On Mon, Jan 11, 2016 at 09:06:27PM +1300, Amos Jeffries wrote: > On 11/01/2016 2:48 p.m., LYMN wrote: > > > > I did manage to get this working, you did mention the correct solution > > right down the end of your message. > > > > Correct for you yes. That can happen when making half-blind guesses at > what the problem actually is based on partial information. It might have > been any of the issues mentioned or any of the solutions mentioned. > Others in future may find differently depending on what they have mucked > up or payed around with before asking. > Yes, correct for me. It indeed could be one or more of the suggestions that were made. Kerberos errors are such fun to debug made more so by multiple problems causing the same error message. I have had a situation where I had a few different problems and it wasn't until I had sorted them all that the error message went away but it is so unsettling to get the same error after you have made a change that you are sure makes things correct. > > On Thu, Jan 07, 2016 at 09:37:46AM +0100, L.P.H. van Belle wrote: > >> Hai, > >> > >> > >> Few things to check. > >> > >> /etc/krb5.keytab should have rights 600 (root:root) > >> > > > > And this was the problem but it should not, in my case, be as you > > stated. In fact, /etc/krb5.keytab needed to have rights 640 with > > ownership root:nobody. This is because the kerberos authenticator runs > > as the user nobody and needs access to the keytab. I am not so sure I > > like this situation because this does mean the nobody user now has > > access to the machine kerberos keys not just the ones for the http SPN. > > "nobody" is the default low-privileged user account unless you build > Squid with the --with-default-user=X - in which cases it will default to > the "X" account. > > You can also configure "cache_effective_user X" in squid.conf to > override the default if your Squid was built with one you dont want to use. > Yes. I think you have clarified the point that I was trying to make which was the user/group used may depend on your configuration or squid build. -- Brett Lymn This email has been sent on behalf of one of the following companies within the BAE Systems Australia group of companies: BAE Systems Australia Limited - Australian Company Number 008 423 005 BAE Systems Australia Defence Pty Limited - Australian Company Number 006 870 846 BAE Systems Australia Logistics Pty Limited - Australian Company Number 086 228 864 Our registered office is Evans Building, Taranaki Road, Edinburgh Parks, Edinburgh, South Australia, 5111. If the identity of the sending company is not clear from the content of this email please contact the sender. This email and any attachments may contain confidential and legally privileged information. If you are not the intended recipient, do not copy or disclose its content, but please reply to this email immediately and highlight the error to the sender and then immediately delete the message. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users