Re: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-20 Thread Amos Jeffries

Henrik Nordstrom wrote:

On ons, 2008-11-19 at 19:39 +0100, [EMAIL PROTECTED] wrote:


auth_param ntlm ttl

do you advise using it because I do not find any reference on it on

squid configuration guide website.
you spoke about ttl parameter .. do you advise using it ??


Not sure who spoke about an auth_param ntlm ttl parameter, but there is
no such parameter.

The ntlm scheme only has three parameters

  program

  children

  keep_alive

there the first (program) specifies the helper to use, the second
(children) needs to be tuned to at least fit your load or there will be
issues with rejected access or sporadic authentication prompts, and the
third is a minor optimization.


I mentioned authenticate_ttl as a general possibility to be looked at.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2


RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-19 Thread vincent.blondel
 
 Before digging deep into OS settings check your squid.conf auth,
acl
 and
 http_access settings.
 
 okay let's go concerning auth part of the squid.conf, I would like
to
 say, nothing special .. below the ntlm config part
 
 auth_param ntlm program /usr/local/bin/ntlm_auth
 --helper-protocol=squid-2.5-ntlmssp
 auth_param ntlm children 128
 auth_param ntlm keep_alive on
 acl ntlmauth proxy_auth REQUIRED
 ...
 http_access allow ntlmauth all
 http_reply_access allow all
 http_access deny all
 deny_info TCP_RESET all
 

Hmm, what those lines do is:
  - test the request for auth details (allow ntlmauth),
  - if correct details found, allow (allow ntlmauth all).
  - if none are found, or bad details ignore (allow ntlmauth all)
  - but send a RESET on the TCP link (deny all + TCP_RESET)

something I tried last week to see if it could solve my problem.


The clients will never get any correction when auth details are
invalid. 
They will just get a completely new session, the browser will try to 
resend the same broken details until it gives up and re-asks the user.


The 'all' silencing hack is intended for situations where auth may be 
the preferred methods of access, but an alternative exists and can be 
taken easily when it fails. It prevents the browser being notified
when 
credentials are wrong.

Does it work if you make that line just: http_access allow ntlmauth

indeed seems also working, if no valid credential 'cache access denied'
otherwise goes to internet.

as announced in my previous mails, I migrated all my proxies servers
last night. this ran fine and the packages are running well.
I updated access ntlm rule by removing 'all' at the end of the line but
this does not change anything except it happened at most 37 times on one
of the proxies. I got this more than 100 times a day before.

so can I still try something else ?


does it change the internal squid behaviour by removing all ??


 Check the TTL settings on your auth config. If it's not long enough
 squid
 will re-auth between request and reply.
 
 not really sure to understand what setting you are speaking about ??
 

auth_param ntlm ttl

do you advise using it because I do not find any reference on it on
squid configuration guide website.


you spoke about ttl parameter .. do you advise using it ??



-
ATTENTION:
The information in this electronic mail message is private and
confidential, and only intended for the addressee. Should you
receive this message by mistake, you are hereby notified that
any disclosure, reproduction, distribution or use of this
message is strictly prohibited. Please inform the sender by
reply transmission and delete the message without copying or
opening it.

Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the
files have NOT been scanned for viruses by the ING mail domain.
Always scan attachments before opening them.
-




RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-19 Thread Henrik Nordstrom
On ons, 2008-11-19 at 19:39 +0100, [EMAIL PROTECTED] wrote:

 auth_param ntlm ttl
 
 do you advise using it because I do not find any reference on it on
 squid configuration guide website.
 
 
 you spoke about ttl parameter .. do you advise using it ??

Not sure who spoke about an auth_param ntlm ttl parameter, but there is
no such parameter.

The ntlm scheme only has three parameters

  program

  children

  keep_alive

there the first (program) specifies the helper to use, the second
(children) needs to be tuned to at least fit your load or there will be
issues with rejected access or sporadic authentication prompts, and the
third is a minor optimization.

Regards
Henrik




RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-19 Thread vincent.blondel
 
 auth_param ntlm ttl
 
 do you advise using it because I do not find any reference on it on
 squid configuration guide website.
 
 
 you spoke about ttl parameter .. do you advise using it ??

Not sure who spoke about an auth_param ntlm ttl parameter, but there is
no such parameter.

The ntlm scheme only has three parameters

  program

  children

  keep_alive

there the first (program) specifies the helper to use, the second
(children) needs to be tuned to at least fit your load or there will be
issues with rejected access or sporadic authentication prompts, and the
third is a minor optimization.


okay but I already get 128 ntlm_auth processes running .. is this enough
for a load of 250 req/sec ??

on the other hand, and this is also the meaning of this conversation, it
seems this popup box not always come with some load issues but can
happen for other reasons I totally ignore .. and the way to troubleshoot
this really ?

Regards
Henrik

RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-19 Thread Henrik Nordstrom
On ons, 2008-11-19 at 20:29 +0100, [EMAIL PROTECTED] wrote:

 okay but I already get 128 ntlm_auth processes running .. is this enough
 for a load of 250 req/sec ??

Can't say. Do you get any relevant warnings in cache.log? And what does
cachemgr say about the helper usage?

 on the other hand, and this is also the meaning of this conversation, it
 seems this popup box not always come with some load issues but can
 happen for other reasons I totally ignore .. and the way to troubleshoot
 this really ?

wireshark is a good tool for troubleshooting these issues, combined with
increased logging in Squid.

Regards
Henrik




RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-16 Thread vincent.blondel

 hello all,

 I currently get some sun v210 boxes running solaris 8 and
 squid-2.6.12
 and samba 3.0.20b I will upgrade these proxies into 2.7.4/3.0.32
next
 monday but before doing this I would like to ask you your advices
 and/or
 experiences with tuning these kind of boxes.

 the service is running well today except we regularly get
 authentication
 popup boxes. This is really exasperating our Users. I already
spent
 lot
 of times on the net in the hope finding a clear explanation about
it
 but
 i am still searching. I already configured starting 128 ntlm_auth
 processes on each of my servers. This gives better results but
 problem
 still remains. I also made some patching in my new package I will
 deploy
 next week by overwriting some samba values .. below my little patch ..

 
 first of all, many thanks to enter this discussion in order to help me
 solve my problems ..
 
 Before digging deep into OS settings check your squid.conf auth, acl
 and
 http_access settings.
 
 okay let's go concerning auth part of the squid.conf, I would like to
 say, nothing special .. below the ntlm config part
 
 auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
 auth_param ntlm children 128
 auth_param ntlm keep_alive on
 acl ntlmauth proxy_auth REQUIRED
 ...
 http_access allow ntlmauth all
 http_reply_access allow all
 http_access deny all
 deny_info TCP_RESET all
 

Hmm, what those lines do is:
  - test the request for auth details (allow ntlmauth),
  - if correct details found, allow (allow ntlmauth all).
  - if none are found, or bad details ignore (allow ntlmauth all)
  - but send a RESET on the TCP link (deny all + TCP_RESET)

something I tried last week to see if it could solve my problem.


The clients will never get any correction when auth details are
invalid. 
They will just get a completely new session, the browser will try to 
resend the same broken details until it gives up and re-asks the user.


The 'all' silencing hack is intended for situations where auth may be 
the preferred methods of access, but an alternative exists and can be 
taken easily when it fails. It prevents the browser being notified when

credentials are wrong.

Does it work if you make that line just: http_access allow ntlmauth

indeed seems also working, if no valid credential 'cache access denied'
otherwise goes to internet.

does it change the internal squid behaviour by removing all ??


 Check the TTL settings on your auth config. If it's not long enough
 squid
 will re-auth between request and reply.
 
 not really sure to understand what setting you are speaking about ??
 

auth_param ntlm ttl

do you advise using it because I do not find any reference on it on
squid configuration guide website.


Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.2

RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-14 Thread vincent.blondel


hello all,

I currently get some sun v210 boxes running solaris 8 and
squid-2.6.12
and samba 3.0.20b I will upgrade these proxies into 2.7.4/3.0.32 next
monday but before doing this I would like to ask you your advices
 and/or
experiences with tuning these kind of boxes.

the service is running well today except we regularly get
 authentication
popup boxes. This is really exasperating our Users. I already spent
lot
of times on the net in the hope finding a clear explanation about it
 but
i am still searching. I already configured starting 128 ntlm_auth
processes on each of my servers. This gives better results but
problem
still remains. I also made some patching in my new package I will
 deploy
next week by overwriting some samba values .. below my little patch ..



first of all, many thanks to enter this discussion in order to help me
solve my problems ..

Before digging deep into OS settings check your squid.conf auth, acl
and
http_access settings.

okay let's go concerning auth part of the squid.conf, I would like to
say, nothing special .. below the ntlm config part

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 128
auth_param ntlm keep_alive on
acl ntlmauth proxy_auth REQUIRED
...
http_access allow ntlmauth all
http_reply_access allow all
http_access deny all
deny_info TCP_RESET all

Check the TTL settings on your auth config. If it's not long enough
squid
will re-auth between request and reply.

not really sure to understand what setting you are speaking about ??


For the access controls there are a number of ways they can trigger
authentication popups. %LOGIN passed to external helper, proxy_auth
REQUIRED acl, and an auth ACL being last on an http_access line.


if I understand correctly, you get the requested config line above ..

Also, interception setups hacked with bad flags to (wrongly) permit
auth
can appear working but cause popups on every object request and also
leak
clients credentials to all remote sites that use auth.

what kind of interception are you speaking about ??


Amos

Re: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-14 Thread Amos Jeffries

[EMAIL PROTECTED] wrote:

hello all,

I currently get some sun v210 boxes running solaris 8 and

squid-2.6.12

and samba 3.0.20b I will upgrade these proxies into 2.7.4/3.0.32 next
monday but before doing this I would like to ask you your advices

and/or

experiences with tuning these kind of boxes.

the service is running well today except we regularly get

authentication

popup boxes. This is really exasperating our Users. I already spent

lot

of times on the net in the hope finding a clear explanation about it

but

i am still searching. I already configured starting 128 ntlm_auth
processes on each of my servers. This gives better results but

problem

still remains. I also made some patching in my new package I will

deploy

next week by overwriting some samba values .. below my little patch ..



first of all, many thanks to enter this discussion in order to help me
solve my problems ..


Before digging deep into OS settings check your squid.conf auth, acl

and

http_access settings.


okay let's go concerning auth part of the squid.conf, I would like to
say, nothing special .. below the ntlm config part

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 128
auth_param ntlm keep_alive on
acl ntlmauth proxy_auth REQUIRED
...
http_access allow ntlmauth all
http_reply_access allow all
http_access deny all
deny_info TCP_RESET all



Hmm, what those lines do is:
 - test the request for auth details (allow ntlmauth),
 - if correct details found, allow (allow ntlmauth all).
 - if none are found, or bad details ignore (allow ntlmauth all)
 - but send a RESET on the TCP link (deny all + TCP_RESET)

The clients will never get any correction when auth details are invalid. 
They will just get a completely new session, the browser will try to 
resend the same broken details until it gives up and re-asks the user.



The 'all' silencing hack is intended for situations where auth may be 
the preferred methods of access, but an alternative exists and can be 
taken easily when it fails. It prevents the browser being notified when 
credentials are wrong.


Does it work if you make that line just: http_access allow ntlmauth


Check the TTL settings on your auth config. If it's not long enough

squid

will re-auth between request and reply.


not really sure to understand what setting you are speaking about ??



auth_param ntlm ttl

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2
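A toy model of the evaluation Amos describes above, added here as an illustration and not Squid's own code: it encodes the rule that a proxy_auth ACL only produces a 407 challenge when it is the last ACL on an http_access line, and that `deny_info TCP_RESET` turns the final deny into a connection reset. The ntlm_auth helper is stood in for by a constructed set of accepted usernames (VALID_USERS), the multi-step NTLM handshake is collapsed to one credential check, and AccessLine, Config, evaluate and compare are names chosen for this example.

```python
"""Toy model of Squid http_access evaluation around a proxy_auth ACL.

Added illustration, not Squid source. Two rules from the thread are modelled:
(1) an auth ACL that wants credentials triggers a 407 challenge only when it
is the LAST ACL on an http_access line; (2) a deny whose last ACL carries
deny_info TCP_RESET resets the connection instead of sending an error page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the ntlm_auth helper: usernames it would accept.
VALID_USERS = {"alice", "bob"}


@dataclass
class AccessLine:
    action: str              # "allow" or "deny"
    acls: Tuple[str, ...]    # ACL names, evaluated left to right


@dataclass
class Config:
    http_access: List[AccessLine]
    deny_info: Dict[str, str]   # acl name -> error page name or "TCP_RESET"


def acl_result(name: str, creds: Optional[str]) -> str:
    """Return 'match', 'nomatch' or 'needs_auth' for one ACL."""
    if name == "all":
        return "match"
    if name == "ntlmauth":                     # acl ntlmauth proxy_auth REQUIRED
        if creds is not None and creds in VALID_USERS:
            return "match"
        return "needs_auth"                    # no header, or helper rejected it
    raise ValueError("unknown acl: " + name)


def evaluate(config: Config, creds: Optional[str]) -> str:
    """What the client sees: '200 allowed', '407 challenge', 'TCP reset' or '403 denied'."""
    for line in config.http_access:
        matched = True
        for i, acl in enumerate(line.acls):
            r = acl_result(acl, creds)
            if r == "match":
                continue
            if r == "needs_auth" and i == len(line.acls) - 1:
                # Auth ACL is last on the line: Squid stops here and challenges.
                return "407 challenge"
            # Auth ACL followed by another ACL (the 'all' hack), or a plain
            # non-match: the line silently fails and evaluation continues.
            matched = False
            break
        if matched:
            if line.action == "allow":
                return "200 allowed"
            # deny_info is keyed by the last ACL on the denying line.
            if config.deny_info.get(line.acls[-1]) == "TCP_RESET":
                return "TCP reset"
            return "403 denied"
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "200 allowed" if config.http_access[-1].action == "deny" else "403 denied"


# The access rules as posted in the thread (other lines elided).
POSTED = Config(
    http_access=[AccessLine("allow", ("ntlmauth", "all")),
                 AccessLine("deny", ("all",))],
    deny_info={"all": "TCP_RESET"},
)

# Amos's suggestion: drop the trailing 'all' so the auth ACL is last.
SUGGESTED = Config(
    http_access=[AccessLine("allow", ("ntlmauth",)),
                 AccessLine("deny", ("all",))],
    deny_info={"all": "TCP_RESET"},
)


def compare(creds: Optional[str]) -> Tuple[str, str]:
    """Outcome under the posted rules and under the suggested rules."""
    return evaluate(POSTED, creds), evaluate(SUGGESTED, creds)


if __name__ == "__main__":
    for creds in (None, "mallory", "alice"):
        print(repr(creds), "->", compare(creds))
```

Running it shows the point of the thread: with no credentials or rejected ones the posted rules reset the connection and the browser is never told why, while the suggested rules return the 407 that lets the browser start the handshake; a valid user is allowed either way.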


RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-13 Thread vincent.blondel

hello all,

I currently get some sun v210 boxes running solaris 8 and squid-2.6.12
and samba 3.0.20b I will upgrade these proxies into 2.7.4/3.0.32 next
monday but before doing this I would like to ask you your advices
and/or
experiences with tuning these kind of boxes.

the service is running well today except we regularly get
authentication
popup boxes. This is really exasperating our Users. I already spent lot
of times on the net in the hope finding a clear explanation about it
but
i am still searching. I already configured starting 128 ntlm_auth
processes on each of my servers. This gives better results but problem
still remains. I also made some patching in my new package I will
deploy
next week by overwriting some samba values .. below my little patch ..

--- samba-3.0.32.orig/source/include/local.h2008-08-25
23:09:21.0 +0200
+++ samba-3.0.32/source/include/local.h 2008-10-09 13:09:59.784144000
+0200
@@ -222,7 +222,7 @@
 #define WINBIND_SERVER_MUTEX_WAIT_TIME ((
((NUM_CLI_AUTH_CONNECT_RETRIES) * ((CLI_AUTH_TIMEOUT)/1000)) + 5)*2)

 /* Max number of simultaneous winbindd socket connections. */
-#define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 200
+#define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 1024

 /* Buffer size to use when printing backtraces */
 #define BACKTRACE_STACK_SIZE 64

I currently do not use 'auth_param ntlm keep_alive on' because I do not
know if it will not cause some side effects for web browser used in our
company (ie/windows xp sp2).

I already use some parameters today like these ones below ...

set shmsys:shminfo_shmseg=16
set shmsys:shminfo_shmmni=32
set shmsys:shminfo_shmmax=2097152
set msgsys:msginfo_msgmni=40
set msgsys:msginfo_msgmax=2048
set msgsys:msginfo_msgmnb=8192
set msgsys:msginfo_msgssz=64
set msgsys:msginfo_msgtql=2048
set rlim_fd_max=8192

arp_cleanup_interval=6
ip_forward_directed_broadcasts=0
ip_forward_src_routed=0
ip6_forward_src_routed=0
ip_ignore_redirect=1
ip6_ignore_redirect=1
ip_ire_flush_interval=6
ip_ire_arp_interval=6
ip_respond_to_address_mask_broadcast=0
ip_respond_to_echo_broadcast=0
ip6_respond_to_echo_multicast=0
ip_respond_to_timestamp=0
ip_respond_to_timestamp_broadcast=0
ip_send_redirects=0
ip6_send_redirects=0
ip_strict_dst_multihoming=1
ip6_strict_dst_multihoming=1
ip_def_ttl=255
tcp_conn_req_max_q0=4096
tcp_conn_req_max_q=1024
tcp_rev_src_routes=0
tcp_extra_priv_ports_add=6112
udp_extra_priv_ports_add=
tcp_smallest_anon_port=32768
tcp_largest_anon_port=65535
udp_smallest_anon_port=32768
udp_largest_anon_port=65535
tcp_smallest_nonpriv_port=1024
udp_smallest_nonpriv_port=1024

after some investigations on my servers, I notice we often get lots of
connections in status CLOSE_WAIT and FIN_WAIT_2. I also get lots of
connections in status ESTABLISHED. If I have a look on squid statistics
these are some files giving an idea on the load handled by our machines
..

SUNW,Sun-Fire-V210
2048 Memory size
bge0 100-fdx (or) 1000-fdx
client_http.requests = 242/sec
server.http.requests = 163/sec
Number of clients accessing cache: 1486
cpu_usage = 45.065136%
/dev/dsk/c0t0d0s520655529 15015444 5433530  74%  /var/cache0
/dev/dsk/c0t1d0s520655529 14971972 5477002  74%  /var/cache1
1746418 Store Entries
(some) 1265 ESTABLISHED tcp connections (at high load)
(some) 132 CLOSE_WAIT (or)  FIN_WAIT_2 connections

so these servers are relatively heavy loaded and this is the reason why
I think I still can tune some tcp/udp values in order to optimize and
reduce the cpu usage on my servers. I already found some ideas on the
net like these values below but this is not guaranteed ..

ndd -set /dev/tcp tcp_time_wait_interval 6
ndd -set /dev/tcp tcp_fin_wait_2_flush_interval 67500
ndd -set /dev/tcp tcp_keepalive_interval 15000

many thks to help me because we are really in trouble and I am sure we
can solve these little problems by setting/tuning some parameters.

I made some further investigations and found maybe some relevant issues
..

* first of all, seems the tcp queues are not large enough with some
173201 dropped connections

  # netstat -sP tcp | fgrep -i listendrop
tcpListenDrop   =173201 tcpListenDropQ0 = 0

* seems we do not get any connection problems with our servers and l2
switches ... only 280 input errors on 583 days uptime.

  # netstat -i
  Name  Mtu  Net/Dest       Address        Ipkts       Ierrs  Opkts       Oerrs  Collis  Queue
  lo0   8232 loopback       localhost      251726967   0      251726967   0      0       0
  bge0  1500 sbepskcv       sbepskcv       1607581016  280    1645158342  0      0       0
  bge1  1500 sbepskcv-bge1  sbepskcv-bge1  2920250 3355944 0 0 0

* seems we can optimize a bit tcp time-to-live connections because I see
hundreds connections in status 
  CLOSE_WAIT FIN_WAIT_2 TIME_WAIT

* this is a command I see on the net but to be honest I do not
understand the output of such a command

  # netstat -k inode_cache
  inode_cache:
  size 157855 maxsize 128252 hits 573916370 misses 

RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-13 Thread Amos Jeffries

hello all,

I currently get some sun v210 boxes running solaris 8 and squid-2.6.12
and samba 3.0.20b I will upgrade these proxies into 2.7.4/3.0.32 next
monday but before doing this I would like to ask you your advices
 and/or
experiences with tuning these kind of boxes.

the service is running well today except we regularly get
 authentication
popup boxes. This is really exasperating our Users. I already spent lot
of times on the net in the hope finding a clear explanation about it
 but
i am still searching. I already configured starting 128 ntlm_auth
processes on each of my servers. This gives better results but problem
still remains. I also made some patching in my new package I will
 deploy
next week by overwriting some samba values .. below my little patch ..


Before digging deep into OS settings check your squid.conf auth, acl and
http_access settings.
Check the TTL settings on your auth config. If it's not long enough squid
will re-auth between request and reply.

For the access controls there are a number of ways they can trigger
authentication popups. %LOGIN passed to external helper, proxy_auth
REQUIRED acl, and an auth ACL being last on an http_access line.

Also, interception setups hacked with bad flags to (wrongly) permit auth
can appear working but cause popups on every object request and also leak
clients credentials to all remote sites that use auth.

Amos



[squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4

2008-11-12 Thread vincent.blondel

hello all,

I currently get some sun v210 boxes running solaris 8 and squid-2.6.12
and samba 3.0.20b I will upgrade these proxies into 2.7.4/3.0.32 next
monday but before doing this I would like to ask you your advices and/or
experiences with tuning these kind of boxes.

the service is running well today except we regularly get authentication
popup boxes. This is really exasperating our Users. I already spent lot
of times on the net in the hope finding a clear explanation about it but
i am still searching. I already configured starting 128 ntlm_auth
processes on each of my servers. This gives better results but problem
still remains. I also made some patching in my new package I will deploy
next week by overwriting some samba values .. below my little patch ..

--- samba-3.0.32.orig/source/include/local.h2008-08-25
23:09:21.0 +0200
+++ samba-3.0.32/source/include/local.h 2008-10-09 13:09:59.784144000
+0200
@@ -222,7 +222,7 @@
 #define WINBIND_SERVER_MUTEX_WAIT_TIME ((
((NUM_CLI_AUTH_CONNECT_RETRIES) * ((CLI_AUTH_TIMEOUT)/1000)) + 5)*2)

 /* Max number of simultaneous winbindd socket connections. */
-#define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 200
+#define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 1024

 /* Buffer size to use when printing backtraces */
 #define BACKTRACE_STACK_SIZE 64
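Review bot: the new WINBINDD_MAX_SIMULTANEOUS_CLIENTS value (1024, up from 200) carries no comment recording why it was needed; since the mail says 128 ntlm_auth helpers run per proxy, note next to the define the winbindd client count actually observed (or the winbindd log line that showed the old limit being hit), otherwise the next packager cannot tell whether the bump is still required. Separately, the patch as pasted will not apply cleanly: the WINBIND_SERVER_MUTEX_WAIT_TIME context line has been wrapped onto two lines by the mail client, giving the hunk eight old-side lines where the header `@@ -222,7 +222,7 @@` promises seven, and the `---` header has the filename run into the timestamp (`local.h2008-08-25`); attach the patch file rather than pasting it inline.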

I currently do not use 'auth_param ntlm keep_alive on' because I do not
know if it will not cause some side effects for web browser used in our
company (ie/windows xp sp2).

I already use some parameters today like these ones below ...

set shmsys:shminfo_shmseg=16
set shmsys:shminfo_shmmni=32
set shmsys:shminfo_shmmax=2097152
set msgsys:msginfo_msgmni=40
set msgsys:msginfo_msgmax=2048
set msgsys:msginfo_msgmnb=8192
set msgsys:msginfo_msgssz=64
set msgsys:msginfo_msgtql=2048
set rlim_fd_max=8192

arp_cleanup_interval=6
ip_forward_directed_broadcasts=0
ip_forward_src_routed=0
ip6_forward_src_routed=0
ip_ignore_redirect=1
ip6_ignore_redirect=1
ip_ire_flush_interval=6
ip_ire_arp_interval=6
ip_respond_to_address_mask_broadcast=0
ip_respond_to_echo_broadcast=0
ip6_respond_to_echo_multicast=0
ip_respond_to_timestamp=0
ip_respond_to_timestamp_broadcast=0
ip_send_redirects=0
ip6_send_redirects=0
ip_strict_dst_multihoming=1
ip6_strict_dst_multihoming=1
ip_def_ttl=255
tcp_conn_req_max_q0=4096
tcp_conn_req_max_q=1024
tcp_rev_src_routes=0
tcp_extra_priv_ports_add=6112
udp_extra_priv_ports_add=
tcp_smallest_anon_port=32768
tcp_largest_anon_port=65535
udp_smallest_anon_port=32768
udp_largest_anon_port=65535
tcp_smallest_nonpriv_port=1024
udp_smallest_nonpriv_port=1024

after some investigations on my servers, I notice we often get lots of
connections in status CLOSE_WAIT and FIN_WAIT_2. I also get lots of
connections in status ESTABLISHED. If I have a look on squid statistics
these are some files giving an idea on the load handled by our machines
..

SUNW,Sun-Fire-V210
2048 Memory size
bge0 100-fdx (or) 1000-fdx
client_http.requests = 242/sec
server.http.requests = 163/sec
Number of clients accessing cache: 1486
cpu_usage = 45.065136%
/dev/dsk/c0t0d0s520655529 15015444 5433530  74%  /var/cache0
/dev/dsk/c0t1d0s520655529 14971972 5477002  74%  /var/cache1
1746418 Store Entries
(some) 1265 ESTABLISHED tcp connections (at high load)
(some) 132 CLOSE_WAIT (or)  FIN_WAIT_2 connections

so these servers are relatively heavy loaded and this is the reason why
I think I still can tune some tcp/udp values in order to optimize and
reduce the cpu usage on my servers. I already found some ideas on the
net like these values below but this is not guaranteed ..

ndd -set /dev/tcp tcp_time_wait_interval 6
ndd -set /dev/tcp tcp_fin_wait_2_flush_interval 67500
ndd -set /dev/tcp tcp_keepalive_interval 15000

many thks to help me because we are really in trouble and I am sure we
can solve these little problems by setting/tuning some parameters.

vincent.

Re: [squid-users] NTLM auth popup boxes

2008-01-18 Thread Elvar
Hello all, something I wanted to add to this thread  which I thought may 
have something to do with the problem is the following I'm consistently 
seeing in my squid cache log...



[2008/01/18 12:16:28, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
 got NTLMSSP command 3, expected 1
[2008/01/18 12:18:07, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
 got NTLMSSP command 3, expected 1
[2008/01/18 12:19:05, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
 got NTLMSSP command 3, expected 1
[2008/01/18 12:19:20, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
 got NTLMSSP command 3, expected 1


Would that be the cause of my auth popup boxes in browsers? If so, is 
this fixable yet? I ran across this thread while searching for those 
errors...



http://www.squid-cache.org/mail-archive/squid-users/200606/0362.html


Kind regards,
Elvar





Amos Jeffries wrote:

Adrian Chadd wrote:


On Sat, Nov 03, 2007, Elvar wrote:

  

Hello all,

I am currently running squid-2.6.14 on FreeBSD 6-STABLE and Squid is



Please upgrade to STABLE17. There is a security problem in earlier releases.

  

configured to authenticate users to the Active Directory database via
the NTLM plugin. The problem I'm having is that approximately every
other day or sometimes sooner or sometime longer, users start getting a
popup box asking for auth credentials. Normally this is not the case as
it's handled automatically in the background. I'm forced to restart the
squid proxy server to resolve this. One thing I notice is that every
time it happens the number of squid child processes is greater than the
number listed in squid.conf. Currently I'm set at 'auth_param ntlm
children 150'. I'm not sure what is causing this login popup box but
it's really upsetting my users and I need to figure out a solution. Has
anyone else experienced this? Any have any suggestions?



A couple of possibilities:

* Samba can't keep up with your request rate
* Squid is blocking and missing out on processing the NTLM
authentication
  results

I suggest a few things:

* How busy is the cache? Do you have graphs? If not, compile with snmp
  support and start graphing whatever you can

* Look at your load and see if you're better off with aufs than ufs;
  aufs won't block (as much!) and should free Squid up to handle the
  helper replies quicker;

* I've seen this happen at back from lunch enterprise situations where
  a few hundred people come back and fire up their browsers at the same
  time, overloading the NTLM authentication mechanism. Henrik's
  authentication IP caching patch (ntlm_ip_cache? I forget now) seems
  to do the trick but it comes with certain use restrictions.
  This depends on how busy your caches are; see point 1.



Adrian



  

Well, I've set up squid-rrd now on two different boxes at two different
locations to monitor performance and it doesn't appear that Squid is
being overworked. Is there a way to possibly increase the TTL for
queries against Active Directory? I've been battling with this problem
for months now and cannot for the life of me figure out what's causing
the problem.



Thanks,
Elvar




squid.conf listed below

Kind regards
Elvar

 Begin squid.conf 

acl localnet src 192.168.0.0/16
http_port 192.168.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
cache_dir ufs /usr/local/squid/cache 500 16 256
access_log /usr/local/squid/logs/access.log squid
#cache_log none
cache_log /usr/local/squid/logs/cache.log
cache_store_log none
emulate_httpd_log off
log_mime_hdrs on
check_hostnames off
auth_param ntlm keep_alive on

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-2590255907-4225717938-1771017636-2445
auth_param ntlm children 150
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 5 minutes

#auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param basic children 5
#auth_param basic realm WT
#auth_param basic credentialsttl 2 hours

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

### Needed for Windows Update to work ###
acl windowsupdate dstdomain .windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain .download.windowsupdate.com
acl windowsupdate dstdomain .c.microsoft.com
acl windowsupdate dstdomain .download.microsoft.com
http_access allow windowsupdate localnet
##


acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 

Re: [squid-users] NTLM auth popup boxes

2007-12-18 Thread Elvar


Adrian Chadd wrote:

On Sat, Nov 03, 2007, Elvar wrote:
  

Hello all,

I am currently running squid-2.6.14 on FreeBSD 6-STABLE and Squid is 
configured to authenticate users to the Active Directory database via 
the NTLM plugin. The problem I'm having is that approximately every 
other day or sometimes sooner or sometimes longer, users start getting a 
popup box asking for auth credentials. Normally this is not the case as 
it's handled automatically in the background. I'm forced to restart the 
squid proxy server to resolve this. One thing I notice is that every 
time it happens the number of squid child processes is greater than the 
number listed in squid.conf. Currently I'm set at 'auth_param ntlm 
children 150'. I'm not sure what is causing this login popup box but 
it's really upsetting my users and I need to figure out a solution. Has 
anyone else experienced this? Anyone have any suggestions?



A couple of possibilities:

* Samba can't keep up with your request rate
* Squid is blocking and missing out on processing the NTLM authentication
  results

I suggest a few things:

* How busy is the cache? Do you have graphs? If not, compile with snmp
  support and start graphing whatever you can

* Look at your load and see if you're better off with aufs than ufs;
  aufs won't block (as much!) and should free Squid up to handle the
  helper replies quicker;

* I've seen this happen in 'back from lunch' enterprise situations where
  a few hundred people come back and fire up their browsers at the same
  time, overloading the NTLM authentication mechanism. Henrik's
  authentication IP caching patch (ntlm_ip_cache? I forget now) seems
  to do the trick but it comes with certain use restrictions.
  This depends on how busy your caches are; see point 1.



Adrian


  
Well, I've set up squid-rrd now on two different boxes at two different 
locations to monitor performance and it doesn't appear that Squid is 
being overworked. Is there a way to possibly increase the TTL for 
queries against Active Directory? I've been battling with this problem 
for months now and cannot for the life of me figure out what's causing 
the problem.




Thanks,
Elvar



squid.conf listed below

Kind regards
Elvar

 Begin squid.conf 

acl localnet src 192.168.0.0/16
http_port 192.168.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
cache_dir ufs /usr/local/squid/cache 500 16 256
access_log /usr/local/squid/logs/access.log squid
#cache_log none
cache_log /usr/local/squid/logs/cache.log
cache_store_log none
emulate_httpd_log off
log_mime_hdrs on
check_hostnames off
auth_param ntlm keep_alive on

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-2590255907-4225717938-1771017636-2445

auth_param ntlm children 150
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 5 minutes

#auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

#auth_param basic children 5
#auth_param basic realm WT
#auth_param basic credentialsttl 2 hours

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

### Needed for Windows Update to work ###
acl windowsupdate dstdomain .windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain .download.windowsupdate.com
acl windowsupdate dstdomain .c.microsoft.com
acl windowsupdate dstdomain .download.microsoft.com
http_access allow windowsupdate localnet
##


acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl AuthorizedUsers proxy_auth REQUIRED

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all AuthorizedUsers
http_access deny all

http_reply_access allow all
icp_access allow all

cache_effective_user squid

visible_hostname example.com

logfile_rotate 20

coredump_dir /usr/local/squid/cache

# End squid.conf 



  




Re: [squid-users] NTLM auth popup boxes

2007-12-18 Thread Adrian Chadd
On Tue, Dec 18, 2007, Elvar wrote:

 Well, I've set up squid-rrd now on two different boxes at two different 
 locations to monitor performance and it doesn't appear that Squid is 
 being overworked. Is there a way to possibly increase the TTL for 
 queries against Active Directory? I've been battling with this problem 
 for months now and cannot for the life of me figure out what's causing 
 the problem.

The only way is to increase the number of ntlm authentication helpers that
you're running; but hm, you're using 150 ntlm authentication helpers.

There's a page in cachemgr - again, I forget its name - which gives you the
authenticator statistics (helper status, queue length, etc.) Hm, if you file
a bugzilla request I could come up with a way of getting access to the
queue statistics.

There's a project on http://devel.squid-cache.org/ - the auth ip cache project,
I forget its exact name right now - but it'll help quite a bit. It breaks if
you need to use cache peers as it caches the results for each client IP address.
Hm, I think I know how to fix that too, somewhat. (Henrik, what about using
ACLs to mark which clients can have their auth info cached?)



Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
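Adrian's cachemgr page is the helper-side view: in 2.6 it is `mgr:ntlmauthenticator` (for example `squidclient -h 127.0.0.1 -p 3128 mgr:ntlmauthenticator`, which the `allow manager localhost` line in the posted config permits), and it reports how many helpers are running and how long the request queue is; a queue that never drains while every helper is busy is the overload he describes. The log-side view, as an added example that is not from the thread, is below. A user sees the popup when the browser receives a 407 it cannot answer silently, and in access.log (native `squid` format, which the `access_log ... squid` line above writes) that request shows up as `TCP_DENIED/407`. A healthy NTLM handshake also produces 407s, two per new connection, so the signal is not any 407 but a minute in which most requests from many different clients are challenged at once; a single client accumulating 407s on its own is usually that workstation, not the helpers. The log lines are constructed, and the window size and thresholds are assumptions to tune against your own baseline.

```python
"""Spot NTLM challenge storms in a Squid access.log.

Added example, not part of the thread. Parses the native 'squid' logformat
(what `access_log ... squid` writes) and flags time windows in which most
requests were answered TCP_DENIED/407 across several clients at once.
Thresholds are assumptions; tune them against your own baseline.
"""
import re
import sys
from collections import Counter, defaultdict

# Native squid logformat:
#   time.ms  elapsed  client  result/status  bytes  method  URL  user  hierarchy/from  type
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\.\d+\s+\d+\s+(?P<client>\S+)\s+(?P<result>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)


def parse_line(line):
    """Fields needed here from one access.log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def challenge_stats(lines, window=60):
    """Per-window request and 407 counts with the set of challenged clients,
    plus a per-client 407 total."""
    per_window = defaultdict(lambda: {"total": 0, "challenged": 0, "clients": set()})
    per_client = Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        bucket = rec["ts"] - rec["ts"] % window
        per_window[bucket]["total"] += 1
        if rec["status"] == 407:
            per_window[bucket]["challenged"] += 1
            per_window[bucket]["clients"].add(rec["client"])
            per_client[rec["client"]] += 1
    return per_window, per_client


def find_storms(per_window, ratio=0.5, min_clients=3):
    """Windows in which at least `ratio` of requests were challenged and at least
    `min_clients` distinct clients were hit. One client alone is usually that
    workstation; many at once points at the helpers or the domain controller.
    Returns (window_start, challenged, total, distinct_clients) tuples."""
    storms = []
    for start in sorted(per_window):
        s = per_window[start]
        if s["total"] and s["challenged"] / s["total"] >= ratio and len(s["clients"]) >= min_clients:
            storms.append((start, s["challenged"], s["total"], len(s["clients"])))
    return storms


# Constructed sample log: one quiet minute (a single client's normal two-step
# handshake, then hits) and one minute in which four clients are challenged at once.
SAMPLE_LOG = """\
1197000000.101     12 192.168.1.10 TCP_DENIED/407 1734 GET http://www.example.com/ - NONE/- text/html
1197000000.205     15 192.168.1.10 TCP_DENIED/407 1734 GET http://www.example.com/ - NONE/- text/html
1197000000.310    220 192.168.1.10 TCP_MISS/200 5120 GET http://www.example.com/ DOMAIN\\alice DIRECT/203.0.113.10 text/html
1197000001.010    180 192.168.1.11 TCP_MISS/200 4096 GET http://www.example.com/a DOMAIN\\bob DIRECT/203.0.113.10 text/html
1197000002.010     90 192.168.1.12 TCP_HIT/200 2048 GET http://www.example.com/b DOMAIN\\carol NONE/- image/gif
1197000003.010     88 192.168.1.10 TCP_HIT/200 2048 GET http://www.example.com/c DOMAIN\\alice NONE/- image/gif
1197000120.001     10 192.168.1.10 TCP_DENIED/407 1734 GET http://www.example.com/ - NONE/- text/html
1197000120.002     11 192.168.1.11 TCP_DENIED/407 1734 GET http://www.example.com/ - NONE/- text/html
1197000120.003      9 192.168.1.12 TCP_DENIED/407 1734 GET http://www.example.com/ - NONE/- text/html
1197000120.004     12 192.168.1.13 TCP_DENIED/407 1734 GET http://www.example.com/ - NONE/- text/html
1197000121.004     13 192.168.1.10 TCP_DENIED/407 1734 GET http://www.example.com/ - NONE/- text/html
1197000122.004    150 192.168.1.14 TCP_MISS/200 3000 GET http://www.example.com/d DOMAIN\\dave DIRECT/203.0.113.10 text/html
"""


def report(lines):
    """Print a summary and return the storm list so callers can act on it."""
    per_window, per_client = challenge_stats(lines)
    storms = find_storms(per_window)
    for start, challenged, total, n in storms:
        print(f"window {start}: {challenged}/{total} requests got 407 across {n} clients")
    for client, count in per_client.most_common(5):
        print(f"{client}: {count} x 407")
    return storms


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report(fh.read().splitlines())
    else:
        report(SAMPLE_LOG.splitlines())
```

Run it against a real log with `python3 storms.py /usr/local/squid/logs/access.log` and line the flagged windows up against the helper stats page: a storm that coincides with all helpers busy and a non-zero queue is the capacity problem Adrian describes, while a storm with idle helpers points at the helper or the domain controller failing rather than being short of workers.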


Re: [squid-users] NTLM auth popup boxes

2007-12-18 Thread Amos Jeffries

 Adrian Chadd wrote:
 On Sat, Nov 03, 2007, Elvar wrote:

 Hello all,

 I am currently running squid-2.6.14 on FreeBSD 6-STABLE and Squid is

Please upgrade to STABLE17. There is a security problem in earlier releases.

 configured to authenticate users to the Active Directory database via
 the NTLM plugin. The problem I'm having is that approximately every
 other day or sometimes sooner or sometimes longer, users start getting a
 popup box asking for auth credentials. Normally this is not the case as
 it's handled automatically in the background. I'm forced to restart the
 squid proxy server to resolve this. One thing I notice is that every
 time it happens the number of squid child processes is greater than the
 number listed in squid.conf. Currently I'm set at 'auth_param ntlm
 children 150'. I'm not sure what is causing this login popup box but
 it's really upsetting my users and I need to figure out a solution. Has
 anyone else experienced this? Anyone have any suggestions?


 A couple of possibilities:

 * Samba can't keep up with your request rate
 * Squid is blocking and missing out on processing the NTLM
 authentication
   results

 I suggest a few things:

 * How busy is the cache? Do you have graphs? If not, compile with snmp
   support and start graphing whatever you can

 * Look at your load and see if you're better off with aufs than ufs;
   aufs won't block (as much!) and should free Squid up to handle the
   helper replies quicker;

 * I've seen this happen in 'back from lunch' enterprise situations where
   a few hundred people come back and fire up their browsers at the same
   time, overloading the NTLM authentication mechanism. Henrik's
   authentication IP caching patch (ntlm_ip_cache? I forget now) seems
   to do the trick but it comes with certain use restrictions.
   This depends on how busy your caches are; see point 1.



 Adrian



 Well, I've set up squid-rrd now on two different boxes at two different
 locations to monitor performance and it doesn't appear that Squid is
 being overworked. Is there a way to possibly increase the TTL for
 queries against Active Directory? I've been battling with this problem
 for months now and cannot for the life of me figure out what's causing
 the problem.



 Thanks,
 Elvar


 squid.conf listed below

 Kind regards
 Elvar

  Begin squid.conf 

 acl localnet src 192.168.0.0/16
 http_port 192.168.0.1:3128
 hierarchy_stoplist cgi-bin ?
 acl QUERY urlpath_regex cgi-bin \?
 cache deny QUERY
 acl all src 0.0.0.0/0.0.0.0
 cache_dir ufs /usr/local/squid/cache 500 16 256
 access_log /usr/local/squid/logs/access.log squid
 #cache_log none
 cache_log /usr/local/squid/logs/cache.log
 cache_store_log none
 emulate_httpd_log off
 log_mime_hdrs on
 check_hostnames off
 auth_param ntlm keep_alive on

 auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-2590255907-4225717938-1771017636-2445
 auth_param ntlm children 150
 #auth_param ntlm max_challenge_reuses 0
 #auth_param ntlm max_challenge_lifetime 5 minutes

 #auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
 #auth_param basic children 5
 #auth_param basic realm WT
 #auth_param basic credentialsttl 2 hours

 refresh_pattern ^ftp:           1440    20%     10080
 refresh_pattern ^gopher:        1440    0%      1440
 refresh_pattern .               0       20%     4320

 ### Needed for Windows Update to work ###
 acl windowsupdate dstdomain .windowsupdate.microsoft.com
 acl windowsupdate dstdomain .update.microsoft.com
 acl windowsupdate dstdomain .download.windowsupdate.com
 acl windowsupdate dstdomain .c.microsoft.com
 acl windowsupdate dstdomain .download.microsoft.com
 http_access allow windowsupdate localnet
 ##


 acl manager proto cache_object
 acl localhost src 127.0.0.1/255.255.255.255
 acl to_localhost dst 127.0.0.0/8
 acl SSL_ports port 443 563
 acl Safe_ports port 80 # http
 acl CONNECT method CONNECT
 acl Safe_ports port 21  # ftp
 acl Safe_ports port 443 563 # https, snews
 acl Safe_ports port 70  # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535  # unregistered ports
 acl Safe_ports port 280 # http-mgmt
 acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http
 acl AuthorizedUsers proxy_auth REQUIRED

 http_access allow manager localhost
 http_access deny manager
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow all AuthorizedUsers

Ah, here is part of the problem.
 Using this 'all' hack to silence the login box, it needs 'all' to be at
the very end of the line. Otherwise 'all' has no meaning there.

 http_access allow AuthorizedUsers all


 http_access deny all

 http_reply_access allow all
 icp_access allow all

 cache_effective_user squid

 visible_hostname example.com

 logfile_rotate 20

 coredump_dir 
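Amos's point is about where the auth ACL sits on the line. Squid ANDs the ACLs on an http_access line from left to right and abandons the line at the first ACL that fails, tries the lines top to bottom, lets the first matching line decide, and falls back to the opposite of the last line when nothing matches. The 'all' trick from the Squid FAQ depends on that order: as the FAQ puts it, Squid issues a fresh credentials challenge (and so the browser prompts again) when a proxy_auth ACL was the last ACL it tested before denying, and a plain 403 error page otherwise. The evaluator below is an added example, not Squid code, and models only those ordering rules; it does not model the NTLM handshake, in which a request carrying no credentials yet is always challenged, nor the helper round trip. It traces the config as posted, the `all`-last form Amos suggests, and the FAQ's `deny !AuthorizedUsers all` beside `deny !AuthorizedUsers`, for a port-80 GET whose credentials the helper rejected and for the same request once it authenticated; the ACL names are the ones from the posted squid.conf and the two requests are constructed.

```python
"""Trace how Squid evaluates http_access for one request.

Added example, not Squid code. It models the documented ordering rules only:
ACLs on a line are ANDed left to right and the line is abandoned at the first
ACL that fails; lines are tried top to bottom and the first line that matches
decides; if no line matches, the result is the opposite of the last line (deny
when there are no lines). The trace keeps the order in which ACLs were tested,
since the "all" trick hinges on which ACL was tested last.
"""


def evaluate(rules, facts):
    """rules: [(action, [acl, ...]), ...] in squid.conf order; a '!' prefix negates.
    facts: {acl_name: bool} for this request; 'all' matches unless facts says otherwise.
    Returns (decision, index of the deciding line or None, ACLs tested in order)."""
    tested = []
    for idx, (action, acls) in enumerate(rules):
        line_matches = True
        for acl in acls:
            negated = acl.startswith("!")
            name = acl.lstrip("!")
            tested.append(name)
            matched = facts.get(name, name == "all")
            if matched == negated:      # fails the AND: the rest of the line is not tested
                line_matches = False
                break
        if line_matches:
            return action, idx, tested
    if not rules:
        return "deny", None, tested
    return ("deny" if rules[-1][0] == "allow" else "allow"), None, tested


# The port/CONNECT lines shared by every variant, from the posted squid.conf.
PREFIX = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"])]
# As posted: 'all' in front of the auth ACL.
AS_POSTED = PREFIX + [("allow", ["all", "AuthorizedUsers"]), ("deny", ["all"])]
# As Amos suggests: 'all' at the very end of the line.
ALL_LAST = PREFIX + [("allow", ["AuthorizedUsers", "all"]), ("deny", ["all"])]
# The FAQ's no-prompt deny, and the same deny without the trailing 'all'.
NO_PROMPT = PREFIX + [("deny", ["!AuthorizedUsers", "all"]), ("allow", ["all"])]
REPROMPT = PREFIX + [("deny", ["!AuthorizedUsers"]), ("allow", ["all"])]

# Constructed requests: a GET to port 80 whose credentials the helper rejected,
# and the same request once it authenticated.
REJECTED = {"Safe_ports": True, "CONNECT": False, "SSL_ports": False, "AuthorizedUsers": False}
ACCEPTED = dict(REJECTED, AuthorizedUsers=True)


def describe(name, rules, facts):
    """One line of trace: decision, which line decided, and the last ACL tested."""
    decision, idx, tested = evaluate(rules, facts)
    where = f"line {idx} {rules[idx]}" if idx is not None else "default (no line matched)"
    return f"{name:15} {decision:5} by {where}; last ACL tested: {tested[-1]}"


if __name__ == "__main__":
    variants = [("as posted", AS_POSTED), ("all last", ALL_LAST),
                ("deny !auth all", NO_PROMPT), ("deny !auth", REPROMPT)]
    for name, rules in variants:
        print(describe(name, rules, REJECTED))
        print(describe(name, rules, ACCEPTED))
```

The last column is the one to read. In the posted config the leading `all` is tested and passes but changes nothing, so that line collapses to `allow AuthorizedUsers`. `deny !AuthorizedUsers` leaves the auth ACL as the last ACL tested when it denies, whereas appending `all` moves that onto `all`; by the FAQ rule that is the difference between a browser that prompts again and one that shows an error page, which is what the trick is for.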

Re: [squid-users] NTLM auth popup boxes

2007-12-13 Thread Elvar



Adrian Chadd wrote:

On Sat, Nov 03, 2007, Elvar wrote:
  

Hello all,

I am currently running squid-2.6.14 on FreeBSD 6-STABLE and Squid is 
configured to authenticate users to the Active Directory database via 
the NTLM plugin. The problem I'm having is that approximately every 
other day or sometimes sooner or sometimes longer, users start getting a 
popup box asking for auth credentials. Normally this is not the case as 
it's handled automatically in the background. I'm forced to restart the 
squid proxy server to resolve this. One thing I notice is that every 
time it happens the number of squid child processes is greater than the 
number listed in squid.conf. Currently I'm set at 'auth_param ntlm 
children 150'. I'm not sure what is causing this login popup box but 
it's really upsetting my users and I need to figure out a solution. Has 
anyone else experienced this? Anyone have any suggestions?



A couple of possibilities:

* Samba can't keep up with your request rate
* Squid is blocking and missing out on processing the NTLM authentication
  results

I suggest a few things:

* How busy is the cache? Do you have graphs? If not, compile with snmp
  support and start graphing whatever you can

* Look at your load and see if you're better off with aufs than ufs;
  aufs won't block (as much!) and should free Squid up to handle the
  helper replies quicker;

* I've seen this happen in 'back from lunch' enterprise situations where
  a few hundred people come back and fire up their browsers at the same
  time, overloading the NTLM authentication mechanism. Henrik's
  authentication IP caching patch (ntlm_ip_cache? I forget now) seems
  to do the trick but it comes with certain use restrictions.
  This depends on how busy your caches are; see point 1.



Adrian


  


Hi Adrian,

Based on your suggestion to try and monitor how busy Squid is I followed 
the directions at http://www.squid-cache.org/~wessels/squid-rrd/ to 
produce some graphs. Have you by chance played with this monitoring 
setup? I have the graphs displaying but no actual data inside the graphs.


Regards,
Elvar






  




Re: [squid-users] NTLM auth popup boxes

2007-12-13 Thread Adrian Chadd
On Thu, Dec 13, 2007, Elvar wrote:

 Based on your suggestion to try and monitor how busy Squid is I followed 
 the directions at http://www.squid-cache.org/~wessels/squid-rrd/ to 
 produce some graphs. Have you by chance played with this monitoring 
 setup? I have the graphs displaying but no actual data inside the graphs.

I haven't played with Duane's RRD stuff. Have you run create.sh and set up
poll.pl to run every 5 minutes?

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -


Re: [squid-users] NTLM auth popup boxes

2007-12-13 Thread Elvar



Adrian Chadd wrote:

On Thu, Dec 13, 2007, Elvar wrote:

  
Based on your suggestion to try and monitor how busy Squid is I followed 
the directions at http://www.squid-cache.org/~wessels/squid-rrd/ to 
produce some graphs. Have you by chance played with this monitoring 
setup? I have the graphs displaying but no actual data inside the graphs.



I haven't played with Duane's RRD stuff. Have you run create.sh and set up
poll.pl to run every 5 minutes?

  
I finally got it working. Turns out it was an access denied issue to the 
cache itself. I must admit, those are some pretty nice graphs. Let's 
hope this helps me with finding the overall issue causing those darn 
popup boxes. The users are pretty frustrated... :)


Thanks,
Elvar




Re: [squid-users] NTLM auth popup boxes

2007-11-03 Thread Adrian Chadd
On Sat, Nov 03, 2007, Elvar wrote:
 Hello all,
 
 I am currently running squid-2.6.14 on FreeBSD 6-STABLE and Squid is 
 configured to authenticate users to the Active Directory database via 
 the NTLM plugin. The problem I'm having is that approximately every 
 other day or sometimes sooner or sometimes longer, users start getting a 
 popup box asking for auth credentials. Normally this is not the case as 
 it's handled automatically in the background. I'm forced to restart the 
 squid proxy server to resolve this. One thing I notice is that every 
 time it happens the number of squid child processes is greater than the 
 number listed in squid.conf. Currently I'm set at 'auth_param ntlm 
 children 150'. I'm not sure what is causing this login popup box but 
 it's really upsetting my users and I need to figure out a solution. Has 
 anyone else experienced this? Anyone have any suggestions?

A couple of possibilities:

* Samba can't keep up with your request rate
* Squid is blocking and missing out on processing the NTLM authentication
  results

I suggest a few things:

* How busy is the cache? Do you have graphs? If not, compile with snmp
  support and start graphing whatever you can

* Look at your load and see if you're better off with aufs than ufs;
  aufs won't block (as much!) and should free Squid up to handle the
  helper replies quicker;

* I've seen this happen in 'back from lunch' enterprise situations where
  a few hundred people come back and fire up their browsers at the same
  time, overloading the NTLM authentication mechanism. Henrik's
  authentication IP caching patch (ntlm_ip_cache? I forget now) seems
  to do the trick but it comes with certain use restrictions.
  This depends on how busy your caches are; see point 1.



Adrian


 

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -


Re: [squid-users] NTLM auth popup boxes

2007-11-03 Thread Elvar



Adrian Chadd wrote:

On Sat, Nov 03, 2007, Elvar wrote:
  

Hello all,

I am currently running squid-2.6.14 on FreeBSD 6-STABLE and Squid is 
configured to authenticate users to the Active Directory database via 
the NTLM plugin. The problem I'm having is that approximately every 
other day or sometimes sooner or sometimes longer, users start getting a 
popup box asking for auth credentials. Normally this is not the case as 
it's handled automatically in the background. I'm forced to restart the 
squid proxy server to resolve this. One thing I notice is that every 
time it happens the number of squid child processes is greater than the 
number listed in squid.conf. Currently I'm set at 'auth_param ntlm 
children 150'. I'm not sure what is causing this login popup box but 
it's really upsetting my users and I need to figure out a solution. Has 
anyone else experienced this? Anyone have any suggestions?



A couple of possibilities:

* Samba can't keep up with your request rate
* Squid is blocking and missing out on processing the NTLM authentication
  results

I suggest a few things:

* How busy is the cache? Do you have graphs? If not, compile with snmp
  support and start graphing whatever you can

* Look at your load and see if you're better off with aufs than ufs;
  aufs won't block (as much!) and should free Squid up to handle the
  helper replies quicker;

* I've seen this happen in 'back from lunch' enterprise situations where
  a few hundred people come back and fire up their browsers at the same
  time, overloading the NTLM authentication mechanism. Henrik's
  authentication IP caching patch (ntlm_ip_cache? I forget now) seems
  to do the trick but it comes with certain use restrictions.
  This depends on how busy your caches are; see point 1.



Adrian

  


Adrian,

Thanks a bunch for the reply and suggestions! I will give this a go and 
see what I find.



Kind regards,
Elvar



  
