[squid-users] kerberos authentication with a machine account doesn't work

Fabio Bucci fabietto82 at gmail.com
Wed Jan 13 08:30:46 UTC 2016


Hi All,
I want to finish a previous job done by an ex-colleague who has changed
company. Now there is a cluster of 2 nodes of squid with NTLM
transparent authentication and one spare node I'm using as a test,
configured with kerberos instead. Reading a lot of info I understood
kerberos is more stable than NTLM, and my plan is to migrate the
production cluster to this kind of authentication. Configurations
(squid and kerberos) seem to be ok, but every time I point the browser
to squid I'm unable to get to the internet: a popup asks me for
credentials, but even if I put in the right ones it doesn't work. Could
you help me?

2016-01-12 0:28 GMT+01:00 LYMN <brett.lymn at baesystems.com>:
> On Mon, Jan 11, 2016 at 09:06:27PM +1300, Amos Jeffries wrote:
>> On 11/01/2016 2:48 p.m., LYMN wrote:
>> >
>> > I did manage to get this working, you did mention the correct solution
>> > right down the end of your message.
>> >
>>
>> Correct for you yes. That can happen when making half-blind guesses at
>> what the problem actually is based on partial information. It might have
>> been any of the issues mentioned or any of the solutions mentioned.
>> Others in future may find differently depending on what they have mucked
>> up or played around with before asking.
>>
>
> Yes, correct for me.  It indeed could be one or more of the suggestions
> that were made.  Kerberos errors are such fun to debug made more so by
> multiple problems causing the same error message.  I have had a
> situation where I had a few different problems and it wasn't until I had
> sorted them all that the error message went away but it is so unsettling
> to get the same error after you have made a change that you are sure
> makes things correct.
>
>> > On Thu, Jan 07, 2016 at 09:37:46AM +0100, L.P.H. van Belle wrote:
>> >> Hai,
>> >>
>> >>
>> >> Few things to check.
>> >>
>> >> /etc/krb5.keytab should have rights 600 (root:root)
>> >>
>> >
>> > And this was the problem but it should not, in my case, be as you
>> > stated. In fact, /etc/krb5.keytab needed to have rights 640 with
>> > ownership root:nobody.  This is because the kerberos authenticator runs
>> > as the user nobody and needs access to the keytab.  I am not so sure I
>> > like this situation because this does mean the nobody user now has
>> > access to the machine kerberos keys not just the ones for the http SPN.
>>
>> "nobody" is the default low-privileged user account unless you build
>> Squid with --with-default-user=X, in which case it will default to
>> the "X" account.
>>
>> You can also configure "cache_effective_user X" in squid.conf to
>> override the default if your Squid was built with one you don't want to use.
>>
>
> Yes.  I think you have clarified the point that I was trying to make
> which was the user/group used may depend on your configuration or squid
> build.
>
> --
> Brett Lymn


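The thread's fix boils down to one check: the keytab must be readable by whatever account the Kerberos helper runs as (cache_effective_user, or the build default "nobody"), and it should not be readable any wider than that. Below is an added check script that is not from the thread and not part of Squid; it reads cache_effective_user from an assumed squid.conf path, classifies the keytab's mode and ownership against that user, and assumes GNU stat (with a BSD stat fallback). The keytab and config paths passed in the sample usage at the bottom are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project: verify that a
# keytab is readable by the Squid helper user and by nobody else.

# Resolve the account the helpers run as: the last cache_effective_user
# line in squid.conf, else the build default "nobody" (as Amos describes).
squid_effective_user() {
    conf="${1:-/etc/squid/squid.conf}"   # assumed default path
    user=$(sed -n 's/^[[:space:]]*cache_effective_user[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    printf '%s\n' "${user:-nobody}"
}

# True if the named user belongs to the named group (primary or supplementary).
user_in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Classify keytab permissions for a helper user. Prints one word:
#   ok          readable by the helper via owner or group bits, no "other" bits
#   too-open    readable by every local account (e.g. 644), regardless of owner
#   unreadable  helper cannot read it (the failure mode in the thread)
#   missing     no such file
keytab_check() {
    keytab="$1"; helper="$2"
    [ -f "$keytab" ] || { echo missing; return 1; }
    # GNU stat first, BSD stat as fallback; both yield "MODE OWNER GROUP".
    perms=$(stat -c '%a %U %G' "$keytab" 2>/dev/null || stat -f '%OLp %Su %Sg' "$keytab")
    set -- $perms
    mode=$1; owner=$2; group=$3
    other=$(( mode % 10 ))
    grp=$(( (mode / 10) % 10 ))
    own=$(( (mode / 100) % 10 ))
    # Any "other" bit means every local user can read the machine keys.
    if [ "$other" -ne 0 ]; then echo too-open; return 1; fi
    if [ "$owner" = "$helper" ] && [ $(( own & 4 )) -ne 0 ]; then echo ok; return 0; fi
    # The 640 root:nobody case from the thread: group-readable, helper in group.
    if [ $(( grp & 4 )) -ne 0 ] && user_in_group "$helper" "$group"; then echo ok; return 0; fi
    echo unreadable; return 1
}

# Sample usage (paths are assumptions): report the verdict for the live keytab.
if [ "${1:-}" = "--run" ]; then
    helper=$(squid_effective_user /etc/squid/squid.conf)
    printf 'helper user: %s, keytab: %s\n' "$helper" "$(keytab_check /etc/krb5.keytab "$helper")"
fi
```

An "ok" verdict only settles readability. Brett's remaining concern, that the helper account then holds the machine's keys and not just the HTTP/ SPN, is addressed outside this script by writing the HTTP/ entry into its own keytab (on MIT Kerberos, ktutil's rkt, delent and wkt commands), giving that file the 640 root:helper-group ownership the thread settled on, and pointing the helper at it with the KRB5_KTNAME environment variable, so /etc/krb5.keytab can go back to 600 root:root.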