Jason Haar wrote:
> Elvar wrote:
>
>> Yes, Squid comes with its own NTLM AUTH mechanism but it does not support the --require-membership option which allows me to force users to be a part of a specific "internet access" group. That's why I'm using winbindd.
>
> This isn't the trusted domain issue that showed up about a month ago, is it? i.e. do you have trusted domains where their domain controllers are some distance away over a WAN link?
>
> You don't mention it explicitly, but I'm guessing you're using NTLM proxy authentication? As such it means Squid (and winbind for that matter) cannot cache any of the authentication requests - they all must go through to the backend domain controllers. And if they are remote (i.e. high latency compared with LAN-connected DCs), Squid and winbind will spend more and more resources tracking outstanding authentication requests. e.g. a single Web page may contain 10+ images - that's 11 auth attempts - and with NTLM that means 33 HTTP transactions - for one Web page! If you have just a handful of users from remote domains, they will swallow a disproportionate amount of your authentication resources. There's a bit of HTTP/1.1 Keepalive reuse that speeds things up - but effectively it's a cow.
>
> If you can stomach the lack of encryption, go back to Basic proxy authentication - squid can cache the hell out of that! I bet you'll find all your problems disappear.


I meant to respond to this a long time ago and I'm sorry for the delay. Yes, I'm using NTLM to authenticate the users to Active Directory, requiring specific group membership. If the users don't belong to the group "Internet Access" they are denied. I can stomach the lack of encryption, but with basic proxy auth can they still authenticate to AD?


Kind regards,
Elvar
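As an added illustration of the trade-off Jason describes (not a configuration posted in this thread), the two squid.conf fragments below show the NTLM helper setup that winbindd has to service on every object fetched, beside the Basic setup that Squid can cache. Both use Samba's ntlm_auth helper with --require-membership-of, which is ntlm_auth's actual spelling of the --require-membership option mentioned above. The helper path, the domain name EXAMPLE, the child counts, the TTL and the group SID are assumptions; the group SID is a placeholder to be replaced with the real value (wbinfo --name-to-sid "EXAMPLE\Internet Access" prints it).

```conf
# Added example, not from the thread. Assumes Samba's ntlm_auth at
# /usr/bin/ntlm_auth, a domain called EXAMPLE, and the thread's
# "Internet Access" group. The SID below is a PLACEHOLDER: look the
# real one up with   wbinfo --name-to-sid "EXAMPLE\Internet Access"
# (a SID avoids the space in the group name on the program line).

## (a) NTLM proxy authentication. Each request completes a three-leg
##     challenge/response that Squid cannot cache, so every object on
##     a page (the 11 auth attempts / 33 HTTP transactions in the
##     thread) is handed to winbindd and on to a domain controller.
##     Many helper children are needed just to hold the in-flight
##     handshakes when the DCs are on the far side of a WAN link.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-PLACEHOLDER-1234
auth_param ntlm children 30

## (b) Basic proxy authentication against the same AD group, via the
##     same helper. Squid remembers a successful username/password
##     check for credentialsttl, so winbindd sees roughly one request
##     per user per TTL instead of one per object. The cost is the one
##     Jason names: Basic carries the password base64-encoded, i.e. in
##     the clear, on every request, so it belongs only on a trusted LAN.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-5-21-PLACEHOLDER-1234
auth_param basic children 5
auth_param basic realm Internet access (AD account required)
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

## Common access control: only users the helper accepted (and who are
## therefore in the group) may browse; everyone else is denied.
acl AuthUsers proxy_auth REQUIRED
http_access allow AuthUsers
http_access deny all
```

If both auth_param blocks are left in place Squid offers both schemes and the browser chooses, and Internet Explorer picks NTLM whenever it is offered; to actually move the load off winbindd the ntlm lines have to go, leaving only the basic ones. The membership check happens inside ntlm_auth either way, so the group restriction survives the change of scheme.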
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba