[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)
Victor Sudakov
sudakov at sibptus.tomsk.ru
Sat Oct 11 04:46:26 UTC 2014
Markus Moeller wrote:
>
> > What if the service principal's name in squid's keytab does not
> > coincide with the host's primary FQDN (AKA `hostname`)?
> >
> > E.g. the squid's keytab contains keys for HTTP/proxy.my.domain while
> > the server's actual FQDN is fw.my.domain?
> >
> > Should it cause the obscure error I have stumbled upon?
> I think it could. Can you try the option -s GSS_C_NO_NAME ?
Thank you, Markus! With "-s GSS_C_NO_NAME" it works, at least with the
negotiate_kerberos_auth_test client. I will try later with real hosts
and browsers, though.
I should have guessed this before. The server's `hostname` is
"big.sibptus.transneft.ru", while "proxy.sibptus.transneft.ru" is an A
record pointing to another IP alias of the same server.
If only the Kerberos error message was more informative, something
like "principal not found in the keytab" instead of "mech unknown", I
would have guessed this long ago and would have spared myself a week
of tribulation.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
More information about the squid-users
mailing list