Debug Squid Kerberos authentication

In case the Kerberos Squid authentication does not work, here are some basic tests.

Check filesystem permissions

The user proxy must be able to access the keytab file /var/lib/samba/private/http-proxy-$(hostname).keytab.

Check the keytab

root@master431:~# kinit --keytab=/var/lib/samba/private/http-proxy-$(hostname).keytab HTTP/$(hostname -f)
root@master431:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: HTTP/master431.deadlock43.intranet@DEADLOCK43.INTRANET

  Issued                Expires               Principal
Mar 14 18:35:18 2018  Mar 15 04:35:18 2018  krbtgt/DEADLOCK43.INTRANET@DEADLOCK43.INTRANET
root@master431:~# 

Maybe the behaviour changed here:

root@slave-sun:~# kinit --keytab=/var/lib/samba/private/http-proxy-$(hostname).keytab http-proxy-$(hostname)
root@slave-sun:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: http-proxy-slave-sun@SCHEIN.ME

  Issued                Expires               Principal
Aug 16 17:12:27 2019  Aug 17 03:12:27 2019  krbtgt/SCHEIN.ME@SCHEIN.ME

If you get a password incorrect here:

root@master:~# kinit --keytab=/var/lib/samba/private/http-proxy-$(hostname).keytab http-proxy-$(hostname)
kinit: Password incorrect
  • You can try to rerun the joinscript:
    univention-run-join-scripts --force --run-scripts 98univention-squid-samba4.inst
    If this is not working with:
ERR: (Failed to update keytab from entry samAccountName=http-proxy-slave-sun,CN=Principals in /var/lib/samba/private/secrets.ldb: No saltPrincipal provided) on transaction commit
Modify failed after processing 1 records
  • You can recreate the the keytab
root@master:~/univention-support# keytab=/var/lib/samba/private/http-proxy-$(hostname).keytab
root@master:~/univention-support# mv $keytab $keytab.$(date '+%Y%m%d%H%M%S')

samba-tool domain exportkeytab $keytab --principal HTTP/$(hostname).$(ucr get domainname)
kinit --keytab=/var/lib/samba/private/http-proxy-$(hostname).keytab http-proxy-$(hostname)

samba-tool domain exportkeytab $keytab --principal http-proxy-$(hostname)

service squid restart

or an other option, you delete the http-proxy-$(hostname) user

root@slave-sun:~# udm users/user delete --dn=uid=http-proxy-slave-sun,cn=users,$(ucr get ldap/base)

and also delete it from samba:

root@slave-sun:~# ldbdel -H /var/lib/samba/private/secrets.ldb samAccountName=http-proxy-slave-sun,CN=Principals

Then everthing shoulb re recreated with running

root@slave-sun:~# univention-run-join-scripts --force --run-scripts 98univention-squid-samba4.inst
root@slave-sun:~# service squid restart

If you get an unknown enctype

kinit: krb5_init_creds_set_keytab: Failed to find http-proxy-slave-sun@SCHEIN.ME in keytab FILE:/var/lib/samba/private/http-proxy-slave-sun.keytab (unknown enctype)

You should also recreate the keytab with the samba-tool command above

Check the KRB5_KTNAME configuration

root@master431:~# grep KRB5_KTNAME /etc/default/squid 
KRB5_KTNAME="/var/lib/samba/private/http-proxy-master431.keytab"
export KRB5_KTNAME
root@master431:~# 

Is the UCR variable squid/krb5auth set to yes?

root@master431:~# ucr get squid/krb5auth
yes
root@master431:~# 

Perform a manual kerberos logon at squid

First, as testuser:

$ su - testuser
$ kinit
 → Enter password
$ /usr/lib/squid/negotiate_kerberos_auth_test $(hostname -f)
  → then you should get something like 'Token: .....'.
$ exit

Afterwards, as root:

$ KRB5_KTNAME=/var/lib/samba/private/http-proxy-$(hostname).keytab
$ export KRB5_KTNAME
$ /usr/lib/squid/negotiate_kerberos_auth -d
 → then please enter "YR " followed by the token
 → press \<CTRL\>-D

