In case the Kerberos Squid authentication does not work, here are some basic tests.
Check filesystem permissions
The user proxy must be able to access the keytab file /var/lib/samba/private/http-proxy-$(hostname).keytab.
Check the keytab
root@slave-sun:~# kinit --keytab=/var/lib/samba/private/http-proxy-$(hostname).keytab http-proxy-$(hostname)
root@slave-sun:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: http-proxy-slave-sun@SCHEIN.ME
Issued Expires Principal
Aug 16 17:12:27 2019 Aug 17 03:12:27 2019 krbtgt/SCHEIN.ME@SCHEIN.ME
If you get a password incorrect here:
root@master:~# kinit --keytab=/var/lib/samba/private/http-proxy-$(hostname).keytab http-proxy-$(hostname)
kinit: Password incorrect
- You can try to rerun the joinscript:
univention-run-join-scripts --force --run-scripts 98univention-squid-samba4.inst
If this is not working with:
ERR: (Failed to update keytab from entry samAccountName=http-proxy-slave-sun,CN=Principals in /var/lib/samba/private/secrets.ldb: No saltPrincipal provided) on transaction commit
Modify failed after processing 1 records
- You can recreate the the keytab
root@master:~/univention-support# keytab=/var/lib/samba/private/http-proxy-$(hostname).keytab
root@master:~/univention-support# mv $keytab $keytab.$(date '+%Y%m%d%H%M%S')
samba-tool domain exportkeytab $keytab --principal HTTP/$(hostname).$(ucr get domainname)
kinit --keytab=/var/lib/samba/private/http-proxy-$(hostname).keytab http-proxy-$(hostname)
samba-tool domain exportkeytab $keytab --principal http-proxy-$(hostname)
chown proxy:proxy /var/lib/samba/private/http-proxy-$(ucr get hostname).keytab
service squid restart
or an other option, you delete the http-proxy-$(hostname) user
root@slave-sun:~# udm users/user delete --dn=uid=http-proxy-$(hostname),cn=users,$(ucr get ldap/base)
and also delete it from samba:
root@slave-sun:~# ldbdel -H /var/lib/samba/private/secrets.ldb samAccountName=http-proxy-$(hostname),CN=Principals
Then everything should re recreated with running
root@slave-sun:~# univention-run-join-scripts --force --run-scripts 98univention-squid-samba4.inst
root@slave-sun:~# service squid restart
If you get an unknown enctype
kinit: krb5_init_creds_set_keytab: Failed to find http-proxy-slave-sun@SCHEIN.ME in keytab FILE:/var/lib/samba/private/http-proxy-slave-sun.keytab (unknown enctype)
You should also recreate the keytab with the samba-tool command above
Check the KRB5_KTNAME configuration
root@master431:~# grep KRB5_KTNAME /etc/default/squid
KRB5_KTNAME="/var/lib/samba/private/http-proxy-master431.keytab"
export KRB5_KTNAME
root@master431:~#
Is the UCR variable squid/krb5auth set to yes?
root@master431:~# ucr get squid/krb5auth
yes
root@master431:~#
Perform a manual kerberos logon at squid
First, as testuser:
$ su - testuser
$ kinit
→ Enter password
$ /usr/lib/squid/negotiate_kerberos_auth_test $(hostname -f)
→ then you should get something like 'Token: .....'.
