[squid-users] Squid - Kerberos - update keytab issue

Sébastien Genesta sebastien at avis-verifies.com
Mon Mar 23 15:01:10 UTC 2020


Hi,

I'm encountering an issue using Kerberos authentication. Indeed, every 30
days, my Kerberos authentication breaks.
(Currently, to bypass this issue, I regenerate the keytab file.)

Here is the command that I run every 6h to keep my keytab up to date.

/usr/sbin/msktutil --auto-update --verbose --computer-name KRB-PROX -k
/etc/squid/squid.keytab

Below is the log I get on every run (when everything is OK):

samedi 21 mars 2020, 06:00:01 (UTC+0100) -- init_password: Wiping the
computer password structure -- generate_new_password: Generating a new,
random password for the computer account -- generate_new_password:
Characters read from /dev/urandom = 88 -- get_dc_host: Attempting to find
Domain Controller to use via DNS SRV record in domain XXXXXX.LOCAL for
procotol tcp -- get_dc_host: Found DC: xxxxxxxxx.xxxxxxxxx.local --
get_dc_host: Canonicalizing DC through forward/reverse lookup... --
get_dc_host: Found Domain Controller: xxxxxxxx.xxxxxxxxxx.local --
create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-ze3JWq -- reload: Reloading Kerberos Context --
finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ:
Trying to authenticate for KRB-PROX$ from local keytab... --
switch_default_ccache: Using the local credential cache:
FILE:/tmp/.mskt_krb5_ccache-t1AykD -- finalize_exec: Authenticated using
method 1 -- LDAPConnection: Connecting to LDAP server:
xxxxxxxxxx.xxxxxxxxxxxxx.local -- ldap_get_base_dn: Determining default
LDAP base: dc=xxxxxxxxxxxxx,dc=LOCAL -- get_default_ou: Determining default
OU: CN=Computers,DC=xxxxxxxxxxxxxxx,DC=local -- ldap_get_pwdLastSet:
pwdLastSet is 132267790228776214 -- execute: Password last set 28 days ago.
-- execute: Exiting because password was changed recently. -- ~KRB5Context:
Destroying Kerberos Context

Below are the logs when things went bad:

lundi 23 mars 2020, 00:00:01 (UTC+0100) -- init_password: Wiping the
computer password structure -- generate_new_password: Generating a new,
random password for the computer account -- generate_new_password:
Characters read from /dev/urandom = 93 -- get_dc_host: Attempting to find
Domain Controller to use via DNS SRV record in domain XXXXXX.LOCAL for
procotol tcp -- get_dc_host: Found DC: xxxxxxxxxxxx.xxxxxxxxxxx.local --
get_dc_host: Canonicalizing DC through forward/reverse lookup... --
get_dc_host: Found Domain Controller: xxxxxxxxxxxx.xxxxxxxxxxx.local --
create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-UYDFiO -- reload: Reloading Kerberos Context --
finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ:
Trying to authenticate for KRB-PROX$ from local keytab... --
switch_default_ccache: Using the local credential cache:
FILE:/tmp/.mskt_krb5_ccache-p6KtWW -- finalize_exec: Authenticated using
method 1 -- LDAPConnection: Connecting to LDAP server:
xxxxxxxxxxxx.xxxxxxxxxxxx.local -- ldap_get_base_dn: Determining default
LDAP base: dc=xxxxxxxxxxxxxx,dc=LOCAL -- get_default_ou: Determining
default OU: CN=Computers,DC=xxxxxxxxxxxxxxx,DC=local --
ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- execute: Password
last set 30 days ago. -- ldap_check_account: Checking that a computer
account for KRB-PROX$ exists -- ldap_check_account: Checking computer
account - found -- ldap_check_account: Found userAccountControl = 0x1000 --
ldap_check_account: Found supportedEncryptionTypes = 28 --
ldap_check_account: Found dNSHostName = xxxxxxxx.xxxxxxxxxxx.local --
ldap_check_account: Found Principal: HTTP/xxxxxxxxxx.xxxxxxxxxxx.local --
ldap_check_account: Found User Principal:
HTTP/proxy.xxxxxxxxxxxxxxxxx.local -- ldap_check_account_strings:
Inspecting (and updating) computer account attributes --
ldap_set_supportedEncryptionTypes: No need to change
msDs-supportedEncryptionTypes they are 28 --
ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x200000 to 0x0 -- ldap_set_userAccountControl_flag: userAccountControl not
changed 0x1000 -- ldap_get_kvno: KVNO is 1 -- set_password: Attempting to
reset computer's password -- set_password: Try using keytab for KRB-PROX$
to change password -- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214
-- set_password: krb5_change_password failed using keytab: (3)
Authentication error -- ~KRB5Context: Destroying Kerberos Context

lundi 23 mars 2020, 06:00:01 (UTC+0100) -- init_password: Wiping the
computer password structure -- generate_new_password: Generating a new,
random password for the computer account -- generate_new_password:
Characters read from /dev/urandom = 90 -- get_dc_host: Attempting to find
Domain Controller to use via DNS SRV record in domain xxxxxxxxx.LOCAL for
procotol tcp -- get_dc_host: Found DC: xxxxxxxxx.xxxxxxxxx.local --
get_dc_host: Canonicalizing DC through forward/reverse lookup... --
get_dc_host: Found Domain Controller: xxxxxxxxxx.xxxxxxx.local --
create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-9XY0Qp -- reload: Reloading Kerberos Context --
finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ:
Trying to authenticate for KRB-PROX$ from local keytab... --
try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Preauthentication failed) -- try_machine_keytab_princ: Authentication with
keytab failed -- try_machine_keytab_princ: Trying to authenticate for
KRB-PROX$ from local keytab... -- try_machine_keytab_princ: Error:
krb5_get_init_creds_keytab failed (Preauthentication failed) --
try_machine_keytab_princ: Authentication with keytab failed --
try_machine_keytab_princ: Trying to authenticate for
host/xxxxxxxxxxx.xxxxxxxxxx.local from local keytab... --
try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key
table entry not found) -- try_machine_keytab_princ: Authentication with
keytab failed -- try_machine_password: Trying to authenticate for KRB-PROX$
with password. -- create_default_machine_password: Default machine password
for KRB-PROX$ is krb-prox -- try_machine_password: Error:
krb5_get_init_creds_keytab failed (Preauthentication failed) --
try_machine_password: Authentication with password failed --
try_user_creds: Checking if default ticket cache has tickets... --
finalize_exec: Authenticated using method 5 -- LDAPConnection: Connecting
to LDAP server: xxxxxxxxx.xxxxxxxxx.local -- ~KRB5Context: Destroying
Kerberos Context

Technical information:
- Windows Server 2016 (Kerberos)
- Squid 3.x
- msktutil version 1.0

Thanks for your help!

Seb


Sébastien GENESTA

System & Network Administrator

Avis Vérifiés
+334 13 25 81 70
sebastien at avis-verifies.com
www.avis-verifies.com
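An added example (my own, not the poster's or msktutil's code) for monitoring the cron job output shown above: it converts the AD pwdLastSet FILETIME into a date, recomputes the "Password last set N days ago" value, and classifies each run so that a failed rotation (krb5_change_password failed) or a keytab that no longer authenticates (Preauthentication failed, fallback to method 5) raises an alert before users notice. The sample log lines are shortened copies of the poster's output; status names are my own.

```python
import re
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100 ns ticks since 1601-01-01 UTC (the unit AD uses for pwdLastSet).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

PWD_LAST_SET = re.compile(r"pwdLastSet is (\d+)")
KVNO = re.compile(r"KVNO is (\d+)")

# Constructed samples, abbreviated from the three runs quoted in the post.
SAMPLE_OK = ("ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- execute: Password "
             "last set 28 days ago. -- execute: Exiting because password was changed recently.")
SAMPLE_CHANGE_FAILED = ("ldap_get_kvno: KVNO is 1 -- set_password: Attempting to reset computer's "
                        "password -- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- "
                        "set_password: krb5_change_password failed using keytab: (3) Authentication error")
SAMPLE_KEYTAB_BROKEN = ("try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed "
                        "(Preauthentication failed) -- finalize_exec: Authenticated using method 5")


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a pwdLastSet FILETIME value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def password_age_days(filetime: int, now_unix: int) -> int:
    """Whole days since the computer password was set, as msktutil reports it."""
    now = UNIX_EPOCH + timedelta(seconds=now_unix)
    return (now - filetime_to_datetime(filetime)).days


def classify_run(log_line: str) -> dict:
    """Summarise one msktutil --auto-update run whose messages are joined by ' -- '."""
    msgs = [m.strip() for m in log_line.split(" -- ")]
    result = {"status": "ok", "pwd_last_set": None, "kvno": None}
    if (m := PWD_LAST_SET.search(log_line)):
        result["pwd_last_set"] = int(m.group(1))
    if (m := KVNO.search(log_line)):
        result["kvno"] = int(m.group(1))
    if any("krb5_change_password failed" in x for x in msgs):
        result["status"] = "password_change_failed"   # DC rejected the rotation; keytab still valid for now
    elif any("krb5_get_init_creds_keytab failed" in x or "Authenticated using method 5" in x for x in msgs):
        result["status"] = "keytab_auth_failed"       # machine keytab dead; msktutil fell back to user creds
    elif any("Exiting because password was changed recently" in x for x in msgs):
        result["status"] = "ok_no_rotation_needed"
    return result


def needs_alert(result: dict) -> bool:
    """True for any run that should page an operator."""
    return not result["status"].startswith("ok")
```

Feeding each line of the 6-hourly cron log through classify_run and alerting on needs_alert flags the 00:00 failure before the 06:00 run, when the keytab has already stopped working.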