinfo -t gives an error and wbinfo -l cannot list users).

I have made some tunings in Samba:

    getwd cache = yes
    winbind cache time = 3000
    ldap connection timeout = 10
    ldap timeout = 120

This decreased the error rate to 1 per day. Which other tunings can I do on Samba and Squid? I need your experiences.
Best Regards,

squid.conf:

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 20
    auth_param ntlm keep_alive off
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 20
    auth_param basic realm Squid AD Auth
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off

/etc/samba/smb.conf:

    [global]
    netbios name = SQUID
    realm = MY.DOM
    workgroup = my.dom
    security = ads
    encrypt passwords = yes
    password server = 172.16.5.10
    log level = 3
    log file = /var/log/samba.log
    ldap ssl = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = /
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    domain master = no
    local master = no
    preferred master = no
    template shell = /sbin/nologin
    getwd cache = yes
    winbind cache time = 3000
    ldap connection timeout = 10
    ldap timeout = 120

/etc/krb5.conf:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = MY.DOM
    default_tkt_enctypes = rc4-hmac des-cbc-crc
    default_tgs_enctypes = rc4-hmac des-cbc-crc
    # dns_lookup_realm = false
    # dns_lookup_kdc = false
    dns_lookup_realm = false
    dns_lookup_kdc = false

    [realms]
    MY.DOM = {
        kdc = 172.16.5.10
        admin_server = 172.16.5.10
        default_domain = MY.DOM
    }

    [domain_realm]
    .ronesans.hol = MY.DOM
    ronesans.hol = MY.DOM

--
Oguz YILMAZ
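The failure mode described in the post (wbinfo -t starting to fail, users suddenly seeing password prompts) can at least be caught and logged before users notice. The following watchdog is an added example, not part of the original message or of Samba/Squid; it assumes wbinfo is on the PATH, that a consecutive-failure counter in a state file is acceptable, and that restarting winbindd (command supplied via RESTART_CMD) is the recovery step you want after MAX_FAILURES bad checks.

```shell
#!/bin/sh
# Winbind health watchdog for a Squid ntlm_auth setup (added example).
# Run it from cron every minute as winbind-watchdog.sh; all knobs are
# overridable through the environment so the functions can be tested.
WBINFO="${WBINFO:-wbinfo}"                                 # assumption: wbinfo on PATH
MAX_FAILURES="${MAX_FAILURES:-3}"                          # consecutive failures before recovery
STATE_FILE="${STATE_FILE:-/var/run/winbind-watchdog.fails}" # hypothetical counter file
RESTART_CMD="${RESTART_CMD:-service winbind restart}"      # assumption: chosen recovery step

log_msg() {
    # syslog when logger exists, always stderr so cron mail shows it too
    if command -v logger >/dev/null 2>&1; then logger -t winbind-watchdog "$1"; fi
    echo "winbind-watchdog: $1" >&2
}

# 0 when winbindd answers (-p) and the machine trust secret is valid (-t),
# which are exactly the checks that fail in the situation described above.
check_winbind() {
    "$WBINFO" -p >/dev/null 2>&1 || { log_msg "winbindd not responding (wbinfo -p)"; return 1; }
    "$WBINFO" -t >/dev/null 2>&1 || { log_msg "trust secret check failed (wbinfo -t)"; return 1; }
    return 0
}

read_failures() { if [ -s "$STATE_FILE" ]; then cat "$STATE_FILE"; else echo 0; fi; }
write_failures() { echo "$1" > "$STATE_FILE"; }

# One watchdog round. Returns 0 healthy, 1 failure counted, 2 recovery triggered.
watchdog_round() {
    if check_winbind; then
        write_failures 0
        return 0
    fi
    fails=$(( $(read_failures) + 1 ))
    if [ "$fails" -ge "$MAX_FAILURES" ]; then
        log_msg "unhealthy $fails times in a row, running: $RESTART_CMD"
        sh -c "$RESTART_CMD"
        write_failures 0
        return 2
    fi
    write_failures "$fails"
    return 1
}

# Only act when executed as the watchdog script itself, not when sourced.
case "$(basename "$0")" in winbind-watchdog.sh) watchdog_round ;; esac
```

A rejoin is still a manual step; the point of the counter is that a single slow check over the VPN does not trigger a restart, while a sustained trust failure shows up in syslog with a timestamp you can correlate against VPN logs.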