Fixing Kerberos Authentication Errors in Squid with Active Directory
To effectively troubleshoot Kerberos problems in Squid, enable detailed logging. In squid.conf, add:
debug_options ALL,1 33,2 28,2 50,2 # authentication, ACL, DNS
Sections: 33 — authentication, 28 — ACL, 50 — DNS, 84 — external ACL helpers. Levels range from 0 (critical errors) to 9 (full dump).
Configure log output:
access_log stdio:/opt/squid/var/log/squid/access.log
cache_log stdio:/opt/squid/var/log/squid/cache.log
This captures GSS-API and Negotiate authentication details for analysis.
'Bad Encryption Type' Error in GSS
Log shows:
ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message=gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Bad encryption type }}
Cause: Client-side TGS tickets are cached using an outdated key, which Squid cannot decrypt.
Fix Steps on PDC Emulator
- Identify the PDC emulator:
Get-ADDomain | Select-Object PDCEmulator
- Check and remove old SPNs:
setspn -L squid
setspn -D HTTP/testSquidPc.domain.ru userAD
- Reset the
userADpassword in Active Directory.
- Generate a new keytab:
ktpass /princ HTTP/[email protected] /mapuser [email protected] /crypto ALL /ptype KRB5_NT_PRINCIPAL /pass password /out C:\squid.keytab
- Force replication:
repadmin /syncall /AdeP
On the Squid Server
systemctl stop squid
chown proxy:proxy /opt/squid/etc/squid.keytab
chmod 600 /opt/squid/etc/squid.keytab
klist -kte /opt/squid/etc/squid.keytab
On the Client
klist purge
Restart Squid with systemctl start squid. This bypasses the typical 10–24 hour replication delay.
'Service Key Not Available' Error
Log entry:
ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message=gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Service key not available }}
Common causes:
- Mismatched KVNO (Key Version Number) between AD and keytab.
- SPN mismatch (FQDN vs short name).
Check KVNO
On Squid:
klist -kte /opt/squid/etc/squid.keytab
Output displays KVNO, etype, and principal.
On Domain Controller (PowerShell):
Get-ADUser -Identity "userAD" -Properties msDS-KeyVersionNumber | Select-Object msDS-KeyVersionNumber
When running ktpass, use /vno <number> to align KVNOs.
Test the Keytab
sudo -u proxy kinit -kt /opt/squid/etc/squid.keytab HTTP/testSquidPc.domain.ru
Success means no output; issues likely stem from Squid helper startup.
Common etype values in keytab:
- aes256-cts-hmac-sha1-96
- aes128-cts-hmac-sha1-96
- arcfour-hmac (legacy)
Configure Encryption in krb5.conf
For 'Bad encryption type' errors, synchronize enctypes in /etc/krb5.conf:
[libdefaults]
default_tgs_enctypes = aes256-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96
Avoid allow_weak_crypto = true. Specify exact AES types only. Verify keytab does not contain deprecated DES or RC4.
ICMP Pinger Error
Log:
pinger| Open icmp_sock: (1) Operation not permitted
ERROR: Unable to start ICMP pinger.
FATAL: Unable to open any ICMP sockets.
Solution: Grant raw socket permissions:
setcap cap_net_raw+ep /opt/squid/libexec/pinger
Restart Squid.
Key Takeaways
- Enable
debug_options 33,2for deep authentication tracing. - Sync KVNO between keytab and AD using
ktpass /vnoandrepadmin /syncall. - Clear client tickets with
klist purge. - Set
/etc/krb5.confto use AES256; disable weak crypto. - For ICMP: run
setcap cap_net_raw+epon the pinger binary.
— Editorial Team
No comments yet.