<div dir="ltr"><p style="box-sizing:border-box;margin:0px 0px 10px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:14px">Hi,</p><p style="box-sizing:border-box;margin:0px 0px 10px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:14px">I'm encountering an issue using Kerberos authentication. Indeed, every 30 days, my Kerberos authentication breaks.<br style="box-sizing:border-box">(Currently, to bypass this issue, I regenerate the keytab file.)</p><p style="box-sizing:border-box;margin:0px 0px 10px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:14px">Here is the command that I run every 6h to keep my keytab up to date:</p><p style="box-sizing:border-box;margin:0px 0px 10px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:14px">/usr/sbin/msktutil --auto-update --verbose --computer-name KRB-PROX -k /etc/squid/squid.keytab</p><p style="box-sizing:border-box;margin:0px 0px 10px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:14px">Below is the log I get on every run (when everything is OK):</p><p style="box-sizing:border-box;margin:0px 0px 10px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:14px"><em style="box-sizing:border-box">samedi 21 mars 2020, 06:00:01 (UTC+0100) -- 
init_password: Wiping the computer password structure -- generate_new_password: Generating a new, random password for the computer account -- generate_new_password: Characters read from /dev/urandom = 88 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain XXXXXX.LOCAL for procotol tcp -- get_dc_host: Found DC: xxxxxxxxx.xxxxxxxxx.local -- get_dc_host: Canonicalizing DC through forward/reverse lookup... -- get_dc_host: Found Domain Controller: xxxxxxxx.xxxxxxxxxx.local -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-ze3JWq -- reload: Reloading Kerberos Context -- finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-t1AykD -- finalize_exec: Authenticated using method 1 -- LDAPConnection: Connecting to LDAP server: xxxxxxxxxx.xxxxxxxxxxxxx.local -- ldap_get_base_dn: Determining default LDAP base: dc=xxxxxxxxxxxxx,dc=LOCAL -- get_default_ou: Determining default OU: CN=Computers,DC=xxxxxxxxxxxxxxx,DC=local -- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- execute: Password last set 28 days ago. -- execute: Exiting because password was changed recently. 
-- ~KRB5Context: Destroying Kerberos Context</em></p><p style="box-sizing:border-box;margin:0px 0px 10px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:14px">Below are the logs from when things went bad:</p><p style="box-sizing:border-box;margin:0px 0px 10px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:14px"><em style="box-sizing:border-box">lundi 23 mars 2020, 00:00:01 (UTC+0100) -- init_password: Wiping the computer password structure -- generate_new_password: Generating a new, random password for the computer account -- generate_new_password: Characters read from /dev/urandom = 93 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain XXXXXX.LOCAL for procotol tcp -- get_dc_host: Found DC: xxxxxxxxxxxx.xxxxxxxxxxx.local -- get_dc_host: Canonicalizing DC through forward/reverse lookup... -- get_dc_host: Found Domain Controller: xxxxxxxxxxxx.xxxxxxxxxxx.local -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-UYDFiO -- reload: Reloading Kerberos Context -- finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-p6KtWW -- finalize_exec: Authenticated using method 1 -- LDAPConnection: Connecting to LDAP server: xxxxxxxxxxxx.xxxxxxxxxxxx.local -- ldap_get_base_dn: Determining default LDAP base: dc=xxxxxxxxxxxxxx,dc=LOCAL -- get_default_ou: Determining default OU: CN=Computers,DC=xxxxxxxxxxxxxxx,DC=local -- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- execute: Password last set 30 days ago. 
-- ldap_check_account: Checking that a computer account for KRB-PROX$ exists -- ldap_check_account: Checking computer account - found -- ldap_check_account: Found userAccountControl = 0x1000 -- ldap_check_account: Found supportedEncryptionTypes = 28 -- ldap_check_account: Found dNSHostName = xxxxxxxx.xxxxxxxxxxx.local -- ldap_check_account: Found Principal: HTTP/xxxxxxxxxx.xxxxxxxxxxx.local -- ldap_check_account: Found User Principal: HTTP/proxy.xxxxxxxxxxxxxxxxx.local -- ldap_check_account_strings: Inspecting (and updating) computer account attributes -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000 -- ldap_get_kvno: KVNO is 1 -- set_password: Attempting to reset computer's password -- set_password: Try using keytab for KRB-PROX$ to change password -- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- set_password: krb5_change_password failed using keytab: (3) Authentication error -- ~KRB5Context: Destroying Kerberos Context</em></p><p style="box-sizing:border-box;margin:0px 0px 10px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:14px"><em style="box-sizing:border-box">lundi 23 mars 2020, 06:00:01 (UTC+0100) -- init_password: Wiping the computer password structure -- generate_new_password: Generating a new, random password for the computer account -- generate_new_password: Characters read from /dev/urandom = 90 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain xxxxxxxxx.LOCAL for procotol tcp -- get_dc_host: Found DC: xxxxxxxxx.xxxxxxxxx.local -- get_dc_host: Canonicalizing DC through forward/reverse lookup... 
-- get_dc_host: Found Domain Controller: xxxxxxxxxx.xxxxxxx.local -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-9XY0Qp -- reload: Reloading Kerberos Context -- finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_keytab_princ: Trying to authenticate for host/xxxxxxxxxxx.xxxxxxxxxx.local from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_password: Trying to authenticate for KRB-PROX$ with password. -- create_default_machine_password: Default machine password for KRB-PROX$ is krb-prox -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed) -- try_machine_password: Authentication with password failed -- try_user_creds: Checking if default ticket cache has tickets... 
-- finalize_exec: Authenticated using method 5 -- LDAPConnection: Connecting to LDAP server: xxxxxxxxx.xxxxxxxxx.local -- ~KRB5Context: Destroying Kerberos Context</em></p><p style="box-sizing:border-box;margin:0px 0px 10px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:14px">Technical information:<br style="box-sizing:border-box">-Windows 2016 server (Kerberos)<br style="box-sizing:border-box">-Squid 3-x<br style="box-sizing:border-box">-msktutil version 1.0</p><p style="box-sizing:border-box;margin:0px 0px 10px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:14px">Thanks for your help!</p><p style="box-sizing:border-box;margin:0px 0px 10px;color:rgb(51,51,51);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:14px">Seb</p><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><p color="#000000" style="margin:0px;color:rgb(0,0,0);line-height:20px"><b>Sébastien GENESTA<br></b></p><p color="#000000" style="margin:0px;color:rgb(0,0,0);font-size:12px;line-height:20px">System & Network Administrator</p><p color="#000000" style="margin:0px;color:rgb(0,0,0);font-size:12px;line-height:20px">Avis Vérifiés</p></div></div></div>
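<p>Added example, not part of the original post and not msktutil code: a Python sketch that decodes the pwdLastSet value shown in the log (an Active Directory FILETIME, 100 ns ticks since 1601-01-01 UTC) and classifies each cron run by the messages quoted above, so a wrapper around the cron job can alert on the first failed rotation. The run excerpts are abridged from the post; the state labels and function names are assumptions.</p>

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LOCAL = timezone(timedelta(hours=1))  # the log timestamps are UTC+0100

# Message fragments copied from the log in the post, mapped to labels
# (the labels are assumptions made for this example).
STATES = [
    ("krb5_change_password failed", "rotation_failed"),
    ("krb5_get_init_creds_keytab failed (Preauthentication failed)", "keytab_rejected"),
    ("Exiting because password was changed recently", "rotation_not_due"),
]

# Sample input: abridged excerpts of the three runs quoted in the post.
RUNS = [
    (datetime(2020, 3, 21, 6, 0, 1, tzinfo=LOCAL),
     "ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- "
     "execute: Password last set 28 days ago. -- "
     "execute: Exiting because password was changed recently."),
    (datetime(2020, 3, 23, 0, 0, 1, tzinfo=LOCAL),
     "ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- "
     "execute: Password last set 30 days ago. -- "
     "set_password: Attempting to reset computer's password -- "
     "set_password: krb5_change_password failed using keytab: (3) Authentication error"),
    (datetime(2020, 3, 23, 6, 0, 1, tzinfo=LOCAL),
     "try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- "
     "try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed) -- "
     "try_machine_keytab_princ: Authentication with keytab failed"),
]

def filetime_to_utc(ticks):
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def classify(run_time, text):
    """Return (state, password_age_in_days) for one verbose msktutil run."""
    state = next((label for needle, label in STATES if needle in text), "other")
    match = re.search(r"pwdLastSet is (\d+)", text)
    age = (run_time - filetime_to_utc(int(match.group(1)))).days if match else None
    return state, age

def report(runs=RUNS):
    """One (timestamp, state, age) tuple per run, in log order."""
    return [(when.isoformat(), *classify(when, text)) for when, text in runs]

if __name__ == "__main__":
    for when, state, age in report():
        flag = "" if state == "rotation_not_due" else "  !! needs attention"
        print(f"{when}  {state:17} age_days={age}{flag}")
```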