For example:

root@master431:~# su - stefan
stefan@master431:~$ kinit
stefan@DEADLOCK43.INTRANET's Password: 
stefan@master431:~$ /usr/lib/squid/negotiate_kerberos_auth_test $(hostname -f)
Token: YIIFfQYGKwYBBQUCoIIFcTCCBW2gDTALBgkqhkiG9xIBAgKiggVaBIIFVmCCBVIGCSqGSIb3EgECAgEAboIFQTCCBT2gAwIBBaEDAgEOogcDBQAAAAAAo4IEYGGCBFwwggRYoAMCAQWhFRsTREVBRExPQ0s0My5JTlRSQU5FVKIwMC6gAwIBA6EnMCUbBEhUVFAbHW1hc3RlcjQzMS5kZWFkbG9jazQzLmludHJhbmV0o4IEBjCCBAKgAwIBF6EDAgECooID9ASCA/B9QQMGHijl8fEk2XZfzz+dRLe5han0FvCdAojPZNT73MVIZM5d23hiHQWyDqDOC4oiNqamjggUgXBYLHs1/06HVz3rZ44pn6Grc/dxS6BdxJerzYr7kRaa/X3/Ef/RFx2OknpcpGfRhaG2czP/qxpwyTML26qWxPRSLvB0PRJJlS/45JmqgVQwKNYYxwkeU7zlB3cQ7JMFipvDQDqwiiWcFibwKSk/8HwDBvj3Jm7v86hLIivqzxmZX3de9LAoRdpXRltFflAit15ih9bO8Q0oOPmCiv2CEcUeW0AnJa6N970jryZZhIGKAqaMRdBGwUvBWqcJwL0D/KJsFH5Qf554LSh+/4wjiyeNNq7TKmr/IPEQ9PyR1/GQmAEJuCGT796U3hGHRhdULncSP1m57AvfZzb5xZe/YDcBoxEuwkpaiqd/nAOOYXpjxvoXoaVgnPGmYQ6ZXh+kxl1vZ6PuC5sCvxge/R1j8k1KSg7ONPWdRJXg5kVkw2lvncnIcR2DPMIs9oSvt+UirWxNYyLPtoxmlaKyrBOESmdh/vxNV2gDLsBjqBJzpLC0bXN5oPSIV4wUmv9kmglRGnH/x+KT8IxlnsFRKLCk0cmGxo7M/xfJfVLKdqIVZdtCU+AUVZa6pl5yIkp2LwIVz4w1uQbxGgcmiivEsx7SCnatQSA7b4Pu9+OY6Bl2l2F2lhMcFJQn8w3JviUutHlI33/yLBaOLQErtlOZTAEO6RIWYuO1EpI/LmbSAFBPpajI1I0C8g/PMmifDJ34gqYJgmgYi8uPxDS3XbXsu0aPlm8gUeZffCMcLetZZJ28hP2Je3eZVDrBdL/YFX/aYixcCfNi4dmElewQN/tNL42oKbtHyRgERx1RRSnKuWrfxMgt8/4InC3kUrZHpE4RyuHIoF/3jK2cspkWgQWDhMSAFIRjF4pMn6MZFkK5IRcB4uHhJOy15fQo2wtXgO7juDVuDu/ND04tfhBQCQBfq5TOSeaAAY0sNkuPY2EKxRqhvKJ31CFuNtJc6RV/NswPb+EQvBKHxVuJCUYTOv4Qk6nxQDbCgpjG5nLEJlZjNeo2O4wf4upxwO2f5Z80GOZfaQkAgI10Nhzb6XpwOZY3mFVbGIo1nCFgj0SOfzGN25Boa0MfBEjh2BuTbx9gtj5KWjr2m3B3u7yhTd4B+D4VTCvLrW+x2m7oqqspK2wYYzaKasDXXYjYiklwvaVVpsfackqA0lavKYlWF8O+Iz/vQqxv+i2Bd6bfOjUbCFbdta/nJDP1PTBnWBKnfStZAA9Xfd0v8hzU2c3ZtNWP1JjbZu+nRmY2CNWTB0F6aS2uAdEqbI616Kk88HSEMPWkgcMwgcCgAwIBF6KBuASBtUZwbBmM+ToFJA4SXv+Y1Y9CVpcXY5yAzgbFEkK6wiq5yx2mS5a+EcSQwKLJkS3VGg6Ulot/6Ab8QV0p+74chJ+0CHStK4h5sDjbdQ83QFYvD6pxHbmzqQoykpV5FDbGyIp1cbWyMwl45RX9ew1KoM9EC3ACIw9NiS9PULgiKB71N6AmGYUyGxziKkeDCR09HD/ajVfEU43zSOBaKJprEc6EDh3SrYt39m/Sd3gWI7DoxFNcKsA=
