[squid-users] Squid Samba 4 and ntlm_auth concurrency question

Amos Jeffries squid3 at treenet.co.nz
Sun Aug 21 13:15:42 UTC 2016


On 21/08/2016 1:34 a.m., David Webb wrote:
> 
> I'm currently using the binary version of squid provided by yum with
> RHEL 7.2 (3.3.8) with Samba 4's winbind ntlm_auth to authenticate
> against AD, which is working fine.
> 
> auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
> auth_param negotiate children 250 startup=2 idle=1
> auth_param negotiate keep_alive off
> #
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 250 startup=2 idle=1
> auth_param ntlm keep_alive off
> #
> 
> However, I'm wondering if I can reduce the number of ntlm_auth processes
> created by introducing some concurrency.
> 
> I've seen mention of helper-mux.pl but from what I've seen on the web
> I'm not sure if this will work with negotiate and ntlm.
> Also, it looks like in the future with Squid 4 helper-mux.pl is being
> retired.

Should not be. The use cases and need for it still exist. The way it
works needs to be completely different for the new ID numbering scheme
is all. So the Squid-3 version of the helper is not forward-compatible.

The Squid-4 helper should work** in any Squid version still. If it's not
working, that is a bug in Squid-4 we want to hear about.

** except on Logging, pinger, NTLM and Negotiate helper interfaces.


> I've also seen some mention of Samba 4 building in some concurrency
> itself into ntlm_auth but I'm not sure that this is fully supported.
> 
> So my question is what is the current state of play for squid 3.x (and
> upcoming squid 4) with respect to negotiate and ntlm concurrency with
> samba4 ?

Squid does not support concurrency in the NTLM and Negotiate helper API
lookups. The helpers apparently do, but Squid won't do it. Not even
enough to experiment with yet.

NTLM has been deprecated for 10 years now (as of this month IIRC). You
should really not have many (or any) Windows 95/98/2k clients needing to
use it. Yes, even XP supports Kerberos.

The only way to reduce load with NTLM is to enable persistent HTTP
connections to clients (and servers where possible) - unrelated to that
"keep_alive off" setting. The more requests your clients can make on a
single connection without having to re-authenticate from scratch the
better. This also helps with Kerberos auth load as they upgrade.

Amos
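One way to check whether clients are actually reusing connections rather than paying for a fresh NTLM/Negotiate handshake on every request, as an added example that is not part of this thread: count 407 challenges per client in Squid's native access.log. It assumes the default native log format (timestamp, elapsed, client, action/status, ...) and uses constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client action/status size method URL user hierarchy/peer type
# A fresh NTLM handshake costs two 407s (empty request, then Type1 message)
# before the Type3 message is accepted and the request is served.
SAMPLE_LOG = """\
1471784142.123      5 10.0.0.5 TCP_DENIED/407 3984 GET http://example.com/ - HIER_NONE/- text/html
1471784142.140      6 10.0.0.5 TCP_DENIED/407 3984 GET http://example.com/ - HIER_NONE/- text/html
1471784142.250     40 10.0.0.5 TCP_MISS/200 1234 GET http://example.com/ CORP\\alice HIER_DIRECT/93.184.216.34 text/html
1471784142.300     12 10.0.0.5 TCP_HIT/200 5120 GET http://example.com/a.css CORP\\alice HIER_NONE/- text/css
1471784143.010      4 10.0.0.9 TCP_DENIED/407 3984 GET http://example.org/ - HIER_NONE/- text/html
1471784143.020      4 10.0.0.9 TCP_DENIED/407 3984 GET http://example.org/ - HIER_NONE/- text/html
1471784143.100     30 10.0.0.9 TCP_MISS/200 2000 GET http://example.org/ CORP\\bob HIER_DIRECT/93.184.216.34 text/html
1471784143.200      4 10.0.0.9 TCP_DENIED/407 3984 GET http://example.org/b.js - HIER_NONE/- text/html
1471784143.210      4 10.0.0.9 TCP_DENIED/407 3984 GET http://example.org/b.js - HIER_NONE/- text/html
1471784143.300     30 10.0.0.9 TCP_MISS/200 900 GET http://example.org/b.js CORP\\bob HIER_DIRECT/93.184.216.34 text/javascript
"""

# timestamp, elapsed ms, client address, action tag, HTTP status code
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+")


def challenge_stats(log_text):
    """Return {client: {"challenged": n407, "served": n2xx_3xx}} for native-format log text."""
    stats = defaultdict(lambda: {"challenged": 0, "served": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or a line not in native format
        client, status = m.group(3), int(m.group(5))
        if status == 407:
            stats[client]["challenged"] += 1
        elif 200 <= status < 400:
            stats[client]["served"] += 1
    return dict(stats)


def challenges_per_request(stats):
    """407s per served request: ~2.0 means a full NTLM handshake for every request,
    well below that means connections are being reused across requests."""
    return {ip: (s["challenged"] / s["served"] if s["served"] else float("inf"))
            for ip, s in stats.items()}


if __name__ == "__main__":
    for ip, ratio in sorted(challenges_per_request(challenge_stats(SAMPLE_LOG)).items()):
        print(f"{ip}: {ratio:.1f} challenges per served request")
```

In the sample, 10.0.0.5 authenticated once and reused the connection for a second request, while 10.0.0.9 re-did the whole handshake for each request, which is the load pattern persistent connections are meant to remove.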