$ exit
Afterwards, as root:
$ KRB5_KTNAME=/var/lib/samba/private/http-proxy-$(hostname).keytab
$ export KRB5_KTNAME
$ /usr/lib/squid/negotiate_kerberos_auth -d
→ then please enter "YR " followed by the token
→ press \<CTRL\>-D
For example:
root@master431:~# su - stefan
stefan@master431:~$ kinit
stefan@DEADLOCK43.INTRANET's Password:
stefan@master431:~$ /usr/lib/squid/negotiate_kerberos_auth_test $(hostname -f)
Token: YIIFfQYGKwYBBQUCoIIFcTCCBW2gDTALBgkqhkiG9xIBAgKiggVaBIIFVmCCBVIGCSqGSIb3EgECAgEAboIFQTCCBT2gAwIBBaEDAgEOogcDBQAAAAAAo4IEYGGCBFwwggRYoAMCAQWhFRsTREVBRExPQ0s0My5JTlRSQU5FVKIwMC6gAwIBA6EnMCUbBEhUVFAbHW1hc3RlcjQzMS5kZWFkbG9jazQzLmludHJhbmV0o4IEBjCCBAKgAwIBF6EDAgECooID9ASCA/B9QQMGHijl8fEk2XZfzz+dRLe5han0FvCdAojPZNT73MVIZM5d23hiHQWyDqDOC4oiNqamjggUgXBYLHs1/06HVz3rZ44pn6Grc/dxS6BdxJerzYr7kRaa/X3/Ef/RFx2OknpcpGfRhaG2czP/qxpwyTML26qWxPRSLvB0PRJJlS/45JmqgVQwKNYYxwkeU7zlB3cQ7JMFipvDQDqwiiWcFibwKSk/8HwDBvj3Jm7v86hLIivqzxmZX3de9LAoRdpXRltFflAit15ih9bO8Q0oOPmCiv2CEcUeW0AnJa6N970jryZZhIGKAqaMRdBGwUvBWqcJwL0D/KJsFH5Qf554LSh+/4wjiyeNNq7TKmr/IPEQ9PyR1/GQmAEJuCGT796U3hGHRhdULncSP1m57AvfZzb5xZe/YDcBoxEuwkpaiqd/nAOOYXpjxvoXoaVgnPGmYQ6ZXh+kxl1vZ6PuC5sCvxge/R1j8k1KSg7ONPWdRJXg5kVkw2lvncnIcR2DPMIs9oSvt+UirWxNYyLPtoxmlaKyrBOESmdh/vxNV2gDLsBjqBJzpLC0bXN5oPSIV4wUmv9kmglRGnH/x+KT8IxlnsFRKLCk0cmGxo7M/xfJfVLKdqIVZdtCU+AUVZa6pl5yIkp2LwIVz4w1uQbxGgcmiivEsx7SCnatQSA7b4Pu9+OY6Bl2l2F2lhMcFJQn8w3JviUutHlI33/yLBaOLQErtlOZTAEO6RIWYuO1EpI/LmbSAFBPpajI1I0C8g/PMmifDJ34gqYJgmgYi8uPxDS3XbXsu0aPlm8gUeZffCMcLetZZJ28hP2Je3eZVDrBdL/YFX/aYixcCfNi4dmElewQN/tNL42oKbtHyRgERx1RRSnKuWrfxMgt8/4InC3kUrZHpE4RyuHIoF/3jK2cspkWgQWDhMSAFIRjF4pMn6MZFkK5IRcB4uHhJOy15fQo2wtXgO7juDVuDu/ND04tfhBQCQBfq5TOSeaAAY0sNkuPY2EKxRqhvKJ31CFuNtJc6RV/NswPb+EQvBKHxVuJCUYTOv4Qk6nxQDbCgpjG5nLEJlZjNeo2O4wf4upxwO2f5Z80GOZfaQkAgI10Nhzb6XpwOZY3mFVbGIo1nCFgj0SOfzGN25Boa0MfBEjh2BuTbx9gtj5KWjr2m3B3u7yhTd4B+D4VTCvLrW+x2m7oqqspK2wYYzaKasDXXYjYiklwvaVVpsfackqA0lavKYlWF8O+Iz/vQqxv+i2Bd6bfOjUbCFbdta/nJDP1PTBnWBKnfStZAA9Xfd0v8hzU2c3ZtNWP1JjbZu+nRmY2CNWTB0F6aS2uAdEqbI616Kk88HSEMPWkgcMwgcCgAwIBF6KBuASBtUZwbBmM+ToFJA4SXv+Y1Y9CVpcXY5yAzgbFEkK6wiq5yx2mS5a+EcSQwKLJkS3VGg6Ulot/6Ab8QV0p+74chJ+0CHStK4h5sDjbdQ83QFYvD6pxHbmzqQoykpV5FDbGyIp1cbWyMwl45RX9ew1KoM9EC3ACIw9NiS9PULgiKB71N6AmGYUyGxziKkeDCR09HD/ajVfEU43zSOBaKJprEc6EDh3SrYt39m/Sd3gWI7DoxFNcKsA=
