[squid-users] Kerberos Auth weirdness/inconsistency when using CNAMEs/Round-robin DNS
Yves MARTIN
yves.martin at elca.ch
Wed Jun 18 09:46:50 UTC 2025
Hello,
Kerberos is complex and is also sensitive to clock shift between systems.
Here according to error message, it sounds like the KVNO number is no longer
aligned between your keys in keytab and your AD service account holding the
SPN - probably because of a password change or any other attribute change on
account which have increased KVNO number.
I would recommend to generate again the keytab for this Service Principal
Name with ktpass and try again.
Or if it happens "often" without obvious explanation, to generate ktpass
with option "-kvno 0" even if considered as less secure, or else only for
non-productive environments.
Best regards,
Yves
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of
Mark Cairney
Sent: Wednesday, June 18, 2025 10:50 AM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Kerberos Auth weirdness/inconsistency when using
CNAMEs/Round-robin DNS
You don't often get email from mark.cairney at ed.ac.uk
<mailto:mark.cairney at ed.ac.uk> . Learn why this is important
<https://aka.ms/LearnAboutSenderIdentification>
Hi,
I've been trying to get Kerberos Authentication against AD working but have
been seeing inconsistent results/behaviour across multiple Oses and I'm not
sure if the issue lies with the DNS configuration, Kerberos itself or with
the Squid config:
THE DNS setup is as follows:
test.squid.cluster. 3600 IN CNAME
test-squid-cluster.dyn-zone.
test-squid-cluster.dyn-zone. 60 IN A 1.2.3.4
Where 1.2.3.4 is the IP of one of the servers in the cluster. The intention
is to have multiple Squid servers behind a single DNS name for
high-availability.
This is what I'm seeing in the cache log with my current setup:
Windows:
negotiate_kerberos_auth.cc(182): pid=668789 :2025/06/16 16:03:01|
negotiate_kerb
eros_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure.
Min
or code may provide more information. Cannot find key for HTTP/
test-squid-cluster.dyn-zone at REALM <mailto:test-squid-cluster.dyn-zone at REALM>
kvno 2 in keytab (request ticket server HTTP/test.squid.cluster at REALM
<mailto:HTTP/test.squid.cluster at REALM>
Rocky Linux:
curl -ik -vvv -L --proxy-negotiate -U : -b ~/cookiejar.txt -c
~/cookiejar.txt -x
<https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftest.squid
.cluster%3A3128%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa8
9908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C6388583372651545
78%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiO
iJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=8t7J%2Fli
BDzhFu%2BkhZP2tDQc9iLXyV5bj63APcwUI0Lw%3D&reserved=0>
"test.squid.cluster:3128" https://www.bbc.co.uk
<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bbc.c
o.uk%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453
ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265198150%7CUnknow
n%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIs
IkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=VupN2iP6EHWQDoTuoOw4
v9JEA7L4YT86xCRaSa3x%2FeY%3D&reserved=0>
negotiate_kerberos_auth.cc(182): pid=668789 :2025/06/17 08:51:52|
negotiate_kerb
eros_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure.
Min
2025/06/17 08:51:52| negotiate_kerberos_auth: INFO: User not authenticated
2025/06/17 08:51:52.964 kid1| ERROR: Negotiate Authentication validating
user. R
esult: {result=BH, notes={message: gss_accept_sec_context() failed:
Unspecified
er HTTP/server1@ <mailto:HTTP/marmalade.cache.ed.ac.uk at ED.AC.UK> REALM); }}
klist -e
Ticket cache: FILE:/tmp/krb5cc_138460_vF4BWcMsZu
<FILE://tmp/krb5cc_138460_vF4BWcMsZu>
Default principal: ext6033 at ED.AC.UK <mailto:ext6033 at ED.AC.UK>
17/06/25 08:51:44 17/06/25 18:51:24 krbtgt/REALM at REALM
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
17/06/25 08:51:52 17/06/25 18:51:24 HTTP/server@
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
Ticket server: server/REALM at REALM
With the same behaviour if I use the Dynamic Zone record in the curl command
i.e.
