[squid-users] Squid 4.15 on FreeBSD 12.2 Stable - Kerberos helper issues
Marek Greško
mgresko8 at gmail.com
Wed May 25 05:21:36 UTC 2022
Hello,
Did you not change the password on the account? If you change the password you
should recreate the keytab.
Marek
Tue 24 May 2022 at 14:23 Suporte - Konntrol <suporte at konntrol.com.br>
wrote:
> Thanks Amos.
> I have recreated the keytab and it is back working, although I will need
> to better investigate the root cause of it.
> I will check the expiration time as you mentioned.
>
> Thanks once again!
> Fabricio.
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
> Behalf Of Amos Jeffries
> Sent: Saturday, May 21, 2022 2:50 AM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid 4.15 on FreeBSD 12.2 Stable - Kerberos
> helper issues
>
> On 21/05/22 04:51, Suporte - Konntrol wrote:
> > Hello everyone,
> >
> > Greetings.
> >
> > I got a strange situation with my SQUID 4.1 (FreeBSD 12.2 Stable
> > environment).
> >
> > Everything was working fine with Kerberos configuration and suddenly
> > it stopped with the following error:
> >
> > ==> /var/squid/logs/cache.log <==
> >
> > negotiate_kerberos_auth.cc(182): pid=85679 :2022/05/20 13:35:43|
> > negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: No
> > credentials were supplied, or the credentials were unavailable or
> > inaccessible. No principal in keytab matches desired name
> >
> > 2022/05/20 13:35:43| negotiate_kerberos_auth: INFO: User not
> > authenticated
> >
> > Judging by the “No principal in keytab matches desired name” message,
> > I went immediately to the AD object to check if it was really missing
> > the Principal entry.
> >
> > To my surprise, everything is there. (talking about the
> > HTTP/fqdn at REALM entry).
>
> That error message has a lot of parts. Check the debug trace to see if
> you can find out what that "desired name" is for that lookup. It may be
> something odd going on there.
>
> Also, notice the character cases. Sometimes it matters, so best to make
> sure they always line up.
>
>
> >
> > Also, I checked the contents of my keytab, which looks OK, as it
> > contains the HTTP/server01.mydomain.corp at MYDOMAIN.CORP entry as well.
> >
> > Additionally, I checked the DNS configuration for the PTR and Reverse
> > entries. It looks OK as well.
> >
> > I have used “net ads join
> > createupn=HTTP/server01.mydomain.corp at MYDOMAIN.CORP -k” commands to
> > join the Squid machine to Domain, and “net ads keytab create -k” to create a
> > keytab.
> >
> > Also, used the command “net ads keytab add HTTP” to add the HTTP entry
> > to the keytab.
> >
> ...
> >
> > As I mentioned, that was working for months, then stopped.
> >
>
> IME, this type of sudden delayed breakage usually occurs when there is
> some validity period associated with the credentials in the keytab (or
> domain controller which created it). There is a disclaimer in the wiki
> about the "net ads" under some conditions adding an expiry time.
>
> <
> https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab
> >
>
> Rebuilding the keytab with kinit and msktutil may fix it for you.
>
>
> HTH
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
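The two diagnoses offered in this thread (a principal that does not match the "desired name" byte-for-byte, and a keytab invalidated by a password change on the account) can both be checked from the keytab itself. The following is an added example written for this page, not code from the thread, from Squid or from the Kerberos helper: it parses the output of MIT `klist -kt` (assumption: MIT-style layout; Heimdal's `ktutil list` prints a different table) and reports whether the expected HTTP principal is present with exact case, whether only a case-insensitive near-match exists, and whether the entry's KVNO differs from the key version recorded in AD (the account's `msDS-KeyVersionNumber`, which increments on every password change, so a mismatch means the keytab must be recreated). The sample `klist` output is constructed; the hostname and realm are taken from the thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of MIT `klist -kt <keytab>` output. The only HTTP entry
# is lower-case, which is exactly the kind of mismatch Amos warns about.
SAMPLE_KLIST = """\
Keytab name: FILE:/usr/local/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 05/20/2022 13:35:43 host/server01.mydomain.corp@MYDOMAIN.CORP
   3 05/20/2022 13:35:43 http/server01.mydomain.corp@MYDOMAIN.CORP
"""

# One entry line: "<kvno> <date> <time> <principal>". Header and separator
# lines do not start with an integer and are skipped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s*$")


def parse_klist(text: str) -> List[Dict[str, object]]:
    """Return one dict per keytab entry: kvno (int), timestamp (str), principal (str)."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "kvno": int(m.group(1)),
                "timestamp": m.group(2),
                "principal": m.group(3),
            })
    return entries


def check_keytab(entries: List[Dict[str, object]], wanted: str,
                 expected_kvno: Optional[int] = None) -> Dict[str, object]:
    """
    Explain a 'No principal in keytab matches desired name' failure.

    exact      - True if `wanted` is present byte-for-byte (Kerberos compares
                 principal names case-sensitively).
    case_only  - principals that match `wanted` only when case is ignored;
                 these will NOT satisfy gss_acquire_cred().
    kvnos      - key versions stored for the exact principal.
    stale_kvno - True if the exact principal exists but none of its key
                 versions equals `expected_kvno` (e.g. the AD attribute
                 msDS-KeyVersionNumber read after a password change).
    """
    exact = [e for e in entries if e["principal"] == wanted]
    case_only = sorted({
        str(e["principal"]) for e in entries
        if str(e["principal"]).lower() == wanted.lower() and e["principal"] != wanted
    })
    kvnos = sorted({int(e["kvno"]) for e in exact})
    stale = bool(exact) and expected_kvno is not None and expected_kvno not in kvnos
    return {"exact": bool(exact), "case_only": case_only,
            "kvnos": kvnos, "stale_kvno": stale}


def explain(result: Dict[str, object], wanted: str) -> str:
    """Turn a check result into a one-line verdict for an operator."""
    if not result["exact"]:
        if result["case_only"]:
            return (f"{wanted} is missing; keytab only has "
                    f"{', '.join(result['case_only'])} (case differs, recreate keytab)")
        return f"{wanted} is missing from the keytab"
    if result["stale_kvno"]:
        return (f"{wanted} present with KVNO {result['kvnos']} but AD key version "
                f"differs (password changed?); recreate the keytab")
    return f"{wanted} present with KVNO {result['kvnos']}; keytab looks consistent"


if __name__ == "__main__":
    # Run against the constructed sample; in practice feed it
    # `subprocess.run(["klist", "-kt", keytab], capture_output=True, text=True).stdout`.
    ents = parse_klist(SAMPLE_KLIST)
    principal = "HTTP/server01.mydomain.corp@MYDOMAIN.CORP"
    print(explain(check_keytab(ents, principal, expected_kvno=4), principal))
```

The `expected_kvno` value is deliberately an input rather than something the script fetches, so the check runs offline; compare it with the account's current key version from AD before trusting a "consistent" verdict.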