stefan@master431:~$ exit
Abgemeldet
root@master431:~# KRB5_KTNAME=/var/lib/samba/private/http-proxy-$(hostname).keytab
root@master431:~# export KRB5_KTNAME
root@master431:~# /usr/lib/squid/negotiate_kerberos_auth -d
negotiate_kerberos_auth.cc(487): pid=25736 :2018/03/14 11:27:26| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(546): pid=25736 :2018/03/14 11:27:26| negotiate_kerberos_auth: INFO: Setting keytab to /var/lib/samba/private/http-proxy-master431.keytab
negotiate_kerberos_auth.cc(570): pid=25736 :2018/03/14 11:27:26| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_25736
YR YIIFfQYGKwYBBQUCoIIFcTCCBW2gDTALBgkqhkiG9xIBAgKiggVaBIIFVmCCBVIGCSqGSIb3EgECAgEAboIFQTCCBT2gAwIBBaEDAgEOogcDBQAAAAAAo4IEYGGCBFwwggRYoAMCAQWhFRsTREVBRExPQ0s0My5JTlRSQU5FVKIwMC6gAwIBA6EnMCUbBEhUVFAbHW1hc3RlcjQzMS5kZWFkbG9jazQzLmludHJhbmV0o4IEBjCCBAKgAwIBF6EDAgECooID9ASCA/B9QQMGHijl8fEk2XZfzz+dRLe5han0FvCdAojPZNT73MVIZM5d23hiHQWyDqDOC4oiNqamjggUgXBYLHs1/06HVz3rZ44pn6Grc/dxS6BdxJerzYr7kRaa/X3/Ef/RFx2OknpcpGfRhaG2czP/qxpwyTML26qWxPRSLvB0PRJJlS/45JmqgVQwKNYYxwkeU7zlB3cQ7JMFipvDQDqwiiWcFibwKSk/8HwDBvj3Jm7v86hLIivqzxmZX3de9LAoRdpXRltFflAit15ih9bO8Q0oOPmCiv2CEcUeW0AnJa6N970jryZZhIGKAqaMRdBGwUvBWqcJwL0D/KJsFH5Qf554LSh+/4wjiyeNNq7TKmr/IPEQ9PyR1/GQmAEJuCGT796U3hGHRhdULncSP1m57AvfZzb5xZe/YDcBoxEuwkpaiqd/nAOOYXpjxvoXoaVgnPGmYQ6ZXh+kxl1vZ6PuC5sCvxge/R1j8k1KSg7ONPWdRJXg5kVkw2lvncnIcR2DPMIs9oSvt+UirWxNYyLPtoxmlaKyrBOESmdh/vxNV2gDLsBjqBJzpLC0bXN5oPSIV4wUmv9kmglRGnH/x+KT8IxlnsFRKLCk0cmGxo7M/xfJfVLKdqIVZdtCU+AUVZa6pl5yIkp2LwIVz4w1uQbxGgcmiivEsx7SCnatQSA7b4Pu9+OY6Bl2l2F2lhMcFJQn8w3JviUutHlI33/yLBaOLQErtlOZTAEO6RIWYuO1EpI/LmbSAFBPpajI1I0C8g/PMmifDJ34gqYJgmgYi8uPxDS3XbXsu0aPlm8gUeZffCMcLetZZJ28hP2Je3eZVDrBdL/YFX/aYixcCfNi4dmElewQN/tNL42oKbtHyRgERx1RRSnKuWrfxMgt8/4InC3kUrZHpE4RyuHIoF/3jK2cspkWgQWDhMSAFIRjF4pMn6MZFkK5IRcB4uHhJOy15fQo2wtXgO7juDVuDu/ND04tfhBQCQBfq5TOSeaAAY0sNkuPY2EKxRqhvKJ31CFuNtJc6RV/NswPb+EQvBKHxVuJCUYTOv4Qk6nxQDbCgpjG5nLEJlZjNeo2O4wf4upxwO2f5Z80GOZfaQkAgI10Nhzb6XpwOZY3mFVbGIo1nCFgj0SOfzGN25Boa0MfBEjh2BuTbx9gtj5KWjr2m3B3u7yhTd4B+D4VTCvLrW+x2m7oqqspK2wYYzaKasDXXYjYiklwvaVVpsfackqA0lavKYlWF8O+Iz/vQqxv+i2Bd6bfOjUbCFbdta/nJDP1PTBnWBKnfStZAA9Xfd0v8hzU2c3ZtNWP1JjbZu+nRmY2CNWTB0F6aS2uAdEqbI616Kk88HSEMPWkgcMwgcCgAwIBF6KBuASBtUZwbBmM+ToFJA4SXv+Y1Y9CVpcXY5yAzgbFEkK6wiq5yx2mS5a+EcSQwKLJkS3VGg6Ulot/6Ab8QV0p+74chJ+0CHStK4h5sDjbdQ83QFYvD6pxHbmzqQoykpV5FDbGyIp1cbWyMwl45RX9ew1KoM9EC3ACIw9NiS9PULgiKB71N6AmGYUyGxziKkeDCR09HD/ajVfEU43zSOBaKJprEc6EDh3SrYt39m/Sd3gWI7DoxFNcKsA=
