Re: [squid-users] R: [squid-users] Problems authenticator on huge systems

From: Luis Daniel Lucio Quiroz <luis.daniel.lucio_at_gmail.com>
Date: Thu, 13 Oct 2011 11:58:43 -0500

2011/10/13 Job <Job_at_colliniconsulting.it>:
> Hello Luis,
> nice reply, first of all, very very interesting...
>
> I noticed in 3.1.8 it seems I cannot place the credentialsttl directive; I can only - in the ntlm schema - insert this: auth_param ntlm keep_alive on.
>
> Is it right? I read it could give some incompatibility problems with IE.
>
> Are there some other parameters to put, in the ntlm schema, 5-minutes cache?
>
> Thank you again,
> Francesco
>
> ________________________________________
> From: Luis Daniel Lucio Quiroz [luis.daniel.lucio_at_gmail.com]
> Sent: Thursday, 13 October 2011 15:49
> To: frantz_at_itcserra.net
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Problems authenticator on huge systems
>
> 2011/10/13 Francesco <frantz_at_itcserra.net>:
>> Hello,
>>
>> in a proxy server with some hundreds of users, I experience temporary
>> problems with ntlm authentication; Squid says access deny for some
>> minutes, then everything returns working without any actions.
>>
>> In cache.log I noticed these errors:
>> AuthNTLMUserRequest::authenticate: attempt to perform authentication
>> without a connection!
>>
>> I raised up the per-process max open files to 4096; do you think I am low
>> of authenticator process (200)?
>> Could it be this the problem?
>>
>> I have no cache on ntlm auth helper...
>>
>> Thank you,
>> Francesco
>>
>
> HELO Francesco,
>
> My first thought is you shall consider a ntlm cache, about 5 minutes.
> The fact is that NTLM authentication does not work as basic
> authentication. I mean, in basic authentication, once the browser
> sends credentials, it always sends credentials each time without
> requesting them again. In ntlm, to my understanding, it is quite
> different: browsers after a lapse of time will stop sending
> credentials (the hash). So a cache will really offload the samba/AD
> you are forwarding auth requests.
>
> Taking as a reference your message, and without other evidence, I
> guess the problem is not between browser-squid, it could be
> squid-ad/samba.
>
> LD
> http://www.twitter.com/ldlq

Give a read here

http://www.squid-cache.org/Versions/v3/3.1/cfgman/authenticate_ttl.html

This may help you,

Please avoid top-posting, it is very hard to follow the conversation.

LD
http://www.twitter.com/ldlq
Received on Thu Oct 13 2011 - 16:58:50 MDT
