[squid-users] Kerberos - Cannot decrypt ticket for HTTP

David Touzeau david at articatech.com
Thu Nov 17 02:06:34 UTC 2022


Hi

perhaps this one
https://wiki.articatech.com/en/proxy-service/troubleshooting/gss-cannot-decrypt-ticket


On 16/11/2022 at 05:11, Михаил wrote:
> Hi everybody,
> Could you help me to setup my new squid server? I have a problem with 
> keytab authorization.
> 2022/11/16 11:35:39| ERROR: Negotiate Authentication validating user. 
> Result: {result=BH, notes={message: gss_accept_sec_context() failed: 
> Unspecified GSS failure.  Minor code may provide more information. 
> Cannot decrypt ticket for HTTP/uisproxy-rop.***.***.corp@***.***.CORP 
> using keytab key for HTTP/uisproxy-rop.***.***.corp@***.**.CORP; }}
> Got NTLMSSP neg_flags=0xe2088297
> 2022/11/16 11:35:40| ERROR: Negotiate Authentication validating user. 
> Result: {result=BH, notes={message: gss_accept_sec_context() failed: 
> Unspecified GSS failure.  Minor code may provide more information. 
> Cannot decrypt ticket for HTTP/uisproxy-rop.***.***.corp@***.***.CORP 
> using keytab key for HTTP/uisproxy-rop.***.***.corp@***.***.CORP; }}
> # kinit -V -k -t /etc/squid/keytab/uisproxy-rop-t.keytab HTTP/uisproxy-rop.***.***.corp
> Using default cache: /tmp/krb5cc_0
> Using principal: HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> Using keytab: /etc/squid/keytab/uisproxy-rop-t.keytab
> Authenticated to Kerberos v5
> # klist -ke /etc/squid/keytab/uisproxy-rop-t.keytab
> Keytab name: FILE:/etc/squid/keytab/uisproxy-rop-t.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 uisproxy-rop-t$@***.***.CORP (arcfour-hmac)
>    3 uisproxy-rop-t$@***.***.CORP (aes128-cts-hmac-sha1-96)
>    3 uisproxy-rop-t$@***.***.CORP (aes256-cts-hmac-sha1-96)
>    3 UISPROXY-ROP-T$@***.***.CORP (arcfour-hmac)
>    3 UISPROXY-ROP-T$@***.***.CORP (aes128-cts-hmac-sha1-96)
>    3 UISPROXY-ROP-T$@***.***.CORP (aes256-cts-hmac-sha1-96)
>    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (arcfour-hmac)
>    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (aes128-cts-hmac-sha1-96)
>    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (aes256-cts-hmac-sha1-96)
>    3 host/uisproxy-rop@***.***.CORP (arcfour-hmac)
>    3 host/uisproxy-rop@***.***.CORP (aes128-cts-hmac-sha1-96)
>    3 host/uisproxy-rop@***.***.CORP (aes256-cts-hmac-sha1-96)
> # klist -kt
> Keytab name: FILE:/etc/squid/keytab/uisproxy-rop-t.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
>    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
>    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
>    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
>    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
>    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
>    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
>    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
>    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
>    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
>    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
>    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP

-- 
David Touzeau - Artica Tech France
Development team, level 3 support
----------------------------------
P: +33 6 58 44 69 46
www:https://wiki.articatech.com
www:http://articatech.net  
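
Added example, not part of the original thread or of Squid: a small check that parses `klist -ke` output like the listing quoted above and reports whether the keytab holds a key for a given service principal at the KVNO and encryption type of the ticket the client presents. The sample listing, realm and function names are constructed for illustration; the ticket's KVNO and enctype are assumed to be read separately (for example with MIT `kvno` and `klist -e`).

```python
import re
from collections import defaultdict

# Constructed sample in the layout `klist -ke` prints (placeholder realm/host).
SAMPLE_KLIST_KE = """\
Keytab name: FILE:/etc/squid/keytab/example.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 proxy-t$@EXAMPLE.CORP (arcfour-hmac)
   3 HTTP/proxy.example.corp@EXAMPLE.CORP (arcfour-hmac)
   3 HTTP/proxy.example.corp@EXAMPLE.CORP (aes128-cts-hmac-sha1-96)
   3 HTTP/proxy.example.corp@EXAMPLE.CORP (aes256-cts-hmac-sha1-96)
"""

# One keytab entry: "<kvno> <principal> (<enctype>)"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_keytab_listing(text):
    """Return {principal: {(kvno, enctype), ...}} from `klist -ke` output."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, principal, enctype = m.groups()
        # Newer MIT klist prefixes weak enctypes with "DEPRECATED:".
        enctype = enctype.removeprefix("DEPRECATED:")
        keys[principal].add((int(kvno), enctype))
    return dict(keys)


def check_ticket(keys, principal, kvno, enctype):
    """Classify why a ticket for `principal` may not decrypt with this keytab."""
    entries = keys.get(principal)
    if not entries:
        return "no-principal"      # SPN absent (names are case-sensitive)
    if (kvno, enctype) in entries:
        return "ok"                # a key with matching KVNO and enctype is listed
    if kvno not in {k for k, _ in entries}:
        return "kvno-mismatch"     # keytab is older or newer than the KDC's key
    return "enctype-missing"       # KVNO present, but not for this enctype


if __name__ == "__main__":
    keys = parse_keytab_listing(SAMPLE_KLIST_KE)
    spn = "HTTP/proxy.example.corp@EXAMPLE.CORP"
    print(check_ticket(keys, spn, 3, "aes256-cts-hmac-sha1-96"))
```

An "ok" result only means the listing contains a candidate key; it does not prove the key bytes equal the ones the KDC used to encrypt the ticket.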