[squid-users] kerberos authentication with a machine account doesn't work

LYMN brett.lymn at baesystems.com
Mon Jan 11 23:28:44 UTC 2016


On Mon, Jan 11, 2016 at 09:06:27PM +1300, Amos Jeffries wrote:
> On 11/01/2016 2:48 p.m., LYMN wrote:
> >
> > I did manage to get this working, you did mention the correct solution
> > right down the end of your message.
> > 
> 
> Correct for you, yes. That can happen when making half-blind guesses at
> what the problem actually is based on partial information. It might have
> been any of the issues mentioned or any of the solutions mentioned.
> Others in future may find differently depending on what they have mucked
> up or played around with before asking.
> 

Yes, correct for me.  It indeed could be one or more of the suggestions
that were made.  Kerberos errors are such fun to debug, made more so by
multiple problems causing the same error message.  I have had a
situation where I had a few different problems and it wasn't until I had
sorted them all that the error message went away, but it is so unsettling
to get the same error after you have made a change that you are sure
makes things correct.

> > On Thu, Jan 07, 2016 at 09:37:46AM +0100, L.P.H. van Belle wrote:
> >> Hi,
> >>  
> >>
> >> Few things to check. 
> >>
> >> /etc/krb5.keytab should have rights 600 (root:root) 
> >>
> > 
> > And this was the problem but it should not, in my case, be as you
> > stated. In fact, /etc/krb5.keytab needed to have rights 640 with
> > ownership root:nobody.  This is because the kerberos authenticator runs
> > as the user nobody and needs access to the keytab.  I am not so sure I
> > like this situation because this does mean the nobody user now has
> > access to the machine kerberos keys not just the ones for the http SPN.
> 
> "nobody" is the default low-privileged user account unless you build
> Squid with the --with-default-user=X - in which cases it will default to
> the "X" account.
> 
> You can also configure "cache_effective_user X" in squid.conf to
> override the default if your Squid was built with one you don't want to use.
> 

Yes.  I think you have clarified the point that I was trying to make
which was the user/group used may depend on your configuration or squid
build.

-- 
Brett Lymn
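The thread settles on a keytab of mode 640, owner root, group matching Squid's effective user (nobody by default, or whatever cache_effective_user names). The following check script is an added example, not code from the thread or from the Squid project: it verifies that a keytab is group-readable for the helper but not readable by anyone else, since the file holds the host's long-term keys and not only the HTTP service key. The keytab path, expected owner and expected group are passed as arguments; the group name that goes with "nobody" is an assumption and varies by distribution (Debian uses nogroup, for instance).

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid project):
# verify a Kerberos keytab is readable by Squid's effective user via its
# group and by no one else, matching the working setup from the thread:
# mode 640, owner root, group nobody.
# Assumption: owner/group names are passed in; the group paired with
# "nobody" differs between distributions (e.g. nogroup).

check_keytab_perms() {
    keytab=$1
    want_owner=${2:-root}
    want_group=${3:-nobody}

    if [ ! -f "$keytab" ]; then
        echo "FAIL: $keytab does not exist"
        return 2
    fi

    # ls -ld prints: mode links owner group size date ... name
    set -- $(ls -ld "$keytab")
    mode=$1
    owner=$3
    group=$4
    group_bits=$(printf '%s' "$mode" | cut -c5-7)
    other_bits=$(printf '%s' "$mode" | cut -c8-10)
    status=0

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner"; status=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"; status=1
    fi
    # The authenticator runs as the effective user, so the group needs
    # read access, but nothing more than read.
    case $group_bits in
        r--) ;;
        r??) echo "FAIL: group has more than read access ($group_bits)"; status=1 ;;
        *)   echo "FAIL: group cannot read the keytab ($group_bits)"; status=1 ;;
    esac
    # The keytab holds the host's long-term keys: no access for others.
    if [ "$other_bits" != "---" ]; then
        echo "FAIL: keytab is readable by others ($other_bits)"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $keytab is $mode $owner:$group"
    return $status
}

# Usage: sh check_keytab.sh /etc/krb5.keytab root nobody
if [ $# -ge 1 ]; then
    check_keytab_perms "$@"
fi
```

Run it with the group that your build or cache_effective_user actually uses; a non-zero exit lists every mismatch rather than stopping at the first, which helps when several problems produce the same Kerberos error.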