Hi.

On 04.09.2013 11:01, Markus Moeller wrote:
>
>> Are you still interested in tcpdump captures you mentioned in previous
>> letter?
>>
>
> Yes I would still like to see it.
>

(Looks like for some reason the mailing list tracker ate this message - my relay says it's sent, but it doesn't appear in the mailing list, probably because of the URLs it was marked as spam, so here's the copy I'm sending to you directly.)

Here's the pcap capture:

http://unix.zhegan.in/files/ext_kerberos_ldap_group_acl.pcap

Console log for the exchange:

http://unix.zhegan.in/files/ext_kerberos_ldap_group_acl.txt

The capture contains the network exchange from the following sequence of actions:

- tcpdump was started as 'tcpdump -s 0 -w ext_kerberos_ldap_group_acl.pcap -ni vlan1 port 53 or port 389 or port 88'
- helper was started in shell, arguments:

  /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
      -i \
      -a \
      -m 16 \
      -d \
      -D NORMA.COM \
      -b cn=Users,dc=norma,dc=com \
      -u proxy5-backup \
      -p XXXXXXXXXXXX \
      -N SOFTLAB@xxxxxxxxx \
      -S hq-gc.norma.com@xxxxxxxxx

- line 'emz Internet%20Users%20-%20Proxy1' was typed 5 times (5 'OK' answers were received).
- helper was stopped
- tcpdump was stopped

From my point of view the initial pause and the subsequent ones are the same.

Addresses:

192.168.13.3 - the address of the machine where the helper was run
192.168.3.45 - one of the AD controllers

The machine was idle for the time of the experiment (this is a backup gateway with VRRP, in inactive state). This machine has a named running, and its resolver uses it via the lo0 interface, so no DNS exchange can be seen, as all of the answers were cached by named. If seeing the DNS exchange is vital for understanding the pause, I can probably recapture the exchange using external DNS.

Eugene.