Is your kerberos ticket expired?


erdosain9
Hi.
All is working fine, but I'm having this error in the mail of root

------------------------------------------------------------------------------------------------------------------


From [hidden email]  Tue Oct  3 04:00:02 2017
Return-Path: <[hidden email]>
X-Original-To: root
Delivered-To: [hidden email]
Received: by squid.domain.lan (Postfix, from userid 0)
        id 2581F8066D7F; Tue,  3 Oct 2017 04:00:02 -0300 (ART)
From: "(Cron Daemon)" <[hidden email]>
To: [hidden email]
Subject: Cron <root@squid>  msktutil --auto-update --verbose --computer-name
squidproxy-k | logger -t msktutil > /dev/null
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=666>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=es_AR.UTF-8>
X-Cron-Env: <SHELL=/bin/bash>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <[hidden email]>
Date: Tue,  3 Oct 2017 04:00:02 -0300 (ART)

SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.

From [hidden email]  Wed Oct  4 04:00:02 2017
Return-Path: <[hidden email]>
X-Original-To: root
Delivered-To: [hidden email]
Received: by squid.domain.lan (Postfix, from userid 0)
        id 24EC282EEFD7; Wed,  4 Oct 2017 04:00:02 -0300 (ART)
From: "(Cron Daemon)" <[hidden email]>
To: [hidden email]
Subject: Cron <root@squid>  msktutil --auto-update --verbose --computer-name
squidproxy-k | logger -t msktutil > /dev/null
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=701>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=es_AR.UTF-8>
X-Cron-Env: <SHELL=/bin/bash>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <[hidden email]>
Date: Wed,  4 Oct 2017 04:00:02 -0300 (ART)

SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.

From [hidden email]  Thu Oct  5 04:00:02 2017
Return-Path: <[hidden email]>
X-Original-To: root
Delivered-To: [hidden email]
Received: by squid.domain.lan (Postfix, from userid 0)
        id 9B89F8057477; Thu,  5 Oct 2017 04:00:02 -0300 (ART)
From: "(Cron Daemon)" <[hidden email]>
To: [hidden email]
Subject: Cron <root@squid>  msktutil --auto-update --verbose --computer-name
squidproxy-k | logger -t msktutil > /dev/null
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=736>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=es_AR.UTF-8>
X-Cron-Env: <SHELL=/bin/bash>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <[hidden email]>
Date: Thu,  5 Oct 2017 04:00:02 -0300 (ART)

SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.

----------------------------------------------------------------------------------------------------------------------------

[root@squid network-scripts]# systemctl status squid
● squid.service - Squid Web Proxy Server
   Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor
preset: disabled)
   Active: active (running) since vie 2017-09-22 11:17:42 ART; 1 weeks 5
days ago
     Docs: man:squid(8)
  Process: 25024 ExecStop=/usr/sbin/squidshut.sh (code=exited,
status=0/SUCCESS)
  Process: 14166 ExecReload=/usr/sbin/squid -kreconf (code=exited,
status=0/SUCCESS)
  Process: 25048 ExecStart=/usr/sbin/squid -sYC (code=exited,
status=0/SUCCESS)
  Process: 25046 ExecStartPre=/usr/bin/chown squid.squid /var/run/squid
(code=exited, status=0/SUCCESS)
  Process: 25044 ExecStartPre=/usr/bin/mkdir -p /var/run/squid (code=exited,
status=0/SUCCESS)
 Main PID: 4613 (squid)
   CGroup: /system.slice/squid.service
           ├─ 4613 (squid-1) -sYC
           ├─ 4630 (unlinkd)
           ├─ 4631 diskd 4723716 4723717 4723718
           ├─14169 (logfile-daemon) /var/log/squid/access.log
           ├─14170 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
           ├─14171 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
           ├─14172 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
           ├─14173 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
           ├─14174 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
           ├─14175 (ext_kerberos_ldap_group_acl) -g [hidden email]
           ├─14176 (ext_kerberos_ldap_group_acl) -g [hidden email]
           ├─14177 (ext_kerberos_ldap_group_acl) -g [hidden email]
           ├─14178 (ext_kerberos_ldap_group_acl) -g [hidden email]
           ├─14179 (ext_kerberos_ldap_group_acl) -g [hidden email]
           ├─14180 (ext_kerberos_ldap_group_acl) -g [hidden email]
           ├─14181 (ext_kerberos_ldap_group_acl) -g [hidden email]
           ├─14182 (ext_kerberos_ldap_group_acl) -g [hidden email]
           ├─14183 (ext_kerberos_ldap_group_acl) -g [hidden email]
           ├─14184 (ext_kerberos_ldap_group_acl) -g [hidden email]
           ├─14185 (negotiate_kerberos_auth) -s HTTP/[hidden email]
           ├─14186 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14187 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14188 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14189 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14190 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14194 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14195 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14196 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14208 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14209 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14210 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14211 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14212 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14213 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14214 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14215 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14216 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14217 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14218 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14219 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14220 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14221 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14222 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14223 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14224 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
           ├─14225 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
           ├─14232 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
           ├─14233 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
           ├─14247 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
           ├─14248 (ssl_crtd) -s /var/lib/ssl_db -M 4MB
           ├─14249 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14250 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14251 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14252 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14253 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14254 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           ├─14255 (negotiate_kerberos_auth) -s
HTTP/[hidden email]
           └─25049 /usr/sbin/squid -sYC
oct 05 10:21:21 squid.domain.lan (ext_kerberos_ldap_group_acl)[14175]:
GSSAPI client step 1
oct 05 10:21:21 squid.domain.lan (ext_kerberos_ldap_group_acl)[14175]:
GSSAPI client step 2
oct 05 10:21:42 squid.domain.lan (ext_kerberos_ldap_group_acl)[14180]:
GSSAPI client step 1
oct 05 10:21:42 squid.domain.lan (ext_kerberos_ldap_group_acl)[14180]:
GSSAPI client step 1
oct 05 10:21:42 squid.domain.lan (ext_kerberos_ldap_group_acl)[14180]:
GSSAPI client step 1
oct 05 10:21:42 squid.domain.lan (ext_kerberos_ldap_group_acl)[14180]:
GSSAPI client step 2
oct 05 10:22:41 squid.domain.lan (ext_kerberos_ldap_group_acl)[14180]:
GSSAPI client step 1
oct 05 10:22:41 squid.domain.lan (ext_kerberos_ldap_group_acl)[14180]:
GSSAPI client step 1
oct 05 10:22:41 squid.domain.lan (ext_kerberos_ldap_group_acl)[14180]:
GSSAPI client step 1
oct 05 10:22:41 squid.domain.lan (ext_kerberos_ldap_group_acl)[14180]:
GSSAPI client step 2


------------------------------------------------------------------------------------------------------------------------------------------------------

[root@squid mail]# squidclient mgr:info
HTTP/1.1 200 OK
Server: squid/3.5.20
Mime-Version: 1.0
Date: Thu, 05 Oct 2017 14:12:50 GMT
Content-Type: text/plain;charset=utf-8
Expires: Thu, 05 Oct 2017 14:12:50 GMT
Last-Modified: Thu, 05 Oct 2017 14:12:50 GMT
X-Cache: MISS from squid.domain.lan
X-Cache-Lookup: MISS from squid.domain.lan:3128
Connection: close

Squid Object Cache: Version 3.5.20
Build Info:
Service Name: squid
Start Time: Fri, 29 Sep 2017 15:29:16 GMT
Current Time: Thu, 05 Oct 2017 14:12:50 GMT
Connection information for squid:
        Number of clients accessing cache: 77
        Number of HTTP requests received: 3517870
        Number of ICP messages received: 0
        Number of ICP messages sent: 0
        Number of queued ICP replies: 0
        Number of HTCP messages received: 0
        Number of HTCP messages sent: 0
        Request failure ratio: 0.00
        Average HTTP requests per minute since start: 410.8
        Average ICP messages per minute since start: 0.0
        Select loop called: 105232451 times, 4.883 ms avg
Cache information for squid:
        Hits as % of all requests: 5min: 4.0%, 60min: 7.4%
        Hits as % of bytes sent: 5min: 14.3%, 60min: 15.7%
        Memory hits as % of hit requests: 5min: 33.1%, 60min: 35.3%
        Disk hits as % of hit requests: 5min: 24.6%, 60min: 32.5%
        Storage Swap size: 13824016 KB
        Storage Swap capacity: 90.0% used, 10.0% free
        Storage Mem size: 507084 KB
        Storage Mem capacity: 99.0% used,  1.0% free
        Mean Object Size: 24.56 KB
        Requests given to unlinkd: 3941
Median Service Times (seconds)  5 min    60 min:
        HTTP Requests (All):   0.08265  0.15048
        Cache Misses:          0.24524  0.24524
        Cache Hits:            0.00678  0.00919
        Near Hits:             0.14252  0.16775
        Not-Modified Replies:  0.00000  0.00286
        DNS Lookups:           0.01269  0.02809
        ICP Queries:           0.00000  0.00000
Resource usage for squid:
        UP Time: 513813.916 seconds
        CPU Time: 23337.602 seconds
        CPU Usage: 4.54%
        CPU Usage, 5 minute avg: 20.31%
        CPU Usage, 60 minute avg: 20.81%
        Maximum Resident Size: 6920992 KB
        Page faults with physical i/o: 1572
Memory accounted for:
        Total accounted:       690414 KB
        memPoolAlloc calls: 800654584
        memPoolFree calls:  816579303
File descriptor usage for squid:
        Maximum number of file descriptors:   16384
        Largest file desc currently in use:    822
        Number of file desc currently in use:  643
        Files queued for open:                   0
        Available number of file descriptors: 15741
        Reserved number of file descriptors:   100
        Store Disk files open:                   0
Internal Data Structures:
        563484 StoreEntries
         25823 StoreEntries with MemObjects
         25488 Hot Object Cache Items
        562973 on-disk objects




_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Is your kerberos ticket expired?

Amos Jeffries
Administrator
On 06/10/17 03:16, erdosain9 wrote:
> Hi.
> All is working fine, but I'm having this error in the mail of root
>
> ------------------------------------------------------------------------------------------------------------------
>
>
>  From [hidden email]  Tue Oct  3 04:00:02 2017
...
>
> SASL/GSSAPI authentication started
> Error: ldap_sasl_interactive_bind_s failed (Local error)
> Error: ldap_connect failed
> --> Is your kerberos ticket expired? You might try re-"kinit"ing.
>


This is not a Squid problem. It sounds like you have set up your machine
with a dynamically changing Kerberos account.

Please see the documentation for the tools you are using to set up and
manage Kerberos on that machine.

Or perhaps try following the suggestion in that email to replace the
keytab manually.


Amos

Re: Is your kerberos ticket expired?

dijxie
In reply to this post by erdosain9
On 05.10.2017 at 16:16, erdosain9 wrote:

> Hi.
> All is working fine, but I'm having this error in the mail of root
>
> ------------------------------------------------------------------------------------------------------------------
>
>
>  From [hidden email]  Tue Oct  3 04:00:02 2017
> Return-Path: <[hidden email]>
> X-Original-To: root
> Delivered-To: [hidden email]
> Received: by squid.domain.lan (Postfix, from userid 0)
> id 2581F8066D7F; Tue,  3 Oct 2017 04:00:02 -0300 (ART)
> From: "(Cron Daemon)" <[hidden email]>
> To: [hidden email]
> Subject: Cron <root@squid>  msktutil --auto-update --verbose --computer-name
> squidproxy-k | logger -t msktutil > /dev/null
> Content-Type: text/plain; charset=UTF-8
> Auto-Submitted: auto-generated
> Precedence: bulk
> X-Cron-Env: <XDG_SESSION_ID=666>
> X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
> X-Cron-Env: <LANG=es_AR.UTF-8>
> X-Cron-Env: <SHELL=/bin/bash>
> X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
> X-Cron-Env: <MAILTO=root>
> X-Cron-Env: <HOME=/root>
> X-Cron-Env: <LOGNAME=root>
> X-Cron-Env: <USER=root>
> Message-Id: <[hidden email]>
> Date: Tue,  3 Oct 2017 04:00:02 -0300 (ART)
>
> SASL/GSSAPI authentication started
> Error: ldap_sasl_interactive_bind_s failed (Local error)
> Error: ldap_connect failed
> --> Is your kerberos ticket expired? You might try re-"kinit"ing.
>
>  From [hidden email]  Wed Oct  4 04:00:02 2017
> Return-Path: <[hidden email]>
> X-Original-To: root
> Delivered-To: [hidden email]
> Received: by squid.domain.lan (Postfix, from userid 0)
> id 24EC282EEFD7; Wed,  4 Oct 2017 04:00:02 -0300 (ART)
> From: "(Cron Daemon)" <[hidden email]>
> To: [hidden email]
> Subject: Cron <root@squid>  msktutil --auto-update --verbose --computer-name
> squidproxy-k | logger -t msktutil > /dev/null
> Content-Type: text/plain; charset=UTF-8
> Auto-Submitted: auto-generated
> Precedence: bulk
> X-Cron-Env: <XDG_SESSION_ID=701>
> X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
> X-Cron-Env: <LANG=es_AR.UTF-8>
> X-Cron-Env: <SHELL=/bin/bash>
> X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
> X-Cron-Env: <MAILTO=root>
> X-Cron-Env: <HOME=/root>
> X-Cron-Env: <LOGNAME=root>
> X-Cron-Env: <USER=root>
> Message-Id: <[hidden email]>
> Date: Wed,  4 Oct 2017 04:00:02 -0300 (ART)
>
> SASL/GSSAPI authentication started
> Error: ldap_sasl_interactive_bind_s failed (Local error)
> Error: ldap_connect failed
> --> Is your kerberos ticket expired? You might try re-"kinit"ing.
>
>  From [hidden email]  Thu Oct  5 04:00:02 2017
> Return-Path: <[hidden email]>
> X-Original-To: root
> Delivered-To: [hidden email]
> Received: by squid.domain.lan (Postfix, from userid 0)
> id 9B89F8057477; Thu,  5 Oct 2017 04:00:02 -0300 (ART)
> From: "(Cron Daemon)" <[hidden email]>
> To: [hidden email]
> Subject: Cron <root@squid>  msktutil --auto-update --verbose --computer-name
> squidproxy-k | logger -t msktutil > /dev/null
> Content-Type: text/plain; charset=UTF-8
> Auto-Submitted: auto-generated
> Precedence: bulk
> X-Cron-Env: <XDG_SESSION_ID=736>
> X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
> X-Cron-Env: <LANG=es_AR.UTF-8>
> X-Cron-Env: <SHELL=/bin/bash>
> X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
> X-Cron-Env: <MAILTO=root>
> X-Cron-Env: <HOME=/root>
> X-Cron-Env: <LOGNAME=root>
> X-Cron-Env: <USER=root>
> Message-Id: <[hidden email]>
> Date: Thu,  5 Oct 2017 04:00:02 -0300 (ART)
>
> SASL/GSSAPI authentication started
> Error: ldap_sasl_interactive_bind_s failed (Local error)
> Error: ldap_connect failed
> --> Is your kerberos ticket expired? You might try re-"kinit"ing.
>
> ----------------------------------------------------------------------------------------------------------------------------
>
> [root@squid network-scripts]# systemctl status squid
> ● squid.service - Squid Web Proxy Server
>     Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor
> preset: disabled)
>     Active: active (running) since vie 2017-09-22 11:17:42 ART; 1 weeks 5
> days ago
>       Docs: man:squid(8)

<cut>

If you are using sssd (default in RHEL, CentOS) you might be partially
affected by this bug:

https://bugs.freedesktop.org/show_bug.cgi?id=100118

Be aware that sssd updates the AD domain password (every 28 days AFAIR);
you might want to disable it. If you have winbind installed, check wbinfo -tP

--
Greets, Dijx

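The two replies above point at an account password that changes underneath the keytab. As an added example (not part of the thread, and not code from Squid, msktutil or sssd), this script compares the newest KVNO stored in a keytab with the KVNO the KDC currently issues for the same principal. The realm DOMAIN.LAN, the keytab path and the sample outputs are constructed assumptions.

```shell
#!/bin/sh
# Added example: detect a keytab that has fallen behind the KDC after a
# machine-account password change. Sample text below is constructed.

# keytab_max_kvno PRINCIPAL: reads `klist -k` output on stdin and prints
# the highest KVNO stored for PRINCIPAL (prints nothing if it is absent).
keytab_max_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $NF == p {
            if (!seen || $1 + 0 > max) max = $1 + 0
            seen = 1
        }
        END { if (seen) print max }'
}

# kdc_kvno PRINCIPAL: reads `kvno` output on stdin, which has the form
# "<principal>: kvno = N", and prints N.
kdc_kvno() {
    awk -v p="$1" 'index($0, p ": kvno = ") == 1 { print $NF }'
}

# check_keytab PRINCIPAL KLIST_TEXT KVNO_TEXT
# Prints OK, STALE, AHEAD, MISSING or UNKNOWN; returns 0 only for OK.
check_keytab() {
    kt=$(printf '%s\n' "$2" | keytab_max_kvno "$1")
    kdc=$(printf '%s\n' "$3" | kdc_kvno "$1")
    if [ -z "$kt" ]; then echo "MISSING"; return 1; fi
    if [ -z "$kdc" ]; then echo "UNKNOWN"; return 1; fi
    if [ "$kt" -eq "$kdc" ]; then echo "OK"; return 0; fi
    if [ "$kt" -lt "$kdc" ]; then
        echo "STALE keytab=$kt kdc=$kdc"   # password changed, keytab did not
    else
        echo "AHEAD keytab=$kt kdc=$kdc"   # keytab newer than this KDC reports
    fi
    return 1
}

# Constructed sample input (realm and path are assumptions).
SAMPLE_PRINC='HTTP/squid.domain.lan@DOMAIN.LAN'
SAMPLE_KLIST='Keytab name: FILE:/path/to/PROXY.keytab
KVNO Principal
---- --------------------------------------------------
   2 HTTP/squid.domain.lan@DOMAIN.LAN
   3 HTTP/squid.domain.lan@DOMAIN.LAN
   3 host/squid.domain.lan@DOMAIN.LAN'
SAMPLE_KVNO='HTTP/squid.domain.lan@DOMAIN.LAN: kvno = 4'

check_keytab "$SAMPLE_PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO" || :

# Live use, with a valid ticket already in the credential cache:
#   check_keytab "$P" "$(klist -k "$KEYTAB")" "$(kvno "$P")"
```

A STALE result means the account's key was changed on the directory side without this keytab being rewritten, which is the situation a second password-rotating service creates.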

Re: Is your kerberos ticket expired?

erdosain9
In reply to this post by Amos Jeffries
Hi.
I follow this guide

https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

But I don't know where to put this:

Add the following configuration to /etc/default/squid3

KRB5_KTNAME=/etc/squid3/PROXY.keytab
export KRB5_KTNAME

I don't have that file /etc/default/squid3

Squid is installed on CentOS 7.

/usr/lib/systemd/system/squid.service


[Unit]
Description=Squid Web Proxy Server
Documentation=man:squid(8)
After=network.target

[Service]
Type=forking
LimitNOFILE=16384
PIDFile=/var/run/squid.pid
ExecStartPre=/usr/bin/mkdir -p /var/run/squid
ExecStartPre=/usr/bin/chown squid.squid /var/run/squid
ExecStart=/usr/sbin/squid -sYC
ExecReload=/usr/sbin/squid -kreconf
ExecStop=/usr/sbin/squidshut.sh
TimeoutStopSec=36
KillMode=none


[Install]
WantedBy=multi-user.target

Thanks to all.

Re: Is your kerberos ticket expired?

erdosain9
Sorry, I found where:
/etc/sysconfig/squid

And it was good, I already have that config, so I don't know why it is failing.


