[squid-users] Kerberos - Cannot decrypt ticket for HTTP

Klaus Brandl klaus_brandl at genua.de
Fri Nov 18 14:22:35 UTC 2022


Which options do you have configured for the auth helper?
Something like:

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -i

Best regards

Klaus

On Friday, 18.11.2022 at 10:54 +0800, Михаил wrote:
> Hi David,
>  
> Thanks for your advice but it doesn't help me. I use an AD account which
> hasn't set these parameters.
>  
> Misha.
>  
> 17.11.2022, 10:07, "David Touzeau" <david at articatech.com>:
> > Hi
> > 
> > perhaps this one
> > https://wiki.articatech.com/en/proxy-service/troubleshooting/gss-cannot-decrypt-ticket
> > 
> >  
> > On 16/11/2022 at 05:11, Михаил wrote:
> > > Hi everybody,
> > >  
> > > Could you help me to setup my new squid server? I have a problem
> > > with keytab authorization.
> > >  
> > > 2022/11/16 11:35:39| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. Cannot decrypt ticket for HTTP/uisproxy-rop.***.***.corp@***.***.CORP using keytab key for HTTP/uisproxy-rop.***.***.corp@***.**.CORP; }}
> > > Got NTLMSSP neg_flags=0xe2088297
> > > 2022/11/16 11:35:40| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. Cannot decrypt ticket for HTTP/uisproxy-rop.***.***.corp@***.***.CORP using keytab key for HTTP/uisproxy-rop.***.***.corp@***.***.CORP; }}
> > >  
> > > # kinit -V -k -t /etc/squid/keytab/uisproxy-rop-t.keytab HTTP/uisproxy-rop.***.***.corp
> > > Using default cache: /tmp/krb5cc_0
> > > Using principal: HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > > Using keytab: /etc/squid/keytab/uisproxy-rop-t.keytab
> > > Authenticated to Kerberos v5
> > >  
> > > # klist -ke /etc/squid/keytab/uisproxy-rop-t.keytab
> > > Keytab name: FILE:/etc/squid/keytab/uisproxy-rop-t.keytab
> > > KVNO Principal
> > > ---- --------------------------------------------------------------------------
> > >    3 uisproxy-rop-t$@***.***.CORP (arcfour-hmac)
> > >    3 uisproxy-rop-t$@***.***.CORP (aes128-cts-hmac-sha1-96)
> > >    3 uisproxy-rop-t$@***.***.CORP (aes256-cts-hmac-sha1-96)
> > >    3 UISPROXY-ROP-T$@***.***.CORP (arcfour-hmac)
> > >    3 UISPROXY-ROP-T$@***.***.CORP (aes128-cts-hmac-sha1-96)
> > >    3 UISPROXY-ROP-T$@***.***.CORP (aes256-cts-hmac-sha1-96)
> > >    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (arcfour-hmac)
> > >    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (aes128-cts-hmac-sha1-96)
> > >    3 HTTP/uisproxy-rop.***.***.corp@***.***.CORP (aes256-cts-hmac-sha1-96)
> > >    3 host/uisproxy-rop@***.***.CORP (arcfour-hmac)
> > >    3 host/uisproxy-rop@***.***.CORP (aes128-cts-hmac-sha1-96)
> > >    3 host/uisproxy-rop@***.***.CORP (aes256-cts-hmac-sha1-96)
> > >  
> > > # klist -kt
> > > Keytab name: FILE:/etc/squid/keytab/uisproxy-rop-t.keytab
> > > KVNO Timestamp           Principal
> > > ---- ------------------- ------------------------------------------------------
> > >    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
> > >    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
> > >    3 11/16/2022 11:30:50 uisproxy-rop-t$@***.***.CORP
> > >    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
> > >    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
> > >    3 11/16/2022 11:30:50 UISPROXY-ROP-T$@***.***.CORP
> > >    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > >    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > >    3 11/16/2022 11:30:50 HTTP/uisproxy-rop.***.***.corp@***.***.CORP
> > >    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
> > >    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
> > >    3 11/16/2022 11:30:50 host/uisproxy-rop@***.***.CORP
> > >  
> > > _______________________________________________
> > > squid-users mailing list
> > > squid-users at lists.squid-cache.org
> > > http://lists.squid-cache.org/listinfo/squid-users
> >  
> > -- 
> > David Touzeau - Artica Tech France
> > Development team, level 3 support
> > ----------------------------------
> > P: +33 6 58 44 69 46
> > www: https://wiki.articatech.com
> > www: http://articatech.net 
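
Added example (not part of the original thread or of Squid): one way to check a `klist -ke` listing like the one quoted above against the key version and encryption type of the service ticket the KDC actually issues, for instance as reported by MIT `kvno <SPN>` followed by `klist -e`. The function names, principal and keytab path are placeholders, and the listing is constructed sample data.

```shell
#!/bin/sh
# Constructed sample of `klist -ke` output (placeholder names, not from the thread).
sample_keytab_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/squid/example.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 proxy-t$@EXAMPLE.CORP (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy.example.corp@EXAMPLE.CORP (arcfour-hmac)
   3 HTTP/proxy.example.corp@EXAMPLE.CORP (aes256-cts-hmac-sha1-96)
EOF
}

# keytab_has_key PRINCIPAL KVNO ENCTYPE   (reads `klist -ke` output on stdin)
# Succeeds only if the listing holds a key for exactly that principal,
# key version and encryption type; otherwise prints what it does hold
# for that principal and returns 1.
keytab_has_key() {
  awk -v p="$1" -v k="$2" -v e="$3" '
    # Entry lines look like: "   3 HTTP/host@REALM (enctype)"
    $1 ~ /^[0-9]+$/ && NF >= 3 {
      etype = $3; gsub(/[()]/, "", etype)
      if ($2 == p) {                      # principal names are case-sensitive
        have = have sprintf("  kvno %s %s\n", $1, etype)
        if ($1 == k && etype == e) found = 1
      }
    }
    END {
      if (found) exit 0
      if (have == "") printf "no keys for %s\n", p
      else printf "keys for %s:\n%s", p, have
      exit 1
    }'
}

# Typical use on the proxy host (placeholders):
#   klist -ke /etc/squid/example.keytab |
#     keytab_has_key 'HTTP/proxy.example.corp@EXAMPLE.CORP' 3 aes256-cts-hmac-sha1-96
```

A non-zero exit means the keytab has no key with the version and encryption type the ticket was issued with; the printed list shows which keys it does hold for that principal.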