[Samba] Enhancing NTLM Authentication to Remote Site Active Directory server
abartlet at samba.org
Thu Nov 3 04:23:23 MDT 2011
On Tue, 2011-11-01 at 11:56 +0200, Oguz Yilmaz wrote:
> We use NLTM Authentication with Squid is some setups.On those setup,
> local machine joins active directory and squid ntlm_auth helper
> authenticate through local samba service. Users transparently
> authenticate through NTLM authentication handshake on HTTP without
> entering any password in their browser.
> However, in some cases, branch offices has no local active directory
> server. Branch office is connected to the headquarters through a IPSEC
> vpn. I can make branch office samba to join to the headquarter active
> directory domain and set NTLM authentication on Squid up correctly.
> This setup has a weakness inherited from high latency, packet loss
> ofsome other things that I dont know about samba. 3-4 times in a
> dayusers get prompted with user name password authentication popup
> ontheir browser. Sometimes this recovered naturally in a few
> minutes.However, it requires rejoining to the domain in come cases.
> (wbinfo -tgives error and wbinfo -l can not list users).
> I have made some tunings in samba:
> getwd cache = yes
> winbind cache time = 3000
> ldap connection timeout = 10
> ldap timeout = 120
> Which other tunings can I do on samba and squid? I need your experiences.
None of these things can help, as we cannot cache authentication
details. The only way to speed things up is to run a Read Only DC, and
allow the local users to have their passwords cached on that DC.
That can be done with Samba4 or Windows 2008.
Technically, only other option would be to use kerberos to the proxy, as
that will not have the same latency. (However, the support in Samba for
this mode is poor at the moment).
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba