Hi! Please, help. I've been using squid 3.3.11 on FreeBSD 10 for a year. I have AD and kerberos authentification. Squid checks DenyInternet group membership through kerberos_ldap_group. My domain example.org has subdomains like south.example.org, west.example.org, etc. All users use proxy.example.org. Everything works fine. Here is config: auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy.example.org@xxxxxxxxxxx auth_param negotiate children 100 startup=30 idle=5 auth_param negotiate keep_alive external_acl_type no_inet_users ttl=3600 negative_ttl=3600 children-max=100 children-startup=30 children-idle=5 grace=15 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -g DenyInternet -m 64 -D EXAMPLE.ORG -u squid -p itsPass Now I'm tring to migrate to squid 3.4.6. Same config. I've encountered with problem that kerberos_ldap_group stopped working with subdomain users like user@xxxxxxxxxxxxxxxxx while it still works with user@xxxxxxxxxxx. In general it started to complain "ERROR: Error during setup of Kerberos credential cache" in cache.log. When I turn on the debug I'm getting this: kerberos_ldap_group.cc(372): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: Got User: ptimofeev Domain: SOUTH.EXAMPLE.ORG support_member.cc(55): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: User domain loop: group@domain OCS-DenyInternet-G@NULL support_member.cc(83): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Default domain loop: group@domain OCS-DenyInternet-G@NULL support_member.cc(111): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Default group loop: group@domain OCS-DenyInternet-G@NULL support_member.cc(113): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL support_ldap.cc(801): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache support_krb5.cc(90): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Get default keytab file name support_krb5.cc(96): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Got default keytab file name /usr/local/etc/squid/squid.keytab support_krb5.cc(110): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Get principal name from keytab /usr/local/etc/squid/squid.keytab support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG support_krb5.cc(174): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_13729 support_krb5.cc(186): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain SOUTH.EXAMPLE.ORG. support_krb5.cc(187): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Try to get principal of trusted domain. support_krb5.cc(201): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/proxy.example.org@xxxxxxxxxxx support_krb5.cc(247): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Found trusted principal name: HTTP/proxy.example.org@xxxxxxxxxxx support_krb5.cc(315): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Got no principal name support_ldap.cc(806): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache support_member.cc(124): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: User ptimofeev is not member of group@domain OCS-DenyInternet-G@NULL kerberos_ldap_group.cc(407): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: ERR
