[squid-users] kerberos
Amos Jeffries
squid3 at treenet.co.nz
Sun Mar 31 04:22:19 UTC 2019
On 30/03/19 3:30 am, Alex Gutiérrez Martínez wrote:
> Hello Community, I just compiled my squid 4. Everything works fine
> except integration to the Kerberos authentication server.
>
> I have already managed to integrate my ubuntu with the kerberos and the
> tickets are created correctly. Here I leave my configuration of the auth
> in the squid
> ###############################################################################################
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/proxy.empresa.cu
> auth_param negotiate children 1000
Why 1000? This looks to me like a number one would be forced to use for
NTLM auth due to how painfully slow NTLM is.
Kerberos can easily handle several orders of magnitude more traffic per
helper than NTLM. So you can possibly cut that down to 10 or 100
depending on how many TCP connections are being handled per-second in
production traffic.
> auth_param negotiate keep_alive on
>
> external_acl_type kerberos_group ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -a -g Internet_access -D EMPRESA.CU
>
Missing details of squid.conf acl and access control directives.
http_access in particular, but also any others using the auth ACLs.
> ###############################################################################################
> in this case my domain is EMPRESA.CU
>
> but I have been unable to log in
>
> this is the cache log
>
> 2019/03/28 09:46:47 kid1| helperOpenServers: Starting 0/1000
> 'negotiate_kerberos_auth' processes
> 2019/03/28 09:46:47 kid1| helperStatefulOpenServers: No
> 'negotiate_kerberos_auth' processes needed.
> 2019/03/28 09:46:47 kid1| helperOpenServers: Starting 0/5
> 'ext_kerberos_ldap_group_acl' processes
> 2019/03/28 09:46:47 kid1| helperOpenServers: No
> 'ext_kerberos_ldap_group_acl' processes needed.
> 2019/03/28 09:46:47 kid1| helperOpenServers: Starting 0/5
> 'ext_kerberos_ldap_group_acl' processes
> 2019/03/28 09:46:47 kid1| helperOpenServers: No
> 'ext_kerberos_ldap_group_acl' processes needed.
Notice the word *needed*.
Current Squid default only starts helpers when traffic actually needs them.
If you have a proxy with a very large memory footprint when running,
that default may be sub-optimal. The 'startup' and 'idle' parameters are
for tuning that.
<http://www.squid-cache.org/Doc/config/auth_param/>
<http://www.squid-cache.org/Doc/config/external_acl_type/>
Amos
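For readers following this thread, here is an added squid.conf fragment (not from the original poster's configuration, and not Amos's) showing the three points raised above in one place: a smaller negotiate helper pool with explicit startup/idle tuning, and the acl plus http_access directives that must reference the auth and external ACLs before any login can succeed. The pool sizes (children 20, startup=5, idle=2) and the ACL names auth_users and internet_users are assumptions for illustration; the helper paths, realm and group name are taken from the post.

```conf
# Added example: tuned helper pool and the access-control glue the
# original post omitted. Pool sizes are assumptions for illustration.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.cu
# Kerberos helpers are cheap; 20 with a few pre-started is usually plenty.
# startup= forces helpers to exist before the first request arrives,
# idle= keeps a small reserve ready (see the auth_param docs linked above).
auth_param negotiate children 20 startup=5 idle=2
auth_param negotiate keep_alive on

external_acl_type kerberos_group ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -a -g Internet_access -D EMPRESA.CU

# The auth ACL: Squid only sends a 407 challenge (and only starts helpers)
# when an http_access rule actually evaluates this ACL.
acl auth_users proxy_auth REQUIRED
# Group membership check, evaluated only after authentication succeeded.
acl internet_users external kerberos_group

# Deny unauthenticated clients first so the challenge is issued,
# then allow only members of the LDAP group, then deny everything else.
http_access deny !auth_users
http_access allow internet_users
http_access deny all
```

Once these directives are in place, cache.log should show helpers being started on the first authenticated request rather than "No 'negotiate_kerberos_auth' processes needed"; if it still shows 0 started, the auth ACL is not being reached by any http_access line.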