Can you share the relevant squid.conf lines?

Thanks,
Eliezer

On 27/11/13 14:41, Berthold Zettler wrote:
Hello to all,

we are using squid as an authentication proxy with kerberos/ldap-helpers.
This works fine, but (few) users can't be authenticated by the squid
(kerberos-helper).

Further investigation shows a possible relationship to the tokensize
(computed with the MS-Tool tokensz.exe) of these users.

Our squid (Version 3.3.10) has been compiled with the following options:

-->
--disable-strict-error-checking' '--with-build-environment=default' 
'--prefix=/opt/squid-cit' '--enable-storeio=aufs,diskd,ufs' 
'--enable-internal-dns' '--enable-auth' '--enable-auth-negotiate=kerberos' 
'--enable-auth-basic=LDAP' 
'--enable-external-acl-helpers=LDAP_group,kerberos_ldap_group' 
'--with-maxfd=16384' '--enable-delay-pools' '--with-aufs-threads=30' 
'--with-large-files' '--enable-ssl'
<--

The OS is a SLES 11 SP1 (Kernel Version 2.6.32.54-0.3-default).


How to reproduce the error:

No Access:
When the user is a member of many groups in the AD (Active Directory), we see
that he has no access to the webserver. If we start the helper
(negotiate_kerberos_auth) with -d, we have no additional info in the cache.log.
We had to enable debugging (squid -k debug) to see some information. In this
case the tokensize was 27332.


Access:
If the same user reduces his number of groups (tokensize 12252), he can access
the website.



What can be done to debug/solve this problem?

kg

Berthold

