Re: Status on NTLM in Squid3?

From: Andrew Bartlett <abartlet@dont-contact.us>
Date: Fri, 05 Nov 2004 15:33:49 +1100

On Mon, 2004-11-01 at 01:29, Henrik Nordstrom wrote:
> On Sat, 30 Oct 2004, Andrew Bartlett wrote:
>
> > Actually, now I re-read this, I think I know what you mean:
> >
> > 0 YR ........
> > 1 YR ......
> > 1 TT #########
> > 1 KK ......
> >
> > Is there a 'shutdown' command?
>
> What do you refer to by 'shutdown'?
>
> There is not yet any explicit command for "authentication session
> aborted", it simply resets on the next YR with the same session
> identifier. Not sure if this is needed.

This should not be hard to add later. In any case, I've implemented
this in Samba4's ntlm_auth, and I'll get it ported to Samba3 at some
point. I've also added support for Samba3 winbindd to Samba4's
ntlm_auth, so we can use the newer code with the old backend.

> Shutdown of the helper is on EOF as before. The only difference is
> that the helper should take care to respond to all pending requests before
> exiting if reordering is supported by the helper. If reordering is not
> supported by the helper then there won't be any pending requests when it
> detects EOF so nothing has really changed then on shutdown.

So, on EOF on the input, we should look at the outstanding requests (say
off at the DC, awaiting a response) and wait for them to complete before
shutting down the helper?

> This very simple scheme buys two things
>
> a) For stateful helpers it allows the same helper instance to maintain a
> large number of sessions. In case of NTLM it allows the same helper to
> have multiple pending challenges.

Simply avoiding all those processes will make this a big saving.

> b) In all helpers it allows batching of several operations, reducing the
> amount of context switching required.

So squid could well ask for 4 challenges, one after the other?

> c) It (optionally at the helper's discretion) allows for the helper to
> respond to the pending queries in any order it likes, allowing the same
> helper instance to continue processing queries while waiting for external
> lookups such as winbind / DNS / databases / whatever.

I'm going to work more on this area, particularly as the single-threaded
winbindd goes away.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net

Received on Thu Nov 04 2004 - 21:34:08 MST
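
The channel-tagged helper exchange discussed in this thread, sketched as an added example (not code from this message, Squid or Samba): one helper instance keeps a challenge per channel id, resets a session on a repeated YR, defers KK checks, and answers everything still pending at EOF in its own order. The HMAC check is a constructed stand-in for the DC lookup, not NTLM; `AF`, `NA` and `BH` are Squid's NTLM helper reply codes, which the trace above does not show; `Helper`, `run` and `demo-user` are hypothetical names.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-secret"  # stand-in for the backend (DC) check, not NTLM

def expected_response(challenge):
    return hmac.new(KEY, challenge.encode(), hashlib.sha256).hexdigest()

class Helper:
    def __init__(self):
        self.challenge = {}  # channel id -> outstanding challenge
        self.pending = []    # (channel, challenge, blob) awaiting the backend

    def handle(self, line):
        """Process one request line; return an immediate reply, or None if deferred."""
        parts = line.split(None, 2)
        if len(parts) < 2:
            return "BH malformed request"
        chan, cmd = parts[0], parts[1]
        blob = parts[2] if len(parts) > 2 else ""
        if cmd == "YR":
            # A new YR on a channel resets that session: the old challenge is dropped.
            self.challenge[chan] = secrets.token_hex(8)
            return f"{chan} TT {self.challenge[chan]}"
        if cmd == "KK":
            chal = self.challenge.pop(chan, None)  # each challenge is single-use
            if chal is None:
                return f"{chan} BH no challenge outstanding"
            self.pending.append((chan, chal, blob))  # e.g. waiting on the DC
            return None
        return f"{chan} BH unknown command"

    def drain(self):
        """Answer every pending request; the order is the helper's choice."""
        replies = []
        while self.pending:
            chan, chal, blob = self.pending.pop()  # LIFO: deliberately reordered
            ok = hmac.compare_digest(blob.encode(), expected_response(chal).encode())
            replies.append(f"{chan} AF demo-user" if ok else f"{chan} NA bad response")
        return replies

def run(lines):
    """Feed request lines, then treat end of input as EOF and drain before exit."""
    h = Helper()
    out = [r for r in map(h.handle, lines) if r]
    return out + h.drain()
```

A KK that answers a challenge superseded by a later YR on the same channel is rejected, because only the newest challenge is kept for that channel.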
