<div>Hi David,</div><div> </div><div>Thanks for your advice but it doesn't help me. I use an AD account which doesn't have these parameters set.</div><div> </div><div>Misha.</div><div> </div><div>17.11.2022, 10:07, "David Touzeau" &lt;david@articatech.com&gt;:</div><blockquote><div bgcolor="#FFFFFF"><font face="monospace">Hi<br /><br />perhaps this one<br /><a href="https://wiki.articatech.com/en/proxy-service/troubleshooting/gss-cannot-decrypt-ticket" rel="noopener noreferrer">https://wiki.articatech.com/en/proxy-service/troubleshooting/gss-cannot-decrypt-ticket</a></font><br /><br /> <div>On 16/11/2022 at 05:11, Михаил wrote:</div><blockquote><div>Hi everybody,</div><div><div><div> </div><div>Could you help me to set up my new squid server? I have a problem with keytab authorization.</div><div> </div><div>2022/11/16 11:35:39| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Cannot decrypt ticket for <a href="mailto:HTTP/uisproxy-rop.***.***.corp@***.***.CORP" rel="noopener noreferrer">HTTP/uisproxy-rop.***.***.corp@***.***.CORP</a> using keytab key for <a href="mailto:HTTP/uisproxy-rop.***.***.corp@***.**.CORP" rel="noopener noreferrer">HTTP/uisproxy-rop.***.***.corp@***.**.CORP</a>; }}</div><div>Got NTLMSSP neg_flags=0xe2088297</div><div>2022/11/16 11:35:40| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
Cannot decrypt ticket for <a href="mailto:HTTP/uisproxy-rop.***.***.corp@***.***.CORP" rel="noopener noreferrer">HTTP/uisproxy-rop.***.***.corp@***.***.CORP</a> using keytab key for <a href="mailto:HTTP/uisproxy-rop.***.***.corp@***.***.CORP" rel="noopener noreferrer">HTTP/uisproxy-rop.***.***.corp@***.***.CORP</a>; }}</div><div> </div><div># kinit -V -k -t /etc/squid/keytab/uisproxy-rop-t.keytab HTTP/uisproxy-rop.***.***.corp</div><div>Using default cache: /tmp/krb5cc_0</div><div>Using principal: <a href="mailto:HTTP/uisproxy-rop.***.***.corp@***.***.CORP" rel="noopener noreferrer">HTTP/uisproxy-rop.***.***.corp@***.***.CORP</a></div><div>Using keytab: /etc/squid/keytab/uisproxy-rop-t.keytab</div><div>Authenticated to Kerberos v5</div><div> </div><div># klist -ke /etc/squid/keytab/uisproxy-rop-t.keytab</div><div>Keytab name: <a href="FILE:/etc/squid/keytab/uisproxy-rop-t.keytab" rel="noopener noreferrer">FILE:/etc/squid/keytab/uisproxy-rop-t.keytab</a></div><div>KVNO Principal</div><div>---- --------------------------------------------------------------------------</div><div> 3 <a href="mailto:uisproxy-rop-t$@***.***.CORP" rel="noopener noreferrer">uisproxy-rop-t$@***.***.CORP</a> (arcfour-hmac)</div><div> 3 <a href="mailto:uisproxy-rop-t$@***.***.CORP" rel="noopener noreferrer">uisproxy-rop-t$@***.***.CORP</a> (aes128-cts-hmac-sha1-96)</div><div> 3 <a href="mailto:uisproxy-rop-t$@***.***.CORP" rel="noopener noreferrer">uisproxy-rop-t$@***.***.CORP</a> (aes256-cts-hmac-sha1-96)</div><div> 3 <a href="mailto:UISPROXY-ROP-T$@***.***.CORP" rel="noopener noreferrer">UISPROXY-ROP-T$@***.***.CORP</a> (arcfour-hmac)</div><div> 3 <a href="mailto:UISPROXY-ROP-T$@***.***.CORP" rel="noopener noreferrer">UISPROXY-ROP-T$@***.***.CORP</a> (aes128-cts-hmac-sha1-96)</div><div> 3 <a href="mailto:UISPROXY-ROP-T$@***.***.CORP" rel="noopener noreferrer">UISPROXY-ROP-T$@***.***.CORP</a> (aes256-cts-hmac-sha1-96)</div><div> 3 <a href="mailto:HTTP/uisproxy-rop.***.***.corp@***.***.CORP" 
