Hi,

At 14:40 19/02/2008, Richard Wall wrote:

First problem is that you have to reinterpret the Squid reported hit
ratios when using NTLM auth. Only half of these are hits, the other
half being TCP_DENIED/407 that form part of the NTLM auth negotiation.

This is caused by the NTLM over HTTP authentication sequence; look here for details:
http://davenport.sourceforge.net/ntlm.html

Second problem is that the majority of requests seem to result in auth
requests to the DC. There is an article describing Win2003 performance
counters showing Number of auth requests / sec, but those counters
don't seem to exist on my copy.
 * http://support.microsoft.com/kb/928576

Correct, you should request the hotfix from Microsoft.


Instead I used the difference in a minute of the total number of
security events (as shown in the title bar of the Windows event
viewer).
 * ~127 successful auth events per second
...which is about the same as the client_http.hits reported by squid.

I have the following setting defined in smb.conf:
 * winbind cache time = 10
...which clearly isn't being respected.

 * Does anyone else see this behaviour or have you managed to get auth
requests cached by winbindd?
 * Can winbindd even do caching of auth requests or is it only
concerned with caching other domain data?

What Samba version are you using?
I remember that in Samba 3.0.25 there were big changes in winbindd regarding off-line logon support, but I don't know if this could help.

Another question, what type of NTLM authentication is supported by curl?
LAN Manager/NTLMv1 or full NTLMv2? (See the previous link for details.)
There are big differences in the security level and in the performance impact, and currently all browsers automatically always use the NTLMv2 type.

Regards

Guido



-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1           10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
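
An added example, not part of the original message: a short script that separates the TCP_DENIED/407 NTLM challenges from real requests in Squid's native access.log format and recomputes the hit ratio. The log lines, addresses and user names are constructed, and counting the 407 denials in the reported figure is an assumption taken from the description in the quoted message.

```python
import re
from collections import Counter

# Constructed sample in Squid's native access.log format (not from the thread).
SAMPLE_LOG = r"""
1203432001.101     12 10.0.0.5 TCP_DENIED/407 1789 GET http://www.example.com/ - NONE/- text/html
1203432001.140     15 10.0.0.5 TCP_DENIED/407 2012 GET http://www.example.com/ - NONE/- text/html
1203432001.190     48 10.0.0.5 TCP_MISS/200 8420 GET http://www.example.com/ EXAMPLE\alice DIRECT/192.0.2.10 text/html
1203432002.310      9 10.0.0.6 TCP_DENIED/407 1789 GET http://www.example.com/logo.png - NONE/- text/html
1203432002.335     11 10.0.0.6 TCP_DENIED/407 2012 GET http://www.example.com/logo.png - NONE/- text/html
1203432002.360      3 10.0.0.6 TCP_HIT/200 5120 GET http://www.example.com/logo.png EXAMPLE\bob NONE/- image/png
1203432002.402      2 10.0.0.6 TCP_MEM_HIT/200 940 GET http://www.example.com/site.css EXAMPLE\bob NONE/- text/css
1203432002.455      4 10.0.0.6 TCP_HIT/200 3300 GET http://www.example.com/app.js EXAMPLE\bob NONE/- text/javascript
"""

# timestamp, elapsed ms, client address, then result tag / HTTP status
LINE_RE = re.compile(r"^\s*\d+\.\d+\s+\d+\s+\S+\s+(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s")

def tally(lines):
    """Classify each log line as an auth challenge, a cache hit, or other."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or malformed line
        tag, status = m["tag"], m["status"]
        if tag == "TCP_DENIED" and status == "407":
            counts["auth_challenge"] += 1   # one leg of the NTLM handshake
        elif "HIT" in tag:
            counts["hit"] += 1              # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
        else:
            counts["other"] += 1            # misses and everything else
    return counts

def hit_ratios(counts):
    """Return (ratio with 407s counted as hits, ratio with 407s excluded)."""
    total = sum(counts.values())
    real = total - counts["auth_challenge"]
    # Assumption from the thread: the reported figure includes the 407 denials.
    reported = (counts["hit"] + counts["auth_challenge"]) / total if total else 0.0
    adjusted = counts["hit"] / real if real else 0.0
    return reported, adjusted

if __name__ == "__main__":
    c = tally(SAMPLE_LOG.splitlines())
    reported, adjusted = hit_ratios(c)
    print(dict(c), f"reported={reported:.3f} adjusted={adjusted:.3f}")
```
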
