[squid-users] Enhancing NTLM Authentication to Remote Site Active Directory server

From: Oguz Yilmaz <oguzyilmazlist_at_gmail.com>
Date: Tue, 1 Nov 2011 11:53:34 +0200

Hi,

We use NTLM authentication with Squid in some setups. In those setups the
local machine joins the Active Directory domain and the Squid ntlm_auth helper
authenticates through the local Samba service. Users authenticate transparently
through the NTLM authentication handshake on HTTP without
entering any password in their browser.

However, in some cases branch offices have no local Active Directory
copy. The branch office is connected to the headquarters through an IPsec
VPN. I can join the branch office Samba to the headquarters' Active
Directory domain and set up NTLM authentication on Squid correctly.

This setup has a weakness inherited from high latency, packet loss or
some other things that I don't know about Samba. 3-4 times a day
users get prompted with a user name/password authentication popup in
their browser. Sometimes this recovers naturally in a few minutes.
However, in some cases it requires rejoining the domain (wbinfo -t
gives an error and wbinfo -l cannot list users).

I have made some tunings in Samba:

   getwd cache = yes
   winbind cache time = 3000
   ldap connection timeout = 10
   ldap timeout = 120

This decreased the error rate to 1 per day.

Which other tunings can I do on Samba and Squid? I need your experiences.

Best Regards,

squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive off

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 20
auth_param basic realm Squid AD Auth
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

/etc/samba/smb.conf:

[global]
   netbios name = SQUID
   realm = MY.DOM
   workgroup = my.dom
   security = ads
   encrypt passwords = yes
   password server = 172.16.5.10
   log level = 3
   log file = /var/log/samba.log
   ldap ssl = no
   idmap uid = 10000-20000
   idmap gid = 10000-20000

   winbind separator = /
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes

   domain master = no
   local master = no
   preferred master = no

   template shell = /sbin/nologin

   getwd cache = yes
   winbind cache time = 3000
   ldap connection timeout = 10
   ldap timeout = 120

/etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MY.DOM
 default_tkt_enctypes = rc4-hmac des-cbc-crc
 default_tgs_enctypes = rc4-hmac des-cbc-crc
# dns_lookup_realm = false
# dns_lookup_kdc = false

 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 MY.DOM = {
  kdc = 172.16.5.10
  admin_server = 172.16.5.10
  default_domain = MY.DOM
 }

[domain_realm]
 .ronesans.hol = MY.DOM
 ronesans.hol = MY.DOM

--
Oguz YILMAZ
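An added example, not from the original post: a cron-driven health check for the branch-office proxy that records whether the winbind domain trust (wbinfo -t) and user enumeration (wbinfo -l) work, and separates the short blips described above, which recover on their own, from a persistent failure of the kind that needed a rejoin. The state/log paths, the failure threshold and the log line format are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's own script): winbind health check meant to
# run from cron on the branch-office Squid host. Paths and threshold are
# hypothetical defaults; override them through the environment.

STATE_FILE="${WINBIND_STATE:-/var/run/winbind-check.state}"
LOG_FILE="${WINBIND_LOG:-/var/log/winbind-check.log}"
PERSIST_AFTER="${WINBIND_PERSIST_AFTER:-3}"   # consecutive failing runs

# classify_winbind TRUST_RC USER_COUNT -> prints ok | trust-broken | enum-empty
# TRUST_RC is the exit status of `wbinfo -t`, USER_COUNT the lines `wbinfo -l` printed.
classify_winbind() {
  if [ "$1" -ne 0 ]; then echo trust-broken
  elif [ "$2" -eq 0 ]; then echo enum-empty
  else echo ok; fi
}

# update_streak STATE STATE_FILE -> prints the new consecutive-failure count
# (reset to 0 on ok); the count is kept across cron runs in STATE_FILE.
update_streak() {
  prev=$(cat "$2" 2>/dev/null || true)
  case "$prev" in ''|*[!0-9]*) prev=0 ;; esac   # missing or corrupt state file
  if [ "$1" = ok ]; then n=0; else n=$((prev + 1)); fi
  printf '%s\n' "$n" >"$2"
  echo "$n"
}

# severity STREAK THRESHOLD -> prints none | transient | persistent
severity() {
  if [ "$1" -eq 0 ]; then echo none
  elif [ "$1" -ge "$2" ]; then echo persistent
  else echo transient; fi
}

# Live check: run wbinfo, classify, append one log line. Returns 2 when the
# failure has lasted PERSIST_AFTER runs, so cron or a monitor can alert on it.
run_check() {
  command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not found" >&2; return 3; }
  wbinfo -t >/dev/null 2>&1; trust_rc=$?
  users=$(wbinfo -l 2>/dev/null | grep -c . || true)
  state=$(classify_winbind "$trust_rc" "$users")
  streak=$(update_streak "$state" "$STATE_FILE")
  sev=$(severity "$streak" "$PERSIST_AFTER")
  printf '%s state=%s users=%s streak=%s severity=%s\n' \
    "$(date '+%Y-%m-%dT%H:%M:%S')" "$state" "$users" "$streak" "$sev" >>"$LOG_FILE"
  [ "$sev" = persistent ] && return 2
  return 0
}

if [ "${1:-}" = check ]; then run_check; fi
```

Run it as `winbind-check.sh check` every few minutes from cron; a `severity=persistent` line then marks the point at which the trust has stayed broken long enough that tuning alone did not bring it back.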
Received on Tue Nov 01 2011 - 09:54:02 MDT