[squid-users] squid_kerb_ldap -> "Error while initialising credentials from keytab"

From: Tom Tux <tomtux80_at_gmail.com>
Date: Wed, 30 Jun 2010 09:51:47 +0200

Hi

I'm trying to authenticate our clients with squid_kerb_ldap against
our AD. There exists a global group called "Internet". My squid.conf
looks like this:

auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN
/usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g Internet
acl inetAccess external SQUID_KERB_LDAP
http_access allow inetAccess

My "klist -k" looks like this:
proxy-test-01:/usr/local/squid_kerb_ldap/bin # klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/proxy-test-01.xx.yy_at_XX.YY
   4 host/proxy-test-01.xx.yy_at_XX.YY
   4 host/proxy-test-01.xx.yy_at_XX.YY
   4 host/proxy-test-01_at_XX.YY
   4 host/proxy-test-01_at_XX.YY
   4 host/proxy-test-01_at_XX.YY
   4 PROXY-TEST-01$@XX.YY
   4 PROXY-TEST-01$@XX.YY
   4 PROXY-TEST-01$@XX.YY
   4 HTTP/proxy-test-01.xx.yy_at_XX.YY
   4 HTTP/proxy-test-01.xx.yy_at_XX.YY
   4 HTTP/proxy-test-01.xx.yy_at_XX.YY
   4 HTTP/proxy-test-01_at_XX.YY
   4 HTTP/proxy-test-01_at_XX.YY
   4 HTTP/proxy-test-01_at_XX.YY
   5 proxy-test-01$@XX.YY
   5 proxy-test-01$@XX.YY
   5 proxy-test-01$@XX.YY
   5 HTTP/proxy-test-01.xx.yy_at_XX.YY
   5 HTTP/proxy-test-01.xx.yy_at_XX.YY
   5 HTTP/proxy-test-01.xx.yy_at_XX.YY
   5 HTTP/proxy-test-01_at_XX.YY
   5 HTTP/proxy-test-01_at_XX.YY
   5 HTTP/proxy-test-01_at_XX.YY
   5 host/proxy-test-01.xx.yy_at_XX.YY
   5 host/proxy-test-01.xx.yy_at_XX.YY
   5 host/proxy-test-01.xx.yy_at_XX.YY

Without squid_kerb_ldap, internet access is working fine. With the
helper, I got the following errors in the cache.log:
2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER_at_XX.YY authenticated
2010/06/30 09:45:48| squid_kerb_ldap: Got User: TESTUSER Domain: XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: User domain loop: group_at_domain
Internet_at_NULL
2010/06/30 09:45:48| squid_kerb_ldap: Default domain loop:
group_at_domain Internet_at_NULL
2010/06/30 09:45:48| squid_kerb_ldap: Default group loop: group_at_domain
Internet_at_NULL
2010/06/30 09:45:48| squid_kerb_ldap: Found group_at_domain Internet_at_NULL
2010/06/30 09:45:48| squid_kerb_ldap: Setup Kerberos credential cache
2010/06/30 09:45:48| squid_kerb_ldap: Get default keytab file name
2010/06/30 09:45:48| squid_kerb_ldap: Got default keytab file name
/etc/krb5.keytab
2010/06/30 09:45:48| squid_kerb_ldap: Get principal name from keytab
/etc/krb5.keytab
2010/06/30 09:45:48| squid_kerb_ldap: Keytab entry has realm name: XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: Found principal name:
host/proxy-test-01.xx.yy_at_XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: Set credential cache to
MEMORY:squid_ldap_22001
2010/06/30 09:45:48| squid_kerb_ldap: Got principal name
host/proxy-test-01.xx.yy_at_XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising
credentials from keytab : Client not found in Kerberos database
2010/06/30 09:45:48| squid_kerb_ldap: Error during setup of Kerberos
credential cache
2010/06/30 09:45:48| squid_kerb_ldap: User TESTUSER is not member of
group_at_domain Internet_at_NULL
2010/06/30 09:45:48| squid_kerb_ldap: ERR
2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER_at_XX.YY authenticated

What could this be? The user "testuser" is a member of the AD group "Internet".
Thanks a lot.
Tom
Received on Wed Jun 30 2010 - 07:51:56 MDT
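An added diagnostic script, not from the post or from squid_kerb_ldap itself, that cross-checks the two artefacts above: it parses a `klist -k` listing and the helper's "Got principal name" log line, then reports whether the principal the helper picked is in the keytab, whether that principal carries more than one KVNO, and whether case-variant machine-account principals coexist. The keytab and log excerpts are constructed from the post, shortened and with `@` in place of the archive's `_at_`.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the klist -k listing in the post (abbreviated).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   4 host/proxy-test-01.xx.yy@XX.YY
   4 PROXY-TEST-01$@XX.YY
   4 HTTP/proxy-test-01.xx.yy@XX.YY
   5 proxy-test-01$@XX.YY
   5 HTTP/proxy-test-01.xx.yy@XX.YY
   5 host/proxy-test-01.xx.yy@XX.YY
"""

# Constructed sample of the two relevant cache.log lines from the post.
CACHE_LOG = """\
2010/06/30 09:45:48| squid_kerb_ldap: Got principal name host/proxy-test-01.xx.yy@XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising credentials from keytab : Client not found in Kerberos database
"""

def parse_keytab(text):
    """Map each principal in 'klist -k' output to the set of KVNOs it appears with."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)$", line)   # skips the header and ruler lines
        if m:
            entries[m.group(2)].add(int(m.group(1)))
    return dict(entries)

def helper_principal(log):
    """Extract the principal squid_kerb_ldap reports it selected from the keytab."""
    m = re.search(r"Got principal name (\S+)", log)
    return m.group(1) if m else None

def keytab_findings(keytab, chosen):
    """Return human-readable observations a defender would verify before touching AD."""
    findings = []
    if chosen not in keytab:
        findings.append(f"helper principal {chosen} is not in the keytab")
    elif len(keytab[chosen]) > 1:
        findings.append(f"{chosen} has several KVNOs {sorted(keytab[chosen])}: old entries still present")
    by_case = defaultdict(set)                     # group principals that differ only by case
    for p in keytab:
        by_case[p.lower()].add(p)
    for variants in by_case.values():
        if len(variants) > 1:
            findings.append("case-variant principals coexist: " + ", ".join(sorted(variants)))
    return findings

if __name__ == "__main__":
    for f in keytab_findings(parse_keytab(KLIST_OUTPUT), helper_principal(CACHE_LOG)):
        print(f)
```

Run it against the real `klist -k` output and cache.log on the proxy to see which of these conditions apply before changing keytab or account settings.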