<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#467886" vlink="#96607D" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:12.0pt'> Hello,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Kerberos is complex and is also sensitive to clock shift between systems.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Here according to error message, it sounds like the KVNO number is no longer aligned between your keys in keytab and your AD service account holding the SPN – probably because of a password change or any other attribute change on account which have increased KVNO number.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>I would recommend to generate again the keytab for this Service Principal Name with ktpass and try again.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Or if it happens “often” without obvious explanation, to generate ktpass with option “-kvno 0” even if considered as less secure, or else only for non-productive environments.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Best regards,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Yves<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-family:"Calibri",sans-serif;mso-ligatures:none'>From:</span></b><span style='font-family:"Calibri",sans-serif;mso-ligatures:none'> squid-users <squid-users-bounces@lists.squid-cache.org> <b>On Behalf Of </b>Mark Cairney<br><b>Sent:</b> Wednesday, June 18, 2025 10:50 AM<br><b>To:</b> squid-users@lists.squid-cache.org<br><b>Subject:</b> [squid-users] Kerberos Auth weirdness/inconsistency when using CNAMEs/Round-robin DNS<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 align=left width="99%" style='width:99.22%'><tr><td width=4 style='width:3.35pt;background:#A6A6A6;padding:5.25pt 1.5pt 5.25pt 1.5pt'></td><td width=750 style='width:562.55pt;background:#EAEAEA;padding:5.25pt 3.75pt 5.25pt 11.25pt;aspect-ratio: revert !important;background:revert !important;block-size: revert !important;border:revert !important;bottom: revert !important;color:revert !important;color-scheme: revert !important;content-visibility: revert !important;cursor:revert !important;direction:revert !important;display:revert !important;font-size:revert !important;height:revert !important;hyphens: revert !important;letter-spacing:revert !important;line-height:revert !important;margin:revert !important;opacity: revert !important;order: revert !important;outline: revert !important;overflow:revert !important;padding:revert !important;position:revert !important;resize: revert !important;rotate: revert !important;scale: revert !important;tab-size: revert !important;table-layout:revert !important;text-align:revert !important;text-indent:revert !important;text-orientation: revert !important;text-overflow: revert !important;text-shadow:revert !important;text-transform:revert !important;text-wrap: revert !important;top:revert !important;transition: revert !important;user-select: revert !important;vertical-align:revert !important;visibility:revert !important;white-space:revert !important;width:revert !important;word-break:revert !important;word-spacing:revert !important;writing-mode:revert !important;zoom: revert !important'><div><p class=MsoNormal style='mso-element:frame;mso-element-frame-hspace:2.25pt;mso-element-wrap:around;mso-element-anchor-vertical:paragraph;mso-element-anchor-horizontal:column;mso-height-rule:exactly'><span style='font-size:9.0pt;font-family:"Segoe UI",sans-serif;color:#212121;mso-ligatures:none'>You don't often get email from <a href="mailto:mark.cairney@ed.ac.uk">mark.cairney@ed.ac.uk</a>. <a href="https://aka.ms/LearnAboutSenderIdentification">Learn why this is important</a> <o:p></o:p></span></p></div></td><td width=10 style='width:7.8pt;background:#EAEAEA;padding:5.25pt 3.75pt 5.25pt 3.75pt;aspect-ratio: revert !important;background:revert !important;block-size: revert !important;border:revert !important;bottom: revert !important;color:revert !important;color-scheme: revert !important;content-visibility: revert !important;cursor:revert !important;direction:revert !important;display:revert !important;font-size:revert !important;height:revert !important;hyphens: revert !important;letter-spacing:revert !important;line-height:revert !important;margin:revert !important;opacity: revert !important;order: revert !important;outline: revert !important;overflow:revert !important;padding:revert !important;position:revert !important;resize: revert !important;rotate: revert !important;scale: revert !important;tab-size: revert !important;table-layout:revert !important;text-align:revert !important;text-indent:revert !important;text-orientation: revert !important;text-overflow: revert !important;text-shadow:revert !important;text-transform:revert !important;text-wrap: revert !important;top:revert !important;transition: revert !important;user-select: revert !important;vertical-align:revert !important;visibility:revert !important;white-space:revert !important;width:revert !important;word-break:revert !important;word-spacing:revert !important;writing-mode:revert !important;zoom: revert !important;align: left !important'></td></tr></table><div><p class=MsoNormal><span lang=EN-GB>Hi,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>I’ve been trying to get Kerberos Authentication against AD working but have been seeing inconsistent results/behaviour across multiple Oses and I’m not sure if the issue lies with the DNS configuration, Kerberos itself or with the Squid config:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>THE DNS setup is as follows:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>test.squid.cluster. 3600 IN CNAME test-squid-cluster.dyn-zone.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>test-squid-cluster.dyn-zone. 60 IN A 1.2.3.4<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Where 1.2.3.4 is the IP of one of the servers in the cluster. The intention is to have multiple Squid servers behind a single DNS name for high-availability.