ntlm_auth account lockout problem

Andrew Bartlett abartlet at samba.org
Wed Jan 7 21:48:45 GMT 2004

On Wed, Jan 07, 2004 at 09:51:36AM -0600, Dave Augustus wrote:
> Hello to those of you using ntlm_auth with Squid in a Windows PDC
> environment!
> We have installed Squid in a test config but a problem has cropped up
> where users' accounts are being "locked out" randomly. This will happen
> while they are surfing - an auth will pop up and their account is then
> locked.

That's a rather interesting problem I've not seen before.  Account
lockout occurs because too many wrong passwords have been sent to the
DC.  What is the limit at your site?

> Any insight?
> Here is my squid config:
> (yes, I am using Samba V3's ntlm_auth, not squid's)
> auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5

Up this.

> auth_param ntlm max_challenge_reuses 5

Set this to 0

> auth_param ntlm max_challenge_lifetime 10 minutes

and set this to 0.  The challenge re-use code *might* be getting
something wrong.  That's the only thing I can think of that would
cause this :-(

> squid 2.5stable4 on Redhat 9
> kerberos 1.3.1
> Samba V3
> Windows PDC on W2K

This looks pretty normal.

Andrew Bartlett
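
Added example, not part of the original message and not Samba or Squid code: a small check that reads squid.conf text and reports whether the two NTLM challenge-reuse settings discussed above are still non-zero. The function names and the sample fragment are constructed for illustration, and treating the last occurrence of a directive as the effective one is an assumption.

```python
import re

# Constructed sample: the settings quoted in the thread as one squid.conf fragment.
SAMPLE_CONF = """\
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 5
auth_param ntlm max_challenge_lifetime 10 minutes
"""

# The two directives the reply says to set to 0.
REUSE_KEYS = ("max_challenge_reuses", "max_challenge_lifetime")


def parse_ntlm_params(conf_text):
    """Return {directive: value} for each 'auth_param ntlm <directive> <value...>' line."""
    params = {}
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 4 and fields[0] == "auth_param" and fields[1].lower() == "ntlm":
            # Assumption: a later line replaces an earlier one for the same directive.
            params[fields[2]] = " ".join(fields[3:])
    return params


def challenge_reuse_findings(conf_text):
    """List the settings that leave NTLM challenge reuse enabled or undetermined."""
    params = parse_ntlm_params(conf_text)
    findings = []
    for key in REUSE_KEYS:
        value = params.get(key)
        if value is None:
            # The built-in default is not known to this check, so report it.
            findings.append(f"{key}: not set explicitly, built-in default applies")
            continue
        number = re.match(r"\d+", value)
        if number is None:
            findings.append(f"{key}: cannot read value '{value}'")
        elif int(number.group()) != 0:
            findings.append(f"{key}: is '{value}', reply suggests 0")
    return findings


if __name__ == "__main__":
    print("children =", parse_ntlm_params(SAMPLE_CONF).get("children"))
    for finding in challenge_reuse_findings(SAMPLE_CONF):
        print(finding)
```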
