12.4. Questions and Answers
The development of the ntlm_auth module was first discussed in many Open Source circles in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of ntlm_auth during one of the late developer meetings that took place. Since that time, the adoption of ntlm_auth has spread considerably.
The largest report from a site that uses Squid with ntlm_auth-based authentication support uses a dual processor server that has 2 GB of memory. It provides Web and FTP proxy services for 10,000 users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following comments were made with respect to questions regarding the performance of this installation:
[In our] EXTREMELY optimized environment ... [the] performance impact is almost [nothing]. The "almost" part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory. Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
What does Samba have to do with Web proxy serving?
To provide transparent interoperability between Windows clients and the network services that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit of Open Source software is that it can readily be reused. The current ntlm_auth module is basically a wrapper around authentication code from the core of the Samba project.
The ntlm_auth module supports basic plain-text authentication and NTLMSSP protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without the user being interrupted via his or her Windows logon credentials. This facility is available with MS Windows Explorer and is one of the key benefits claimed for Microsoft Internet Information Server. There are a few open source initiatives to provide support for these protocols in the Apache Web server also.
The short answer is that by adding a wrapper around key authentication components of Samba, other projects (like Squid) can benefit from the labors expended in meeting user interoperability needs.
What other services does Samba provide?
Samba-3 is a file and print server. The core components that provide this functionality are smbd, nmbd, and the identity resolver daemon, winbindd.
Samba-3 is an SMB/CIFS client. The core component that provides this is called smbclient.
Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities. Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial server products).
Does use of Samba (ntlm_auth) improve the performance of Squid?
Not really. Samba's ntlm_auth module handles only authentication. It requires that Squid make an external call to ntlm_auth and therefore actually incurs a little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide sufficient memory when using Squid. Just add a little more to accommodate ntlm_auth.