curl -ik -vvv -L --proxy-negotiate -U : -b ~/cookiejar.txt -c
~/cookiejar.txt -x
<https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftest-squid
-cluster.dyn-zone%3A3128%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac
5354d8fa89908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C6388583
37265226269%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAw
MCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=
etUDUnCBFgx7PkYmz458VECv0SM7k%2FmIUMTdsiwLmAQ%3D&reserved=0> "
test-squid-cluster.dyn-zone:3128" https://www.bbc.co.uk
<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bbc.c
o.uk%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453
ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265245027%7CUnknow
n%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIs
IkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=Jgbdey0AavIx9HWJt2lv
tMJMxy9ecnYNzFlHH3SXPAY%3D&reserved=0>
Ubuntu 24.04
curl -ik -vvv -L --proxy-negotiate -U : -b ~/cookiejar.txt -c
~/cookiejar.txt -x
<https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftest.squid
.cluster%3A3128%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa8
9908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C6388583372652615
73%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiO
iJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=4QUQnouTb
GtClgVAFVq2oLuxnXQnyPGS6wk0BLe0MWU%3D&reserved=0> "test.squid.cluster:3128"
<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bbc.c
o.uk%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453
ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265279188%7CUnknow
n%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIs
IkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=Du%2BSPdi0fT7Bd0Fnh4
roqultifdzqZ4u8QFskPJAGI8%3D&reserved=0> "https://www.bbc.co.uk" works
negotiate_kerberos_auth.cc(815): pid=668789 :2025/06/18 09:11:17|
negotiate_kerberos_auth: DEBUG: OK
token=oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhq
ADAgEFoQMCAQ+iejB4oAMCARKicQRvJ1BxA5rnZjKbfBVE0YqUlnYx7oLguj09HLH4SJRumUjWWX
h99B/4X72vpFqCXeOKmvzSDlWG0Io1ZjQxNOxqni4sFx8exojIzg4aIWKAcYB21OHr9m0T9dfymD
VoV61Cofyq38fUaN5Loen9YX0h user=account
2025/06/18 09:11:17| negotiate_kerberos_auth: INFO: User account
authenticated
klist -e
Ticket cache: FILE:/tmp/krb5cc_1001_7KsHEg <FILE://tmp/krb5cc_1001_7KsHEg>
Default principal: account at REALM
Valid starting Expires Service principal
06/18/25 09:10:09 06/18/25 19:10:09 krbtgt/REALM at REALM
renew until 06/19/25 09:09:36, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/18/25 09:11:17 06/18/25 19:10:09 HTTP/test-squid-cluster.dyn-zone@
<mailto:HTTP/test-squid-cluster.dyn-zone@>
renew until 06/19/25 09:09:36, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
curl -ik -vvv -L --proxy-negotiate -U : -b ~/cookiejar.txt -c
~/cookiejar.txt -x
<https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftest-squid
-cluster.dyn-zone%3A3128%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac
5354d8fa89908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C6388583
37265295759%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAw
MCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=
NK1qTf5sVX8CRq2iuPZFDlirTfakmjAMhGPtz1Xc69I%3D&reserved=0>
"test-squid-cluster.dyn-zone:3128"
<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bbc.c
o.uk%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453
ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265311272%7CUnknow
n%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIs
IkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=PInDElH8PbSbyPfHI5qb
Y%2Ft7VqP7kySjxaVYkEV%2BIWI%3D&reserved=0> "https://www.bbc.co.uk"
Works as well
klist -e
Ticket cache: FILE:/tmp/krb5cc_1001_7KsHEg <FILE://tmp/krb5cc_1001_7KsHEg>
Default principal: account at REALM
Valid starting Expires Service principal
06/18/25 09:17:11 06/18/25 19:17:11 krbtgt/REAM at REALM
renew until 06/19/25 09:16:55, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/18/25 09:17:38 06/18/25 19:17:11 HTTP/test-squid-cluster.dyn-zone@
<mailto:HTTP/test-squid-cluster.dyn-zone@>
renew until 06/19/25 09:16:55, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
Ticket server: HTTP/test-exams-cache.www-dyn.ed.ac.uk at ED.AC.UK
<mailto:HTTP/test-exams-cache.www-dyn.ed.ac.uk at ED.AC.UK>
Mac (Sequoia 15.5)
curl -ik -vvv -L --proxy-negotiate -U : -b ~/cookiejar.txt -c
~/cookiejar.txt -x
<https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftest.squid
.cluster.dyn-zone%3A3128%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac
5354d8fa89908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C6388583
37265327061%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAw
MCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=
uh3wcKqcET7lvGDixjYIPV7sMQpu5DQWPCU3MwlIEaU%3D&reserved=0>
"test.squid.cluster.dyn-zone:3128" https://www.bbc.co.uk
<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bbc.c
o.uk%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453
ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265343080%7CUnknow
n%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIs
IkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=Jgq5ZaanXE18ZnTJfh%2
B5uWc92NAj3vB570vi0GwVgbY%3D&reserved=0>
2025/06/17 09:32:26| negotiate_kerberos_auth: INFO: User not authenticated
2025/06/17 09:32:26.600 kid1| ERROR: Negotiate Authentication validating
user. R
esult: {result=BH, notes={message: gss_accept_sec_context() failed:
