Known Squid and NTLM authentication Issues

Last Modified: 1-May-2009; 17:02 WST; adrian

This document aims to document known issues with Squid and NTLM authentication.

Background

Squid does not implement NTLM authentication itself. It handles enough of the protocol to track state and message types; it then punts the authentication handling to Samba. This means that tracking down NTLM authentication related issues involves debugging both Squid and Samba.

Known issues with Winbind

Limitations with concurrent lookups

winbind is limited to 200 concurrent clients (defined in include/local.h as WINBINDD_MAX_SIMULTANEOUS_CLIENTS). This caps the number of authentication helper processes which Squid can usefully run.

Winbind logs a rather unhelpful message:

[2009/04/29 10:57:46, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(488)
  winbindd_pam_auth_crap: non-privileged access denied.  !
    winbindd_pam_auth_crap: Ensure permissions on
    /usr/local/samba/var/locks/winbindd_privileged are set correctly.

It then returns NT_STATUS_ACCESS_DENIED to Squid, which denies the user access.

To work around this behaviour, make sure you configure no more than 150 ntlm_auth helpers.
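As an added example (not part of this page or of Squid/Samba), the check below audits the `auth_param ntlm children` setting in a squid.conf against the two figures above and counts how often the winbind message quoted above appears in a log excerpt. The constants, sample configuration and the second log entry are constructed for illustration; the first log entry is the one shown on this page.

```python
import re

# Compile-time ceiling from Samba's include/local.h, as stated on this page.
WINBINDD_MAX_SIMULTANEOUS_CLIENTS = 200
# Helper count this page recommends staying at or below.
RECOMMENDED_MAX_HELPERS = 150

# The level-2 winbind log line that marks a refused helper connection.
ACCESS_DENIED_RE = re.compile(r"winbindd_pam_auth_crap: non-privileged access denied")
# Matches "auth_param ntlm children N" (trailing startup=/idle= options are ignored).
CHILDREN_RE = re.compile(r"^\s*auth_param\s+ntlm\s+children\s+(\d+)", re.M)


def ntlm_helper_count(squid_conf: str):
    """Return the configured number of ntlm_auth helpers, or None if the line is absent."""
    m = CHILDREN_RE.search(squid_conf)
    return int(m.group(1)) if m else None


def helper_count_problems(children):
    """List the reasons a helper count may collide with winbind's client ceiling."""
    if children is None:
        return ["no 'auth_param ntlm children' line found in squid.conf"]
    problems = []
    if children > WINBINDD_MAX_SIMULTANEOUS_CLIENTS:
        problems.append(f"{children} helpers exceed winbind's hard limit of "
                        f"{WINBINDD_MAX_SIMULTANEOUS_CLIENTS}; expect NT_STATUS_ACCESS_DENIED")
    elif children > RECOMMENDED_MAX_HELPERS:
        problems.append(f"{children} helpers leave little headroom below "
                        f"{WINBINDD_MAX_SIMULTANEOUS_CLIENTS}; configure at most {RECOMMENDED_MAX_HELPERS}")
    return problems


def count_access_denied(winbind_log: str) -> int:
    """Count 'non-privileged access denied' events in a winbind log excerpt."""
    return sum(1 for line in winbind_log.splitlines() if ACCESS_DENIED_RE.search(line))


# Constructed sample inputs: an over-provisioned squid.conf and two winbind log entries.
SAMPLE_SQUID_CONF = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 250
"""
SAMPLE_WINBIND_LOG = """\
[2009/04/29 10:57:46, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(488)
  winbindd_pam_auth_crap: non-privileged access denied.  !
    winbindd_pam_auth_crap: Ensure permissions on
    /usr/local/samba/var/locks/winbindd_privileged are set correctly.
[2009/04/29 10:57:47, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(488)
  winbindd_pam_auth_crap: non-privileged access denied.  !
"""

if __name__ == "__main__":
    n = ntlm_helper_count(SAMPLE_SQUID_CONF)
    print(f"ntlm helpers configured: {n}")
    for p in helper_count_problems(n):
        print("  problem:", p)
    print(f"winbind access-denied events: {count_access_denied(SAMPLE_WINBIND_LOG)}")
```

A non-zero access-denied count together with a helper count above 200 points at this limit rather than at the file permissions the log message suggests.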

References