On 30/03/19 3:30 am, Alex Gutiérrez Martínez wrote:
> Hello Community, I just compiled my squid 4. Everything works fine
> except integration to the Kerberos authentication server.
>
> I have already managed to integrate my Ubuntu with the Kerberos and the
> tickets are created correctly. Here I leave my configuration of the auth
> in the squid
> ###############################################################################################
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/proxy.empresa.cu
> auth_param negotiate children 1000

Why 1000?

This looks to me like a number one would be forced to use for NTLM auth due to how painfully slow NTLM is. Kerberos can easily handle several orders of magnitude more traffic per helper than NTLM. So you can possibly cut that down to 10 or 100 depending on how many TCP connections are being handled per-second in production traffic.

> auth_param negotiate keep_alive on
>
> external_acl_type kerberos_group ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -a -g Internet_access -D EMPRESA.CU
>

Missing details of squid.conf acl and access control directives. http_access in particular, but also any others using the auth ACLs.

> ###############################################################################################
> in this case my domain is EMPRESA.CU
>
> but I have been unable to log in
>
> this is the cache log
>
> 2019/03/28 09:46:47 kid1| helperOpenServers: Starting 0/1000 'negotiate_kerberos_auth' processes
> 2019/03/28 09:46:47 kid1| helperStatefulOpenServers: No 'negotiate_kerberos_auth' processes needed.
> 2019/03/28 09:46:47 kid1| helperOpenServers: Starting 0/5 'ext_kerberos_ldap_group_acl' processes
> 2019/03/28 09:46:47 kid1| helperOpenServers: No 'ext_kerberos_ldap_group_acl' processes needed.

Notice the word *needed*.

The current Squid default only starts helpers when traffic actually needs them. If you have a proxy with a very large memory footprint when running, that default may be sub-optimal. The 'startup' and 'idle' parameters are for tuning that.

<http://www.squid-cache.org/Doc/config/auth_param/>
<http://www.squid-cache.org/Doc/config/external_acl_type/>

Amos
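
An added squid.conf sketch of the helper tuning and access-control wiring discussed in this thread; it is not from the original messages or from the Squid project. The child counts, the ACL names (`kerb_users`, `internet_group`) and the rule order are assumptions to adapt to the real configuration.

```conf
# --- Negotiate/Kerberos authentication helper ---
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/proxy.empresa.cu
# Maximum of 100 helpers instead of 1000 (assumed value). startup=10 launches
# helpers when Squid starts, so cache.log shows "Starting 10/100" rather than
# "Starting 0/1000"; idle=5 keeps spare helpers ready as load grows.
auth_param negotiate children 100 startup=10 idle=5
auth_param negotiate keep_alive on

# --- Group lookup helper ---
# external_acl_type spells the same tuning as children-max / children-startup /
# children-idle. The values here are assumed.
external_acl_type kerberos_group ttl=3600 negative_ttl=3600 children-max=20 children-startup=2 children-idle=1 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -a -g Internet_access -D EMPRESA.CU

# --- Access control (hypothetical ACL names) ---
# The helpers are only consulted when an ACL that references them is
# evaluated by an access directive such as http_access.
acl kerb_users proxy_auth REQUIRED
acl internet_group external kerberos_group

# Challenge unauthenticated clients first, then allow only members of the
# group the external helper checks, and deny everything else.
http_access deny !kerb_users
http_access allow internet_group
http_access deny all
```

After a reload, `squid -k parse` checks the syntax, and the "Starting N/M" lines in cache.log show whether the startup values took effect.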