Is it possible that you run a samba daemon like winbindd ? If samba is
fully configured it will emulate a Windows desktop/server and changes on a
regular basis the machine password which is used for the Kerberos key. So
if the machine password is changed the key in the keytab will be invalid.
Markus
"Stefan Dengscherz" <stefan.dengscherz@xxxxxxxxx> wrote in message
news:AANLkTinigrQMF-sup6YjsHKVh3LcW2HJ3xWWg9yHXx85@xxxxxxxxxxxxxxxxx
Hello list,
I'm currently running 3.0.STABLE19 on Ubuntu 10 LTS. I have configured
Kerberos AD authentication as in the config examples at
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos (the
"Samba method"). It successfully worked for over half a year but
suddenly the SSO authentication stopped working yesterday and fell
back to my LDAP authentication schema.
Here is my authentication section from the squid configuration:
---8<---
# Authentication - SSO via Kerberos & AD
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
# Authentication - LDAP user lookup in AD when SSO does not work
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b
"OU=xxx" -D "CN=LDAP Lesebenutzer,OU=Sonderbenutzer,OU=System,OU=xxx"
-w "xxx" -f sAMAccountName=%s -h 10.xxx
auth_param basic children 5
auth_param basic realm Automatische Anmeldung fehlgeschlagen - Geben
Sie bitte Ihren Windows-Benutzer und -Passwort ein!
auth_param basic credentialsttl 5 minutes
---8<---
After the SSO failed, I set squid_kerb_auth to debug mode via the -d
parameter and got the following log entries in cache.log:
2010/12/21 06:49:29| squid_kerb_auth: gss_accept_sec_context() failed:
Unspecified GSS failure. Minor code may provide more information.
2010/12/21 06:49:29| squid_kerb_auth: gss_accept_sec_context() failed:
Unspecified GSS failure. Minor code may provide more information.
2010/12/21 06:49:29| squid_kerb_auth: Got 'YR YIIF9...
After recreating the keytab with
kinit administrator@xxx
export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
net ads keytab CREATE
net ads keytab ADD HTTP
unset KRB5_KTNAME
and restarting Squid everything works fine again.
I think it might be an expired computer account, but FindExpAcc.exe
found nothing. Any hints on where to go further in debugging this
issue here, or any hints on how to solve this problem?
Kind regards,
-sd
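The diagnosis in the reply above is that the AD machine password (and with it the key version number, kvno, of the HTTP service principal) was rotated while /etc/squid/HTTP.keytab still held the old key, which is exactly what the gss_accept_sec_context() failure looks like and why re-running "net ads keytab CREATE" fixed it. The check a defender wants is "does the keytab contain an entry whose kvno matches what the KDC currently issues?". The following is an added example, not code from this thread or from Squid or Samba: it parses a keytab file in the MIT/Heimdal 0x0502 format (the same data klist -kt shows) and compares the kvnos found against the current kvno, which you obtain separately, for instance with the MIT "kvno HTTP/proxy.example.com" tool or by reading the msDS-KeyVersionNumber attribute of the computer account. The principal name, timestamps, enctype numbers and zero-filled keys in the embedded sample keytab are constructed for the example.

```python
import struct
import sys
from typing import List, NamedTuple, Optional, Tuple


class KeytabEntry(NamedTuple):
    principal: str   # e.g. HTTP/proxy.example.com@EXAMPLE.COM
    kvno: int        # key version number; must match what the KDC issues
    timestamp: int   # unix time the entry was written
    enctype: int     # RFC 3961 enctype number (18 = aes256-cts, 23 = rc4-hmac)
    key: bytes


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a keytab file (format version 0x0502) into its entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    off = 2
    entries: List[KeytabEntry] = []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        # name_type, timestamp and the 8-bit kvno come next
        (_name_type, timestamp, vno8) = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, kvno, timestamp, enctype, key))
    return entries


def check_kvno(entries: List[KeytabEntry], principal: str,
               current_kvno: int) -> Tuple[str, Optional[int]]:
    """Return ("ok"|"stale"|"missing", highest kvno present for principal)."""
    kvnos = [e.kvno for e in entries if e.principal == principal]
    if not kvnos:
        return "missing", None
    return ("ok" if current_kvno in kvnos else "stale"), max(kvnos)


def _build_entry(principal: str, kvno: int, timestamp: int,
                 enctype: int, key: bytes) -> bytes:
    """Serialise one keytab entry; used only to construct the sample below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # KRB5_NT_PRINCIPAL
    body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: a keytab holding kvno 3 (rc4-hmac) and kvno 4 (aes256) keys.
SAMPLE_PRINCIPAL = "HTTP/proxy.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _build_entry(SAMPLE_PRINCIPAL, 3, 1270000000, 23, b"\x00" * 16)
                 + _build_entry(SAMPLE_PRINCIPAL, 4, 1285000000, 18, b"\x00" * 32))


if __name__ == "__main__":
    # usage: keytab_check.py [/etc/squid/HTTP.keytab] [principal] [current_kvno]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    principal = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_PRINCIPAL
    current = int(sys.argv[3]) if len(sys.argv) > 3 else 4
    entries = parse_keytab(data)
    for e in entries:
        print(f"{e.kvno:>3} {e.timestamp} {e.principal} enctype={e.enctype}")
    print(check_kvno(entries, principal, current))
```

A "stale" result (the KDC's kvno is higher than anything in the keytab) is the signature of the machine-password rotation described in the reply, and the remedy is the keytab refresh Stefan already used; "missing" means the HTTP principal was never added to the keytab at all. Parsing the file directly also lets you alert on this from a cron job without relying on parsing klist output.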