Understanding scenarios where Kerberos authentication fails.

General Information about how to make best use of this forum
India Pratik
Posts: 25
Joined: Fri Jun 10, 2022 7:15 am

Understanding scenarios where Kerberos authentication fails.

Post by Pratik » Wed Dec 07, 2022 7:40 am

User authentication in SafeSquid is required for granular and user/group based policy configurations.
Kerberos provides a centralized authentication server whose function is to authenticate users to SafeSquid.
The Kerberos Authentication mechanism identifies a user that has already "logged" or "signed" into the Network Domain
The mechanism requires the applications such as the Internet Browsers employed by the users to provide the credentials without interactive prompts.
Kerberos encrypts passwords before transmitting it and once you and the server have proved your identities to each other, Kerberos uses secret-key cryptography to secure the rest of your communications.
However, there are situations where Kerberos authentication breaks
You can encounter problems such are popups for user authentication, connection to proxy server failed.
Below are few such cases.
To troubleshoot issues related to Kerberos search for the string "Kerberos" in SafeSquid’s native log

Code: Select all

less /var/log/safesquid/native/safesquid.log
Case#1: when /tmp directory is full – (Failed to write FILE credential data)

For situations where you find similar output in SafeSquid’s native log which mentions "Failed to write FILE credential data"

Code: Select all

Non-authoritative answer:
Name:   ad.safesquid.lab
Address: 10.102.1.10

kerberos : MY_FQDN: proxy.safesquid.lab
kerberos : CHECK_CONNECTIVITY: proxy.safesquid.lab ad.safesquid.lab
Using domain server:
Name: ad.safesquid.lab
Address: 10.102.1.10#53
Aliases:

proxy.safesquid.lab has address 10.102.1.12
proxy.safesquid.lab has address 10.102.0.1
kerberos : kerberos : kinit user: _AD_USER: administrator@SAFESQUID.LAB
kinit: krb5_init_creds_store: Failed to write FILE credential data
kerberos : kerberos : /usr/bin/kinit: failed
kerberos : kinit: failed]
[LDAP Cache Manager] ldap: debug: init_routine_unlocked:368 connection not exists in pool for domain safesquid.lab
[SqScan Updater] header: debug: header_get_reconnect:1055 timeout(75) swgupdates.safesquid.net 10.102.1.13:26053 ENOTCONN:0 swgupdates.safesquid.net
[Image Scanner Setup] header: debug: header_get_reconnect:1055 timeout(75) swgupdates.safesquid.net 10.102.1.13:20053 ENOTCONN:0 swgupdates.safesquid.net
[SSqore Setup] header: debug: header_get_reconnect:1055 timeout(75) swgupdates.safesquid.net 10.102.1.13:12117 ENOTCONN:0 swgupdates.safesquid.net
[LDAP Cache Manager] ldap: debug: get_ld:1327 ad.safesquid.lab:389 max query limit:[0], 0 means no limit
[Content Magic Setup] header: debug: response headers from swgupdates2.safesquid.net 10.102.1.13:22041 161.35.135.35:443:
Validate the total space left in your /tmp directory.

Code: Select all

df -kh /tmp
/tmp directory has no space left to create new file.
kinit is unable to generate Kerberos credential cache file.
Slide1.JPG
Slide1.JPG (34.23 KiB) Viewed 6327 times
Solution for this problem is to clean and free some space in /tmp directory.
Easiest way and recommended way to clean /tmp directory is to reboot the host system, because of which /tmp directory will create some free space.
For users you have manually create free space in /tmp directory
restart your safesquid service.

Code: Select all

/etc/init.d/monit stop; /etc/init.d/safesquid stop; /etc/init.d/monit start
Now validate your Kerberos SSO.

