Berthold,

if you look in squid-3.3.10/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc the define states

    #ifndef MAX_AUTHTOKEN_LEN
    #define MAX_AUTHTOKEN_LEN 65535
    #endif

which makes it look as if it is probably not squid's helper app that has the issue.

The default Windows token size is set somewhere in the Windows registry at 12000. You should make certain that you have changed the Windows registry value to 65535 in decimal or FFFFF in hex in your Windows server registry. If using an AD farm you will have to do it on every AD Domain Controller, manually.

-----Original Message-----
From: Berthold Zettler <zettler.berthold@xxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Subject: Kerberos / Authentication / squid
Date: Wed, 27 Nov 2013 13:41:09 +0100 (CET)

Hello to all,

we are using squid as an authentication proxy with kerberos/ldap-helpers. This works fine, but (few) users can't be authenticated by the squid (kerberos-helper). Further investigations are showing a possible relationship to the tokensize (computed with the MS-Tool tokensz.exe) of these users.

Our squid (Version 3.3.10) has been compiled with the following options:

-->
--disable-strict-error-checking' '--with-build-environment=default' '--prefix=/opt/squid-cit' '--enable-storeio=aufs,diskd,ufs' '--enable-internal-dns' '--enable-auth' '--enable-auth-negotiate=kerberos' '--enable-auth-basic=LDAP' '--enable-external-acl-helpers=LDAP_group,kerberos_ldap_group' '--with-maxfd=16384' '--enable-delay-pools' '--with-aufs-threads=30' '--with-large-files' '--enable-ssl'
<--

The OS is a SLES 11 SP1 (Kernel Version 2.6.32.54-0.3-default).

How to reproduce the error:

No Access:
When the user is a member of many groups in the AD (ActiveDirectory), we see that he has no access to the webserver. If we start the helper (negotiate_kerberos_auth) with -d, we have no additional info in the cache.log. We had to enable debugging (squid -k debug) to see some information. In this case the tokensize was 27332.

Access:
If the same user reduces his number of groups (tokensize 12252), he can access the website.

What can be done to debug/solve this problem?

kg
Berthold
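
Added example, not part of either message and not Squid code: a small Python check that measures a Negotiate token and compares it with the two limits named in the thread (MAX_AUTHTOKEN_LEN 65535 and the 12000 Windows default). It assumes the tokensz.exe figures are raw token bytes, that the helper buffer holds the base64 request line, and that this line has the form "YR <token>"; the sample header is constructed.

```python
import base64
import binascii

MAX_AUTHTOKEN_LEN = 65535   # from negotiate_kerberos_auth.cc, as quoted in the reply
WINDOWS_DEFAULT = 12000     # default Windows token size stated in the reply
HELPER_PREFIX = "YR "       # assumption: request line is "YR <base64 token>\n"


def b64_len(raw_len):
    """Length of the padded base64 text for raw_len bytes."""
    return 4 * ((raw_len + 2) // 3)


def parse_negotiate(header_value):
    """Return the raw token bytes from a 'Negotiate <base64>' header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        raise ValueError("not a Negotiate credential")
    try:
        return base64.b64decode(blob.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("token is not valid base64 (cut off in transit?)") from exc


def assess(raw_len):
    """Compare a token of raw_len bytes with the two limits from the thread."""
    line_len = len(HELPER_PREFIX) + b64_len(raw_len) + 1  # +1 for the newline
    return {
        "raw_bytes": raw_len,
        "base64_chars": b64_len(raw_len),
        "helper_line": line_len,
        "over_windows_default": raw_len > WINDOWS_DEFAULT,
        "fits_helper_buffer": line_len < MAX_AUTHTOKEN_LEN,
    }


def assess_header(header_value):
    """Measure the token actually carried in a captured header value."""
    return assess(len(parse_negotiate(header_value)))


if __name__ == "__main__":
    for size in (12252, 27332):          # the two sizes reported in the thread
        print(assess(size))
    # Constructed sample: 27332 zero bytes stand in for a real token.
    sample = "Negotiate " + base64.b64encode(bytes(27332)).decode()
    print(assess_header(sample))
```

Under these assumptions the two sizes from the thread, 12252 and 27332 bytes, encode to 16336 and 36444 base64 characters, both below 65535.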