Re: [squid-users] howto interprete NTLM tcpdumb data

From: Robert Collins <robert.collins@dont-contact.us>
Date: Wed, 10 Oct 2001 08:56:00 +1000

----- Original Message -----
From: "Van Bossche Koen" <Koen.VanBossche@KONE.com>
To: "'Chemolli Francesco (USI)'" <ChemolliF@GruppoCredit.it>
Cc: <squid-users@squid-cache.org>
Sent: Tuesday, October 09, 2001 11:47 PM
Subject: RE: [squid-users] howto interprete NTLM tcpdumb data

> Thanks for the feedback!
> It's a pity because occasionally it works fine. Is there nothing to
> tune on the NTLM - apart from the squid.conf file (maybe at the side of
> the NT BDC or so)? I'll try the ethereal.

Squid's current helper - NTLMSSP - uses one of the oldest MS calls in
existence. Unfortunately using this call does not allow any sort of
fault tolerance - all the issued challenges that haven't had the
handshake completed are invalidated when a communications or server
error occurs.

> I cannot write programs and neither have the time to practice and to
> learn it. So I cannot add any throughput on this, however I highly admire
> the work you all have brought to squid. Thx!
>
> BR/Koen
>
> > -----Original Message-----
> > From: Chemolli Francesco (USI) [mailto:ChemolliF@GruppoCredit.it]
> > Sent: 09 October 2001 15:37
> > To: 'Van Bossche Koen'; Squid-Users (E-mail)
> > Subject: RE: [squid-users] howto interprete NTLM tcpdumb data
> >
> >
> > > Hi all,
> > >
> > > I am running squidv2.5DEV with NTLM. I tuned my configuration.
> > > At this moment NTLM still keeps popping up his auth boxes
> > > regularly and my
> > > log mentions every minute Netbios Error 4 and Netbios Error 3
> > > codes. The
> > > logfile on the NT BDC (close to the proxy) was about 4Mb for
> > > only about 3
> > > hours.
> > >
> > > I have run 'tcpdumb host BDC'. Would anyone be so kind to
> > help me out
> > > analyzing this data (what it means) and telling me how I can
> > > get better
> > > performance of using NTLM. I really appreciate it.

There's not a lot to be done. Those netbios error codes are all that you
will see with a network sniffer :}. The only question is whether you have
a flaky LAN, a server objecting to the number of authentications, or an
overloaded and timing-out server.

> > It's a semi-known problem, with no known solution. I'm planning
> > to write a new helper that uses domain membership rather than
> > SMB_SessSetupAndX to tackle the issue, but it will take time, which
> > right now I don't have..

The workaround we have in place today is the NTLM fail-open option; this
is a configure-time option to squid and then a run-time option to the
helper. Using this option will let all in-progress authentications
complete with OK when a DC communication error occurs. It lowers your
security, but by how much is arguable (squid only lets in-progress
handshakes complete, not just _any_ attempt).

Rob
Received on Tue Oct 09 2001 - 16:53:43 MDT
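Added example (not from this thread and not squid's NTLMSSP helper code): a small Python model of a helper's outstanding-challenge table, showing why a DC communication error invalidates every unfinished handshake by default and what the fail-open option changes. The user store, the challenge-response computation and the "ok"/"denied" verdicts are constructed stand-ins, not the real NTLM computation or squid's helper protocol.

```python
import hashlib
import os
USERS = {"koen": b"s3cret"}  # constructed user store, standing in for the DC

def expected_response(challenge, password):
    # Constructed stand-in for NTLM's challenge-response computation.
    return hashlib.sha256(challenge + password).digest()

class NtlmHelperModel:  # outstanding-challenge table of a model NTLM helper
    def __init__(self, fail_open=False):
        self.fail_open = fail_open
        self.dc_up = True
        self.pending = {}  # connection id -> challenge issued to it
    def negotiate(self, conn_id):
        # Type-1 arrives; the helper needs the DC to obtain a challenge.
        if not self.dc_up:
            return None  # no DC, no challenge, in either mode
        self.pending[conn_id] = os.urandom(8)
        return self.pending[conn_id]
    def dc_error(self):
        # Fail-closed invalidates every outstanding challenge on a DC
        # error; fail-open keeps them so those handshakes can finish.
        self.dc_up = False
        if self.fail_open:
            return 0
        dropped = len(self.pending)
        self.pending.clear()
        return dropped
    def authenticate(self, conn_id, user, response):
        challenge = self.pending.pop(conn_id, None)
        if challenge is None:
            return "denied"  # no outstanding challenge: never let in
        if self.dc_up:
            ok = response == expected_response(challenge, USERS.get(user, b""))
            return "ok" if ok else "denied"
        # DC down, handshake already in progress: fail-open completes it
        # with OK although the DC never checked the response.
        return "ok" if self.fail_open else "denied"

def outage_scenario(fail_open):
    # Two handshakes in progress when the DC fails, plus one new attempt
    # during the outage. Returns (challenges dropped, verdicts).
    h = NtlmHelperModel(fail_open)
    c1, c2 = h.negotiate("conn-1"), h.negotiate("conn-2")
    dropped = h.dc_error()
    v1 = h.authenticate("conn-1", "koen", expected_response(c1, b"s3cret"))
    v2 = h.authenticate("conn-2", "koen", b"not-the-right-response")
    v3 = "denied" if h.negotiate("conn-3") is None else "ok"
    return dropped, (v1, v2, v3)
```

The second verdict in the fail-open run is the cost Rob refers to: a handshake that was already under way is let through without the DC ever checking the response, while the third shows that a fresh attempt during the outage still gets no challenge and is not let in.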

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:39 MST