Code: Select all

proxy.safesquid.lab has address 10.102.1.12
kerberos : kerberos : kinit user: _AD_USER: administrator@SAFESQUID.LAB
kerberos : kerberos : /usr/bin/kinit: successful
kerberos : kinit: successful
kerberos : Generate Keytab: calling RUN_MSKTUTIL
kerberos : /usr/local/bin/msktutil --update --verbose --base CN=COMPUTERS --service HTTP/master.safesquid.lab --keytab /usr/local/safesquid/security/HTTP.keytab.safesquid.lab 			--computer-name master --upn HTTP/proxy.safesquid.lab --server ad.safesquid.lab --no-reverse-lookups --realm SAFESQUID.LAB -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password:  Characters read from /dev/urandom = 82
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-MC77ea
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: proxy$
 -- try_machine_keytab_princ: Trying to authenticate for proxy$ from local keytab...
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-YFsU4o
 -- finalize_exec: Authenticated using method 1
 -- LDAPConnection: Connecting to LDAP server: ad.safesquid.lab
Kerberos SSO will now work as intended.

Case#2 HTTP.keytab file not found. - (Authenticated using method 5)

A keytab is a file containing pairs of Kerberos principals and encrypted keys that are derived from the Kerberos password.
A common scenario where HTTP.keytab file can not be preset at the time of Kerberos initialization is when HTTP.keytab file are removed or missing.
Slide3.JPG
Slide3.JPG (73.89 KiB) Viewed 6327 times

Removed HTTP.keytab and HTTP.keytab.<doamin> will re-generate when SafeSquid restarts.
Slide2.JPG
Slide2.JPG (86.72 KiB) Viewed 6327 times
Because of the missing HTTP.keytab, Authentication using keytab fails and kinit uses authentication method 5.
Validating the logs.

Code: Select all

kerberos : MY_FQDN: proxy.safesquid.lab
kerberos : CHECK_CONNECTIVITY: proxy.safesquid.lab ad.safesquid.lab
Using domain server:
Name: ad.safesquid.lab
Address: 10.102.1.10#53
Aliases:

proxy.safesquid.lab has address 10.102.1.12
proxy.safesquid.lab has address 10.102.0.1
kerberos : kerberos : kinit user: _AD_USER: administrator@SAFESQUID.LAB
kerberos : kerberos : /usr/bin/kinit: successful
kerberos : kinit: successful
kerberos : Generate Keytab: calling RUN_MSKTUTIL
kerberos : /usr/local/bin/msktutil --create --verbose --base CN=COMPUTERS --service HTTP/proxy.safesquid.lab --keytab /usr/local/safesquid/security/HTTP.keytab.safesquid.lab --computer-name proxy --upn HTTP/proxy.safesquid.lab --server ad.safesquid.lab --no-reverse-lookups --realm SAFESQUID.LAB -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 82
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-nAQP2W
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: proxy$
 -- try_machine_keytab_princ: Trying to authenticate for proxy$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for PROXY$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/proxy.safesquid.lab from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for proxy$ with password.
 -- create_default_machine_password: Default machine password for proxy$ is proxy
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Unknown code krb5 24)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 5
Trying to access https://safesquid.cfg/

