[squid-users] kerberos authentication with a machine account doesn't work

LYMN brett.lymn at baesystems.com
Thu Jan 7 04:23:24 UTC 2016


Hi,

We have been using kerberos authentication against Active Directory here
for a long time by using a SPN attached to a user account and exporting
the keytab.  The issue we have is that security policy mandates that
the password on the user account be changed which means we have to go
and regenerate keytabs every time this happens.  Not exactly difficult
but tedious nonetheless.

To avoid the password change I thought it may be an idea to use the
machine account and add a SPN (http/fqdn.is.here) to that.  I added:

        kerberos method = secrets and keytab
        dedicated keytab file = /etc/krb5.keytab

to the smb.conf so samba will manage the keytab for me then did:

net ads join
net ads keytab add http

klist -k shows me the principals that should be there and AD agrees they
exist.  I can get a TGT using:

kinit -k

without error (setting the UPN to host/fqdn.is.here at KERBEROS.REALM may
have helped this).  Doing a 

kinit -kS http/fqdn.is.here

works without error too.  So, I think kerberos is ok but with a squid
3.5.12 configured with negotiate_kerberos_auth I see the dreaded
message:

negotiate_kerberos_auth.cc(180): pid=4888 :2016/01/07 12:50:29| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. 

and only that, no minor code when I try to use the proxy with a browser
on a windows client.  Interestingly, doing a klist on the windows client
I can see a kerberos ticket for HTTP/fqdn.is.here that is for the proxy
I am testing.

Not sure what is missing here, I have a bee in my bonnet that this should
Just Work (tm) as the only real difference is that the SPN is attached
to a computer account not a user account - I would have thought as long
as the keytab is done correctly that this should not matter but clearly
something is not agreeing with me.

-- 
Brett Lymn
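As an added diagnostic for the situation above (this is not code from the post, from Squid or from Samba), a POSIX sh helper that parses MIT `klist -kte` output and reports whether the keytab holds the exact, case-sensitive service principal a client ticket names (Kerberos principal names are case-sensitive, so a key stored as `http/...` does not decrypt a ticket issued for `HTTP/...`) and which kvno it carries. The fqdn, realm and keytab listing are constructed sample values, and the MIT `klist -kte` column layout is assumed.

```shell
#!/bin/sh
# Constructed sample of `klist -kte /etc/krb5.keytab` output (MIT layout assumed).
# In real use replace this with: SAMPLE_KLIST=$(klist -kte /etc/krb5.keytab)
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/07/2016 12:00:00 host/fqdn.is.here@KERBEROS.REALM (aes256-cts-hmac-sha1-96)
   2 01/07/2016 12:00:00 http/fqdn.is.here@KERBEROS.REALM (aes256-cts-hmac-sha1-96)
   2 01/07/2016 12:00:00 http/fqdn.is.here@KERBEROS.REALM (arcfour-hmac)'

# keytab_has_spn <klist-output> <service/host@REALM>
# Exact string match on the principal column (field 4), deliberately case-sensitive.
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $4 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_kvno <klist-output> <principal>
# Prints the highest kvno stored for the principal, or 0 when it is absent.
# Compare this against the account's msDS-KeyVersionNumber in AD: a stale
# kvno after a password/key rotation also makes gss_accept_sec_context() fail.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { max = 0 }
        $4 == want && $1 + 0 > max { max = $1 + 0 }
        END { print max }'
}

# check_proxy_spn <klist-output> <fqdn> <realm>
# Reports the proxy SPN in both spellings a Windows client may request, so a
# ticket for HTTP/fqdn can be matched against what the keytab actually holds.
check_proxy_spn() {
    out=$1; fqdn=$2; realm=$3
    for svc in HTTP http; do
        spn="$svc/$fqdn@$realm"
        if keytab_has_spn "$out" "$spn"; then
            echo "present: $spn (kvno $(keytab_kvno "$out" "$spn"))"
        else
            echo "missing: $spn"
        fi
    done
}

check_proxy_spn "$SAMPLE_KLIST" fqdn.is.here KERBEROS.REALM
```

Run it as the user the Squid helper runs as, so file permissions on the keytab (and any KRB5_KTNAME override) are exercised the same way negotiate_kerberos_auth sees them.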