[squid-users] Re: Keytab client not found in kerberos database

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 3 Jan 2014 13:31:20 -0000

Hi Sarfraz,

    You didn't say which helper you are running and with which options. The
message you get should have nothing to do with authentication but with
authorisation (if you use kerberos_ldap_group). You may get a similar
message on the Windows client as part of the Kerberos exchange in the TGS
reply.

  Can you do an AD search for an entry with
userprincipalname=HTTP/squidkhi1.mailserver.mcb.com.pk ?

  What encryption types do you get when running klist -ekt <squid.keytab>?
2008 may require AES (if you check the wiki
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos you will
see how to create a keytab for 2008).

Regards
Markus

"***some text missing***" wrote in message
news:1388753727.91771.YahooMailNeo_at_web162406.mail.bf1.yahoo.com...

Hello Markus,

Thank you for your reply. As suggested, below are the results of klist -kt.

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com.pk@MAILSERVER.MCB.COM.PK
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com.pk@MAILSERVER.MCB.COM.PK
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com.pk@MAILSERVER.MCB.COM.PK

One thing to add, maybe it helps!! I am facing this problem after
raising the Forest and Domain functional level to 2008; before this, user
authentication was working fine.

Regards,
Sarfraz

----- Original Message -----
From: Markus Moeller <huaraz_at_moeller.plus.com>
To: squid-users_at_squid-cache.org
Cc:
Sent: Friday, January 3, 2014 5:35 PM
Subject: [squid-users] Re: Keytab client not found in kerberos database

Hi Sarfraz,

  Which helpers do you run? The message you see is most probably from the
kerberos_ldap_group helper and means that when the helper tries to
authenticate to AD, the AD entry with an attribute
userprincipalname=HTTP/<squid-fqdn> cannot be found.

squid-fqdn being the name you have in your squid keytab ( You can check
with klist -kt <squid.keytab> if you use MIT or ktutil -k <squid.keytab>
list for Heimdal).

Markus

"***some text missing***" wrote in message
news:1388733659.571.YahooMailNeo_at_web162403.mail.bf1.yahoo.com...

Hi,

Today I am having an error in squid cache.log: "error while initialising
credentials from keytab client not found in kerberos database squid". My
clients that are authenticating through Active Directory fail to browse the
internet; on the other hand, IP-based access is working fine. Please help to
resolve this error. Thanks.

Regards,
Sarfraz
Received on Fri Jan 03 2014 - 13:31:51 MST
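
The two checks suggested in this thread (which encryption types the keytab holds, and which userPrincipalName to look for in AD) can be scripted; the following is an added example, not code from the thread or from the Squid project. It assumes MIT `klist -ekt` output, and the sample listing, host name and realm are constructed placeholders.

```python
import re

# Constructed sample of MIT `klist -ekt` output; principal/realm are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 10/26/10 17:44:45 HTTP/proxy.example.test@EXAMPLE.TEST (des-cbc-crc)
   2 10/26/10 17:44:45 HTTP/proxy.example.test@EXAMPLE.TEST (des-cbc-md5)
   2 10/26/10 17:44:45 HTTP/proxy.example.test@EXAMPLE.TEST (arcfour-hmac)
"""

# KVNO, date, time, principal, optional "(enctype)". The \s+ before the
# principal also matches a newline, so listings wrapped by a mail client parse.
ENTRY = re.compile(
    r"^\s*(\d+)\s+\S+ \S+\s+(\S+@\S+)(?:[ \t]+\(([^)]+)\))?", re.MULTILINE)


def ldap_escape(value):
    """Escape a value for use in an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def parse_keytab_listing(text):
    """Return a list of (kvno, principal, enctype or None) tuples."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in ENTRY.finditer(text)]


def audit_keytab(text):
    """Per principal: enctypes seen, whether any is AES, and the AD filter."""
    seen = {}
    for _kvno, principal, enctype in parse_keytab_listing(text):
        encs = seen.setdefault(principal, set())
        if enctype:  # absent when klist was run without -e
            encs.add(enctype.lower().replace("deprecated:", ""))
    report = {}
    for principal, encs in seen.items():
        service = principal.split("@", 1)[0]  # HTTP/<squid-fqdn>, realm dropped
        report[principal] = {
            "enctypes": sorted(encs),
            "has_aes": any(e.startswith("aes") for e in encs),
            "ldap_filter": "(userPrincipalName=%s)" % ldap_escape(service),
        }
    return report


if __name__ == "__main__":
    for principal, info in audit_keytab(SAMPLE_KLIST).items():
        print(principal, info)
```

In practice the listing would come from running `klist -ekt` against the Squid keytab, and the printed filter is the one to use for the AD search.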