Code: Select all

security: warn: GSS_AUTH::validate_security_credentials gss_accept_sec_context: `u<84>^E
security: error: Kerberos: converting oid->string:150 failed:  A token was invalid. unknown mech-code 0 for mech unknown
security: error: Kerberos: gss_accept_sec_context():213 failed:  A token was invalid. unknown mech-code 0 for mech unknown
security: error: [IP:10.102.1.100] try_kerberos_authentication:490 could not validate: Negotiate oYIG9jCCBvKgAwoBAaKCBukEggblYIIG4QYJKoZIhvcSAQICAQBuggbQMIIGzKADAgEFoQMCAQ6iBwMFACAAAACjggT5YYIE9TCCBPGgAwIBBaEPGw1TQUZFU1FVSUQuTEFCoiYwJKADAgECoR0wGxsESFRUUBsTcHJveHkuc2FmZXNxdWlkLmxhYqOCBK8wggSroAMCARKhAwIBPaKCBJ0EggSZl84YSH2U6/APH/4DJICnPuuAhweGzg5eCPtb9Mhv4fyF88hOzT56J8T5tG1VRAVRp3cMA2IP2MVOikuQwtRW6RSDP+q2NoJeCqqiRCSCYyFrQZorr0O3kkYhiLIkhNwGbfTxDE+Jx6YNVRDa9EihCqeiw0lOPcUTcfsSHnAwlX2tpl+83XyDRSDl2mOhNWOqb+4VrVUyIaXw0Iu24LcV57gTVKEjnS8YH3kotr9yy3x7dQhp3KFfF7njk5gjAyB4YcF3IZpidbxJtm0zQZfccp8b+83vPkpZNcYYE88v7iHg372gw3qvuhtEnE11VFxOQOEsPNt7SxW8ynqy3WHVMDpikxlZCyrr8LzqdxspN3HGIqqB6tS6+265KkuNQejvat9xHkYWJND1Id7QmsTRVoPVPQ0urQttyFWooyC+uDIUkahYM45pUQBto388tbJPN1q3ML8tQmQVpaHWiUKewnIcgwrh4OSNd1rdMMIk9NeGfLDzmEcRhDJaMlLrgtzowhzYxweUuxCwBo8i26kx18mq5pO8RQmFYsDa8meRBBosRlL1FRsa5xnzIqSJ4xe00i29+B18+e1GYCs3B2JNFEkVztcXMu9Q81iQjlWjVmrzVqzosA8bBRUs4MDrMkTqtS4qlcu53evSDJEDEih1cQmlcRPohberxCUXhNF03F4Sik70OqAuzBvv1CgNDWKg6y7zJzlz+LrWMcDqBQh4Fz3Tu4+LEeZ2OgvQh8YHLOKRRBaTsoDbpXuCDJ1Op+hof6htlpNXt+xqpjwCSWBjLvJ5ma7qLdBZXxvoBBgCo5vymi3S6gfDRzwz417LKqM49+pWol4COPRCJJzg8oYDZVfGhOBgUfFi4AAEZjWA3safDdIA3QwtuOZZ9dLnd6CwaxW4uBW+p6ILeQzFjNhtshKIjIaCLaLLA5nmbSsld1sStCH8ZoprgMhtDMWw1owW+sOLvfwWLt4ABic92nRVw2F1b1qRL96R2mLdtOSccPJmlq0lq6+9G1yRnPSrJiF0qI3SVvV5TMtvoG188yn0qEaWB9lZA6geI1kMFuXfyQ6gDWYJAEt5Lc1TxgJ/LFlTc4h9kcGbtli4KJ3fIvAfOC6dClSmSa61LUYT+0Rj8L2OXCT8VEO/7EabM/88vVhMXHY/uCKdI6UZt/ik533M2miuWcgpXMMARZ61fuQewH5/iKnYX94RSWYd4zKzqCwDdEFk2te5Zfwly1XN0SjYPrx64tSLIn0WOuGL0XDYWv4vi6TtEsGSUEOD3aXd+h17RwQ+hhvS3McFVoo+CO5CTRpqvV4hJloBr5UzPzFtdTh88i5rTQXShHKZnOSEkoGXarE7kBFeo1M3dmTXbxnhtTsCvfJMem2STpDCXwUh32v66UrhlX6tlncr7H1LZYvYEwQYhpiTcHkDWCtoheBGYKZaxehDWWfGD6f+0tPPP7KeTwjSN7EwPICPv+6gwWdm7S3KTN0C9bLDCq5AcvUHzniGSK77LVGbyPewFreZuVJlOs7U1bWcXw+9D9l4uvGdFvcwMlrEsEe2n6MehsaqSCAbgwggG0oAMCARKiggGrBIIBp4UnIs1hwwMSw2Opw81nuJT6T85lFjPM4w3PqivH9qWL12Rn9WK2t7NTXziHkzlSThjznLXmX+bHgsxB/dWkmObcD+i6twlSACEV8EY3x2rMpp18MQm2Vl1+WKAdWpAmsSoZ8hbnZ1Q+v0uIheelx2ILXZQRA98Xiwk6yh9fxwKmudSO5UuSqYFT6ePcCdIkSgFiX+isXn62TUs6FwXNVgwie12db7AY4gOAF3/fkwq5lEJRLNxk1klI7muT7KqrcuQqEqb1vIZDA4OsrxRyDLJwtI7u1sYDZCG+MnbYvLnNGphvnbAnM/LkBEq+9YmJP58ka3bWswcRKUsinDUXY8D6v3zamrwg54E8FL9inClfxNpjA11KZcwXM3iYTlPEz8amW7VUhlCXbKcS1GGw970qvln7QUxlXdFnAaQlZo3gLeuLPYXcW9pNmPII6cQV0ZkQHXmBOS6tnP+oHIYOftKbydgDv5ib2y4OT0qZaUilg6+L95Cd7eo9+cvmVs0W+gOsOeC4i3nwRcSaKBsn6zOfIZl0kWDKycLsq9V1+1aHSzATEbQ==
security: warn: cannot attempt alternate authentication to safesquid.auth.service
header: debug: url_command_extract:168 connection: HTTP_CONNECT
header: debug: header_send: client 10.102.1.12:8080 10.102.1.100:52613
HTTP/1.1 407 Proxy Authentication Required
To fix this issue, restart your SafeSquid service.