negotiate_kerberos_auth.cc(610): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: DEBUG: Got 'YR YIIFfQYGKwYBBQUCoIIFcTCCBW2gDTALBgkqhkiG9xIBAgKiggVaBIIFVmCCBVIGCSqGSIb3EgECAgEAboIFQTCCBT2gAwIBBaEDAgEOogcDBQAAAAAAo4IEYGGCBFwwggRYoAMCAQWhFRsTREVBRExPQ0s0My5JTlRSQU5FVKIwMC6gAwIBA6EnMCUbBEhUVFAbHW1hc3RlcjQzMS5kZWFkbG9jazQzLmludHJhbmV0o4IEBjCCBAKgAwIBF6EDAgECooID9ASCA/B9QQMGHijl8fEk2XZfzz+dRLe5han0FvCdAojPZNT73MVIZM5d23hiHQWyDqDOC4oiNqamjggUgXBYLHs1/06HVz3rZ44pn6Grc/dxS6BdxJerzYr7kRaa/X3/Ef/RFx2OknpcpGfRhaG2czP/qxpwyTML26qWxPRSLvB0PRJJlS/45JmqgVQwKNYYxwkeU7zlB3cQ7JMFipvDQDqwiiWcFibwKSk/8HwDBvj3Jm7v86hLIivqzxmZX3de9LAoRdpXRltFflAit15ih9bO8Q0oOPmCiv2CEcUeW0AnJa6N970jryZZhIGKAqaMRdBGwUvBWqcJwL0D/KJsFH5Qf554LSh+/4wjiyeNNq7TKmr/IPEQ9PyR1/GQmAEJuCGT796U3hGHRhdULncSP1m57AvfZzb5xZe/YDcBoxEuwkpaiqd/nAOOYXpjxvoXoaVgnPGmYQ6ZXh+kxl1vZ6PuC5sCvxge/R1j8k1KSg7ONPWdRJXg5kVkw2lvncnIcR2DPMIs9oSvt+UirWxNYyLPtoxmlaKyrBOESmdh/vxNV2gDLsBjqBJzpLC0bXN5oPSIV4wUmv9kmglRGnH/x+KT8IxlnsFRKLCk0cmGxo7M/xfJfVLKdqIVZdtCU+AUVZa6pl5yIkp2LwIVz4w1uQbxGgcmiivEsx7SCnatQSA7b4Pu9+OY6Bl2l2F2lhMcFJQn8w3JviUutHlI33/yLBaOLQErtlOZTAEO6RIWYuO1EpI/LmbSAFBPpajI1I0C8g/PMmifDJ34gqYJgmgYi8uPxDS3XbXsu0aPlm8gUeZffCMcLetZZJ28hP2Je3eZVDrBdL/YFX/aYixcCfNi4dmElewQN/tNL42oKbtHyRgERx1RRSnKuWrfxMgt8/4InC3kUrZHpE4RyuHIoF/3jK2cspkWgQWDhMSAFIRjF4pMn6MZFkK5IRcB4uHhJOy15fQo2wtXgO7juDVuDu/ND04tfhBQCQBfq5TOSeaAAY0sNkuPY2EKxRqhvKJ31CFuNtJc6RV/NswPb+EQvBKHxVuJCUYTOv4Qk6nxQDbCgpjG5nLEJlZjNeo2O4wf4upxwO2f5Z80GOZfaQkAgI10Nhzb6XpwOZY3mFVbGIo1nCFgj0SOfzGN25Boa0MfBEjh2BuTbx9gtj5KWjr2m3B3u7yhTd4B+D4VTCvLrW+x2m7oqqspK2wYYzaKasDXXYjYiklwvaVVpsfackqA0lavKYlWF8O+Iz/vQqxv+i2Bd6bfOjUbCFbdta/nJDP1PTBnWBKnfStZAA9Xfd0v8hzU2c3ZtNWP1JjbZu+nRmY2CNWTB0F6aS2uAdEqbI616Kk88HSEMPWkgcMwgcCgAwIBF6KBuASBtUZwbBmM+ToFJA4SXv+Y1Y9CVpcXY5yAzgbFEkK6wiq5yx2mS5a+EcSQwKLJkS3VGg6Ulot/6Ab8QV0p+74chJ+0CHStK4h5sDjbdQ83QFYvD6pxHbmzqQoykpV5FDbGyIp1cbWyMwl45RX9ew1KoM9EC3ACIw9NiS9PULgiKB71N6AmGYUyGxziKkeDCR09HD/ajVfEU43zSOBaKJprEc6EDh3SrYt39m/Sd3gWI7DoxFNcKsA=' from squid (length: 1883).