stefan@master431:~$ exit
Abgemeldet
root@master431:~# KRB5_KTNAME=/var/lib/samba/private/http-proxy-$(hostname).keytab
root@master431:~# export KRB5_KTNAME
root@master431:~# /usr/lib/squid/negotiate_kerberos_auth -d
negotiate_kerberos_auth.cc(487): pid=25736 :2018/03/14 11:27:26| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(546): pid=25736 :2018/03/14 11:27:26| negotiate_kerberos_auth: INFO: Setting keytab to /var/lib/samba/private/http-proxy-master431.keytab
negotiate_kerberos_auth.cc(570): pid=25736 :2018/03/14 11:27:26| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_25736
YR YIIFfQYGKwYBBQUCoIIFcTCCBW2gDTALBgkqhkiG9xIBAgKiggVaBIIFVmCCBVIGCSqGSIb3EgECAgEAboIFQTCCBT2gAwIBBaEDAgEOogcDBQAAAAAAo4IEYGGCBFwwggRYoAMCAQWhFRsTREVBRExPQ0s0My5JTlRSQU5FVKIwMC6gAwIBA6EnMCUbBEhUVFAbHW1hc3RlcjQzMS5kZWFkbG9jazQzLmludHJhbmV0o4IEBjCCBAKgAwIBF6EDAgECooID9ASCA/B9QQMGHijl8fEk2XZfzz+dRLe5han0FvCdAojPZNT73MVIZM5d23hiHQWyDqDOC4oiNqamjggUgXBYLHs1/06HVz3rZ44pn6Grc/dxS6BdxJerzYr7kRaa/X3/Ef/RFx2OknpcpGfRhaG2czP/qxpwyTML26qWxPRSLvB0PRJJlS/45JmqgVQwKNYYxwkeU7zlB3cQ7JMFipvDQDqwiiWcFibwKSk/8HwDBvj3Jm7v86hLIivqzxmZX3de9LAoRdpXRltFflAit15ih9bO8Q0oOPmCiv2CEcUeW0AnJa6N970jryZZhIGKAqaMRdBGwUvBWqcJwL0D/KJsFH5Qf554LSh+/4wjiyeNNq7TKmr/IPEQ9PyR1/GQmAEJuCGT796U3hGHRhdULncSP1m57AvfZzb5xZe/YDcBoxEuwkpaiqd/nAOOYXpjxvoXoaVgnPGmYQ6ZXh+kxl1vZ6PuC5sCvxge/R1j8k1KSg7ONPWdRJXg5kVkw2lvncnIcR2DPMIs9oSvt+UirWxNYyLPtoxmlaKyrBOESmdh/vxNV2gDLsBjqBJzpLC0bXN5oPSIV4wUmv9kmglRGnH/x+KT8IxlnsFRKLCk0cmGxo7M/xfJfVLKdqIVZdtCU+AUVZa6pl5yIkp2LwIVz4w1uQbxGgcmiivEsx7SCnatQSA7b4Pu9+OY6Bl2l2F2lhMcFJQn8w3JviUutHlI33/yLBaOLQErtlOZTAEO6RIWYuO1EpI/LmbSAFBPpajI1I0C8g/PMmifDJ34gqYJgmgYi8uPxDS3XbXsu0aPlm8gUeZffCMcLetZZJ28hP2Je3eZVDrBdL/YFX/aYixcCfNi4dmElewQN/tNL42oKbtHyRgERx1RRSnKuWrfxMgt8/4InC3kUrZHpE4RyuHIoF/3jK2cspkWgQWDhMSAFIRjF4pMn6MZFkK5IRcB4uHhJOy15fQo2wtXgO7juDVuDu/ND04tfhBQCQBfq5TOSeaAAY0sNkuPY2EKxRqhvKJ31CFuNtJc6RV/NswPb+EQvBKHxVuJCUYTOv4Qk6nxQDbCgpjG5nLEJlZjNeo2O4wf4upxwO2f5Z80GOZfaQkAgI10Nhzb6XpwOZY3mFVbGIo1nCFgj0SOfzGN25Boa