ntlm_auth account lockout problem

Dave Augustus davea at support.kcm.org
Fri Jan 9 11:53:44 GMT 2004


Answers embedded....

On Wed, 2004-01-07 at 15:48, Andrew Bartlett wrote:
> On Wed, Jan 07, 2004 at 09:51:36AM -0600, Dave Augustus wrote:
> > Hello to those of you using ntlm_auth with Squid in a Windows PDC
> > environment!
> > 
> > We have installed Squid in a test config but a problem has cropped up
> > where users' accounts are being "locked out" randomly. This will happen
> > while they are surfing - an auth will popup and their account is then
> > locked.
> 
> That's a rather interesting problem I've not seen before.  Account
> lockout occurs because too many wrong passwords have been sent to the
> DC.  What is the limit at your site?
> 

The limit is 5


> > Any insight?
> > 
> > Here is my squid config:
> > (yes, I am using Samba V3's ntlm_auth, not squid's)
> > 
> > 
> > auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 5
> 
> Up this.

set it to 15 

> 
> > auth_param ntlm max_challenge_reuses 5
> 
> Set this to 0

ok- done

> 
> > auth_param ntlm max_challenge_lifetime 10 minutes
> 
> and set this to 0.  The challenge re-use code *might* be getting
> something wrong.  That's the only thing I can think of that would
> cause this :-(
> 

This problem occurs 5-10 times a day for various users. I am going to
attempt to use 3.0.2pre1. Can I use ONLY the ntlm_auth from that release
or *must* I use all the samba components together?

> > 
> > squid 2.5stable4 on Redhat 9
> > kerberos 1.3.1
> > Samba V3
> > 
> > Windows PDC on W2K
> > 
> 
> This looks pretty normal.
> 
> Andrew Bartlett


Thanks,
Dave


