This is a discussion on Re: [Samba] winbindd: Exceeding 200 client connections,no idle connection found - Samba ; Jason Haar wrote: > Elvar wrote: >> >> Yes, Squid comes with it's own NTLM AUTH mechanism but it does not >> support the --require-membership option which allows me to force >> users to be a part of a specific ...
Jason Haar wrote:
> Elvar wrote:
>> Yes, Squid comes with it's own NTLM AUTH mechanism but it does not
>> support the --require-membership option which allows me to force
>> users to be a part of a specific "internet access" group. That's why
>> I'm using winbindd.
> This isn't the trusted domain issue that showed up about a month ago
> is it? i.e do you have trusted domains where their domain controllers
> are some distance away over a WAN link?
> You don't mention it explicitly, but I'm guessing you're using NTLM
> proxy authentication? As such it means Squid (and winbind for that
> matter) cannot cache any of the authentication requests - they all
> must go through to the backend domain controllers. And if they are
> remote (ie high latency compared with LAN-connected DCs), Squid and
> winbind will spend more and more resources tracking outstanding
> authentication requests. e.g. a single Web page may contain 10+ images
> - that's 11 auth attempts - and with NTLM that means 33 HTTP
> transactions - for one Web page! If you have just a handful of users
> from remote domains, they will swallow a disproportionate amount of
> your authentication resources. There's a bit of HTTP/1.1 Keepalive
> reuse that speeds things up - but effectively it's a cow.
> If you can stomach the lack of encryption, go back to Basic proxy
> authentication - squid can cache the hell out of that! I bet you'll
> find all your problems disappear.
I meant to respond to this a long time ago and I'm sorry for the delay.
Yes, I'm using NTLM to authenticate the users to Active Directory
requiring specific group membership. If the users don't belong to group
"Internet Access" they are denied out. I can stomach the lack of
encryption, but with basic proxy auth can they still authenticate to AD?
To unsubscribe from this list go to the following URL and read the