Re: [squid-users] NTLM-auth with computers that are not in the domain

From: E.S. Rosenberg <esr_at_g.jct.ac.il>
Date: Tue, 28 Jun 2011 17:42:21 +0300

2011/6/28 Amos Jeffries <squid3_at_treenet.co.nz>
>
> On 28/06/11 23:23, E.S. Rosenberg wrote:
>>
>> Hi,
>> We recently switched to an NTLM based setup and tehre is one quite
>> annoying fluke for users that are not in the domain, when they open
>> their browser they get multiple auth requests.
>
> Well. Yes. That is how NTLM is supposed to provide security better than Digest. Users who don't have credentials checked by the DC can't authenticate.
>
> Or are you using the words "in the domain" in a different meaning to what NTLM uses for in and out of domain? (registered with the DC "in" and not registered "out" / general public machines)
I mean linux stations that authenticate against LDAP, or windows
stations that for whatever reason have local accounts instead of
domain accounts.
Regards,
Eli
>
>>
>> This is probably because the browser issues multiple requests and
>> therefor gets multiple 407s back from squid, is there any way to avoid
>> this? To make sure that the user only needs to type his/her password
>> once (if they don't make a mistake)?
>
> maybe yes, maybe no. Depends on your version of Squid. We have had people do a lot of deep analysis of NTLM behaviour and fix many problems thoughout the 3.1 series. Some were only fixable in 3.2 betas due to the nature of changes.
>
> The big thing to be aware of is that persistent connections is not optional. They are REQUIRED.
>
> Also depends on the users system. The browser is what makes the choice to (a) open that many connections at once, and (b) do the popup. NTLM credentials are Single-Signon, supposedly provided to the browser by the operating system. The user should not actually ever see even one popup from the browser. The popup is an effort of last resort for browsers.
>
>
>>
>> For a user like me that when opening the browser is restoring tens if
>> not hunders of tabs the amount of auth requests can be quite
>> frustrating.
>
> The browser cant find your credentials from your machine login, OR the proxy cannot verify them once they are handed over.
>
>>
>> A different question:
>> I shortened the shutdown_lifetime to 5 seconds (from the default 30
>> seconds) so that downtime when I change a setting that requires a
>> restart instead of a reload is shorter, is there any reason to not
>> shorten this (possibly even to 1 or 0?)?
>
> shutdown_lifetime is the amount of time Squid is allowed to spend on a full save of the cache index and finishing clients requests. The smaller it is the more clients see failures and the longer startup times Squid may have while rebuilding a broken index from scratch before it can start operating at full speed.
>
>> I can live with a download having to be done again but half the campus
>> not browsing is much less ideal...
>>
>> Thanks and regards,
>> Eli
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.12
>  Beta testers wanted for 3.2.0.9 and 3.1.12.3
Received on Tue Jun 28 2011 - 14:42:29 MDT

This archive was generated by hypermail 2.2.0 : Tue Jun 28 2011 - 12:00:02 MDT