[squid-users] Squid 2.5.STABLE3 and ntlm and authentication popup

From: <daniel.jarboe@dont-contact.us>
Date: Tue, 1 Jul 2003 09:06:41 -0400

This is with Squid 2.5.STABLE3 and Samba 2.2.8a. NTLM authentication is
working for the most part, but every so often a user is prompted with a
basic password for some reason. After searching through the archives
here I increased logging for 33 (debug_options ALL,1 33,2).

I don't see any evidence of the client breaking the connection here in
cache.log:

2003/06/30 15:54:38| The request GET http://www.marriott.com/shared/Images/headers/tab_rewards.gif is ALLOWED, because it matched 'NTauth'
2003/06/30 15:54:38| The reply for GET http://www.marriott.com/shared/Images/headers/tab_events_meetings.gif is ALLOWED, because it matched 'all'
2003/06/30 15:54:38| The request GET http://www.marriott.com/shared/Images/headers/tabRoll_find_reserve.gif is ALLOWED, because it matched 'NTauth'
2003/06/30 15:54:38| The reply for GET http://www.marriott.com/shared/Images/headers/tab_rewards.gif is ALLOWED, because it matched 'all'
2003/06/30 15:54:38| The request GET http://www.marriott.com/shared/Images/headers/tabRoll_specials_packages.gif is ALLOWED, because it matched 'NTauth'
2003/06/30 15:54:38| AuthenticateNTLMHandleReply: invalid callback data. Releasing helper '0x64b718'.
2003/06/30 15:54:38| The request GET http://www.marriott.com/images/home/packGolf_pic.jpg is ALLOWED, because it matched 'NTauth'
2003/06/30 15:54:38| The reply for GET http://www.marriott.com/shared/Images/headers/tabRoll_find_reserve.gif is ALLOWED, because it matched 'all'
2003/06/30 15:54:38| The request GET http://www.marriott.com/shared/Images/headers/tabRoll_explore_plan.gif is ALLOWED, because it matched 'NTauth'
2003/06/30 15:54:38| The reply for GET http://www.marriott.com/shared/Images/headers/tabRoll_specials_packages.gif is ALLOWED, because it matched 'all'

Both an hour earlier and an hour later I see "helperStatefulDefer: None
available." messages.

Then I see
2003/06/30 17:05:28| helperStatefulDefer: None available.
2003/06/30 17:05:28| WARNING: All ntlmauthenticator processes are busy.
2003/06/30 17:05:28| WARNING: 10 pending requests queued
2003/06/30 17:05:28| Consider increasing the number of ntlmauthenticator processes in your config file.

Later on I have more invalid callback data messages, and I probably had
about 15 more before the day was over.
2003/06/30 19:47:34| The reply for GET http://by4fd.bay4.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=8503c9fa6a0e6effb517097f18d66bc0 is ALLOWED, because it matched 'all'
2003/06/30 19:47:34| The request GET http://by4fd.bay4.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=8503c9fa6a0e6effb517097f18d66bc0 is DENIED, because it matched 'NTauth'
2003/06/30 19:47:34| The reply for GET http://by4fd.bay4.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=8503c9fa6a0e6effb517097f18d66bc0 is ALLOWED, because it matched 'all'
2003/06/30 19:47:39| AuthenticateNTLMHandleReply: invalid callback data. Releasing helper '0x64b718'.
2003/06/30 19:47:41| AuthenticateNTLMHandleReply: invalid callback data. Releasing helper '0x64d7c8'.
2003/06/30 19:47:41| AuthenticateNTLMHandleReply: invalid callback data. Releasing helper '0x64f878'.
2003/06/30 19:47:41| The request GET http://by4fd.bay4.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=8503c9fa6a0e6effb517097f18d66bc0 is ALLOWED, because it matched 'NTauth'
2003/06/30 19:47:41| The reply for GET http://by4fd.bay4.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=8503c9fa6a0e6effb517097f18d66bc0 is ALLOWED, because it matched 'all'

In squid.conf I have
auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

This is with only 20 users... is bumping auth_param ntlm children up to
the maximum of 32 really the solution? Eventually we expect to have a
few hundred users on this. After seeing
http://www.squid-cache.org/mail-archive/squid-dev/200305/0051.html I
wonder if there is something else wrong?

Thanks for any info,
~ Daniel

Received on Tue Jul 01 2003 - 07:03:09 MDT
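
Added example (not part of the original message, and not Squid code): a small tally of the cache.log events quoted above, per hour, so helper exhaustion can be lined up against 'NTauth' denials and "invalid callback data" releases. The sample lines are constructed, including the proxy-test.example URL; the message patterns are the ones shown in the post, and all whitespace is dropped before matching so records wrapped mid-word still match.

```python
import re
from collections import Counter

# Constructed sample: cache.log records, some wrapped across physical
# lines the way they arrive when pasted into e-mail. URL is hypothetical.
SAMPLE = """\
2003/06/30 17:05:28| helperStatefulDefer: None available.
2003/06/30 17:05:28| WARNING: 10 pending requests queued
2003/06/30 19:47:34| The request GET
http://proxy-test.example/cgi-bin/H
oTMaiL?curmbox=F1 is DENIED,
because
it matched 'NTauth'
2003/06/30 19:47:39| AuthenticateNTLMHandleReply: invalid callback data.
Releasi
ng helper '0x64b718'.
2003/06/30 19:47:41| AuthenticateNTLMHandleReply: invalid callback data.
Releasing helper '0x64d7c8'.
"""

# A record starts at a timestamp and runs to the next timestamp or EOF.
TS = r"(\d{4}/\d\d/\d\d \d\d):\d\d:\d\d\|"
REC = re.compile(rf"^{TS}(.*?)(?=^{TS}|\Z)", re.M | re.S)

# Patterns are written without whitespace to match the normalized body.
EVENTS = {
    "helper_exhausted": re.compile(r"helperStatefulDefer:Noneavailable"),
    "invalid_callback": re.compile(r"invalidcallbackdata\.Releasinghelper"),
    "ntauth_denied": re.compile(r"isDENIED,becauseitmatched'NTauth'"),
}
QUEUED = re.compile(r"WARNING:(\d+)pendingrequestsqueued")

def records(text):
    """Yield (date-and-hour, body) with every whitespace char removed."""
    for m in REC.finditer(text):
        yield m.group(1), "".join(m.group(2).split())

def summarize(text):
    """Return (Counter keyed by (hour, event), largest queue depth seen)."""
    counts, max_queue = Counter(), 0
    for hour, body in records(text):
        for name, rx in EVENTS.items():
            if rx.search(body):
                counts[(hour, name)] += 1
        q = QUEUED.search(body)
        if q:
            max_queue = max(max_queue, int(q.group(1)))
    return counts, max_queue
```

Running summarize() over a full day's cache.log gives per-hour counts that show whether the denials and callback releases fall in the same hours as the "None available" warnings.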