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>This is what I’m seeing in the cache log with my current setup:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Windows:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>negotiate_kerberos_auth.cc(182): pid=668789 :2025/06/16 16:03:01| negotiate_kerb<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>eros_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Min<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>or code may provide more information. Cannot find key for HTTP/ <a href="mailto:test-squid-cluster.dyn-zone@REALM">test-squid-cluster.dyn-zone@REALM</a> kvno 2 in keytab (request ticket server <a href="mailto:HTTP/test.squid.cluster@REALM">HTTP/test.squid.cluster@REALM</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Rocky Linux:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>curl -ik -vvv -L --proxy-negotiate -U : -b ~/cookiejar.txt -c ~/cookiejar.txt -x <a href="https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftest.squid.cluster%3A3128%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265154578%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=8t7J%2FliBDzhFu%2BkhZP2tDQc9iLXyV5bj63APcwUI0Lw%3D&reserved=0">"test.squid.cluster:3128"</a> <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bbc.co.uk%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265198150%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=VupN2iP6EHWQDoTuoOw4v9JEA7L4YT86xCRaSa3x%2FeY%3D&reserved=0">https://www.bbc.co.uk</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>negotiate_kerberos_auth.cc(182): pid=668789 :2025/06/17 08:51:52| negotiate_kerb<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>eros_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Min<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>2025/06/17 08:51:52| negotiate_kerberos_auth: INFO: User not authenticated<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>2025/06/17 08:51:52.964 kid1| ERROR: Negotiate Authentication validating user. R<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>esult: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>er <a href="mailto:HTTP/marmalade.cache.ed.ac.uk@ED.AC.UK">HTTP/server1@</a>REALM); }}<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>klist -e<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Ticket cache: <a href="FILE://tmp/krb5cc_138460_vF4BWcMsZu">FILE:/tmp/krb5cc_138460_vF4BWcMsZu</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Default principal: <a href="mailto:ext6033@ED.AC.UK">ext6033@ED.AC.UK</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>17/06/25 08:51:44 17/06/25 18:51:24 krbtgt/REALM@REALM<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>17/06/25 08:51:52 17/06/25 18:51:24 HTTP/server@<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> Ticket server: server/REALM@REALM<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>With the same behaviour if I use the Dynamic Zone record in the curl command i.e.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>curl -ik -vvv -L --proxy-negotiate -U : -b ~/cookiejar.txt -c ~/cookiejar.txt -x <a href="https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftest-squid-cluster.dyn-zone%3A3128%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265226269%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=etUDUnCBFgx7PkYmz458VECv0SM7k%2FmIUMTdsiwLmAQ%3D&reserved=0">" test-squid-cluster.dyn-zone:3128"</a> <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bbc.co.uk%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265245027%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=Jgbdey0AavIx9HWJt2lvtMJMxy9ecnYNzFlHH3SXPAY%3D&reserved=0">https://www.bbc.co.uk</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Ubuntu 24.04<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>curl -ik -vvv -L --proxy-negotiate -U : -b ~/cookiejar.txt -c ~/cookiejar.txt -x <a href="https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftest.squid.cluster%3A3128%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265261573%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=4QUQnouTbGtClgVAFVq2oLuxnXQnyPGS6wk0BLe0MWU%3D&reserved=0">"test.squid.cluster:3128"</a> <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bbc.co.uk%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265279188%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=Du%2BSPdi0fT7Bd0Fnh4roqultifdzqZ4u8QFskPJAGI8%3D&reserved=0">"https://www.bbc.co.uk"</a> works<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><br><br><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>negotiate_kerberos_auth.cc(815): pid=668789 :2025/06/18 09:11:17| negotiate_kerberos_auth: DEBUG: OK token=oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvJ1BxA5rnZjKbfBVE0YqUlnYx7oLguj09HLH4SJRumUjWWXh99B/4X72vpFqCXeOKmvzSDlWG0Io1ZjQxNOxqni4sFx8exojIzg4aIWKAcYB21OHr9m0T9dfymDVoV61Cofyq38fUaN5Loen9YX0h user=account<br>2025/06/18 09:11:17| negotiate_kerberos_auth: INFO: User account authenticated<br><br><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><br><br><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>klist -e<br>Ticket cache: <a href="FILE://tmp/krb5cc_1001_7KsHEg">FILE:/tmp/krb5cc_1001_7KsHEg</a><br>Default principal: account@REALM<br><br>Valid starting Expires Service principal<br>06/18/25 09:10:09 06/18/25 19:10:09 krbtgt/REALM@REALM<br> renew until 06/19/25 09:09:36, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 <br>06/18/25 09:11:17 06/18/25 19:10:09 <a href="mailto:HTTP/test-squid-cluster.dyn-zone@">HTTP/test-squid-cluster.dyn-zone@</a><br> renew until 06/19/25 09:09:36, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 <br><br><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><br><br><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>curl -ik -vvv -L --proxy-negotiate -U : -b ~/cookiejar.txt -c ~/cookiejar.txt -x <a href="https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftest-squid-cluster.dyn-zone%3A3128%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265295759%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=NK1qTf5sVX8CRq2iuPZFDlirTfakmjAMhGPtz1Xc69I%3D&reserved=0">"test-squid-cluster.dyn-zone:3128"</a> <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bbc.co.uk%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265311272%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=PInDElH8PbSbyPfHI5qbY%2Ft7VqP7kySjxaVYkEV%2BIWI%3D&reserved=0">"https://www.bbc.co.uk"</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><br><br><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Works as well<br><br><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>klist -e<br>Ticket cache: <a href="FILE://tmp/krb5cc_1001_7KsHEg">FILE:/tmp/krb5cc_1001_7KsHEg</a><br>Default principal: account@REALM<br><br>Valid starting Expires Service principal<br>06/18/25 09:17:11 06/18/25 19:17:11 krbtgt/REAM@REALM<br> renew until 06/19/25 09:16:55, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 <br>06/18/25 09:17:38 06/18/25 19:17:11 <a href="mailto:HTTP/test-squid-cluster.dyn-zone@">HTTP/test-squid-cluster.dyn-zone@</a><br> renew until 06/19/25 09:16:55, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 <br> Ticket server: <a href="mailto:HTTP/test-exams-cache.www-dyn.ed.ac.uk@ED.AC.UK">HTTP/test-exams-cache.www-dyn.ed.ac.uk@ED.AC.UK</a><br><br><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><br><br><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Mac (Sequoia 15.5)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>curl -ik -vvv -L --proxy-negotiate -U : -b ~/cookiejar.txt -c ~/cookiejar.txt -x <a href="https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftest.squid.cluster.dyn-zone%3A3128%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265327061%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=uh3wcKqcET7lvGDixjYIPV7sMQpu5DQWPCU3MwlIEaU%3D&reserved=0">"test.squid.cluster.dyn-zone:3128"</a> <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bbc.co.uk%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265343080%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=Jgq5ZaanXE18ZnTJfh%2B5uWc92NAj3vB570vi0GwVgbY%3D&reserved=0">https://www.bbc.co.uk</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>2025/06/17 09:32:26| negotiate_kerberos_auth: INFO: User not authenticated<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>2025/06/17 09:32:26.600 kid1| ERROR: Negotiate Authentication validating user. R<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>esult: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>GSS failure. Minor code may provide more information. Cannot find key for HTTP/<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><a href="mailto:test-squid-cluster.dyn-zone@REALM">test-squid-cluster.dyn-zone@REALM</a> kvno 2 in keytab (request ticket serv<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>er <a href="mailto:HTTP/test.squid.cluster@">HTTP/test.squid.cluster@</a>REALM); }}<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>klist -v<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Server: <a href="mailto:HTTP/test.squid.cluster@">HTTP/test.squid.cluster@</a>REALM<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Client: account@REALM<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Ticket etype: aes256-cts-hmac-sha1-96, kvno 2<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Ticket length: 1690<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Auth time: Jun 17 09:32:17 2025<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Start time: Jun 17 09:32:26 2025<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>End time: Jun 17 19:31:56 2025<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Ticket flags: enc-pa-rep, pre-authent, forwardable<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Addresses: addressless<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>curl -ik -vvv -L --proxy-negotiate -U : -b ~/cookiejar.txt -c ~/cookiejar.txt -x <a href="https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftest-squid-cluster.dyn.zone%3A3128%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265363670%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=h4Eewb9G%2FmCru9yqhs%2FNPiQNaS8ub040wxJ1CuEphOI%3D&reserved=0">"test-squid-cluster.dyn.zone:3128"</a> <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bbc.co.uk%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265385086%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=CyYbqCck5UzUubUvn6KQ9WbMaUwJ9Ab4ZXNtQdtpeFI%3D&reserved=0">https://www.bbc.co.uk</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Successful:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>2025/06/17 09:36:38| negotiate_kerberos_auth: INFO: User account authenticated<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>2025/06/17 09:36:38.165 kid1| 82,2| external_acl.cc(700) aclMatchExternal: ldap_group = ALLOWED<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Klist -v<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Server: <a href="mailto:krbtgt/ED.AC.UK@ED.AC.UK">krbtgt/REALM@</a>REALM<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Client: account@REALM <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Ticket etype: aes256-cts-hmac-sha1-96, kvno 11<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Ticket length: 1683<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Auth time: Jun 17 09:36:31 2025<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>End time: Jun 17 19:36:23 2025<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Ticket flags: enc-pa-rep, pre-authent, initial, forwardable<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Addresses: addressless<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Server: <a href="mailto:HTTP/test-squid-cluster.dyn.zone@">HTTP/test-squid-cluster.dyn.zone@</a>REALM<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Client: <a href="mailto:ext6033@ED.AC.UK">account@</a>REALM<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Ticket etype: aes256-cts-hmac-sha1-96, kvno 1<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Ticket length: 1698<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Auth time: Jun 17 09:36:31 2025<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Start time: Jun 17 09:36:38 2025<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>End time: Jun 17 19:36:23 2025<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Ticket flags: enc-pa-rep, pre-authent, forwardable<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Addresses: addressless<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>The relevant parts of the squid.conf are:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>http_port 3128<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>cache_mem 256 mb<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>maximum_object_size_in_memory 512 KB<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>maximum_object_size 2048 mb<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>cache_dir ufs /var/spool/squid 51200 16 256<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>debug_options ALL,2<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>visible_hostname test-squid-cluster.dyn.zone<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>unique_hostname server1<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>refresh_pattern . 0 20% 4320 ignore-reload<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>auth_param basic children 10<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s <a href="mailto:HTTP/test-squid-cluster.dyn.zone@">HTTP/test-squid-cluster.dyn.zone@</a>REALM -d -i -r<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>(We also have LDAP basic auth configured as a fallback which works as expected but modern Windows clients no longer support basic auth for proxy servers).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>klist -k /etc/squid/HTTP.keytab<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Keytab name: <a href="FILE://etc/squid/HTTP.keytab">FILE:/etc/squid/HTTP.keytab</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>KVNO Principal<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>---- --------------------------------------------------------------------------<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> 1 <a href="mailto:TESTEXAMSCACHE@ED.AC.UK">TESTSQUIDCACHE@</a>REALM<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> 1 <a href="mailto:TESTEXAMSCACHE@ED.AC.UK">TESTSQUIDCACHE@</a>REALM<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> 1 <a href="mailto:TESTEXAMSCACHE@ED.AC.UK">TESTSQUIDCACHE@</a>REALM<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> 1 <a href="mailto:HTTP/test-squid-cache.dyn.zone@">HTTP/test-squid-cache.dyn.zone@</a>REALM<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> 1 <a href="mailto:HTTP/test-squid-cache.dyn.zone@">HTTP/test-squid-cache.dyn.zone@</a>REALM<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> 1 <a href="mailto:HTTP/test-squid-cache.dyn.zone@">HTTP/test-squid-cache.dyn.zone@</a>REALM<o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-GB style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>/etc/hosts</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>1.2.3.4 server1.cache server1 test-squid-cache.dyn.zone test.squid.cluster</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Finally the keytab was generated using msktutil e.g.</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>msktutil -c -h test-squid-cache.dyn.zone -b 'OU=Managed-Linux,OU=Infrastructure' --computer-name TESTSQUIDCACHE -s HTTP/test-squid-cache.dyn.zone -k /etc/squid/HTTP.keytab --server domain.controller --realm REALM --use-service-account --dont-expire-password --upn <a href="mailto:HTTP/test-squid-cache.dyn.zone@REALM">HTTP/test-squid-cache.dyn.zone@REALM</a></span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>This works fairly well/reliably if we use a keytab containing the HTTP/fqdn of the server itself i.e. HTTP/server1 AND connect using curl using the FQDN of server1 but we need resiliency and high-availability so having a single-host service would be a last resort.</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Any ideas on where I’m going wrong or what I need to add in terms of DNS/keytab entries? Also some of the clients attempt to use key versions which have never been issued e.g. kvno 4? </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Kind regards,</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>Mark</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'>--<br>/****************************<br><br>Mark Cairney<br>ITI Enterprise Services<br>Information Services<br>University of Edinburgh<br><br>Tel: 0131 650 6565<br>Email: </span><u><span lang=EN-GB style='color:#0078D7;mso-ligatures:none;mso-fareast-language:EN-GB'><a href="mailto:Mark.Cairney@ed.ac.uk">Mark.Cairney@ed.ac.uk</a></span></u><span lang=EN-GB style='color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB'><br><br>*******************************/<br><br>The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.</span><span lang=EN-GB> </span><span lang=EN-GB style='mso-ligatures:none'><img border=0 width=32 height=32 style='width:.3333in;height:.3333in' id="Picture_x0020_1" src="cid:image001.png@01DBE044.4DE96160" alt="signature_2526785256"></span><span lang=EN-GB><o:p></o:p></span></p></div></div></div></body></html>