Re: [squid-users] Re: Kerberos AD authentication suddenly stopped working

From: Stefan Dengscherz <stefan.dengscherz_at_gmail.com>
Date: Thu, 23 Dec 2010 07:06:49 +0100

Hello list, Markus,

thanks for your hint; this is also described in the Wiki entry - I
have only used Samba to create the keytab. It is not running as a
daemon here.

However I think I've found the (fairly trivial) problem... There was
an issue with the ESX host/Storage the Linux Squid was running on,
stalling the machines for like half an hour. So the clock skew was too
great for Kerberos authentication to work properly.

I found this out while trying to generate a new keytab:

root_at_lxsv05:~# kinit Administrator_at_xxx
Password for Administrator_at_xxx:
kinit: Clock skew too great while getting initial credentials

Kind regards,

-sd

2010/12/22 Markus Moeller <huaraz_at_moeller.plus.com>:
> Is it possible that you run a samba daemon like winbindd? If samba is
> fully configured it will emulate a Windows desktop/server and changes on a
> regular basis the machine password which is used for the Kerberos key. So
> if the machine password is changed the key in the keytab will be invalid.
>
> Markus
>
> "Stefan Dengscherz" <stefan.dengscherz_at_gmail.com> wrote in message
> news:AANLkTinigrQMF-sup6YjsHKVh3LcW2HJ3xWWg9yHXx85_at_mail.gmail.com...
>>
>> Hello list,
>>
>>
>> I'm currently running 3.0.STABLE19 on Ubuntu 10 LTS. I have configured
>> Kerberos AD authentication as in the config examples at
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos (the
>> "Samba method"). It successfully worked for over half a year but
>> suddenly the SSO authentication stopped working yesterday and fell
>> back to my LDAP authentication schema.
>>
>> Here is my authentication section from the squid configuration:
>>
>> ---8<---
>> # Authentication - SSO via Kerberos & AD
>> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>>
>> # Authentication - LDAP user lookup against AD, if SSO does not work
>> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b
>> "OU=xxx" -D "CN=LDAP Lesebenutzer,OU=Sonderbenutzer,OU=System,OU=xxx"
>> -w "xxx" -f sAMAccountName=%s -h 10.xxx
>> auth_param basic children 5
>> auth_param basic realm Automatische Anmeldung fehlgeschlagen - Geben
>> Sie bitte Ihren Windows-Benutzer und -Passwort ein!
>> auth_param basic credentialsttl 5 minutes
>> ---8<---
>>
>> After the SSO failed, I set squid_kerb_auth to debug mode via the -d
>> parameter and got the following log entries in cache.log:
>>
>> 2010/12/21 06:49:29| squid_kerb_auth: gss_accept_sec_context() failed:
>> Unspecified GSS failure.  Minor code may provide more information.
>> 2010/12/21 06:49:29| squid_kerb_auth: gss_accept_sec_context() failed:
>> Unspecified GSS failure.  Minor code may provide more information.
>> 2010/12/21 06:49:29| squid_kerb_auth: Got 'YR YIIF9...
>>
>> After recreating the keytab with
>>
>> kinit administrator_at_xxx
>> export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
>> net ads keytab CREATE
>> net ads keytab ADD HTTP
>> unset KRB5_KTNAME
>>
>> and restarting Squid everything works fine again.
>>
>> I think it might be an expired computer account, but FindExpAcc.exe
>> found nothing. Any hints on where to go further in debugging this
>> issue here, or any hints on how to solve this problem?
>>
>>
>> Kind regards,
>>
>> -sd
>>
>
>
>
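As an added example that is not part of this thread or of Squid/Samba: a small Python reader for the MIT keytab format (version 0x0502) that lists each entry's principal, kvno, enctype and write time, so a keytab produced by `net ads keytab` can be checked for the expected HTTP/ principal and for entries older than the periodic machine-password change Markus describes. The realm EXAMPLE.COM, the host name lxsv05.example.com, the all-zero key bytes and the 30-day age threshold are constructed assumptions.

```python
import struct

# Constructed sample helper: builds one keytab entry in MIT 0x0502 layout so the
# script runs offline. Enctype 18 is aes256-cts-hmac-sha1-96; key bytes are dummy.
def build_entry(principal, realm, kvno, enctype, key, timestamp):
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # NT_PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                           # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

def _octets(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return a list of dicts (principal, kvno, enctype, timestamp) from keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                        # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _octets(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _octets(data, off)
            comps.append(c)
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen                    # skip name_type/time/vno8, keyblock header, key
        (kvno,) = struct.unpack_from(">I", data, off) if end - off >= 4 else (vno8,)
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "timestamp": ts})
        off = end
    return entries

def stale_entries(entries, now, max_age_days=30):
    """Entries written more than max_age_days ago (30 days is an assumed rotation period)."""
    return [e for e in entries if now - e["timestamp"] > max_age_days * 86400]

NOW = 1293084409   # constructed: the message date, 2010-12-23 06:06:49 UTC
SAMPLE = (b"\x05\x02"
          + build_entry("HTTP/lxsv05.example.com", "EXAMPLE.COM", 3, 18, bytes(32), NOW - 2 * 86400)
          + build_entry("lxsv05$", "EXAMPLE.COM", 2, 18, bytes(32), NOW - 60 * 86400))
```

Running `parse_keytab(open("/etc/squid/HTTP.keytab", "rb").read())` on a real file replaces the constructed SAMPLE; an HTTP/ entry whose kvno no longer matches the account's current key version is exactly what recreating the keytab fixes.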
Received on Thu Dec 23 2010 - 06:06:58 MST

This archive was generated by hypermail 2.2.0 : Thu Dec 23 2010 - 12:00:04 MST