On Tue, 1 Nov 2011 11:53:34 +0200, Oguz Yilmaz wrote:
Hi,

We use NTLM authentication with Squid in some setups. On those setups the
local machine joins Active Directory and the Squid ntlm_auth helper
authenticates through the local Samba service. Users transparently
authenticate through the NTLM authentication handshake over HTTP without
entering any password in their browser.

However, in some cases branch offices have no local Active Directory
copy. The branch office is connected to the headquarters through an IPsec
VPN. I can join the branch office Samba to the headquarters Active
Directory domain and set up NTLM authentication on Squid correctly.

This setup has a weakness inherited from high latency, packet loss or
some other things that I don't know about Samba. 3-4 times a day
users get prompted with a user name/password authentication popup in
their browser. Sometimes this recovers naturally in a few minutes.
However, it requires rejoining the domain in some cases. (wbinfo -t
gives an error and wbinfo -l cannot list users.)

I have made some tunings in Samba:

   getwd cache = yes
   winbind cache time = 3000
   ldap connection timeout = 10
   ldap timeout = 120

This decreased error rate to 1 per day.

Which other tunings can I do on Samba and Squid? I need your experiences.

Firstly, the validation lag is internal to the authentication system, which consists of the helper and everything it does and uses. There is nothing Squid can do about the auth system's internal lag, as indicated by the fact that tweaking Samba resolved a lot of the problem.


There are a few workarounds to reduce the validations done by Squid though.

Firstly and most preferred is to move to Negotiate/Kerberos authentication. It is more than twice as efficient as NTLM and offers modern security algorithms for much higher security.


NTLM authentication handshake is done once per TCP connection, and applies only to that connection. So credentials can only be "cached" for as long as that TCP connection is active/persisting.

Which should indicate what the fix is:
Get persistent connections to the clients staying up as long as possible. At present that means you need the latest HTTP/1.1-supporting Squid to maximize keep-alive feature compliance. I recommend 3.2.0.8 if you are able, otherwise the latest 3.1 series, or 2.7.STABLE9 (in that order of preference). Avoid 3.0, 2.6 and older Squid series.


Best Regards,


squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive off

keep_alive ON.


Also check:
 client_persistent_connections ON



auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 20
auth_param basic realm Squid AD Auth
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off


Basic is checked once per request, with credentialsttl being how often the backend gets checked for updates to the yes/no answer. You may be able to extend the credentialsttl longer for fewer backend checks. The impact of this tweak depends on how much of the client software is failing to support NTLM and choosing Basic though.

Amos
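The settings recommended in the reply above, collected into one squid.conf fragment as an added example; this is not configuration from the original thread or from the Squid project. It assumes Squid 3.2 directive syntax and helper names (Samba's /usr/bin/ntlm_auth, Squid's negotiate_kerberos_auth under /usr/lib/squid/), and the proxy hostname, Kerberos realm and "branch" naming are placeholders. The persistent_request_timeout line is my own addition that follows from the "keep client connections up as long as possible" advice, not something stated in the reply.

```conf
# Added example, not from the original thread. Squid 3.2 syntax assumed; helper
# paths, hostname and realm (EXAMPLE.COM) are placeholders.

# --- Before: NTLM only, client connection closed after the first challenge ---
# auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
# auth_param ntlm children 20
# auth_param ntlm keep_alive off
# Every new TCP connection redoes the NTLM handshake through winbind, so each
# winbind/LDAP stall over the VPN shows up as a browser password prompt.

# --- After ---
# 1. Negotiate/Kerberos offered first (schemes are offered in the order they
#    are configured). Clients holding a ticket are verified locally against the
#    proxy's keytab and never go through winbind. Assumes a keytab for the
#    placeholder SPN below has been created with "net ads keytab" or ktpass.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.branch.example.com@EXAMPLE.COM
auth_param negotiate children 20 startup=5 idle=2
auth_param negotiate keep_alive on

# 2. NTLM fallback for clients without a ticket. keep_alive on keeps the client
#    connection open across the challenge so the handshake completes on one
#    connection, and the result is then reused for that connection's lifetime.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20 startup=5 idle=2
auth_param ntlm keep_alive on

# 3. Basic as the last resort. credentialsttl is how long a yes/no answer is
#    cached before the helper (and winbind) is asked again for that user.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 20 startup=5 idle=2
auth_param basic realm Squid AD Auth
auth_param basic credentialsttl 8 hours
auth_param basic casesensitive off

# 4. Make client connections persist, so the per-connection NTLM result lives
#    as long as possible. persistent_request_timeout raises the idle wait for
#    the next request on a client pconn above its 2 minute default (assumption:
#    3.2 default value).
client_persistent_connections on
persistent_request_timeout 10 minutes

# 5. Require authentication for proxy access.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

With this ordering a browser that can reach the domain controller over the VPN for a service ticket never exercises winbind on the proxy at all, so the winbind stalls the original post describes only affect clients that fall back to NTLM or Basic. A `squid -k parse` run before reloading catches directive or helper-path mistakes in the fragment.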
