[squid-users] User got domain login dialog box prompt, when number of user more than 250++
wong237ma at yahoo.com
Tue Jun 17 10:21:17 UTC 2025
Hi Amos,
Can you help to give a configuration example for the external helper ext_kerberos_ldap_group_acl, since this helper is faster compared to ext_wbinfo_group_acl?
Thank you.
On Tuesday, June 17, 2025 at 03:41:58 AM GMT+8, Amos Jeffries <squid3 at treenet.co.nz> wrote:
On 16/06/25 16:25, wong237ma wrote:
> Hi Amos,
>
> Thanks for your reply.
>
> > FTR; the login prompt is not coming from Squid. The client Browser
> > decides where to get credentials from - the popup is one source, current
> > machine login another, there may be sources as well.
>
> Our laptops are domain-joined. I thought the browser would use the AD TGT
> ticket (which I can view with klist)? Is it not like this?
>
> > Since you are SSL-Bump'ing traffic - whatever result the initial CONNECT
> > request credentials were given when the TLS began will be used until
> > that TLS connection closes.
>
> I configure bumping for the GitHub website only; the rest of the traffic is
> not decrypted.
>
> > Secondly the auth helper "negative-ttl=900" (from config below) value
> > will make Squid only check for different results on new connections
> > started 900+ seconds after the first one was rejected.
>
> Squid's default is one hour, so I configured 15 mins, which is less than
> one hour; not sure whether that is correct or not.
>
> > Do you still actually **need** NTLM ?
> > It has been deprecated for 19 years already, and Windows software has
> > progressively been removing the ability to use it.
>
> Yes, we are using Kerberos; NTLM and Basic are for those legacy
> applications, I think.
Nod. Just pointing out that it's something to check if actually needed.
Removal will help avoid problems - if possible.
>
> > The Kerberos auth helper bundled with Squid delivers "group="
> > annotations back to Squid that can be quickly checked instead of using
> > extra helper lookups.
>
> You mean I can use this helper: ext_kerberos_ldap_group_acl, am I right?
No, I literally mean the auth_param helper (negotiate_kerberos_auth) is
producing "group=" values that can be checked with a 'note' type ACL
instead of an 'external' type ACL.
That will halve the amount of helpers running, reduce Squid memory needs
by whatever those helpers were using, halve the load on ActiveDirectory,
and halve the transaction time for access to the proxy.
IF any of those things were contributing to your problem (likely) then
you should see the problem move from 200-ish up to something higher.
> I will try it out, since ChatGPT also mentions auth is faster compared to
> ext_wbinfo_group_acl.
>
> Question: Is this the main problem?
>
> > FYI, notice that Squid is automatically including all the config files
> > in the directory /etc/squid/conf.d/
>
> Yes, it is just easier to manage for me.
>
> I have gone through your reply several times and tried to digest it.
> My main problem here is that when users hit around 200++, users get a
> proxy login dialog box prompt asking them to log in.
>
> Is there any way to find out the issue?
You mentioned nothing occurring in the Squid logs. So that easy way is
closed.
The alternative is to watch:
a) how much memory is being used by Squid and helpers to see if the
problem is running out of resources,
b) traffic to find out what types of credentials are being sent to
Squid and not being accepted (rejection may be the trigger for dialog
boxes),
c) check logs on your ActiveDirectory for similar things and also to
see if there is a limit being reached there.
HTH
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
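The following squid.conf fragment is an added example, not part of the thread and not the Squid project's own documentation. It shows the change Amos describes: dropping the second external helper (ext_wbinfo_group_acl) and matching the "group=" annotation that negotiate_kerberos_auth already attaches to the transaction with a 'note' ACL. The helper path, the service principal HTTP/proxy.example.com@EXAMPLE.COM, the children counts and the group SID are assumptions or placeholders; substitute your own.

```squid
# Added example (not from the thread or the Squid project). Paths, the
# service principal and the SID are assumptions / placeholders.

# Kerberos auth helper. Besides authenticating, it returns "group=" values
# listing the user's AD group SIDs taken from the ticket's PAC.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 50 startup=10 idle=5
auth_param negotiate keep_alive on

acl AuthenticatedUsers proxy_auth REQUIRED

# Slow path (what the thread started with): a second helper round-trip per
# group lookup, with its own caching. Kept commented out for comparison.
#external_acl_type wbinfo_groups ttl=3600 negative_ttl=900 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
#acl ProxyUsers external wbinfo_groups "Proxy Users"

# Fast path: match the group= annotation the auth helper already delivered.
# -m treats the annotation value as a comma-separated list, so the ACL
# matches when the placeholder SID is one of many groups the user holds.
acl ProxyUsers note -m group S-1-5-21-PLACEHOLDER-DOMAIN-RID-1234

http_access deny !AuthenticatedUsers
http_access allow ProxyUsers
http_access deny all
```

Two caveats worth checking before relying on this. First, the annotation exists only for users who actually authenticated with Kerberos; a client that falls back to NTLM or Basic gets no "group=" value, so the ProxyUsers ACL will not match them and they land on the final deny. Second, confirm the helper is really emitting the annotation on your build (run it by hand or raise debug_options for section 29 and look for "group=" in cache.log) before removing the external ACL, since a helper built against a Kerberos library without PAC support authenticates fine but returns no groups.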