CentOS 7, Squid 3.5.

Squid cannot find the keytab file, which is located in the /etc/squid/proxy.keytab directory. The cache.log text is:

    negotiate_kerberos_auth.cc(487): pid=10259 :2018/07/10 16:48:02| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
    2018/07/10 16:48:02 kid1| Starting new negotiateauthenticator helpers...
    2018/07/10 16:48:02 kid1| helperOpenServers: Starting 1/10 'negotiate_kerberos_auth' processes
    negotiate_kerberos_auth.cc(546): pid=10258 :2018/07/10 16:48:02| negotiate_kerberos_auth: INFO: Setting keytab to FILE:/etc/krb5.keytab
    negotiate_kerberos_auth.cc(75): pid=10258 :2018/07/10 16:48:02| negotiate_kerberos_auth: ERROR: krb5_kt_start_seq_get failed: Key table file '/etc/krb5.keytab' not found
    2018/07/10 16:48:02| negotiate_kerberos_auth: ERROR: krb5_kt_start_seq_get: Key table file '/etc/krb5.keytab' not found
    negotiate_kerberos_auth.cc(75): pid=10258 :2018/07/10 16:48:02| negotiate_kerberos_auth: ERROR: krb5_read_keytab failed: Key table file '/etc/krb5.keytab' not found
    2018/07/10 16:48:02| negotiate_kerberos_auth: ERROR: krb5_read_keytab: Key table file '/etc/krb5.keytab' not found
    negotiate_kerberos_auth.cc(556): pid=10258 :2018/07/10 16:48:02| negotiate_kerberos_auth: ERROR: Reading keytab FILE:/etc/krb5.keytab into list failed

I.e., how do I tell Squid which file to look for? You can of course put the file in /etc as krb5.keytab, but still? Thanks.

  • I apologize, but I don’t see proxy.keytab mentioned in the quoted part of the log - Justicet
  • Well, yes, Squid is looking for it in /etc/krb5.keytab - Slaine
  • We need to reconsider the sample configuration files: what do they say? - Justicet
  • Justicet, figured it out: it was necessary to fix krb5.conf. - Slaine
  • So that's great! As always, be more attentive to the examples in .confs and everything will be fine ;-) - Justicet

2 answers

For these settings there is a special file: /etc/sysconfig/squid.

You need to add the following to it:

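    # disable the Kerberos replay cache for the helper processes
    KRB5RCACHETYPE=none
    export KRB5RCACHETYPE
    # keytab that the Kerberos library opens for Squid only
    KRB5_KTNAME=/etc/squid/proxy.keytab
    export KRB5_KTNAME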

Editing the "system-wide" krb5.conf file for one service is not very good. What if you have to bring up another Kerberos service on this server that reads the Squid keytab?

  • > What if you have to bring up another Kerberos service on this server that reads the Squid keytab? I also thought about it. Thanks. - Slaine

In krb5.conf you need to add the entry

    default_keytab_name = /etc/squid/proxy.keytab

Then it will look for the file there.
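A check covering both answers above, as an added example that is not part of either answer: it works out which keytab the helper will open (MIT krb5 tries KRB5_KTNAME first, then default_keytab_name in krb5.conf, then the /etc/krb5.keytab seen in the log) and flags a keytab that other users can access, since the file holds the service's long-term key. The function names are hypothetical, and the krb5.conf parsing is simplified to a line match that does not track sections.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from Squid or krb5.

# resolve_keytab ENVFILE KRB5CONF -> prints the keytab path that will be used
resolve_keytab() {
    envfile=$1; conf=$2; kt=""
    if [ -r "$envfile" ]; then
        # last KRB5_KTNAME=... assignment wins; "export KRB5_KTNAME=..." is accepted too
        kt=$(sed -n -e 's/^[[:space:]]*export[[:space:]][[:space:]]*//' \
                    -e 's/^[[:space:]]*KRB5_KTNAME=//p' "$envfile" | tail -n 1)
    fi
    if [ -z "$kt" ] && [ -r "$conf" ]; then
        # simplified: matches the key anywhere, without tracking [libdefaults]
        kt=$(sed -n 's/^[[:space:]]*default_keytab_name[[:space:]]*=[[:space:]]*//p' \
             "$conf" | tail -n 1)
    fi
    # built-in default, the path the helper reported in cache.log
    [ -n "$kt" ] || kt=/etc/krb5.keytab
    # strip optional quotes, the FILE: type prefix and trailing blanks
    printf '%s\n' "$kt" | tr -d "\"'" | sed -e 's/^FILE://' -e 's/[[:space:]]*$//'
}

# check_keytab PATH -> 0 if the file exists and "other" has no access,
#                      1 if it is missing, 2 if its mode is too loose
check_keytab() {
    kt=$1
    if [ ! -f "$kt" ]; then
        echo "MISSING $kt"
        return 1
    fi
    # characters 8-10 of the ls mode string are the permissions for "other"
    other=$(ls -ld "$kt" | cut -c8-10)
    if [ "$other" = "---" ]; then
        echo "OK $kt"
        return 0
    fi
    echo "LOOSE $kt (other: $other)"
    return 2
}

# Usage on the proxy host:
#   check_keytab "$(resolve_keytab /etc/sysconfig/squid /etc/krb5.conf)"
```

A keytab owned by root with the squid group and mode 640 passes the check; 644 is reported as LOOSE.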