RE: [SQU] Fw: NTLM authentication, recent logs for Robert Collins

From: Robert Collins <robert.collins@dont-contact.us>
Date: Mon, 30 Oct 2000 08:47:16 +1100

> -----Original Message-----
> From: Dr. Michael Weller [mailto:eowmob@exp-math.uni-essen.de]
> Sent: Monday, 30 October 2000 4:12 AM
> To: Robert Collins; Chemolli Francesco (, USI)
> Cc: squid-users@ircache.net
> Subject: Re: [SQU] Fw: NTLM authentication, recent logs for Robert Collins
>
>
> On Fri, 27 Oct 2000, Dr. Michael Weller wrote:
>
> > From my logs (but they are too short for a long term experience) it seems
> > the default challenge refresh of 1800 secs would suffice. Anything close
> > to or over 40 minutes definitely does not. I'll run with 900 secs for now
> > in all installations and see if this removes the last authentication
> > failures.
>
> Hmm, seems challengerefresh appears only at min or gcd (-k, -c). With 1h
> challenge refresh I got still a few errors (about 1/(1..2 hours)). I'm now
> back to default (-k 60, c 1800) but 1 authenticator only and will see how
> it behaves.
>
> I think you should definitely make 1 auth default in squid.conf and a
> comment warning to change it (for now).
>
> Michael.
>
> P.S.: Any real ideas how to deal with it, rather than circumventing the
> bug? Even w/o getting the source from St. Petersburg it might be possible
> to snoop on the net connection between an MS-Proxy and a DC and see what
> it does.

Yes - become a domain member server and use PassThrough authentication.
It has a lot of benefits, but is substantially more work to get it going...

From a technical angle: at the moment each helper connects to the DC,
negotiates the wire-level protocol (buffer size/ASCII/UNICODE/ntlm
version...) and then requests a challenge. Subsequent to that on each
auth request (not forgetting the handshake.. just looking at the
DC-helper section) it wants to authenticate, it calls SMBSessionSetupX
and logs in as the user. This creates a new login for the user for each
helper for each challenge!

What we are talking about doing is using the SAMBA functionality that
allows a un*x box to be a Member server in a domain. We should be able
to combine some calls from there to end up with what is called a
"credentials chain" to the DC. The big thing about the credentials chain
is that we get to choose the challenge. So we can randomly pick a
challenge. Drop it somewhere (Shared memory/logs/ntlm_auth_challenge
whatever) and then tell all the helpers to use the same challenge. This
will increase cache hits and decrease DC utilization. We then rotate the
challenge at whatever interval we think is appropriate.

Rob

>
> --
>
> Michael Weller: eowmob@exp-math.uni-essen.de, eowmob@ms.exp-math.uni-essen.de,
> or even mat42b@spi.power.uni-essen.de. If you encounter an eowmob account on
> any machine in the net, it's very likely it's me.
>
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
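The shared-challenge design Rob sketches (one chosen challenge dropped somewhere all helpers can read, rotated on an interval, so a user's response is valid at every helper) versus today's per-helper challenge (one DC login per helper per challenge) can be simulated to see the effect on DC load. The following is an added example, not code from the thread or from Squid/Samba: a coordinator that owns the challenge and rotates it after a refresh interval, a fake DC that counts logins, and helpers that cache successful (user, challenge, response) triples. The `ChallengeCoordinator`, `FakeDC` and `Helper` names are illustrative, the password hash and user are constructed, and the response function is a toy HMAC stand-in rather than the real NTLM response computation.

```python
"""Simulate per-helper NTLM challenges versus one shared, rotating challenge.

Added example (not Squid or Samba code). The "DC" only counts how many
logins it is asked to perform; the response function is a toy HMAC
stand-in for the real NTLM response.
"""
import hashlib
import hmac
import os


class ChallengeCoordinator:
    """Owns the current challenge and rotates it after `refresh` seconds.

    The clock is injected so rotation can be driven deterministically."""

    def __init__(self, refresh, clock):
        self.refresh = refresh
        self.clock = clock
        self.issued_at = None
        self.challenge = None

    def current(self):
        now = self.clock()
        if self.challenge is None or now - self.issued_at >= self.refresh:
            self.challenge = os.urandom(8)   # NTLM challenges are 8 bytes
            self.issued_at = now
        return self.challenge


def client_response(pw_hash, challenge):
    """Toy stand-in for the NTLM response: HMAC over the challenge keyed on the
    password hash (constructed; not the real NTLM algorithm)."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class FakeDC:
    """Stand-in domain controller: every verify() call is one user login."""

    def __init__(self, users):
        self.users = users   # user -> password hash (constructed)
        self.logins = 0

    def verify(self, user, challenge, response):
        self.logins += 1
        expected = client_response(self.users[user], challenge)
        return hmac.compare_digest(expected, response)


class Helper:
    """One auth helper. It takes its challenge from a coordinator (shared or
    private) and caches successful authentications so repeats of the same
    (user, challenge, response) triple never reach the DC again."""

    def __init__(self, dc, coordinator, cache):
        self.dc = dc
        self.coordinator = coordinator
        self.cache = cache

    def challenge(self):
        return self.coordinator.current()

    def authenticate(self, user, response):
        key = (user, self.challenge(), response)
        if key in self.cache:
            return True                      # cache hit: no DC round trip
        ok = self.dc.verify(user, self.challenge(), response)
        if ok:
            self.cache[key] = True           # only successes are cached
        return ok


def run(shared, helpers, requests, refresh, step):
    """Drive `requests` auths from one client round-robin over `helpers`
    helpers, advancing a fake clock by `step` seconds per request.
    Returns the number of DC logins the run caused."""
    t = [0]
    clock = lambda: t[0]
    dc = FakeDC({"alice": hashlib.sha256(b"constructed-password").digest()})
    cache = {}   # stands in for Squid's auth cache; keys differ per challenge
    if shared:
        coord = ChallengeCoordinator(refresh, clock)
        pool = [Helper(dc, coord, cache) for _ in range(helpers)]
    else:
        pool = [Helper(dc, ChallengeCoordinator(refresh, clock), cache)
                for _ in range(helpers)]
    for i in range(requests):
        h = pool[i % helpers]
        resp = client_response(dc.users["alice"], h.challenge())
        if not h.authenticate("alice", resp):
            raise RuntimeError("constructed credentials should always verify")
        t[0] += step
    return dc.logins


if __name__ == "__main__":
    # 4 helpers, 40 requests 100 s apart, challenge refresh 1800 s.
    print("per-helper challenges: DC logins =", run(False, 4, 40, 1800, 100))
    print("shared challenge:      DC logins =", run(True, 4, 40, 1800, 100))
```

With four helpers each holding their own challenge, every rotation on every helper costs a fresh DC login (8 in the run above); with one shared challenge the DC sees one login per rotation (3), because a response computed against the shared challenge hits the cache at whichever helper the next request lands on. The refresh interval is the knob the thread is tuning: a longer interval means fewer DC logins but a longer window in which a captured response stays valid, which is why the challenge is rotated at all rather than chosen once.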
Received on Sun Oct 29 2000 - 14:51:07 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:56:01 MST