RE: [squid-users] NTLM auth popup boxes && Solaris 8 tuning for upgrade into 2.7.4

From: <vincent.blondel_at_ing.be>
Date: Fri, 14 Nov 2008 17:24:30 +0100

>>>
>>>hello all,
>>>
>>>I currently get some sun v210 boxes running solaris 8 and squid-2.6.12
>>>and samba 3.0.20b I will upgrade these proxies into 2.7.4/3.0.32 next
>>>monday but before doing this I would like to ask you your advices and/or
>>>experiences with tuning these kind of boxes.
>>>
>>>the service is running well today except we regularly get authentication
>>>popup boxes. This is really exasperating our Users. I already spent lot
>>>of times on the net in the hope finding a clear explanation about it but
>>>i am still searching. I already configured starting 128 ntlm_auth
>>>processes on each of my servers. This gives better results but problem
>>>still remains. I also made some patching in my new package I will deploy
>>>next week by overwriting some samba values .. below my little patch ..
>>>
>

first of all, many thanks for entering this discussion in order to help me
solve my problems ..

>Before digging deep into OS settings check your squid.conf auth, acl and
>http_access settings.

okay let's go concerning auth part of the squid.conf, I would like to
say, nothing special .. below the ntlm config part

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 128
auth_param ntlm keep_alive on
acl ntlmauth proxy_auth REQUIRED
...
http_access allow ntlmauth all
http_reply_access allow all
http_access deny all
deny_info TCP_RESET all

>Check the TTL settings on your auth config. If it's not long enough squid
>will re-auth between request and reply.

not really sure I understand what setting you are speaking about ??

>
>For the access controls there are a number of ways they can trigger
>authentication popups. %LOGIN passed to external helper, proxy_auth
>REQUIRED acl, and an auth ACL being last on an http_access line.
>

if I understand well, you have the requested config lines above ..

>Also, interception setups hacked with bad flags to (wrongly) permit auth
>can appear working but cause popups on every object request and also leak
>clients credentials to all remote sites that use auth.

what kind of interception are you speaking about ??

>
>Amos
Received on Fri Nov 14 2008 - 16:24:42 MST
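
A small checker for the three access-control triggers and the interception case listed in the quoted reply, as an added example that is not part of the original thread or of Squid itself. The `http_port`, `external_acl_type` and `ingroup` sample lines and the helper path are constructed, and matching the `transparent`/`intercept` port flags is this example's assumption about what an interception setup looks like.

```python
# Constructed sample: directives from the posted squid.conf plus hypothetical
# http_port / external_acl_type / "ingroup" lines to exercise every check.
SAMPLE_CONF = """\
http_port 3128 transparent
auth_param ntlm children 128
external_acl_type grpcheck %LOGIN /usr/local/bin/example_group_helper
acl ntlmauth proxy_auth REQUIRED
acl ingroup external grpcheck
http_access deny !ingroup
http_access allow ntlmauth all
http_access deny all
"""

INTERCEPT_FLAGS = {"transparent", "intercept"}  # 2.6/2.7 name and the later name


def find_auth_triggers(conf_text):
    """Return [(line_no, reason)] for lines matching a trigger named in the reply."""
    rows = [line.split("#", 1)[0].split() for line in conf_text.splitlines()]
    # Helpers that are handed %LOGIN, then every ACL name that implies a login.
    helpers = {t[1] for t in rows if t[:1] == ["external_acl_type"] and "%LOGIN" in t}
    auth_acls = set()
    for t in rows:
        if t[:1] == ["acl"] and len(t) >= 3:
            if t[2].startswith("proxy_auth"):
                auth_acls.add(t[1])
            elif t[2] == "external" and len(t) > 3 and t[3] in helpers:
                auth_acls.add(t[1])
    findings = []
    for n, t in enumerate(rows, 1):
        if not t:
            continue
        if t[0] == "external_acl_type" and "%LOGIN" in t:
            findings.append((n, "%LOGIN passed to external helper"))
        elif t[0] == "acl" and t[2:4] == ["proxy_auth", "REQUIRED"]:
            findings.append((n, "proxy_auth REQUIRED acl"))
        elif t[0] == "http_access" and len(t) > 2 and t[-1].lstrip("!") in auth_acls:
            findings.append((n, "auth ACL last on http_access line"))
        elif t[0] == "http_port" and auth_acls and INTERCEPT_FLAGS & set(t[2:]):
            findings.append((n, "interception port combined with proxy auth"))
    return findings


if __name__ == "__main__":
    for line_no, reason in find_auth_triggers(SAMPLE_CONF):
        print(f"line {line_no}: {reason}")
```

On the three access lines actually posted in the message, only the `proxy_auth REQUIRED` acl is reported, because `http_access allow ntlmauth all` ends with `all` rather than the auth ACL.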
