On 21/08/2016 1:34 a.m., David Webb wrote:
>
> I'm currently using the binary version of squid provided by yum with
> RHEL 7.2 (3.3.8) with Samba 4's winbind ntlm_auth to authenticate
> against AD which is working fine
>
> auth_param negotiate program /usr/bin/ntlm_auth
> --helper-protocol=gss-spnego
> auth_param negotiate children 250 startup=2 idle=1
> auth_param negotiate keep_alive off
> #
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 250 startup=2 idle=1
> auth_param ntlm keep_alive off
> #
>
> However I'm wondering if I can reduce the number of ntlm_auth processes
> created by introducing some concurrency.
>
> I've seen mention of helper-mux.pl but from what I've seen on the web
> I'm not sure if this will work with negotiate and ntlm.
> Also it looks like in the future with Squid 4 helper-mux.pl is being
> retired.

Should not be. The use cases and need for it still exist. The way it
works needs to be completely different for the new ID numbering scheme,
is all. So the Squid-3 version of the helper is not forward-compatible.

The Squid-4 helper should work** in any Squid version still. If it's not
working, that is a bug in Squid-4 we want to hear about.

** except on Logging, pinger, NTLM and Negotiate helper interfaces.

> I've also seen some mention of Samba 4 building in some concurrency
> itself into ntlm_auth but I'm not sure that this is fully supported.
>
> So my question is what is the current state of play for squid 3.x (and
> upcoming squid 4) with respect to negotiate and ntlm concurrency with
> samba4 ?

Squid does not support concurrency in the NTLM and Negotiate helper API
lookups. The helpers apparently do, but Squid won't do it. Not even
enough to experiment with yet.

NTLM has been deprecated for 10 years now (as of this month IIRC). You
should really not have many (or any) Windows 95/98/2k clients needing to
use it. Yes, even XP supports Kerberos.

The only way to reduce load with NTLM is to enable persistent HTTP
connections to clients (and servers where possible) - unrelated to that
"keep_alive off" setting. The more requests your clients can make on a
single connection without having to re-authenticate from scratch, the
better. This also helps with Kerberos auth load as they upgrade.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
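As an added illustration (not a configuration posted by David or Amos, and not part of the Squid project's documentation), here is a squid.conf fragment that puts Amos's advice next to David's helper lines: the two ntlm_auth helpers are kept exactly as posted, with no concurrency= option because Squid does not do concurrent lookups on the NTLM and Negotiate helper interfaces, and persistent connections are switched on explicitly so that one authenticated connection carries many requests. The idle timeout values and the acl/http_access lines are assumptions chosen for the example.

```conf
# Added example, not the original poster's or the reply author's config.

# NTLM and Negotiate helpers as posted. Deliberately no concurrency=N here:
# Squid does not support concurrent lookups for these two schemes, so the
# only knobs that matter are children, startup and idle.
auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
auth_param negotiate children 250 startup=2 idle=1
auth_param negotiate keep_alive off

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 250 startup=2 idle=1
auth_param ntlm keep_alive off

# NTLM and Negotiate authenticate the TCP connection rather than each
# request, so every client connection that stays open is one handshake
# (and one round of helper lookups) avoided. Both directives default to
# "on"; they are set explicitly so an "off" elsewhere in the file cannot
# quietly disable them.
client_persistent_connections on
server_persistent_connections on

# How long an idle persistent connection is held before Squid closes it.
# These are the Squid 3.2+ directive names; the values below are
# assumptions for this example (Squid's defaults are 2 and 1 minutes).
client_idle_pconn_timeout 5 minutes
server_idle_pconn_timeout 1 minute

# Require authentication for everything (acl name is an assumption).
acl authed proxy_auth REQUIRED
http_access allow authed
http_access deny all
```

After reloading, confirm that clients really are reusing connections rather than re-authenticating: a client that shows a fresh 407 challenge on every request is not benefiting, and the helper process count will stay high regardless of these settings.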