negotiate_kerberos_auth.cc(663): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: DEBUG: Decode 'YIIFfQYGKwYBBQUCoIIFcTCCBW2gDTALBgkqhkiG9xIBAgKiggVaBIIFVmCCBVIGCSqGSIb3EgECAgEAboIFQTCCBT2gAwIBBaEDAgEOogcDBQAAAAAAo4IEYGGCBFwwggRYoAMCAQWhFRsTREVBRExPQ0s0My5JTlRSQU5FVKIwMC6gAwIBA6EnMCUbBEhUVFAbHW1hc3RlcjQzMS5kZWFkbG9jazQzLmludHJhbmV0o4IEBjCCBAKgAwIBF6EDAgECooID9ASCA/B9QQMGHijl8fEk2XZfzz+dRLe5han0FvCdAojPZNT73MVIZM5d23hiHQWyDqDOC4oiNqamjggUgXBYLHs1/06HVz3rZ44pn6Grc/dxS6BdxJerzYr7kRaa/X3/Ef/RFx2OknpcpGfRhaG2czP/qxpwyTML26qWxPRSLvB0PRJJlS/45JmqgVQwKNYYxwkeU7zlB3cQ7JMFipvDQDqwiiWcFibwKSk/8HwDBvj3Jm7v86hLIivqzxmZX3de9LAoRdpXRltFflAit15ih9bO8Q0oOPmCiv2CEcUeW0AnJa6N970jryZZhIGKAqaMRdBGwUvBWqcJwL0D/KJsFH5Qf554LSh+/4wjiyeNNq7TKmr/IPEQ9PyR1/GQmAEJuCGT796U3hGHRhdULncSP1m57AvfZzb5xZe/YDcBoxEuwkpaiqd/nAOOYXpjxvoXoaVgnPGmYQ6ZXh+kxl1vZ6PuC5sCvxge/R1j8k1KSg7ONPWdRJXg5kVkw2lvncnIcR2DPMIs9oSvt+UirWxNYyLPtoxmlaKyrBOESmdh/vxNV2gDLsBjqBJzpLC0bXN5oPSIV4wUmv9kmglRGnH/x+KT8IxlnsFRKLCk0cmGxo7M/xfJfVLKdqIVZdtCU+AUVZa6pl5yIkp2LwIVz4w1uQbxGgcmiivEsx7SCnatQSA7b4Pu9+OY6Bl2l2F2lhMcFJQn8w3JviUutHlI33/yLBaOLQErtlOZTAEO6RIWYuO1EpI/LmbSAFBPpajI1I0C8g/PMmifDJ34gqYJgmgYi8uPxDS3XbXsu0aPlm8gUeZffCMcLetZZJ28hP2Je3eZVDrBdL/YFX/aYixcCfNi4dmElewQN/tNL42oKbtHyRgERx1RRSnKuWrfxMgt8/4InC3kUrZHpE4RyuHIoF/3jK2cspkWgQWDhMSAFIRjF4pMn6MZFkK5IRcB4uHhJOy15fQo2wtXgO7juDVuDu/ND04tfhBQCQBfq5TOSeaAAY0sNkuPY2EKxRqhvKJ31CFuNtJc6RV/NswPb+EQvBKHxVuJCUYTOv4Qk6nxQDbCgpjG5nLEJlZjNeo2O4wf4upxwO2f5Z80GOZfaQkAgI10Nhzb6XpwOZY3mFVbGIo1nCFgj0SOfzGN25Boa0MfBEjh2BuTbx9gtj5KWjr2m3B3u7yhTd4B+D4VTCvLrW+x2m7oqqspK2wYYzaKasDXXYjYiklwvaVVpsfackqA0lavKYlWF8O+Iz/vQqxv+i2Bd6bfOjUbCFbdta/nJDP1PTBnWBKnfStZAA9Xfd0v8hzU2c3ZtNWP1JjbZu+nRmY2CNWTB0F6aS2uAdEqbI616Kk88HSEMPWkgcMwgcCgAwIBF6KBuASBtUZwbBmM+ToFJA4SXv+Y1Y9CVpcXY5yAzgbFEkK6wiq5yx2mS5a+EcSQwKLJkS3VGg6Ulot/6Ab8QV0p+74chJ+0CHStK4h5sDjbdQ83QFYvD6pxHbmzqQoykpV5FDbGyIp1cbWyMwl45RX9ew1KoM9EC3ACIw9NiS9PULgiKB71N6AmGYUyGxziKkeDCR09HD/ajVfEU43zSOBaKJprEc6EDh3SrYt39m/Sd3gWI7DoxFNcKsA=' (decoded length: 1409).
negotiate_kerberos_pac.cc(376): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: INFO: Got PAC data of lengh 456
