L.P.H. van Belle
2014-Dec-18 12:39 UTC
[Samba] Samba 4 with squid3 (--helper-protocol=gss-spnego )
Hai,

I know this might not be the place to ask, but I'm doing it anyway.. ;-)

I'm testing a Debian Jessie server with squid3 (3.4.8). It's running Debian Samba 4.1.13 with winbind.

I'm having trouble getting the squid auth working. So my question is: is someone here using kerberos authentication on squid (3.4.x)? Or someone who is using the gss-spnego helper protocol?

I'm using this line:

    auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego

wbinfo -a testuser at REALM works ok.
wbinfo -a DOMAIN\\testuser works also ok.

ssh login with kerberos works also ok.

I did have the HTTP spn to the hostname of the proxyserver in the AD.

I have these SPN's on the squid host.

    samba-tool spn list proxy3\$
    User CN=proxy3,CN=Computers,DC=internal,DC=domain,DC=tld has the following servicePrincipalName:
         HOST/PROXY3
         HOST/proxy3.internal.domain.tld
         HTTP/proxy3.internal.domain.tld at REALM

My keytab contains the spn's as shown above, all in 1 keytab file (/etc/krb5.keytab), and for squid I also added the following:

I added the proxy user to the winbindd_priv group, I did set the keytab file to proxy:proxy (400), and I added this in /etc/default/squid3:

    KRB5_KTNAME=/etc/squid3/private/proxy3-HTTP.keytab
    export KRB5_KTNAME

Which contains only the HTTP spn.

So if anyone has any hint or thing I can test, please tell me, that would be nice... Google didn't help me; most of the things there are based on squid 3.1, and as of 3.3 --helper-protocol=gss-spnego is also an option, which looks nicer to me, if I can get it to work ... :-/

Greetz,

Louis
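Added example, not part of the original post: a shell sketch that re-checks the pieces of the setup the message describes (the KRB5_KTNAME export in /etc/default/squid3, the proxy:proxy mode-400 keytab, and an HTTP/ principal inside it). The function names are invented for this example, GNU stat and MIT `klist -k` output are assumed, and passing these checks does not by itself mean negotiate auth will work.

```shell
#!/bin/sh
# Added example: sanity checks for the Squid keytab setup described in the post.
# Paths and the proxy:proxy owner come from the post; function names are made up.

# Print the KRB5_KTNAME value set in a defaults file (last assignment wins).
ktname_from_defaults() {
    sed -nE 's/^[[:space:]]*(export[[:space:]]+)?KRB5_KTNAME=//p' "$1" |
        tail -n 1 | tr -d '"'
}

# Succeed only if the variable is exported, so the helper squid spawns sees it.
ktname_exported() {
    grep -Eq '^[[:space:]]*export[[:space:]]+KRB5_KTNAME([=[:space:]]|$)' "$1"
}

# Succeed if keytab $1 is owner-only (mode 400 or 600) and owned by user:group $2.
# Uses GNU stat (assumption: Debian, as in the post).
keytab_private() {
    [ -f "$1" ] || return 1
    kt_mode=$(stat -c %a "$1") || return 1
    kt_owner=$(stat -c %U:%G "$1") || return 1
    case "$kt_mode" in 400|600) ;; *) return 1 ;; esac
    [ "$kt_owner" = "$2" ]
}

# Read `klist -k` output on stdin; succeed if an HTTP/ principal is listed.
has_http_principal() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^HTTP\// { found = 1 } END { exit !found }'
}

# Touch the real system only when asked: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    defaults=/etc/default/squid3
    kt=$(ktname_from_defaults "$defaults")
    ktname_exported "$defaults" || echo "KRB5_KTNAME is not exported in $defaults"
    keytab_private "$kt" proxy:proxy || echo "$kt: want proxy:proxy, mode 400"
    klist -k "$kt" | has_http_principal || echo "$kt: no HTTP/ principal"
fi
```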