Hello list, Markus,

thanks for your hint; this is also described in the Wiki entry - I only have used Samba to create the keytab. It is not running as a daemon here.

However I think I've found the (fairly trivial) problem... There was an issue with the ESX host/Storage the Linux Squid was running on, stalling the machines for like half an hour. So the clock skew was too great for Kerberos authentication to work properly. I found this out while trying to generate a new keytab:

root@lxsv05:~# kinit Administrator@xxx
Password for Administrator@xxx:
kinit: Clock skew too great while getting initial credentials

Kind regards,

-sd

2010/12/22 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
> Is it possible that you run a samba daemon like winbindd ? If samba is
> fully configured it will emulate a Windows desktop/server and changes on a
> regular basis the machine password which is used for the Kerberos key. So
> if the machine password is changed the key in the keytab will be invalid.
>
> Markus
>
> "Stefan Dengscherz" <stefan.dengscherz@xxxxxxxxx> wrote in message
> news:AANLkTinigrQMF-sup6YjsHKVh3LcW2HJ3xWWg9yHXx85@xxxxxxxxxxxxxxxxx
>>
>> Hello list,
>>
>>
>> I'm currently running 3.0.STABLE19 on Ubuntu 10 LTS. I have configured
>> Kerberos AD authentication as in the config examples at
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos (the
>> "Samba method"). It successfully worked for over half a year but
>> suddenly the SSO authentication stopped working yesterday and fell
>> back to my LDAP authentication schema.
>>
>> Here is my authentication section from the squid configuration:
>>
>> ---8<---
>> # Authentication - SSO via Kerberos & AD
>> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>>
>> # Authentication - LDAP user lookup against AD, if SSO does not work
>> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b
>> "OU=xxx" -D "CN=LDAP Lesebenutzer,OU=Sonderbenutzer,OU=System,OU=xxx"
>> -w "xxx" -f sAMAccountName=%s -h 10.xxx
>> auth_param basic children 5
>> auth_param basic realm Automatische Anmeldung fehlgeschlagen - Geben
>> Sie bitte Ihren Windows-Benutzer und -Passwort ein!
>> auth_param basic credentialsttl 5 minutes
>> ---8<---
>>
>> After the SSO failing I set squid_kerb_auth to debug mode via the -d
>> parameter and got the following log entries in cache.log:
>>
>> 2010/12/21 06:49:29| squid_kerb_auth: gss_accept_sec_context() failed:
>> Unspecified GSS failure. Minor code may provide more information.
>> 2010/12/21 06:49:29| squid_kerb_auth: gss_accept_sec_context() failed:
>> Unspecified GSS failure. Minor code may provide more information.
>> 2010/12/21 06:49:29| squid_kerb_auth: Got 'YR YIIF9...
>>
>> After recreating the keytab with
>>
>> kinit administrator@xxx
>> export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
>> net ads keytab CREATE
>> net ads keytab ADD HTTP
>> unset KRB5_KTNAME
>>
>> and restarting Squid everything works fine again.
>>
>> I think it might be an expired computer account, but FindExpAcc.exe
>> found nothing. Any hints on where to go further in debugging this
>> issue here, or any hints on how to solve this problem?
>>
>>
>> Kind regards,
>>
>> -sd
>>
>
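
Added example, not part of the original thread or of Squid: a check for the failure mode found above, computing the clock offset from one SNTP reply and comparing it with the Kerberos skew tolerance. It assumes the MIT krb5 default `clockskew` of 300 seconds; the function names and the sample reply (a time source 30 minutes ahead) are constructed for illustration.

```python
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
KRB5_DEFAULT_CLOCKSKEW = 300   # seconds; assumed MIT krb5 default for "clockskew"


def _ntp_ts(packet, pos):
    """Decode the 64-bit NTP timestamp at byte `pos` into Unix seconds."""
    secs, frac = struct.unpack_from("!II", packet, pos)
    return secs - NTP_EPOCH_DELTA + frac / 2**32


def clock_offset(reply, t1, t4):
    """Server clock minus local clock, in seconds, from one SNTP exchange.

    t1 / t4 are the local send / receive times (Unix seconds).
    """
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    if reply[0] & 0x07 != 4 or reply[1] == 0:
        raise ValueError("not a usable server reply (mode/stratum)")
    t2 = _ntp_ts(reply, 32)   # server receive timestamp
    t3 = _ntp_ts(reply, 40)   # server transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2


def kerberos_skew_ok(offset, limit=KRB5_DEFAULT_CLOCKSKEW):
    """True if the offset is within the Kerberos clock-skew tolerance."""
    return abs(offset) <= limit


def build_reply(server_unix_time):
    """Constructed sample reply: LI=0, VN=3, mode=4 (server), stratum 2."""
    pkt = bytearray(48)
    pkt[0], pkt[1] = (3 << 3) | 4, 2
    secs = int(server_unix_time) + NTP_EPOCH_DELTA
    struct.pack_into("!II", pkt, 32, secs, 0)
    struct.pack_into("!II", pkt, 40, secs, 0)
    return bytes(pkt)


if __name__ == "__main__":
    local = 1292914169.0                 # constructed local clock reading
    reply = build_reply(local + 1800)    # time source is 30 minutes ahead
    off = clock_offset(reply, t1=local, t4=local + 0.02)
    print(f"offset {off:+.2f}s, within Kerberos tolerance: {kerberos_skew_ok(off)}")
```

Run periodically on the proxy host against the same time source the KDC uses, a check like this flags the drift before `gss_accept_sec_context()` starts failing with an unspecific GSS error.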