rel="noopener noreferrer">HTTP/uisproxy-rop.***.***.corp@***.***.CORP</a> (arcfour-hmac)</div><div> 3 <a href="mailto:HTTP/uisproxy-rop.***.***.corp@***.***.CORP" rel="noopener noreferrer">HTTP/uisproxy-rop.***.***.corp@***.***.CORP</a> (aes128-cts-hmac-sha1-96)</div><div> 3 <a href="mailto:HTTP/uisproxy-rop.***.***.corp@***.***.CORP" rel="noopener noreferrer">HTTP/uisproxy-rop.***.***.corp@***.***.CORP</a> (aes256-cts-hmac-sha1-96)</div><div> 3 <a href="mailto:host/uisproxy-rop@***.***.CORP" rel="noopener noreferrer">host/uisproxy-rop@***.***.CORP</a> (arcfour-hmac)</div><div> 3 <a href="mailto:host/uisproxy-rop@***.***.CORP" rel="noopener noreferrer">host/uisproxy-rop@***.***.CORP</a> (aes128-cts-hmac-sha1-96)</div><div> 3 <a href="mailto:host/uisproxy-rop@***.***.CORP" rel="noopener noreferrer">host/uisproxy-rop@***.***.CORP</a> (aes256-cts-hmac-sha1-96)</div><div> </div><div># klist -kt</div><div>Keytab name: <a href="FILE:/etc/squid/keytab/uisproxy-rop-t.keytab" rel="noopener noreferrer">FILE:/etc/squid/keytab/uisproxy-rop-t.keytab</a></div><div>KVNO Timestamp Principal</div><div>---- ------------------- ------------------------------------------------------</div><div> 3 11/16/2022 11:30:50 <a href="mailto:uisproxy-rop-t$@***.***.CORP" rel="noopener noreferrer">uisproxy-rop-t$@***.***.CORP</a></div><div> 3 11/16/2022 11:30:50 <a href="mailto:uisproxy-rop-t$@***.***.CORP" rel="noopener noreferrer">uisproxy-rop-t$@***.***.CORP</a></div><div> 3 11/16/2022 11:30:50 <a href="mailto:uisproxy-rop-t$@***.***.CORP" rel="noopener noreferrer">uisproxy-rop-t$@***.***.CORP</a></div><div> 3 11/16/2022 11:30:50 <a href="mailto:UISPROXY-ROP-T$@***.***.CORP" rel="noopener noreferrer">UISPROXY-ROP-T$@***.***.CORP</a></div><div> 3 11/16/2022 11:30:50 <a href="mailto:UISPROXY-ROP-T$@***.***.CORP" rel="noopener noreferrer">UISPROXY-ROP-T$@***.***.CORP</a></div><div> 3 11/16/2022 11:30:50 <a href="mailto:UISPROXY-ROP-T$@***.***.CORP" rel="noopener 
noreferrer">UISPROXY-ROP-T$@***.***.CORP</a></div><div> 3 11/16/2022 11:30:50 <a href="mailto:HTTP/uisproxy-rop.***.***.corp@***.***.CORP" rel="noopener noreferrer">HTTP/uisproxy-rop.***.***.corp@***.***.CORP</a></div><div> 3 11/16/2022 11:30:50 <a href="mailto:HTTP/uisproxy-rop.***.***.corp@***.***.CORP" rel="noopener noreferrer">HTTP/uisproxy-rop.***.***.corp@***.***.CORP</a></div><div> 3 11/16/2022 11:30:50 <a href="mailto:HTTP/uisproxy-rop.***.***.corp@***.***.CORP" rel="noopener noreferrer">HTTP/uisproxy-rop.***.***.corp@***.***.CORP</a></div><div> 3 11/16/2022 11:30:50 <a href="mailto:host/uisproxy-rop@***.***.CORP" rel="noopener noreferrer">host/uisproxy-rop@***.***.CORP</a></div><div> 3 11/16/2022 11:30:50 <a href="mailto:host/uisproxy-rop@***.***.CORP" rel="noopener noreferrer">host/uisproxy-rop@***.***.CORP</a></div><div> 3 11/16/2022 11:30:50 <a href="mailto:host/uisproxy-rop@***.***.CORP" rel="noopener noreferrer">host/uisproxy-rop@***.***.CORP</a></div></div></div> <pre>_______________________________________________
squid-users mailing list
<a href="mailto:squid-users@lists.squid-cache.org" rel="noopener noreferrer">squid-users@lists.squid-cache.org</a>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noopener noreferrer">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre></blockquote> <pre>--
David Touzeau - Artica Tech France
Development team, level 3 support
----------------------------------
P: +33 6 58 44 69 46
www: <a href="https://wiki.articatech.com/" rel="noopener noreferrer">https://wiki.articatech.com</a>
www: <a href="http://articatech.net/" rel="noopener noreferrer">http://articatech.net</a> </pre></div></blockquote>