Re: [squid-users] Problems authenticator on huge systems

From: Luis Daniel Lucio Quiroz <luis.daniel.lucio_at_gmail.com>
Date: Thu, 13 Oct 2011 08:49:33 -0500

2011/10/13 Francesco <frantz_at_itcserra.net>:
> Hello,
>
> in a proxy server with some hunderds of users, i experience temporary
> problems with ntlm authentication; Squid says access deny for some
> minutes, then everything returns working without any actions.
>
> In cache.log i noticed these errors:
> AuthNTLMUserRequest::authenticate: attempt to perform authentication
> without a connection!
>
> I raised up the per-process max open files to 4096; do you think i am low
> of authenticator process (200)?
> Could it be this the problem?
>
> I have no cache on ntlm auth helper...
>
> Thank you,
> Francesco
>

HELO Franchesco,

My first toughts is you shall consider a ntlm cache, about 5 minutes.
The fact is, that NTLM authentication does not work as basic
authentication. I mean, in basic authentication, once the browser
sends credentials, it always send credentials each time without
requesting them again. In ntlm, as my understanding, it is quite
different, browsers after a lapse of time will stop sending
credentials (the hash). So a cache will really offload the samba/AD
you are forwarding auth requests.

Taking as a reference your message, and without other evidence, i
guess problem is not between browser-squid, it could be
squid-ad/samba.

LD
http://www.twitter.com/ldlq
Received on Thu Oct 13 2011 - 13:49:40 MDT

This archive was generated by hypermail 2.2.0 : Thu Oct 13 2011 - 12:00:04 MDT