[squid-users] kerberos

Amos Jeffries squid3 at treenet.co.nz
Sun Mar 31 04:22:19 UTC 2019


On 30/03/19 3:30 am, Alex Gutiérrez Martínez wrote:
> Hello Community, I just compiled my squid 4. Everything works fine
> except integration to the Kerberos authentication server.
> 
> I have already managed to integrate my Ubuntu with Kerberos and the
> tickets are created correctly. Here I leave my configuration of the auth
> in Squid
> ###############################################################################################
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/proxy.empresa.cu
> auth_param negotiate children 1000

Why 1000? This looks to me like a number one would be forced to use for
NTLM auth due to how painfully slow NTLM is.

Kerberos can easily handle several orders of magnitude more traffic per
helper than NTLM. So you can possibly cut that down to 10 or 100
depending on how many TCP connections are being handled per-second in
production traffic.



> auth_param negotiate keep_alive on
> 
> external_acl_type kerberos_group ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -a -g Internet_access -D EMPRESA.CU
> 

Missing details of squid.conf acl and access control directives.
http_access in particular, but also any others using the auth ACLs.


> ###############################################################################################
> in this case my domain is EMPRESA.CU
> 
> but I have been unable to log in
> 
> this is the cache log
> 
> 2019/03/28 09:46:47 kid1| helperOpenServers: Starting 0/1000
> 'negotiate_kerberos_auth' processes
> 2019/03/28 09:46:47 kid1| helperStatefulOpenServers: No
> 'negotiate_kerberos_auth' processes needed.
> 2019/03/28 09:46:47 kid1| helperOpenServers: Starting 0/5
> 'ext_kerberos_ldap_group_acl' processes
> 2019/03/28 09:46:47 kid1| helperOpenServers: No
> 'ext_kerberos_ldap_group_acl' processes needed.
> 2019/03/28 09:46:47 kid1| helperOpenServers: Starting 0/5
> 'ext_kerberos_ldap_group_acl' processes
> 2019/03/28 09:46:47 kid1| helperOpenServers: No
> 'ext_kerberos_ldap_group_acl' processes needed.

Notice the word *needed*.


The current Squid default only starts helpers when traffic actually needs them.

If you have a proxy with a very large memory footprint when running,
that default may be sub-optimal. The 'startup' and 'idle' parameters are
for tuning that.
 <http://www.squid-cache.org/Doc/config/auth_param/>
 <http://www.squid-cache.org/Doc/config/external_acl_type/>


Amos
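
Putting the advice in this reply together, as an added squid.conf fragment that is not part of the thread: the quoted auth lines with a smaller, explicitly tuned helper pool via the startup/idle and children-* options, plus the acl/http_access lines the original post left out. The helper counts and ACL names are illustrative assumptions, not measured values.

```conf
# Constructed example, not the original poster's squid.conf.
# Negotiate/Kerberos is cheap per request, so 20 helpers is ample for most
# sites. startup= sets how many are launched at start, idle= how many spare
# ones are kept; the defaults (startup=0 idle=1) are what produced
# "Starting 0/1000 ... No processes needed" in the quoted cache.log.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/proxy.empresa.cu
auth_param negotiate children 20 startup=5 idle=2
auth_param negotiate keep_alive on

# Group-lookup helper: same idea, expressed with the children-* options of
# external_acl_type (children-max replaces the old bare children count).
external_acl_type kerberos_group ttl=3600 negative_ttl=3600 children-max=10 children-startup=2 children-idle=1 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -a -g Internet_access -D EMPRESA.CU

# The access-control directives the original post did not show.
# Order matters: demand authentication first, then consult the group lookup.
acl kerberos_user proxy_auth REQUIRED
acl internet_allowed external kerberos_group
http_access deny !kerberos_user
http_access allow internet_allowed
http_access deny all
```

With startup=5 set, the helperOpenServers line in cache.log should report helpers actually being launched at startup rather than 0/1000.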

