Re: [squid-users] NTLM auth popup boxes

From: Elvar <elvar@dont-contact.us>
Date: Fri, 18 Jan 2008 12:20:11 -0600

Hello all, something I wanted to add to this thread which I thought may
have something to do with the problem is the following I'm consistently
seeing in my squid cache log...

[2008/01/18 12:16:28, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
  got NTLMSSP command 3, expected 1
[2008/01/18 12:18:07, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
  got NTLMSSP command 3, expected 1
[2008/01/18 12:19:05, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
  got NTLMSSP command 3, expected 1
[2008/01/18 12:19:20, 1] libsmb/ntlmssp.c:ntlmssp_update(259)
  got NTLMSSP command 3, expected 1

Would that be the cause of my auth popup boxes in browsers? If so, is
this fixable yet? I ran across this thread while searching for those
errors...

http://www.squid-cache.org/mail-archive/squid-users/200606/0362.html

Kind regards,
Elvar

Amos Jeffries wrote:
>> Adrian Chadd wrote:
>>
>>> On Sat, Nov 03, 2007, Elvar wrote:
>>>
>>>
>>>> Hello all,
>>>>
>>>> I am currently running squid-2.6.14 on FreeBSD 6-STABLE and Squid is
>>>>
>
> Please upgrade to STABLE17. There is a security problem in earlier releases.
>
>
>>>> configured to authenticate users to the Active Directory database via
>>>> the NTLM plugin. The problem I'm having is that approximately every
>>>> other day or sometimes sooner or sometimes longer, users start getting a
>>>> popup box asking for auth credentials. Normally this is not the case as
>>>> it's handled automatically in the background. I'm forced to restart the
>>>> squid proxy server to resolve this. One thing I notice is that every
>>>> time it happens the number of squid child processes is greater than the
>>>> number listed in squid.conf. Currently I'm set at 'auth_param ntlm
>>>> children 150'. I'm not sure what is causing this login popup box but
>>>> it's really upsetting my users and I need to figure out a solution. Has
>>>> anyone else experienced this? Anyone have any suggestions?
>>>>
>>>>
>>> A couple of possibilities:
>>>
>>> * Samba can't keep up with your request rate
>>> * Squid is blocking and missing out on processing the NTLM
>>> authentication results
>>>
>>> I suggest a few things:
>>>
>>> * How busy is the cache? Do you have graphs? If not, compile with snmp
>>> support and start graphing whatever you can
>>>
>>> * Look at your load and see if you're better off with aufs than ufs;
>>> aufs won't block (as much!) and should free Squid up to handle the
>>> helper replies quicker;
>>>
>>> * I've seen this happen at "back from lunch" enterprise situations where
>>> a few hundred people come back and fire up their browsers at the same
>>> time, overloading the NTLM authentication mechanism. Henrik's
>>> authentication IP caching patch (ntlm_ip_cache? I forget now) seems
>>> to do the trick but it comes with certain use restrictions.
>>> This depends on how busy your caches are; see point 1.
>>>
>>>
>>>
>>> Adrian
>>>
>>>
>>>
>>>
>> Well, I've set up squid-rrd now on two different boxes at two different
>> locations to monitor performance and it doesn't appear that Squid is
>> being overworked. Is there a way to possibly increase the TTL for
>> queries against Active Directory? I've been battling with this problem
>> for months now and cannot for the life of me figure out what's causing
>> the problem.
>>
>>
>>
>> Thanks,
>> Elvar
>>
>>
>>
>>>> squid.conf listed below
>>>>
>>>> Kind regards
>>>> Elvar
>>>>
>>>> ################ Begin squid.conf ################
>>>>
>>>> acl localnet src 192.168.0.0/16
>>>> http_port 192.168.0.1:3128
>>>> hierarchy_stoplist cgi-bin ?
>>>> acl QUERY urlpath_regex cgi-bin \?
>>>> cache deny QUERY
>>>> acl all src 0.0.0.0/0.0.0.0
>>>> cache_dir ufs /usr/local/squid/cache 500 16 256
>>>> access_log /usr/local/squid/logs/access.log squid
>>>> #cache_log none
>>>> cache_log /usr/local/squid/logs/cache.log
>>>> cache_store_log none
>>>> emulate_httpd_log off
>>>> log_mime_hdrs on
>>>> check_hostnames off
>>>> auth_param ntlm keep_alive on
>>>>
>>>> auth_param ntlm program /usr/local/bin/ntlm_auth
>>>> --helper-protocol=squid-2.5-ntlmssp
>>>> --require-membership-of=S-1-5-21-2590255907-4225717938-1771017636-2445
>>>> auth_param ntlm children 150
>>>> #auth_param ntlm max_challenge_reuses 0
>>>> #auth_param ntlm max_challenge_lifetime 5 minutes
>>>>
>>>> #auth_param basic program /usr/local/bin/ntlm_auth
>>>> --helper-protocol=squid-2.5-ntlmssp
>>>> #auth_param basic children 5
>>>> #auth_param basic realm WT
>>>> #auth_param basic credentialsttl 2 hours
>>>>
>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>> refresh_pattern . 0 20% 4320
>>>>
>>>> ### Needed for Windows Update to work ###
>>>> acl windowsupdate dstdomain .windowsupdate.microsoft.com
>>>> acl windowsupdate dstdomain .update.microsoft.com
>>>> acl windowsupdate dstdomain .download.windowsupdate.com
>>>> acl windowsupdate dstdomain .c.microsoft.com
>>>> acl windowsupdate dstdomain .download.microsoft.com
>>>> http_access allow windowsupdate localnet
>>>> ##########################################
>>>>
>>>>
>>>> acl manager proto cache_object
>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>> acl to_localhost dst 127.0.0.0/8
>>>> acl SSL_ports port 443 563
>>>> acl Safe_ports port 80 # http
>>>> acl CONNECT method CONNECT
>>>> acl Safe_ports port 21 # ftp
>>>> acl Safe_ports port 443 563 # https, snews
>>>> acl Safe_ports port 70 # gopher
>>>> acl Safe_ports port 210 # wais
>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>> acl Safe_ports port 280 # http-mgmt
>>>> acl Safe_ports port 488 # gss-http
>>>> acl Safe_ports port 591 # filemaker
>>>> acl Safe_ports port 777 # multiling http
>>>> acl AuthorizedUsers proxy_auth REQUIRED
>>>>
>>>> http_access allow manager localhost
>>>> http_access deny manager
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>> http_access allow all AuthorizedUsers
>>>>
>
> Ah, here is part of the problem.
> Using this 'all' hack to silence the login box it needs 'all' to be at
> the very end of the line. Otherwise all has no meaning there.
>
> http_access allow AuthorizedUsers all
>
>
>
>>>> http_access deny all
>>>>
>>>> http_reply_access allow all
>>>> icp_access allow all
>>>>
>>>> cache_effective_user squid
>>>>
>>>> visible_hostname example.com
>>>>
>>>> logfile_rotate 20
>>>>
>>>> coredump_dir /usr/local/squid/cache
>>>>
>>>> ######################### End squid.conf ########################
>>>>
>>>>
>>>
>>
>
>
>
Received on Fri Jan 18 2008 - 11:20:25 MST
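As an added example (not part of the thread), a small Python check for Amos's point about where 'all' sits on an http_access line: it collects the ACL names declared with the proxy_auth type from a squid.conf and flags any http_access rule that uses one of them together with 'all' without 'all' being the last element, returning the reordered line. The sample config is constructed from the lines quoted above.

```python
import re  # kept for readers extending the matcher; tokenising below uses split()

# Constructed sample: the relevant lines of the squid.conf quoted in the thread.
SAMPLE_CONF = """\
acl localnet src 192.168.0.0/16
acl all src 0.0.0.0/0.0.0.0
acl Safe_ports port 80 # http
acl AuthorizedUsers proxy_auth REQUIRED
http_access deny !Safe_ports
http_access allow all AuthorizedUsers
http_access deny all
"""

def _tokens(line):
    """Split a squid.conf line into words, dropping any trailing '# comment'."""
    return line.split("#", 1)[0].split()

def proxy_auth_acls(conf):
    """Names of ACLs declared with the proxy_auth type."""
    names = set()
    for line in conf.splitlines():
        parts = _tokens(line)
        if len(parts) >= 3 and parts[0] == "acl" and parts[2] == "proxy_auth":
            names.add(parts[1])
    return names

def lint_http_access(conf):
    """Return (original_line, corrected_line) pairs for http_access rules that
    combine a proxy_auth ACL with 'all' but do not put 'all' last. Squid checks
    the ACLs on a line left to right, so, as Amos notes in the thread, the
    'all' trick only has an effect when 'all' is the final element."""
    auth = proxy_auth_acls(conf)
    findings = []
    for line in conf.splitlines():
        parts = _tokens(line)
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        acls = parts[2:]
        uses_auth = any(a.lstrip("!") in auth for a in acls)  # handles '!acl' too
        if uses_auth and "all" in acls and acls[-1] != "all":
            fixed = [a for a in acls if a != "all"] + ["all"]
            findings.append((line, " ".join(parts[:2] + fixed)))
    return findings

if __name__ == "__main__":
    for bad, good in lint_http_access(SAMPLE_CONF):
        print(f"{bad!r} -> {good!r}")
```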