0MfBEjh2BuTbx9gtj5KWjr2m3B3u7yhTd4B+D4VTCvLrW+x2m7oqqspK2wYYzaKasDXXYjYiklwvaVVpsfackqA0lavKYlWF8O+Iz/vQqxv+i2Bd6bfOjUbCFbdta/nJDP1PTBnWBKnfStZAA9Xfd0v8hzU2c3ZtNWP1JjbZu+nRmY2CNWTB0F6aS2uAdEqbI616Kk88HSEMPWkgcMwgcCgAwIBF6KBuASBtUZwbBmM+ToFJA4SXv+Y1Y9CVpcXY5yAzgbFEkK6wiq5yx2mS5a+EcSQwKLJkS3VGg6Ulot/6Ab8QV0p+74chJ+0CHStK4h5sDjbdQ83QFYvD6pxHbmzqQoykpV5FDbGyIp1cbWyMwl45RX9ew1KoM9EC3ACIw9NiS9PULgiKB71N6AmGYUyGxziKkeDCR09HD/ajVfEU43zSOBaKJprEc6EDh3SrYt39m/Sd3gWI7DoxFNcKsA=
negotiate_kerberos_auth.cc(610): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: DEBUG: Got 'YR YIIFfQYGKwYBBQUCoIIFcTCCBW2gDTALBgkqhkiG9xIBAgKiggVaBIIFVmCCBVIGCSqGSIb3EgECAgEAboIFQTCCBT2gAwIBBaEDAgEOogcDBQAAAAAAo4IEYGGCBFwwggRYoAMCAQWhFRsTREVBRExPQ0s0My5JTlRSQU5FVKIwMC6gAwIBA6EnMCUbBEhUVFAbHW1hc3RlcjQzMS5kZWFkbG9jazQzLmludHJhbmV0o4IEBjCCBAKgAwIBF6EDAgECooID9ASCA/B9QQMGHijl8fEk2XZfzz+dRLe5han0FvCdAojPZNT73MVIZM5d23hiHQWyDqDOC4oiNqamjggUgXBYLHs1/06HVz3rZ44pn6Grc/dxS6BdxJerzYr7kRaa/X3/Ef/RFx2OknpcpGfRhaG2czP/qxpwyTML26qWxPRSLvB0PRJJlS/45JmqgVQwKNYYxwkeU7zlB3cQ7JMFipvDQDqwiiWcFibwKSk/8HwDBvj3Jm7v86hLIivqzxmZX3de9LAoRdpXRltFflAit15ih9bO8Q0oOPmCiv2CEcUeW0AnJa6N970jryZZhIGKAqaMRdBGwUvBWqcJwL0D/KJsFH5Qf554LSh+/4wjiyeNNq7TKmr/IPEQ9PyR1/GQmAEJuCGT796U3hGHRhdULncSP1m57AvfZzb5xZe/YDcBoxEuwkpaiqd/nAOOYXpjxvoXoaVgnPGmYQ6ZXh+kxl1vZ6PuC5sCvxge/R1j8k1KSg7ONPWdRJXg5kVkw2lvncnIcR2DPMIs9oSvt+UirWxNYyLPtoxmlaKyrBOESmdh/vxNV2gDLsBjqBJzpLC0bXN5oPSIV4wUmv9kmglRGnH/x+KT8IxlnsFRKLCk0cmGxo7M/xfJfVLKdqIVZdtCU+AUVZa6pl5yIkp2LwIVz4w1uQbxGgcmiivEsx7SCnatQSA7b4Pu9+OY6Bl2l2F2lhMcFJQn8w3JviUutHlI33/yLBaOLQErtlOZTAEO6RIWYuO1EpI/LmbSAFBPpajI1I0C8g/PMmifDJ34gqYJgmgYi8uPxDS3XbXsu0aPlm8gUeZffCMcLetZZJ28hP2Je3eZVDrBdL/YFX/aYixcCfNi4dmElewQN/tNL42oKbtHyRgERx1RRSnKuWrfxMgt8/4InC3kUrZHpE4RyuHIoF/3jK2cspkWgQWDhMSAFIRjF4pMn6MZFkK5IRcB4uHhJOy15fQo2wtXgO7juDVuDu/ND04tfhBQCQBfq5TOSeaAAY0sNkuPY2EKxRqhvKJ31CFuNtJc6RV/NswPb+EQvBKHxVuJCUYTOv4Qk6nxQDbCgpjG5nLEJlZjNeo2O4wf4upxwO2f5Z80GOZfaQkAgI10Nhzb6XpwOZY3mFVbGIo1nCFgj0SOfzGN25Boa0MfBEjh2BuTbx9gtj5KWjr2m3B3u7yhTd4B+D4VTCvLrW+x2m7oqqspK2wYYzaKasDXXYjYiklwvaVVpsfackqA0lavKYlWF8O+Iz/vQqxv+i2Bd6bfOjUbCFbdta/nJDP1PTBnWBKnfStZAA9Xfd0v8hzU2c3ZtNWP1JjbZu+nRmY2CNWTB0F6aS2uAdEqbI616Kk88HSEMPWkgcMwgcCgAwIBF6KBuASBtUZwbBmM+ToFJA4SXv+Y1Y9CVpcXY5yAzgbFEkK6wiq5yx2mS5a+EcSQwKLJkS3VGg6Ulot/6Ab8QV0p+74chJ+0CHStK4h5sDjbdQ83QFYvD6pxHbmzqQoykpV5FDbGyIp1cbWyMwl45RX9ew1KoM9EC3ACIw9NiS9PULgiKB71N6AmGYUyGxziKkeDCR09HD/ajVfEU43zSOBaKJprEc6EDh3SrYt39m/Sd3gWI7DoxFNcKsA=' from squid (length: 1883).
negotiate_kerberos_auth.cc(663): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: DEBUG: Decode 'YIIFfQYGKwYBBQUCoIIFcTCCBW2gDTALBgkqhkiG9xIBAgKiggVaBIIFVmCCBVIGCSqGSIb3EgECAgEAboIFQTCCBT2gAwIBBaEDAgEOogcDBQAAAAAAo4IEYGGCBFwwggRYoAMCAQWhFRsTREVBRExPQ0s0My5JTlRSQU5FVKIwMC6gAwIBA6EnMCUbBEhUVFAbHW1hc3RlcjQzMS5kZWFkbG9jazQzLmludHJhbmV0o4IEBjCCBAKgAwIBF6EDAgECooID9ASCA/B9QQMGHijl8fEk2XZfzz+dRLe5han0FvCdAojPZNT73MVIZM5d23hiHQWyDqDOC4oiNqamjggUgXBYLHs1/06HVz3rZ44pn6Grc/dxS6BdxJerzYr7kRaa/X3/Ef/RFx2OknpcpGfRhaG2czP/qxpwyTML26qWxPRSLvB0PRJJlS/45JmqgVQwKNYYxwkeU7zlB3cQ7JMFipvDQDqwiiWcFibwKSk/8HwDBvj3Jm7v86hLIivqzxmZX3de9LAoRdpXRltFflAit15ih9bO8Q0oOPmCiv2CEcUeW0AnJa6N970jryZZhIGKAqaMRdBGwUvBWqcJwL0D/KJsFH5Qf554LSh+/4wjiyeNNq7TKmr/IPEQ9PyR1/GQmAEJuCGT796U3hGHRhdULncSP1m57AvfZzb5xZe/YDcBoxEuwkpaiqd/nAOOYXpjxvoXoaVgnPGmYQ6ZXh+kxl1vZ6PuC5sCvxge/R1j8k1KSg7ONPWdRJXg5kVkw2lvncnIcR2DPMIs9oSvt+UirWxNYyLPtoxmlaKyrBOESmdh/vxNV2gDLsBjqBJzpLC0bXN5oPSIV4wUmv9kmglRGnH/x+KT8IxlnsFRKLCk0cmGxo7M/xfJfVLKdqIVZdtCU+AUVZa6pl5yIkp2LwIVz4w1uQbxGgcmiivEsx7SCnatQSA7b4Pu9+OY6Bl2l2F2lhMcFJQn8w3JviUutHlI33/yLBaOLQErtlOZTAEO6RIWYuO1EpI/LmbSAFBPpajI1I0C8g/PMmifDJ34gqYJgmgYi8uPxDS3XbXsu0aPlm8gUeZffCMcLetZZJ28hP2Je3eZVDrBdL/YFX/aYixcCfNi4dmElewQN/tNL42oKbtHyRgERx1RRSnKuWrfxMgt8/4InC3kUrZHpE4RyuHIoF/3jK2cspkWgQWDhMSAFIRjF4pMn6MZFkK5IRcB4uHhJOy15fQo2wtXgO7juDVuDu/ND04tfhBQCQBfq5TOSeaAAY0sNkuPY2EKxRqhvKJ31CFuNtJc6RV/NswPb+EQvBKHxVuJCUYTOv4Qk6nxQDbCgpjG5nLEJlZjNeo2O4wf4upxwO2f5Z80GOZfaQkAgI10Nhzb6XpwOZY3mFVbGIo1nCFgj0SOfzGN25Boa0MfBEjh2BuTbx9gtj5KWjr2m3B3u7yhTd4B+D4VTCvLrW+x2m7oqqspK2wYYzaKasDXXYjYiklwvaVVpsfackqA0lavKYlWF8O+Iz/vQqxv+i2Bd6bfOjUbCFbdta/nJDP1PTBnWBKnfStZAA9Xfd0v8hzU2c3ZtNWP1JjbZu+nRmY2CNWTB0F6aS2uAdEqbI616Kk88HSEMPWkgcMwgcCgAwIBF6KBuASBtUZwbBmM+ToFJA4SXv+Y1Y9CVpcXY5yAzgbFEkK6wiq5yx2mS5a+EcSQwKLJkS3VGg6Ulot/6Ab8QV0p+74chJ+0CHStK4h5sDjbdQ83QFYvD6pxHbmzqQoykpV5FDbGyIp1cbWyMwl45RX9ew1KoM9EC3ACIw9NiS9PULgiKB71N6AmGYUyGxziKkeDCR09HD/ajVfEU43zSOBaKJprEc6EDh3SrYt39m/Sd3gWI7DoxFNcKsA=' (decoded length: 1409).
negotiate_kerberos_pac.cc(376): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: INFO: Got PAC data of lengh 456
negotiate_kerberos_pac.cc(180): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: INFO: Found 1 rids
negotiate_kerberos_pac.cc(188): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: Info: Got rid: 513
negotiate_kerberos_pac.cc(256): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1-5-21-1415230736-3466347602-1585201122
negotiate_kerberos_pac.cc(456): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: INFO: Read 452 of 456 bytes 
negotiate_kerberos_auth.cc(778): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAAELVaVFJEnM7iP3xeAQIAAA==
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== stefan@DEADLOCK43.INTRANET
negotiate_kerberos_auth.cc(783): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: DEBUG: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== stefan@DEADLOCK43.INTRANET
BH input error
root@master431:~# 

Check the UCR squid template

root@server:~# univention-check-templates  2>&1 | grep -i squid
/etc/univention/templates/files/etc/squid/squid.conf
root@server:~# 

In this case, a test should be performed with the original template, for example:

 cd /etc/univention/templates/files/etc/squid/
 cp squid.conf squid.conf_modified_template
 cp squid.conf-old squid.conf
 ucr commit /etc/squid/squid.conf
 /etc/init.d/squid restart

Check the Kerberos and DNS settings

Especially in a school environment it should be checked if the correct DNS and Kerberos server is used. If Squid is started on a school DC, the school DC should be used as DNS and Kerberos server.