Unspecified
GSS failure. Minor code may provide more information. Cannot find key for
HTTP/
test-squid-cluster.dyn-zone at REALM <mailto:test-squid-cluster.dyn-zone at REALM>
kvno 2 in keytab (request ticket serv
er HTTP/test.squid.cluster@ <mailto:HTTP/test.squid.cluster@> REALM); }}
klist -v
Server: HTTP/test.squid.cluster@ <mailto:HTTP/test.squid.cluster@> REALM
Client: account at REALM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket length: 1690
Auth time: Jun 17 09:32:17 2025
Start time: Jun 17 09:32:26 2025
End time: Jun 17 19:31:56 2025
Ticket flags: enc-pa-rep, pre-authent, forwardable
Addresses: addressless
curl -ik -vvv -L --proxy-negotiate -U : -b ~/cookiejar.txt -c
~/cookiejar.txt -x
<https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftest-squid
-cluster.dyn.zone%3A3128%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac
5354d8fa89908ddae453ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C6388583
37265363670%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAw
MCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=
h4Eewb9G%2FmCru9yqhs%2FNPiQNaS8ub040wxJ1CuEphOI%3D&reserved=0>
"test-squid-cluster.dyn.zone:3128" https://www.bbc.co.uk
<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bbc.c
o.uk%2F&data=05%7C02%7Cyves.martin%40elca.ch%7C112b1e1ac5354d8fa89908ddae453
ba2%7C01c791614c7f481e8511d45615e6f78d%7C0%7C0%7C638858337265385086%7CUnknow
n%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIs
IkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=CyYbqCck5UzUubUvn6KQ
9WbMaUwJ9Ab4ZXNtQdtpeFI%3D&reserved=0>
Successful:
2025/06/17 09:36:38| negotiate_kerberos_auth: INFO: User account
authenticated
2025/06/17 09:36:38.165 kid1| 82,2| external_acl.cc(700) aclMatchExternal:
ldap_group = ALLOWED
Klist -v
Server: krbtgt/REALM@ <mailto:krbtgt/ED.AC.UK at ED.AC.UK> REALM
Client: account at REALM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 11
Ticket length: 1683
Auth time: Jun 17 09:36:31 2025
End time: Jun 17 19:36:23 2025
Ticket flags: enc-pa-rep, pre-authent, initial, forwardable
Addresses: addressless
Server: HTTP/test-squid-cluster.dyn.zone@
<mailto:HTTP/test-squid-cluster.dyn.zone@> REALM
Client: account@ <mailto:ext6033 at ED.AC.UK> REALM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 1698
Auth time: Jun 17 09:36:31 2025
Start time: Jun 17 09:36:38 2025
End time: Jun 17 19:36:23 2025
Ticket flags: enc-pa-rep, pre-authent, forwardable
Addresses: addressless
The relevant parts of the squid.conf are:
http_port 3128
cache_mem 256 mb
maximum_object_size_in_memory 512 KB
maximum_object_size 2048 mb
cache_dir ufs /var/spool/squid 51200 16 256
debug_options ALL,2
visible_hostname test-squid-cluster.dyn.zone
unique_hostname server1
refresh_pattern . 0 20% 4320 ignore-reload
auth_param basic children 10
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k
/etc/squid/HTTP.keytab -s HTTP/test-squid-cluster.dyn.zone@
<mailto:HTTP/test-squid-cluster.dyn.zone@> REALM -d -i -r
(We also have LDAP basic auth configured as a fallback which works as
expected but modern Windows clients no longer support basic auth for proxy
servers).
klist -k /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab <FILE://etc/squid/HTTP.keytab>
KVNO Principal
----
--------------------------------------------------------------------------
1 TESTSQUIDCACHE@ <mailto:TESTEXAMSCACHE at ED.AC.UK> REALM
1 TESTSQUIDCACHE@ <mailto:TESTEXAMSCACHE at ED.AC.UK> REALM
1 TESTSQUIDCACHE@ <mailto:TESTEXAMSCACHE at ED.AC.UK> REALM
1 HTTP/test-squid-cache.dyn.zone@
<mailto:HTTP/test-squid-cache.dyn.zone@> REALM
1 HTTP/test-squid-cache.dyn.zone@
<mailto:HTTP/test-squid-cache.dyn.zone@> REALM
1 HTTP/test-squid-cache.dyn.zone@
<mailto:HTTP/test-squid-cache.dyn.zone@> REALM
/etc/hosts
1.2.3.4 server1.cache server1 test-squid-cache.dyn.zone test.squid.cluster
Finally the keytab was generated using msktutil e.g.
msktutil -c -h test-squid-cache.dyn.zone -b
'OU=Managed-Linux,OU=Infrastructure' --computer-name TESTSQUIDCACHE -s
HTTP/test-squid-cache.dyn.zone -k /etc/squid/HTTP.keytab --server
domain.controller --realm REALM --use-service-account --dont-expire-password
--upn HTTP/test-squid-cache.dyn.zone at REALM
<mailto:HTTP/test-squid-cache.dyn.zone at REALM>
This works fairly well/reliably if we use a keytab containing the HTTP/fqdn
of the server itself i.e. HTTP/server1 AND connect using curl using the FQDN
of server1 but we need resiliency and high-availability so having a
single-host service would be a last resort.
Any ideas on where I'm going wrong or what I need to add in terms of
DNS/keytab entries? Also some of the clients attempt to use key versions
which have never been issued e.g. kvno 4?
Kind regards,
Mark
--
/****************************
Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh
Tel: 0131 650 6565
Email: Mark.Cairney at ed.ac.uk <mailto:Mark.Cairney at ed.ac.uk>
*******************************/
The University of Edinburgh is a charitable body, registered in Scotland,
with registration number SC005336.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20250618/71c92602/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 263 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20250618/71c92602/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6737 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20250618/71c92602/attachment-0001.bin>
More information about the squid-users
mailing list