negotiate_kerberos_pac.cc(180): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: INFO: Found 1 rids
negotiate_kerberos_pac.cc(188): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: Info: Got rid: 513
negotiate_kerberos_pac.cc(256): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1-5-21-1415230736-3466347602-1585201122
negotiate_kerberos_pac.cc(456): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: INFO: Read 452 of 456 bytes
negotiate_kerberos_auth.cc(778): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAAELVaVFJEnM7iP3xeAQIAAA==
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== stefan@DEADLOCK43.INTRANET
negotiate_kerberos_auth.cc(783): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: DEBUG: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== stefan@DEADLOCK43.INTRANET
BH input error
root@master431:~#
Check the UCR squid template
root@server:~# univention-check-templates 2>&1 | grep -i squid
/etc/univention/templates/files/etc/squid/squid.conf
root@server:~#
In this case, a test should be performed with the original template, for example:
cd /etc/univention/templates/files/etc/squid/
cp squid.conf squid.conf_modified_template
cp squid.conf-old squid.conf
ucr commit /etc/squid/squid.conf
/etc/init.d/squid restart
Check the Kerberos and DNS settings
Especially in a school environment it should be checked if the correct DNS and Kerberos server is used. If Squid is started on a school DC, the school DC should be used as DNS and Kerberos server.
Check on commandline via curl
curl -vvv --proxy-user username:password --proxy "http://$(hostname -f):3128" --proxy-negotiate http://www.google.de
Check using the proxy user
root@server:~# sudo -u proxy /usr/lib/squid/squid_ldap_ntlm_auth --gss-spnego --gss-spnego-strip-realm --debug --debug-file /tmp/krb5.log
2022/10/18 17:58:59| negotiate_kerberos_auth: ERROR: krb5_kt_start_seq_get: Permission denied
2022/10/18 17:58:59| negotiate_kerberos_auth: ERROR: krb5_read_keytab: Permission denied
or
root@server:~# sudo -u proxy ls -lha /var/lib/samba/private/http-proxy-$(ucr get hostname).keytab
ls: Zugriff auf '/var/lib/samba/private/http-proxy-server.keytab' nicht möglich: Keine Berechtigung
If you get something like this, check also the filepermissions on the parent directory.