Hello, didn't you change the password on the account? If you change the password, you should recreate the keytab.
Marek

Tue 24. 5. 2022 at 14:23 Suporte - Konntrol <supo...@konntrol.com.br> wrote:

> Thanks Amos.
> I have recreated the keytab and it is back working, although I will need
> to better investigate the root cause of it.
> I will check the expiration time as you mentioned.
>
> Thanks once again!
> Fabricio.
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Amos Jeffries
> Sent: Saturday, May 21, 2022 2:50 AM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 4.15 on FreeBSD 12.2 Stable - Kerberos
> helper issues
>
> On 21/05/22 04:51, Suporte - Konntrol wrote:
> > Hello everyone,
> >
> > Greetings.
> >
> > I got a strange situation with my SQUID 4.1 (FreeBSD 12.2 Stable
> > environment).
> >
> > Everything was working fine with Kerberos configuration and suddenly
> > it stopped with the following error:
> >
> > ==> /var/squid/logs/cache.log <==
> >
> > negotiate_kerberos_auth.cc(182): pid=85679 :2022/05/20 13:35:43|
> > negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: No
> > credentials were supplied, or the credentials were unavailable or
> > inaccessible. No principal in keytab matches desired name
> >
> > 2022/05/20 13:35:43| negotiate_kerberos_auth: INFO: User not
> > authenticated
> >
> > Judging by the “No principal in keytab matches desired name” message,
> > I went immediately to the AD object to check if it was really missing
> > the Principal entry.
> >
> > To my surprise, everything is there. (talking about the
> > HTTP/fqdn@REALM entry).
>
> That error message has a lot of parts. Check the debug trace to see if
> you can find out what that "desired name" is for that lookup. It may be
> something odd going on there.
>
> Also, notice the character cases. Sometimes it matters, so best to make
> sure they always line up.
>
> >
> > Also, I checked the contents of my keytab, which looks OK, as it
> > contains the HTTP/server01.mydomain.c...@mydomain.corp entry as well.
> >
> > Additionally, I checked the DNS configuration for the PTR and Reverse
> > entries. It looks OK as well.
> >
> > I have used “net ads join
> > createupn=HTTP/server01.mydomain.c...@mydomain.corp -k” commands to Join
> > the Squid machine to Domain, and “net ads keytab create -k” to create a
> > keytab.
> >
> > Also, used the command “net ads keytab add HTTP” to add the HTTP entry
> > to the keytab.
> >
> ...
> >
> > As I mentioned, that was working for months, then stopped.
> >
>
> IME, this type of sudden delayed breakage usually occurs when there is
> some validity period associated with the credentials in the keytab (or
> domain controller which created it). There is a disclaimer in the wiki
> about the "net ads" under some conditions adding an expiry time.
>
> <https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab>
>
> Rebuilding the keytab with kinit and msktutil may fix it for you.
>
>
> HTH
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
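An added example, not code from this thread or from the Squid project: a minimal reader for the keytab file format (version 0x0502) that lists each stored principal with its kvno and write timestamp, then classifies a lookup for a "desired name" as an exact match, a case-only mismatch, or missing, which are the checks suggested in the quoted replies. The host and realm names and the sample keytab are constructed, and exact case-sensitive comparison is an assumption about how the matching library compares names.

```python
import struct

def build_entry(principal, realm, kvno, ts=1653000000):
    """Build one keytab entry with a dummy all-zero key (constructed test data)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    # name type, timestamp, 8-bit kvno, enctype 18 (aes256), key length, key
    body += struct.pack(">IIBHH", 1, ts, kvno & 0xFF, 18, 32) + bytes(32)
    body += struct.pack(">I", kvno)                  # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body

def _cstr(buf, p):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(principal@REALM, kvno, enctype, timestamp)] for a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, parts = pos + 2, []
        for _ in range(ncomp + 1):     # realm first, then the name components
            s, p = _cstr(data, p)
            parts.append(s)
        _ntype, ts, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen
        if end - p >= 4:               # a non-zero 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype, ts))
        pos = end
    return out

def check_desired(entries, desired):
    """Classify a lookup for `desired`, assuming exact (case-sensitive) matching."""
    if any(e[0] == desired for e in entries):
        return "match"
    near = sorted({e[0] for e in entries if e[0].lower() == desired.lower()})
    return "case-mismatch: " + ", ".join(near) if near else "missing"

# Constructed sample keytab: one HTTP service entry with kvno 3.
SAMPLE = b"\x05\x02" + build_entry("HTTP/server01.example.test", "EXAMPLE.TEST", 3)
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_keytab` and compare the listed names, character for character, with the desired name shown in the helper's debug trace.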