How to win periodic Access Denid from squida?

Configure squid with kerberos authentication. All computers in the freeipa domain. According to the documentation did need a keytab.
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d-s HTTP/squid01.example.com

Authentication passes, everything is fine.
Then I need to distinguish between access to the Internet.
ipa_inet_full external_acl_type ttl=300 negative_ttl=60 ipv4 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -a-d -g inet_full@ -D example.com

And then start dancing with a tambourine. For the most part, helper correctly identifies the user to the group, but occasionally gives the ERR and then the access fails. Then working again.
Because in the logs at this point, you can see it failed to the authenticated user, the case in the helper.
How to overcome?
June 26th 19 at 13:56
2 answers
June 26th 19 at 13:58
Solution
In General, the issue is resolved. It wasn't the helper, and in curve setup freeipa. Is there some kind of compat mode, it is not clear what is needed. So... When migrating to freeipa c openldap I have openfire did not want there users to drag - supposedly they zadavayte (which is true because users in freeipa are stored in two branches -
cn=users,cn=accounts,cn=domain,cn=lan cn=users,cn=compat,cn=domain,cn=lan
). I'm on the same server, this mode is disabled. Somehow become helper on this server only the GID of the user to verify the ownership and all other groups were ignored, even though ldapsearch worked fine. Where mode is enabled everything is OK. A proper ldap filter for openfire I didn't - too lazy. Simply stated:
/lib64/squid/ext_kerberos_ldap_group_acl -a-g inet_full@ -D fs.lan -S "dc.fs.lan dc2.fs.lan dc4.fs.lan"

As I understand it, getting the ERR on the first server, the helper climbs down the list. The other 2 work properly, then everything is fine. Maybe later will make openfire with ipa-compat-manage enable to work.
June 26th 19 at 14:00
auth_param negotiate children - probably not enough. Or with a stream of queries unable to cope AD.
children set to 100, while test users less than 10.
You probably haven't noticed, but HELL I have. All clients on linux, kerberos via freeipa. - paul_Harb commented on June 26th 19 at 14:03
Yes, missed the point. The idea was that the server (kerberos) can not cope with the number of queries, because the problem last minute and not very large number of users, the number of instances of the helper. - nikita.Stracke commented on June 26th 19 at 14:06
Did the moment from here - negative_ttl=60?
I tested the helper manually, the same situation. Periodically receive ERR and accordingly it failed.
I think all the same in the helper business. - paul_Harb commented on June 26th 19 at 14:09
This cache settings
ttl=n TTL in seconds for cached results (defaults to 3600 for 1 hour)
negative_ttl=n TTL for cached negative lookups (default same as ttl) - nikita.Stracke commented on June 26th 19 at 14:12

Find more questions by tags KerberosSquid