On 24/03/11 22:56, Francisco José Márquez Gómez wrote:
Hi friends,

I'm suffering a speed problem when I use NTLM to auth users. If I use
basic auth, everything works fine and webpages load almost instantaneously, but
when I enable NTLM, the same webpages can take 10-30 seconds to load....


NTLM is designed to take 2x the HTTP traffic just to authenticate.
With older Squid such as yours the connections are often closed very fast and every re-open has to re-authenticate from scratch. Turning persistent connections ON can reduce the load a bit. This is not perfect in older squid, just a reduction.

I've found some similar cases, but nobody knows a solution:
---------------------------------------------------------------------------------

http://www.linuxforums.org/forum/servers/165500-squid-very-slow-using-ntlm.html

http://readlist.com/lists/squid-cache.org/squid-users/7/35240.html


Those read like people noticing the 2x traffic waste.


I've used this guide to set up my server:
-----------------------------------------------------
http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5

My only changes to squid.conf are these:
--------------------------------------------------------------

cache_effective_group wbpriv

Setting "cache_effective_group" causes problems with winbind.

In order for Squid and winbind to operate well together this directive must be not-set.

I see that this is a RHEL package. RHEL patches the cache_effective_group setting to always have a value, which prevents your OS security from assigning a proxy group for web access AND a winbind_priv group for winbind access.
 SOLUTION: self-build a squid without that RHEL patch.

Then on the command line add the Squid low-privilege user to the winbind privileges group. Details are here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions

(mind the wrap)


auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

acl chglan src 10.31.32.0/24

acl ntlm proxy_auth REQUIRED
http_access allow chglan ntlm
-----------------------------------------------------------------


That config looks fine.

and as the previously mentioned guide says, I launched authconfig to set up
winbind and samba.

Can somebody help me?? It is mandatory for me to be able to remove the stupid
authentication popup which all browsers show for proxy authentication.

Removing the popup is not possible. As you have seen even NTLM can do popups. This is because the popup is a browser feature to fetch credentials when it cannot find any working local ones. "Single sign-on" works for any auth method. It only requires that the browser have access to the credentials.

That said the popups are seen with NTLM due to:
 1) the browser cannot retrieve NTLM login credentials from the system.
 2) the credentials the system gave the browser cannot be validated by Squid.
 3) some older squid had bugs which would reject good credentials (rare)

Winbind privilege problems are a likely reason for (2). That wiki page I referenced has a section on testing the setup. Try all that to see if you can confirm the problem cause.

Incorrect client system configuration is the reason for (1).

(3) is relatively rare. But could be noticed particularly if many requests were opened simultaneously. Since it bites on double-auth while squid is waiting for an auth response.


Prior to squid, we were using MS ISA server and now, users are
constantly crying because their browsers show authentication popups each
time they open them...

This behaviour (*one* popup on a new browser session) indicates that the user's OS is not giving their browser their current machine login to use for accessing the proxy. (1) above.


FWIW;
Microsoft wrote both NTLM specs and ISA proxy. Other software is still trying to catch up and cope with their designs. We mostly have the browser behaviour as a known thing. There are still issues with things that non-browser Microsoft software does when talking to proxies.

To have a closely comparable Squid vs ISA experience you will need Squid-3.1.10 or later.


HTH
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5
