[squid-users] Kerberos AD authentication suddenly stopped working

From: Stefan Dengscherz <stefan.dengscherz_at_gmail.com>
Date: Wed, 22 Dec 2010 07:30:31 +0100

Hello list,

I'm currently running 3.0.STABLE19 on Ubuntu 10 LTS. I have configured
Kerberos AD authentication as in the config examples at
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos (the
"Samba method"). It worked successfully for over half a year, but
yesterday the SSO authentication suddenly stopped working and fell
back to my LDAP authentication scheme.

Here is my authentication section from the squid configuration:

---8<---
# Authentication - SSO via Kerberos & AD
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Authentication - LDAP user lookup against AD when SSO does not work
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "OU=xxx" -D "CN=LDAP Lesebenutzer,OU=Sonderbenutzer,OU=System,OU=xxx" -w "xxx" -f sAMAccountName=%s -h 10.xxx
auth_param basic children 5
auth_param basic realm Automatische Anmeldung fehlgeschlagen - Geben Sie bitte Ihren Windows-Benutzer und -Passwort ein!
auth_param basic credentialsttl 5 minutes
---8<---

After the SSO failure I set squid_kerb_auth to debug mode via the -d
parameter and got the following log entries in cache.log:

2010/12/21 06:49:29| squid_kerb_auth: gss_accept_sec_context() failed:
Unspecified GSS failure. Minor code may provide more information.
2010/12/21 06:49:29| squid_kerb_auth: gss_accept_sec_context() failed:
Unspecified GSS failure. Minor code may provide more information.
2010/12/21 06:49:29| squid_kerb_auth: Got 'YR YIIF9...

After recreating the keytab with

kinit administrator@xxx
export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
net ads keytab CREATE
net ads keytab ADD HTTP
unset KRB5_KTNAME

and restarting Squid everything works fine again.

I think it might be an expired computer account, but FindExpAcc.exe
found nothing. Any hints on where to go further in debugging this
issue, or on how to solve this problem?

Kind regards,

-sd
Received on Wed Dec 22 2010 - 06:30:40 MST
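A check worth running before regenerating the keytab, added here as an example and not part of the original post or of Squid: compare the key version number (kvno) recorded for the HTTP/ principal in Squid's keytab with the kvno the KDC currently puts in service tickets. One common reason for gss_accept_sec_context() failures that clear up after `net ads keytab CREATE` is that the computer account's key was changed on the AD side, so the KDC increments the kvno and issues tickets under a key the old keytab does not hold. The keytab path, proxy FQDN and realm below are assumptions, and the sample `klist -k` listing is constructed so the check can be exercised offline; the `--live` mode runs the real `klist` and `kvno` tools (MIT Kerberos, krb5-user on Ubuntu) and needs a user TGT from `kinit`.

```shell
#!/bin/sh
# Added example, not from the original post: compare the kvno of the
# HTTP/<fqdn> principal held in Squid's keytab against the kvno the KDC
# currently issues. A mismatch means incoming service tickets are
# encrypted under a key the keytab does not have, and squid_kerb_auth
# fails in gss_accept_sec_context() until the keytab is regenerated.
# Keytab path, principal and realm are assumptions.

KEYTAB="${KRB5_KTNAME:-/etc/squid/HTTP.keytab}"

# check_kvno LISTING REPLY
#   LISTING: output of `klist -k "$KEYTAB"` (two header lines, a separator,
#            then lines of the form "   3 HTTP/proxy.example.com@EXAMPLE.COM")
#   REPLY:   output of `kvno HTTP/<fqdn>@REALM`, e.g.
#            "HTTP/proxy.example.com@EXAMPLE.COM: kvno = 4"
# Returns 0 if the keytab holds the issued kvno, 1 on mismatch,
# 2 if the principal is absent from the keytab, 3 if REPLY is unparseable
# (for example an error message from kvno instead of a kvno line).
check_kvno() {
    listing="$1"
    reply="$2"
    # "principal: kvno = N" -> principal is everything before ": ", N is the last field
    principal=$(printf '%s\n' "$reply" | awk -F': ' 'NR == 1 { print $1 }')
    issued=$(printf '%s\n' "$reply" | awk 'NR == 1 { print $NF }')
    case "$issued" in
        ''|*[!0-9]*)
            echo "UNPARSEABLE: $reply"
            return 3 ;;
    esac
    # keytab entries have a numeric kvno in column 1 and the principal in column 2;
    # one principal may appear several times (one entry per enctype, old and new kvno)
    held=$(printf '%s\n' "$listing" \
        | awk -v p="$principal" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' \
        | sort -un)
    if [ -z "$held" ]; then
        echo "MISSING: $principal is not in the keytab"
        return 2
    fi
    for v in $held; do
        if [ "$v" -eq "$issued" ]; then
            echo "OK: keytab kvno $v matches the KDC kvno for $principal"
            return 0
        fi
    done
    echo "MISMATCH: keytab holds kvno $(printf '%s ' $held)for $principal, KDC issues kvno $issued"
    return 1
}

# Live run against the real keytab and KDC (needs klist, kvno and a TGT from kinit):
#   sh kvno_check.sh --live HTTP/proxy.example.com@EXAMPLE.COM
if [ "${1:-}" = "--live" ]; then
    check_kvno "$(klist -k "$KEYTAB")" "$(kvno "$2" 2>&1)"
    exit $?
fi

# Constructed sample listing (not real klist output) for an offline demonstration:
# the keytab still holds kvno 3 while the KDC already issues kvno 4.
SAMPLE_LISTING='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/proxy.example.com@EXAMPLE.COM
   3 host/proxy.example.com@EXAMPLE.COM'

check_kvno "$SAMPLE_LISTING" "HTTP/proxy.example.com@EXAMPLE.COM: kvno = 4" \
    || echo "check returned $?"
```

If the check reports MISMATCH, regenerating the keytab as in the post is the right fix; if it reports MISSING, the `net ads keytab ADD HTTP` step did not write the expected service principal name; and if the live `kvno` call returns an error, the KDC cannot find the principal at all, which points at the computer account rather than the keytab.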

This archive was generated by hypermail 2.2.0 : Thu Dec 23 2010 - 12:00:04 MST