On Thu, 26 Oct 2000, Chemolli Francesco (USI) wrote:
> It depends on your definition of "user". If with youser you
> mean a domain\username entity, we can't do that. We get
> to know that only at the end of the authentication handshake.
Oh, IC. I didn't know that.
> If you mean IP address, that could maybe be arranged. Performance
> would decrease probably. The ntlm cache Robert wrote last week
> should help greatly improve the hit-ratio and the overall performance.
>
> > Ideally there should be one process per user and the pw
> > cache in squid
> > itself (or shared mem between ntlm-auth processes), IMHO.
>
> The former is not a good idea (too many processes),
> the latter is done.
Done for a long time (1-2 weeks) or should I download a new CVS version?
I'm under the impression it does not work, at least there are plenty
authentications for the same user. Maybe cause he started a second
IE or it changed its 'key' (what is send to squid). At second glance
I cannot find an instance where it does not find the exact same key on a
second auth process. But I also cannot find one where it does.
So in my case the same <user> is authenticated again and again
(differing key (challenges?) until it finally fails.
> I thought there were protections against this behaviour,
> but it might be I missed something.
> Please try a bigger challenge expiry timeout, and see if
I already did that. It was one of my first reactions. I raised the
housekeeping from 60 to 1800 then 3600 and the challenge refresh
from 1800 default to 3600 then 7200.
The problem stays but seems to be a *tiny little* less frequent.
It's definitely more often than the challenge refresh time.
> That will be added as soon as I can get to work on that.
> Be warned though that this will be an horrible performance hit,
> both in terms of response time and in terms of DC load.
Well, I doubt it, since it already does that anyway because right now I
already see every second or at least third actual authentication fail and
lead to a reconnect. In the long term: Initial authentication of new IE to
squid is already slow. If there are enough processes so each new user gets
one I don't see a problem. Most of the time the ntlm-auth cache should be
consulted.
For the moment I'd rather prefer a slow logon.
> It will wait.
Yep, I got that hint from Robert before I had asked. We are trying that
now. Stay tuned for results.
Michael.
-- Michael Weller: eowmob@exp-math.uni-essen.de, eowmob@ms.exp-math.uni-essen.de, or even mat42b@spi.power.uni-essen.de. If you encounter an eowmob account on any machine in the net, it's very likely it's me. -- To unsubscribe, see http://www.squid-cache.org/mailing-lists.htmlReceived on Thu Oct 26 2000 - 08:14:34 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:58 MST