Active Directory

USSteel🇺🇸

Squid / ntlm_auth problems
There is a problem where all the ntlm authenticator processes stop responding, and Internet traffic halts. Below is the part of the cache.log file when this occurs. All traffic comes from a content switch, so in the proxy logs there is only one IP address. We are running squid 2.6 stable 9 and can only go up to squid 2.6 stable 17 since we have smartfilter compiled into squid, and they will only support up to that version with their latest version of smartfilter. I would like to have a better understanding of what occurs when someone goes out to the Internet so I can look at what happens. I have done strace -p on the process ID for the ntlm_auth program, and tcpdumps on all the traffic, but this yields lots of data and I am not sure what is extraneous and what is actually happening. Does anyone have any ideas what the problem might be or other ways to dissect what is happening?

What I have noticed is this:
client -> proxy (HTTP Get google)
proxy -> client (407 not authorized NTLM auth)
client -> proxy (HTTP Get google NTLM NEGOTIATE YR) TlRMTVNTUAABAAAAB7...
proxy -> client (407 not yet NTLM CHALLENGE TT) TlRMTVNTUAACAAAABg...
client -> proxy (HTTP Get google NTLM AUTH KK) TlRMTVNTUAADAAAAGA... Domain\UserID

At this point I think the proxy checks something against the Domain Control and when it is okay, it then gets the page from the firewall and returns it to the client.

Can anyone verify that this is how the NTLM authentication happens, and where these NTLM strings are being created from? I have only listed part of them since they are so long. I have a good understanding of squid but not so much of NTLM and Active Directory.

2008/02/29 11:17:33| WARNING: All ntlmauthenticator processes are busy.
2008/02/29 11:17:33| WARNING: up to 126 pending requests queued
2008/02/29 11:17:33| Consider increasing the number of ntlmauthenticator processes to at least 226 in your config file.

fifthelement80

It is a known bug in squid 2.6. Please read the following bug report; as I see, a patch is released too.
http://www.squid-cache.org/bugs/show_bug.cgi?id=1681

USSteel🇺🇸

ASKER

I think that this patch is specifically for the ntlm_auth that is part of squid.  We are however using the ntlm_auth that is part of samba.

auth_param ntlm program /opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100

Though this sounds like the same problem, I don't think patching squid will fix it. Maybe someone can explain where the holdup is in this strace -p. The (Timeout): is this on the server or in the communication to the DC?



read(0, "YR TlRMTVNTUAABAAAAB7IIogMAAwAzA"..., 1024) = 76
read(3, "\206J\25\345+\5\204\317", 8)   = 8
write(1, "TT TlRMTVNTUAACAAAABgAGADAAAAAFg"..., 204) = 204
read(0, "KK TlRMTVNTUAADAAAAGAAYAHIAAAAYA"..., 1024) = 220
select(6, [5], NULL, NULL, {0, 0})      = 0 (Timeout)
write(5, "$\10\0\0\r\0\0\0\247\3\0\0\214\0\0\0\0\0\0\0\0\0\0\0\0"..., 2084) = 2084
select(6, [5], NULL, NULL, {5, 0})      = 0 (Timeout)
select(6, [5], NULL, NULL, {5, 0})      = 0 (Timeout)
select(6, [5], NULL, NULL, {5, 0})      = 0 (Timeout)
select(6, [5], NULL, NULL, {5, 0})      = 0 (Timeout)
select(6, [5], NULL, NULL, {5, 0})      = 0 (Timeout)
select(6, [5], NULL, NULL, {5, 0})      = 1 (in [5], left {3, 343000})
read(5, "\264\f\0\0\2\0\0\0\0\0\0\0NT_STATUS_OK\0\0\0\0\0\0\0\0"..., 3240) = 3240
select(6, [5], NULL, NULL, {5, 0})      = 1 (in [5], left {5, 0})
read(5, "HDQ\\voj9088\0", 12)           = 12
write(1, "AF HDQ\\voj9088\n", 15)       = 15
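
Added example, not part of the original thread: a short Python script that reads the helper-protocol and select() lines from the strace above, identifies each NTLMSSP message type from the truncated base64 prefix, and totals how long the helper blocked on each descriptor. Treating fd 5 as ntlm_auth's connection to winbindd is an assumption; the trace itself does not say what that descriptor is.

```python
import base64
import re
import struct

# Constructed sample: helper and select() lines copied from the strace in the post.
TRACE = r'''read(0, "YR TlRMTVNTUAABAAAAB7IIogMAAwAzA"..., 1024) = 76
write(1, "TT TlRMTVNTUAACAAAABgAGADAAAAAFg"..., 204) = 204
read(0, "KK TlRMTVNTUAADAAAAGAAYAHIAAAAYA"..., 1024) = 220
select(6, [5], NULL, NULL, {0, 0})      = 0 (Timeout)
select(6, [5], NULL, NULL, {5, 0})      = 0 (Timeout)
select(6, [5], NULL, NULL, {5, 0})      = 0 (Timeout)
select(6, [5], NULL, NULL, {5, 0})      = 0 (Timeout)
select(6, [5], NULL, NULL, {5, 0})      = 0 (Timeout)
select(6, [5], NULL, NULL, {5, 0})      = 0 (Timeout)
select(6, [5], NULL, NULL, {5, 0})      = 1 (in [5], left {3, 343000})
select(6, [5], NULL, NULL, {5, 0})      = 1 (in [5], left {5, 0})
'''

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
HELPER = re.compile(r'^(?:read|write)\(\d+, "(YR|TT|KK) ([A-Za-z0-9+/=]+)"')
SELECT = re.compile(r'^select\(\d+, \[(\d+)\], NULL, NULL, \{(\d+), (\d+)\}\)\s+= \d+ '
                    r'\((?:Timeout|in \[\d+\], left \{(\d+), (\d+)\})\)')

def ntlmssp_type(b64_prefix):
    """Message type of a (possibly truncated) base64 NTLMSSP token, or None."""
    usable = b64_prefix[: len(b64_prefix) // 4 * 4]  # keep whole 4-char groups
    raw = base64.b64decode(usable)
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":   # 8-byte signature + type
        return None
    return NTLM_TYPES.get(struct.unpack_from("<I", raw, 8)[0], "UNKNOWN")

def analyse(trace):
    """Return ([(helper_code, ntlm_type)], {fd: seconds blocked in select})."""
    exchange, waited = [], {}
    for line in trace.splitlines():
        m = HELPER.match(line)
        if m:
            exchange.append((m.group(1), ntlmssp_type(m.group(2))))
            continue
        m = SELECT.match(line)
        if m:
            fd = int(m.group(1))
            timeout = int(m.group(2)) + int(m.group(3)) / 1e6
            # On a timeout the whole interval elapsed; otherwise subtract "left".
            left = int(m.group(4)) + int(m.group(5)) / 1e6 if m.group(4) else 0.0
            waited[fd] = waited.get(fd, 0.0) + timeout - left
    return exchange, waited

if __name__ == "__main__":
    print(analyse(TRACE))
```

On this trace the helper was blocked on fd 5 for about 26.7 seconds between receiving the KK message and reading NT_STATUS_OK, so one authenticator child is occupied for that long by a single authentication.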
