[squid-users] Squid 4.15 on FreeBSD 12.2 Stable - Kerberos helper issues

Fri, 20 May 2022 09:51:58 -0700 

Hello everyone,

Greetings.

 

I got a strange situation with my SQUID 4.1 (FreeBSD 12.2 Stable
environment).

Everything was working fine with Kerberos configuration and suddenly it
stopped with the following error:

 

==> /var/squid/logs/cache.log <==

negotiate_kerberos_auth.cc(182): pid=85679 :2022/05/20 13:35:43|
negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: No credentials
were supplied, or the credentials were unavailable or inaccessible. No
principal in keytab matches desired name

2022/05/20 13:35:43| negotiate_kerberos_auth: INFO: User not authenticated

 

Judging by the "No principal in keytab matches desired name" message, I went
immediately to the AD object to check if it was really missing the Principal
entry.

To my surprise, everything is there. (talking about the HTTP/fqdn@REALM
entry).

Also, I checked the contents of my keytab, which looks OK, as it contains
the HTTP/server01.mydomain.c...@mydomain.corp entry as well.

Additionally, I checked the DNS configuration for the PTR and Reverse
entries. It looks OK as well.

 

I have used "net ads join
createupn=HTTP/server01.mydomain.c...@mydomain.corp -k" commands to Join the
Squid machine to Domain, and "net ads keytab create -k" to create a keytab.

Also, used the command "net ads keytab add HTTP" to add the HTTP entry to
the keytab.

 

This is the config used on SQUID for Kerberos:

 

auth_param negotiate program
/usr/local/libexec/squid/negotiate_kerberos_auth -d -i -s
HTTP/server01.mydomain.c...@mydomain.corp
<mailto:HTTP/server01.mydomain.c...@mydomain.corp>  

auth_param negotiate children 20 startup=10 idle=5

auth_param negotiate keep_alive off

 

As I mentioned, that was working for months, then stopped.

 

Are you guys aware of any Windows Update who may broke the Kerberos
integration?

 

I have "Windows Server 2022 AD" and "WINDOWS 11" clients, working with
"FreeBSD + SQUID + Kerberos Auth helper"

 

Any help is very welcome!

 

Thanks!

 

Fabricio.

 

 


_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Reply via email to