This is with Squid 2.5.STABLE3 and Samba 2.2.8a. NTLM authentication is working for the most part, but every so often a user is prompted with a basic password for some reason. After searching through the archives here I increased logging for 33 (debug_options ALL,1 33,2).
I don't see any evidence of the client breaking the connection here in cache.log:

2003/06/30 15:54:38| The request GET http://www.marriott.com/shared/Images/headers/tab_rewards.gif is ALLOWED, because it matched 'NTauth'
2003/06/30 15:54:38| The reply for GET http://www.marriott.com/shared/Images/headers/tab_events_meetings.gif is ALLOWED, because it matched 'all'
2003/06/30 15:54:38| The request GET http://www.marriott.com/shared/Images/headers/tabRoll_find_reserve.gif is ALLOWED, because it matched 'NTauth'
2003/06/30 15:54:38| The reply for GET http://www.marriott.com/shared/Images/headers/tab_rewards.gif is ALLOWED, because it matched 'all'
2003/06/30 15:54:38| The request GET http://www.marriott.com/shared/Images/headers/tabRoll_specials_packages.gif is ALLOWED, because it matched 'NTauth'
2003/06/30 15:54:38| AuthenticateNTLMHandleReply: invalid callback data. Releasing helper '0x64b718'.
2003/06/30 15:54:38| The request GET http://www.marriott.com/images/home/packGolf_pic.jpg is ALLOWED, because it matched 'NTauth'
2003/06/30 15:54:38| The reply for GET http://www.marriott.com/shared/Images/headers/tabRoll_find_reserve.gif is ALLOWED, because it matched 'all'
2003/06/30 15:54:38| The request GET http://www.marriott.com/shared/Images/headers/tabRoll_explore_plan.gif is ALLOWED, because it matched 'NTauth'
2003/06/30 15:54:38| The reply for GET http://www.marriott.com/shared/Images/headers/tabRoll_specials_packages.gif is ALLOWED, because it matched 'all'

Both an hour earlier and an hour later I see "helperStatefulDefer: None available." messages. Then I see

2003/06/30 17:05:28| helperStatefulDefer: None available.
2003/06/30 17:05:28| WARNING: All ntlmauthenticator processes are busy.
2003/06/30 17:05:28| WARNING: 10 pending requests queued
2003/06/30 17:05:28| Consider increasing the number of ntlmauthenticator processes in your config file.

Later on I have more invalid callback data messages, and I probably had about 15 more before the day was over.

2003/06/30 19:47:34| The reply for GET http://by4fd.bay4.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=8503c9fa6a0e6effb517097f18d66bc0 is ALLOWED, because it matched 'all'
2003/06/30 19:47:34| The request GET http://by4fd.bay4.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=8503c9fa6a0e6effb517097f18d66bc0 is DENIED, because it matched 'NTauth'
2003/06/30 19:47:34| The reply for GET http://by4fd.bay4.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=8503c9fa6a0e6effb517097f18d66bc0 is ALLOWED, because it matched 'all'
2003/06/30 19:47:39| AuthenticateNTLMHandleReply: invalid callback data. Releasing helper '0x64b718'.
2003/06/30 19:47:41| AuthenticateNTLMHandleReply: invalid callback data. Releasing helper '0x64d7c8'.
2003/06/30 19:47:41| AuthenticateNTLMHandleReply: invalid callback data. Releasing helper '0x64f878'.
2003/06/30 19:47:41| The request GET http://by4fd.bay4.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=8503c9fa6a0e6effb517097f18d66bc0 is ALLOWED, because it matched 'NTauth'
2003/06/30 19:47:41| The reply for GET http://by4fd.bay4.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=8503c9fa6a0e6effb517097f18d66bc0 is ALLOWED, because it matched 'all'

In squid.conf I have

auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

This is with only 20 users... is bumping auth_param ntlm children up to the maximum of 32 really the solution? Eventually we expect to have a few hundred users on this. After seeing http://www.squid-cache.org/mail-archive/squid-dev/200305/0051.html I wonder if there is something else wrong?

Thanks for any info,
~ Daniel
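
To see how the helper-pool messages quoted in the post cluster over a day, the following added example (not part of the original message, and not Squid project code) tallies them per hour from cache.log. The function and variable names are hypothetical, and the sample lines are constructed from the formats shown in the post.

```python
import re
from collections import defaultdict

# cache.log line prefix as quoted in the post: "YYYY/MM/DD HH:MM:SS| message"
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2}) (\d{2}):\d{2}:\d{2}\| (.*)$")

# Message fragments taken from the log excerpts in the post.
EVENTS = {
    "invalid_callback": "AuthenticateNTLMHandleReply: invalid callback data",
    "none_available": "helperStatefulDefer: None available",
    "all_busy": "All ntlmauthenticator processes are busy",
}
PENDING_RE = re.compile(r"WARNING: (\d+) pending requests queued")
HELPER_RE = re.compile(r"Releasing helper '(0x[0-9a-fA-F]+)'")


def summarize(lines):
    """Return (per-hour event counts, released helper ids, max pending queue)."""
    per_hour = defaultdict(lambda: dict.fromkeys(EVENTS, 0))
    helpers, max_pending = set(), 0
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip wrapped fragments and non-log lines
        day, hour, msg = m.groups()
        for name, needle in EVENTS.items():
            if needle in msg:
                per_hour[f"{day} {hour}:00"][name] += 1
        h = HELPER_RE.search(msg)
        if h:
            helpers.add(h.group(1))
        p = PENDING_RE.search(msg)
        if p:
            max_pending = max(max_pending, int(p.group(1)))
    return dict(per_hour), helpers, max_pending


# Constructed sample, modelled on the lines quoted in the post.
SAMPLE = """\
2003/06/30 15:54:38| AuthenticateNTLMHandleReply: invalid callback data. Releasing helper '0x64b718'.
2003/06/30 17:05:28| helperStatefulDefer: None available.
2003/06/30 17:05:28| WARNING: All ntlmauthenticator processes are busy.
2003/06/30 17:05:28| WARNING: 10 pending requests queued
2003/06/30 19:47:39| AuthenticateNTLMHandleReply: invalid callback data. Releasing helper '0x64b718'.
2003/06/30 19:47:41| AuthenticateNTLMHandleReply: invalid callback data. Releasing helper '0x64d7c8'.
""".splitlines()

if __name__ == "__main__":
    hours, helpers, pending = summarize(SAMPLE)
    for hour in sorted(hours):
        print(hour, hours[hour])
    print("helpers released:", sorted(helpers), "max pending:", pending)
```

Passing `open("cache.log")` to `summarize` in place of `SAMPLE` gives the same tallies for a real log.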
