[squid-users] Re: Kerberos AD authentication suddenly stopped working

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 22 Dec 2010 20:10:52 -0000

Is it possible that you run a samba daemon like winbindd? If samba is
fully configured it will emulate a Windows desktop/server and changes the
machine password, which is used for the Kerberos key, on a regular basis. So
if the machine password is changed the key in the keytab will be invalid.

Markus

"Stefan Dengscherz" <stefan.dengscherz_at_gmail.com> wrote in message
news:AANLkTinigrQMF-sup6YjsHKVh3LcW2HJ3xWWg9yHXx85_at_mail.gmail.com...
> Hello list,
>
>
> I'm currently running 3.0.STABLE19 on Ubuntu 10 LTS. I have configured
> Kerberos AD authentication as in the config examples at
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos (the
> "Samba method"). It successfully worked for over half a year but
> suddenly the SSO authentication stopped working yesterday and fell
> back to my LDAP authentication schema.
>
> Here is my authentication section from the squid configuration:
>
> ---8<---
> # Authentication - SSO via Kerberos & AD
> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
>
> # Authentication - LDAP user lookup against AD when SSO does not work
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b
> "OU=xxx" -D "CN=LDAP Lesebenutzer,OU=Sonderbenutzer,OU=System,OU=xxx"
> -w "xxx" -f sAMAccountName=%s -h 10.xxx
> auth_param basic children 5
> auth_param basic realm Automatische Anmeldung fehlgeschlagen - Geben
> Sie bitte Ihren Windows-Benutzer und -Passwort ein!
> auth_param basic credentialsttl 5 minutes
> ---8<---
>
> After the SSO failed I set squid_kerb_auth to debug mode via the -d
> parameter and got the following log entries in cache.log:
>
> 2010/12/21 06:49:29| squid_kerb_auth: gss_accept_sec_context() failed:
> Unspecified GSS failure. Minor code may provide more information.
> 2010/12/21 06:49:29| squid_kerb_auth: gss_accept_sec_context() failed:
> Unspecified GSS failure. Minor code may provide more information.
> 2010/12/21 06:49:29| squid_kerb_auth: Got 'YR YIIF9...
>
> After recreating the keytab with
>
> kinit administrator_at_xxx
> export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
> net ads keytab CREATE
> net ads keytab ADD HTTP
> unset KRB5_KTNAME
>
> and restarting Squid everything works fine again.
>
> I think it might be an expired computer account, but FindExpAcc.exe
> found nothing. Any hints on where to go further in debugging this
> issue here, or any hints on how to solve this problem?
>
>
> Kind regards,
>
> -sd
>
Received on Wed Dec 22 2010 - 20:11:29 MST
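A check that follows from Markus's explanation, added here and not part of the thread: compare the key version number (kvno) stored in Squid's HTTP keytab with the kvno the KDC now reports for the service principal, since a machine password change bumps the kvno on the DC and leaves the old keytab key unable to decrypt client tickets. The realm EXAMPLE.COM, the host proxy.example.com and the sample klist/kvno outputs are constructed assumptions; on a live proxy the kvno command needs a valid TGT (kinit) first.

```shell
#!/bin/sh
# Added example, not code from the thread. Detects a stale Squid HTTP keytab by
# comparing the kvno it holds with the kvno the KDC reports. Realm EXAMPLE.COM
# and host proxy.example.com are assumed; the two sample outputs are constructed
# to look like `klist -ke` and `kvno` output.

PRINCIPAL='HTTP/proxy.example.com@EXAMPLE.COM'

# Constructed sample of `klist -ke /etc/squid/HTTP.keytab`
KEYTAB_LISTING='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/proxy.example.com@EXAMPLE.COM (arcfour-hmac)
   5 HTTP/proxy.example.com@EXAMPLE.COM (des-cbc-crc)'

# Constructed sample of `kvno HTTP/proxy.example.com` after a password rotation
KVNO_OUTPUT='HTTP/proxy.example.com@EXAMPLE.COM: kvno = 6'

# keytab_kvno LISTING PRINCIPAL: highest kvno the keytab holds for PRINCIPAL
# (0 when the principal is absent); header and separator lines are skipped
keytab_kvno() {
  printf '%s\n' "$1" |
    awk -v p="$2" '$2 == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > max) max = $1 + 0 } END { print max + 0 }'
}

# kdc_kvno KVNO_OUTPUT: kvno the KDC reports for the principal
kdc_kvno() {
  printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# keytab_is_stale LISTING KVNO_OUTPUT PRINCIPAL: succeeds when the keytab is behind
keytab_is_stale() {
  kt=$(keytab_kvno "$1" "$3")
  kdc=$(kdc_kvno "$2")
  [ "$kt" -lt "$kdc" ]
}

# Stand-alone run on the constructed samples; on a live proxy pass
# "$(klist -ke /etc/squid/HTTP.keytab)" and "$(kvno "${PRINCIPAL%@*}")" instead.
if keytab_is_stale "$KEYTAB_LISTING" "$KVNO_OUTPUT" "$PRINCIPAL"; then
  echo "STALE: keytab kvno $(keytab_kvno "$KEYTAB_LISTING" "$PRINCIPAL") < KDC kvno $(kdc_kvno "$KVNO_OUTPUT"); re-run 'net ads keytab CREATE' and 'net ads keytab ADD HTTP'"
else
  echo "OK: keytab kvno matches the KDC"
fi
```

The quickest live probe without any parsing is `kinit -k -t /etc/squid/HTTP.keytab HTTP/proxy.example.com`, which fails as soon as the keytab key no longer matches the account's current password.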