Code: Select all

/etc/init.d/monit stop; /etc/init.d/safesquid stop; /etc/init.d/monit start

Code: Select all

kerberos :
#############
kerberos : KRB5_CONFIG: /usr/local/safesquid/security/krb5.conf
kerberos : KRB5_KTNAME: /usr/local/safesquid/security/HTTP.keytab
kerberos : AD_FQDN: ad.safesquid.lab
kerberos : CHECK_CONNECTIVITY: ad.safesquid.lab
ad.safesquid.lab has address 10.102.1.10
kerberos : kerberos : LDAP_USER: administrator
kerberos : AD_DOMAIN: safesquid.lab
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   ad.safesquid.lab
Address: 10.102.1.10

kerberos : MY_FQDN: proxy.safesquid.lab
kerberos : CHECK_CONNECTIVITY: proxy.safesquid.lab ad.safesquid.lab
Using domain server:
Name: ad.safesquid.lab
Address: 10.102.1.10#53
Aliases:

proxy.safesquid.lab has address 10.102.1.12
proxy.safesquid.lab has address 10.102.0.1
kerberos : kerberos : kinit user: _AD_USER: administrator@SAFESQUID.LAB
kerberos : kerberos : /usr/bin/kinit: successful
kerberos : kinit: successful
kerberos : Generate Keytab: calling RUN_MSKTUTIL
kerberos : /usr/local/bin/msktutil --update --verbose --base CN=COMPUTERS --service HTTP/proxy.safesquid.lab --keytab /usr/local/safesquid/security/HTTP.keytab.safesquid.lab --computer-name proxy --upn HTTP/proxy.safesquid.lab --server ad.safesquid.lab --no-reverse-lookups --realm SAFESQUID.LAB -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 81
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-eawnX7
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: proxy$
 -- try_machine_keytab_princ: Trying to authenticate for proxy$ from local keytab...
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-YiRakL
 -- finalize_exec: Authenticated using method 1
 -- LDAPConnection: Connecting to LDAP server: ad.safesquid.lab
SASL/GSSAPI authentication started
SASL username: proxy$@SAFESQUID.LAB
Or
Log out of your windows user account and then log back in.
Once your have logged back in, validate kerberos SSO

