ntlm_auth account lockout problem
Dave Augustus
davea at support.kcm.org
Fri Jan 9 11:53:44 GMT 2004
Answers embedded....
On Wed, 2004-01-07 at 15:48, Andrew Bartlett wrote:
> On Wed, Jan 07, 2004 at 09:51:36AM -0600, Dave Augustus wrote:
> > Hello to those of you using ntlm_auth with Squid in a Windows PDC
> > environment!
> >
> > We have installed Squid in a test config but a problem has cropped up
> > where users' accounts are being "locked out" randomly. This will happen
> > while they are surfing - an auth will pop up and their account is then
> > locked.
>
> That's a rather interesting problem I've not seen before. Account
> lockout occurs because too many wrong passwords have been sent to the
> DC. What is the limit at your site?
>
The limit is 5
> > Any insight?
> >
> > Here is my squid config:
> > (yes, I am using Samba V3's ntlm_auth, not squid's)
> >
> >
> > auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 5
>
> Up this.
set it to 15
>
> > auth_param ntlm max_challenge_reuses 5
>
> Set this to 0
ok- done
>
> > auth_param ntlm max_challenge_lifetime 10 minutes
>
> and set this to 0. The challenge re-use code *might* be getting
> something wrong. That's the only thing I can think of that would
> cause this :-(
>
This problem occurs 5-10 times a day for various users. I am going to
attempt to use 3.0.2pre1. Can I use ONLY the ntlm_auth from that release
or *must* I use all the samba components together?
> >
> > squid 2.5stable4 on Redhat 9
> > kerberos 1.3.1
> > Samba V3
> >
> > Windows PDC on W2K
> >
>
> This looks pretty normal.
>
> Andrew Bartlett
Thanks,
Dave
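
An added example, not part of the original messages: a small Python check that reads a squid.conf and reports the `auth_param ntlm` settings discussed in this thread (challenge reuse left enabled, low helper count). The function names, the sample text and the `MIN_CHILDREN` threshold of 15 (the value chosen in the thread, not a documented minimum) are assumptions made for illustration.

```python
import re

# Constructed sample: the settings quoted in the thread, before the changes.
SAMPLE_CONF = """\
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 5
auth_param ntlm max_challenge_lifetime 10 minutes
"""

# Assumption: 15 is the value picked in the thread, used here as the threshold.
MIN_CHILDREN = 15


def parse_ntlm_params(conf_text):
    """Return {option: value string} for every 'auth_param ntlm' line."""
    params = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        fields = line.split(None, 3)
        if len(fields) == 4 and fields[:2] == ["auth_param", "ntlm"]:
            params[fields[2]] = fields[3].strip()
    return params


def leading_int(value):
    """Numeric part of values such as '5' or '10 minutes'; None if absent."""
    match = re.match(r"\d+", value)
    return int(match.group()) if match else None


def audit(conf_text):
    """List the settings that differ from the advice given in the thread."""
    params = parse_ntlm_params(conf_text)
    findings = []
    # Options missing from the file are not judged: the thread does not
    # state their defaults.
    for opt in ("max_challenge_reuses", "max_challenge_lifetime"):
        if opt in params and leading_int(params[opt]) != 0:
            findings.append(f"{opt} = {params[opt]!r}: challenge reuse enabled, thread advice is 0")
    if "children" in params:
        count = leading_int(params["children"])
        if count is not None and count < MIN_CHILDREN:
            findings.append(f"children = {count}: below {MIN_CHILDREN}, thread advice is to raise it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```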