Re: Squid 4.15 on FreeBSD 12.2 Stable - Kerberos helper issues

Thanks Amos.
I have recreated the keytab and it is back working, although I will need to better investigate the root cause of it.
I will check the expiration time as you mentioned.

Thanks once again!
Fabricio.

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Amos Jeffries
Sent: Saturday, May 21, 2022 2:50 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Squid 4.15 on FreeBSD 12.2 Stable - Kerberos helper issues

On 21/05/22 04:51, Suporte - Konntrol wrote:
> Hello everyone,
> 
> Greetings.
> 
> I got a strange situation with my SQUID 4.1 (FreeBSD 12.2 Stable 
> environment).
> 
> Everything was working fine with Kerberos configuration and suddenly 
> it stopped with the following error:
> 
> ==> /var/squid/logs/cache.log <==
> 
> negotiate_kerberos_auth.cc(182): pid=85679 :2022/05/20 13:35:43|
> negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: No 
> credentials were supplied, or the credentials were unavailable or 
> inaccessible. No principal in keytab matches desired name
> 
> 2022/05/20 13:35:43| negotiate_kerberos_auth: INFO: User not 
> authenticated
> 
> Judging by the “No principal in keytab matches desired name” message, 
> I went immediately to the AD object to check if it was really missing 
> the Principal entry.
> 
> To my surprise, everything is there. (talking about the 
> HTTP/fqdn@REALM entry).

That error message has a lot of parts.  Check the debug trace to see if you can find out what that "desired name" is for that lookup. It may be something odd going on there.

Also, notice the character cases. Sometimes it matters, so best to make sure they always line up.


> 
> Also, I checked the contents of my keytab, which looks OK, as it 
> contains the HTTP/server01.mydomain.corp@xxxxxxxxxxxxx entry as well.
> 
> Additionally, I checked the DNS configuration for the PTR and Reverse 
> entries. It looks OK as well.
> 
> I have used “net ads join 
> createupn=HTTP/server01.mydomain.corp@xxxxxxxxxxxxx -k” commands to Join 
> the Squid machine to Domain, and “net ads keytab create -k” to create a 
> keytab.
> 
> Also, used the command “net ads keytab add HTTP” to add the HTTP entry 
> to the keytab.
>
...
> 
> As I mentioned, that was working for months, then stopped.
> 

IME, this type of sudden delayed breakage usually occurs when there is 
some validity period associated with the credentials in the keytab (or 
domain controller which created it). There is a disclaimer in the wiki 
about the "net ads" under some conditions adding an expiry time.

<https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab>

Rebuilding the keytab with kinit and msktutil may fix it for you.


HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
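As an added illustration of the two checks suggested above (does the keytab hold the helper's "desired name", and does the character case line up), here is a small Python script that parses a constructed `klist -kt` listing and classifies the match. It is not code from the thread or from the Squid project; the keytab path, the principal names and the realm MYDOMAIN.CORP are made-up sample values.

```python
"""Check whether a keytab listing contains the principal a Kerberos helper
will ask for, distinguishing an exact match from a case-only mismatch.

Added example, not from the squid-users thread. SAMPLE_KLIST is a
constructed sample in the layout printed by MIT `klist -kt`.
"""
import re

# Constructed sample of `klist -kt /etc/squid/squid.keytab` output. The
# last entry deliberately differs only in case from the expected name.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   5 05/20/2021 13:35:43 host/server01.mydomain.corp@MYDOMAIN.CORP
   5 05/20/2021 13:35:43 HTTP/server01.mydomain.corp@MYDOMAIN.CORP
   4 01/02/2021 09:00:00 http/Server01.mydomain.corp@MYDOMAIN.CORP
"""

# kvno, "date time" timestamp, principal; header and ruler lines do not match
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)$")


def parse_klist(text):
    """Return a list of (kvno, timestamp, principal) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_principal(entries, desired):
    """Classify how `desired` (e.g. HTTP/fqdn@REALM) matches the keytab.

    Returns 'exact', 'case-mismatch' or 'missing'. Kerberos compares
    principal names byte for byte, so a case-only difference still yields
    "No principal in keytab matches desired name" at the helper.
    """
    names = [principal for _, _, principal in entries]
    if desired in names:
        return "exact"
    if desired.lower() in (n.lower() for n in names):
        return "case-mismatch"
    return "missing"


if __name__ == "__main__":
    keytab = parse_klist(SAMPLE_KLIST)
    for name in ("HTTP/server01.mydomain.corp@MYDOMAIN.CORP",
                 "HTTP/SERVER01.MYDOMAIN.CORP@MYDOMAIN.CORP"):
        print(name, "->", check_principal(keytab, name))
```

Feed it the real `klist -kt` output and the desired name taken from the helper's debug trace to see which of the three cases applies.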