El 24/03/2011 14:45, Amos Jeffries escribió:
> On 24/03/11 22:56, Francisco José Márquez Gómez wrote:
>> Hi friends,
>>
>> I'm suffering a speed problem when I use NTLM for auth users. If I use
>> basic auth, all work fine and webpages load almost instantaneous, but
>> when I enable NTLM, same webpages can took 10-30seconds to load it....
>>
>
> NTLM is designed to take 2x the HTTP traffic just to authenticate.
> With older Squid such as yours the connections are often closed very
> fast and every re-open has to re-authenticate from scratch.
> Turning persistent connections ON can reduce the load a bit. This is
> not perfect in older squid, just a reduction.
Are you referring to the option "auth_param ntlm keep_alive on"? Does
this option work better in recent versions?
> (...)
>> I've used this guide for setup my server:
>> -----------------------------------------------------
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5
>>
>> My unique changes over squid.conf are this:
>> --------------------------------------------------------------
>>
>> cache_effective_group wbpriv
>
> Setting "cache_effective_group" causes problems with winbind.
>
> In order for Squid and winbind to operate well together this
> directive must be not-set.
>
> I see that this is a RHEL package. RHEL patch the
> cache_effective_group setting to always have a value. Which prevents
> your OS security from assigning a proxy group for web access AND a
> winbind_priv group for winbind access.
> SOLUTION: self-build a squid without that RHEL patch.
>
> Then on the command line add the Squid low-privilege user to the
> winbind privileges group. Details are here:
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions
>
>
> (mind the wrap)
I will try it. I had to setup a cache_effective_group because I was
having permission problem with pipe access and this was the unique
option that worked well. Maybe the RHEL patch was the cause.
> (...)
>> Somebody can help me?? Is mandatory for me can remove the stupid
>> authentication popup wich show all browser for proxy authentication.
>
> Removing the popup is not possible. As you have seen even NTLM can do
> popups. This is because the popup is a browser feature to fetch
> credentials when it cannot find any working local ones.
> "Single sign-on" works for any auth method. It only requires that the
> browser have access to the credentials.
>
> That said the popups are seen with NTLM due to:
> 1) the browser cannot retrieve NTLM login credentials from the system.
> 2) the credentials the system gave the browser cannot be validated by
> Squid.
> 3) some older squid had bugs which would reject good credentials (rare)
>
> winbind privilege problems is a likely reason for (2). That wiki page
> I referenced has a section on testing the setup. Try all that to see
> if you can confirm the problem cause.
>
> incorrect client system configuration is the reason for (1).
>
> (3) is relatively rare. But could be noticed particularly if many
> requests were opened simultaneously. Since it bites on double-auth
> while squid is waiting for an auth response.
>
Yes, the popup is a browser feature to fetch credentials, but the unique
method I know for get "single sign-on" (contrary to what your said) is
use NTLM (as you say, exist some scenarios when it fail, but until now,
I haven't had those problems). My browsers (firefox or IE) always show
popup at first open if I use basic authentication in squid. I don't
understand why the browsers doesn't offer an option for save AND use
credential transparently in basic mode, but is thus and this is why I
want use NTLM.
The first popup when I open the browser is a minor problem. The problem
is that many times, web applications opens a new window or an applet
requires press the accept button of a new authentication popups.
This stupid scenario is caused by browsers, but I don't know any manner
for fix it different from implement NTLM.
>> Prior to squid, we were using MS ISA server and now, users are
>> constantly crying because his browsers shows authentication popups each
>> time they open it...
>
> This behaviour (*one* popup on a new browser session) indicates that
> the users OS is not giving their browser their current machine login
> to use for accessing the proxy. (1) above.
>
This behaviour only happen when I use basic autentication in squid. And
if I check the box in browser for save credential, the popup is showed
with username and password wrote on it, I only need press enter, but the
problem is that the popup is showed. Is annoying. If I enable NTLM
doesn't happen, so I need use NTLM, but my problem is the speed.
> FWIW;
> Microsoft wrote both NTLM specs and ISA proxy. Other software is
> still trying to catch up and cope with their designs. We mostly have
> the browser behaviour as a known thing. There are still issues with
> things that non-browser Microsoft software do when talking to proxies.
>
> To have a closely comparable Squid vs ISA experience you will need
> Squid-3.1.10 or later.
>
>
I will try it. Thank you.
Received on Fri Mar 25 2011 - 08:54:54 MDT
This archive was generated by hypermail 2.2.0 : Fri Mar 25 2011 - 12:00:03 MDT