<html><head></head><body><div class="ydpd9ec32b6yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div></div>
<div dir="ltr" data-setdir="false">Hi Amos,</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Can you help by giving a configuration example for the external helper ext_kerberos_ldap_group_acl, since this helper is faster compared to ext_wbinfo_group_acl?</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Thank you.</div><div><br></div>
</div><div id="yahoo_quoted_0814840433" class="yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Tuesday, June 17, 2025 at 03:41:58 AM GMT+8, Amos Jeffries <squid3@treenet.co.nz> wrote:
</div>
<div><br></div>
<div><br></div>
<div><div dir="ltr">On 16/06/25 16:25, wong237ma wrote:<br clear="none">
> Hi Amos,<br clear="none">
> <br clear="none">
> Thanks for your reply.<br clear="none">
> <br clear="none">
> > FTR; the login prompt is not coming from Squid. The client Browser<br clear="none">
> > decides where to get credentials from - the popup is one source, current<br clear="none">
> > machine login another, there may be other sources as well.<br clear="none">
> <br clear="none">
> Our laptops are domain-joined. I thought the browser would use the AD Kerberos<br clear="none">
> ticket (TGT), which I can view with klist? Is that not the case?<br clear="none">
> <br clear="none">
> > Since you are SSL-Bump'ing traffic - whatever result the initial CONNECT<br clear="none">
> > request credentials were given when the TLS began will be used until<br clear="none">
> > that TLS connection closes.<br clear="none">
> <br clear="none">
> I configure bumping for the GitHub website only; the rest of the traffic is<br clear="none">
> not decrypted.<br clear="none">
> <br clear="none">
> > Secondly the auth helper "negative-ttl=900" (from config below) value<br clear="none">
> > will make Squid only check for different results on new connections<br clear="none">
> > started 900+ seconds after the first one was rejected.<br clear="none">
> <br clear="none">
> Squid's default is one hour, so I configured 15 minutes, which is less than<br clear="none">
> one hour; I am not sure whether that is correct or not.<br clear="none">
> <br clear="none">
> > Do you still actually **need** NTLM ?<br clear="none">
> > It has been deprecated for 19 years already, and Windows software has<br clear="none">
> > progressively been removing the ability to use it.<br clear="none">
> <br clear="none">
> Yes, we are using Kerberos; NTLM and Basic are for the legacy<br clear="none">
> applications, I think.<br clear="none">
<br clear="none">
Nod. Just pointing out that it's something to check if it is actually needed.<br clear="none">
Removal will help avoid problems - if possible.<br clear="none">
<br clear="none">
<br clear="none">
> <br clear="none">
> > The Kerberos auth helper bundled with Squid delivers "group="<br clear="none">
> > annotations back to Squid that can be quickly checked instead of using<br clear="none">
> > extra helper lookups.<br clear="none">
> <br clear="none">
> You mean I can use this helper: ext_kerberos_ldap_group_acl, am I right?<br clear="none">
<br clear="none">
No, I literally mean the auth_param helper (negotiate_kerberos_auth) is<br clear="none">
producing "group=" values that can be checked with a 'note' type ACL<br clear="none">
instead of an 'external' type ACL.<br clear="none">
<br clear="none">
That will halve the number of helpers running, reduce Squid memory needs<br clear="none">
by whatever those helpers were using, halve the load on ActiveDirectory,<br clear="none">
and halve the transaction time for access to the proxy.<br clear="none">
IF any of those things were contributing to your problem (likely) then<br clear="none">
you should see the problem move from 200-ish up to something higher.<br clear="none">
<br clear="none">
<br clear="none">
> I will try it out, since ChatGPT also mentioned auth is faster compared to<br clear="none">
> ext_wbinfo_group_acl.<br clear="none">
> <br clear="none">
> Question: Is this the main problem?<br clear="none">
> <br clear="none">
> > FYI, notice that Squid is automatically including all the config files<br clear="none">
> > in the directory /etc/squid/conf.d/<br clear="none">
> <br clear="none">
> Yes, it is just easier for me to manage.<br clear="none">
> <br clear="none">
> I have gone through your reply several times and am trying to digest it.<br clear="none">
> My main problem here is that when users hit around 200+, users are<br clear="none">
> prompted with a proxy login dialog box asking them to log in.<br clear="none">
> <br clear="none">
> Is there any way to find out the issue?<br clear="none">
<br clear="none">
<br clear="none">
You mentioned nothing occurring in the Squid logs. So that easy way is<br clear="none">
closed.<br clear="none">
<br clear="none">
The alternative is to watch:<br clear="none">
<br clear="none">
 a) how much memory is being used by Squid and helpers to see if the<br clear="none">
problem is running out of resources,<br clear="none">
<br clear="none">
 b) traffic to find out what types of credentials are being sent to<br clear="none">
Squid and not being accepted (rejection may be the trigger for dialog<br clear="none">
boxes),<br clear="none">
<br clear="none">
 c) check logs on your ActiveDirectory for similar things and also to<br clear="none">
see if there is a limit being reached there.<div class="yqt1569118595" id="yqtfd08324"><br clear="none">
<br clear="none">
<br clear="none">
HTH<br clear="none">
Amos<br clear="none">
<br clear="none">
_______________________________________________<br clear="none">
squid-users mailing list<br clear="none">
<a shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br clear="none">
<a shape="rect" href="https://lists.squid-cache.org/listinfo/squid-users" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><br clear="none">
</div></div></div>
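<div>The two configurations discussed in the thread side by side, as an added example that is not part of either message and not Squid project documentation: option A is the ext_kerberos_ldap_group_acl external ACL the question asks for, option B is the in-process 'note' ACL check on the "group=" annotation that Amos recommends. The hostname proxy.example.com, the realm EXAMPLE.COM, the keytab path, the /usr/lib/squid/ helper directory, the group name proxy-users and the SID value are all placeholders (assumptions); whether your negotiate_kerberos_auth build emits "group=" at all, and whether it reports SIDs or names, must be confirmed by running the helper with -d and reading cache.log before relying on option B. Keep only one of the two option blocks in a real squid.conf.</div>

```conf
# Added example (not from the squid-users thread). Gating proxy access on an
# AD group after Kerberos (Negotiate) authentication, two ways.
# Everything below the helper names is a placeholder: adjust paths, realm,
# hostnames and group value to your environment, and check the option letters
# against the man pages of the helpers shipped with your Squid version.

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth \
    -s HTTP/proxy.example.com@EXAMPLE.COM -k /etc/squid/squid.keytab
auth_param negotiate children 30 startup=10 idle=5
auth_param negotiate keep_alive on
acl auth_users proxy_auth REQUIRED

## Option A: a second helper resolves group membership over LDAP per user.
## Each cache miss costs one helper round trip and one query against AD.
external_acl_type kerb_ldap ttl=3600 negative_ttl=900 children-max=20 %LOGIN \
    /usr/lib/squid/ext_kerberos_ldap_group_acl -g proxy-users@EXAMPLE.COM -D EXAMPLE.COM
acl proxy_users external kerb_ldap
http_access allow auth_users proxy_users

## Option B: no second helper. A negotiate_kerberos_auth built with PAC
## support returns "group=" annotations from the ticket, and a 'note' ACL
## matches them inside Squid. The value below is a made-up SID; use the group
## exactly as your helper reports it (run the helper with -d and read cache.log).
acl proxy_users_note note group S-1-5-21-1111111111-2222222222-3333333333-1105
http_access allow auth_users proxy_users_note

http_access deny all
```

<div>With option B the only helper processes are the negotiate_kerberos_auth children, which is the halving of helper count, memory, AD load and per-transaction latency that Amos describes; the trade-off is that group changes take effect only when the user obtains a fresh service ticket, whereas option A re-queries LDAP once the external ACL ttl expires.</div>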
</div>
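<div>Amos's point (a), checking whether Squid and its helpers are exhausting memory or the helper pool, is a measurement a practitioner would script. The following POSIX shell functions are an added example, not part of the thread: they summarise a `ps` snapshot per program (process count and total RSS) and flag a helper pool that has reached its configured `children` limit. The snapshot embedded below is constructed for the example (the numbers are made up); on a real proxy feed the functions from `ps -C squid,negotiate_kerberos_auth,ext_wbinfo_group_acl -o rss=,args=`, with the process names adjusted to the helpers named in your squid.conf. Squid renames helper processes to "(name)" in the process list, which the parser strips.</div>

```shell
#!/bin/sh
# Added example (not from the squid-users thread): per-program memory and
# process-count summary of Squid and its helpers from a `ps` snapshot.
# Expected input, one process per line: "RSS_KB COMMAND [ARGS]", as printed by
#   ps -C squid,negotiate_kerberos_auth,ext_wbinfo_group_acl -o rss=,args=
# (helper names are assumptions; use the ones from your squid.conf).

# Constructed sample snapshot; the RSS values are made up for the example.
SAMPLE_PS='12340 /usr/sbin/squid --foreground -sYC
4100 (negotiate_kerberos_auth) -s HTTP/proxy.example.com@EXAMPLE.COM -k /etc/squid/squid.keytab
4120 (negotiate_kerberos_auth) -s HTTP/proxy.example.com@EXAMPLE.COM -k /etc/squid/squid.keytab
2200 (ext_wbinfo_group_acl) -d
2210 (ext_wbinfo_group_acl) -d
2230 (ext_wbinfo_group_acl) -d'

# Read a snapshot on stdin, print one line per program: NAME PROCESSES TOTAL_RSS_KB
helper_summary() {
    awk '$1 ~ /^[0-9]+$/ {
        name = $2
        sub(/^.*\//, "", name)   # drop the directory part of the command
        gsub(/[()]/, "", name)   # Squid shows helpers as "(name)" in ps output
        count[name]++
        rss[name] += $1
    }
    END { for (n in count) printf "%s %d %d\n", n, count[n], rss[n] }'
}

# Total RSS in KB for one program, from helper_summary output on stdin (0 if absent).
program_rss_kb() {
    awk -v n="$1" '$1 == n { print $3; found = 1 } END { if (!found) print 0 }'
}

# Number of processes for one program, from helper_summary output on stdin (0 if absent).
program_count() {
    awk -v n="$1" '$1 == n { print $2; found = 1 } END { if (!found) print 0 }'
}

# True (exit 0) when NAME has at least MAX processes, i.e. the pool is at the
# configured "children" limit and new requests will queue rather than spawn.
#   helper_summary < snapshot | helper_saturated NAME MAX
helper_saturated() {
    [ "$(program_count "$1")" -ge "$2" ]
}

# Run against the constructed snapshot; replace with the real ps command on the proxy.
printf '%s\n' "$SAMPLE_PS" | helper_summary
if printf '%s\n' "$SAMPLE_PS" | helper_summary | helper_saturated ext_wbinfo_group_acl 3; then
    echo "ext_wbinfo_group_acl: all 3 children busy, requests will queue"
fi
```

<div>Compare the per-program totals with the machine's free memory and the process counts with the `children` / `children-max` values in squid.conf; a helper pool sitting at its maximum while the user count grows is exactly the kind of resource ceiling that produces rejected credentials and therefore login dialogs, without any error line in access.log.</div>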
</div></body></html>