On 31/01/11 18:44, Senthilkumar wrote:
Thank you .
We are using squid 3.1.8 with 100 children for ntlm scheme. We have
about 500 users and around 75 req/sec.
In the cache log rarely we see 100 pending ntlm requests and that time
squid reconfigures automatically.
Is it default behaviour of squid to reconfigure when ntlm are queued.?
No, reconfigure only happens when the administrator or some operating
system controls runs "squid -k reconfigure".
You may be seeing a crash and restart?
In the cache log we can see following errors also.
2011/01/31 10:59:02| AuthConfig::CreateAuthUser: Unsupported or
unconfigured/inactive proxy-auth scheme, 'Basic
bnByY1xzaHViaGFuZ2lkOmdhbGF4eUA1Nw=='
2011/01/31 10:59:18| AuthConfig::CreateAuthUser: Unsupported or
unconfigured/inactive proxy-auth scheme, 'Basic
bnByY1xzaHViaGFuZ2lkOmdhbGF4eUA1Nw=='
Normal message for a proxy without Basic auth configured when the client
send Basic credentials to it.
Squid is supposed to pause requests during the configure time. So why
this shows up is a problem that needs to be found.
Amos
Amos Jeffries wrote:
On Tue, 25 Jan 2011 19:25:33 +0530, Senthilkumar wrote:
Hi Amos,
I have followed the suggestions provided by you and if use deny
without "all" i am getting pop up when i access denied sites, it is
suppressed when i use all.
We use ntlm scheme to authenticate with domain users, all users can
authenticate without any prompt, while browsing out of 350 users only
5-6 users getting prompt rarely(around 2-3 times a day)
There is no specific website or time the prompt appears. Please
suggest some troubleshooting ideas and cause for it.
The cache.log does not show any errors
I'm not sure exactly which deny line you are describing as producing a
popup. The config below looks right. Where you deny based on group
lookups
the lines should end with "all", as you saw not having it there produces
the popup.
NTLM can suffer from a few issues on connections and some bugs in Squid.
Though both of these problems have been worked on and reduced in newer
releases.
If one of the "allow" group lookups is somehow failing this may produce a
popup.
I am not sure how one would check for these in production environment.
The
things to watch out for are the HTTP auth headers for the request before
during and after the prompt appears. Whether this is happening on a
connection while it stays up, or if the connection drops out on the
challenge. Whether it happened on a new connection using some non-NTLM
auth
(ie a Windows 7 machine trying an unexpected encryption, or some
background
application with the wrong keys).
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.10
Beta testers wanted for 3.2.0.4
