Re: [squid-users] Kerberos / Authentication / squid

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Wed, 27 Nov 2013 20:58:36 +0200

Can you share squid.conf relevant lines?

Thanks,
Eliezer

On 27/11/13 14:41, Berthold Zettler wrote:
> Hello to all,
>
> we are using squid as an authentication proxy with kerberos/ldap-helpers.
> This works fine, but (few) users can't be authenticated by the squid (kerberos-helper).
>
> Further investigation is showing a possible relationship to the tokensize (computed with the MS-Tool tokensz.exe) of these users.
>
> Our squid (Version 3.3.10) has been compiled with the following options:
>
> -->
> --disable-strict-error-checking' '--with-build-environment=default' '--prefix=/opt/squid-cit' '--enable-storeio=aufs,diskd,ufs' '--enable-internal-dns' '--enable-auth' '--enable-auth-negotiate=kerberos' '--enable-auth-basic=LDAP' '--enable-external-acl-helpers=LDAP_group,kerberos_ldap_group' '--with-maxfd=16384' '--enable-delay-pools' '--with-aufs-threads=30' '--with-large-files' '--enable-ssl'
> <--
>
> The OS is a SLES 11 SP1 (Kernel Version 2.6.32.54-0.3-default).
>
>
> How to reproduce the error:
>
> No Access:
> When the user is a member of many groups in the AD (Active Directory), we see that he has no access to the webserver. If we start the helper (negotiate_kerberos_auth) with -d, we have no additional info in the cache.log. We had to enable debugging (squid -k debug) to see some information. In this case the tokensize was 27332.
>
>
> Access:
> If the same user reduces his number of groups (tokensize 12252), he can access the website.
>
>
>
> What can be done to debug/solve this problem?
>
> kg
>
> Berthold
>
Received on Wed Nov 27 2013 - 18:58:56 MST