Code: Select all

security: debug: GSS_AUTH::validate_security_credentials gss_accept_sec_context: <A0><8F>}3<95>^?
security: debug: validate_security_credentials:207 authenticated Administrator@SAFESQUID.LAB	oYG2MIGzoAMKAQChCwYJKoZIgvcSAQICooGeBIGbYIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuHgAO3YmLGD7tcILX4HGnfIzWAfbS5IE1aOCSuFy6pklup8B/sLpAbyXPgdfEkCCPwCBoUJQE8aUHLGQ0Bh0tJV36nPwOZP2tyrETkwPo5fAd8ULxs1fgHzjowjKo8T9jRlY79C3XdnnIP3f/0Qc=
security: [IP:10.102.1.100] kerberos: Negotiate:1 Administrator@SAFESQUID.LAB authenticated
ldap: debug: set_dn:1162 ip:[10.102.1.100] user:[ADMINISTRATOR@SAFESQUID.LAB] DN:[CN=Administrator,CN=Users,DC=safesquid,DC=lab] Groups:[CN=Administrators CN=Builtin DC=safesquid DC=lab,CN=Domain Admins CN=Users DC=safesquid DC=lab,CN=Enterprise Admins CN=Users DC=safesquid DC=lab,CN=Group Policy Creator Owners CN=Users DC=safesquid DC=lab,CN=Schema Admins CN=Users DC=safesquid DC=lab,CN=Users DC=safesquid DC=lab,ADMINISTRATOR@SAFESQUID.LAB]
profiles: Access Restrictions: Added Profile: Master User
Authentication now should proceed seamlessly.

Case#3 Using custom hostname in Windows Active Directory for DNS pointing

When using multiple instances of SafeSquid to achieve high availability (HA) using DNS round robin.
You are required to configure active directories DNS entry to have a common FQDN which point to multiple instances of proxy servers using IP address.
For example: proxy.safesquid.lab 10.102.0.1 & proxy.safesquid.lab 10.102.1.12
For this to work you need to set the hostname of the proxy server as your FQDN – proxy.safesquid.lab
In case where the hostname does not match with the DNS entry in your active directory, kerbreos authentication will fails.

Code: Select all

kerberos :
#############
kerberos : KRB5_CONFIG: /usr/local/safesquid/security/krb5.conf
kerberos : KRB5_KTNAME: /usr/local/safesquid/security/HTTP.keytab
kerberos : AD_FQDN: ad.safesquid.lab
kerberos : CHECK_CONNECTIVITY: ad.safesquid.lab
ad.safesquid.lab has address 10.102.1.10
kerberos : kerberos : LDAP_USER: administrator
kerberos : AD_DOMAIN: safesquid.lab
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   ad.safesquid.lab
Address: 10.102.1.10

kerberos : MY_FQDN: slave.safesquid.lab
kerberos : CHECK_CONNECTIVITY: slave.safesquid.lab ad.safesquid.lab
Using domain server:
Name: ad.safesquid.lab
Address: 10.102.1.10#53
Aliases:

Host slave.safesquid.lab not found: 3(NXDOMAIN)
kerberos : Using domain server:
Name: ad.safesquid.lab
Address: 10.102.1.10#53
Aliases:

Host slave.safesquid.lab not found: 3(NXDOMAIN)
kerberos : Using domain server:
Name: ad.safesquid.lab
Address: 10.102.1.10#53
Aliases:

Host slave.safesquid.lab not found: 3(NXDOMAIN)
kerberos : Using domain server:
Name: ad.safesquid.lab
Address: 10.102.1.10#53
Aliases:

Host slave.safesquid.lab not found: 3(NXDOMAIN)
kerberos : kerberos : lookup: failed MY_FQDN: slave.safesquid.lab
kerberos : kinit user: _AD_USER: administrator@SAFESQUID.LAB
kerberos : kerberos : /usr/bin/kinit: successful
kerberos : kinit: successful
kerberos : Generate Keytab: calling RUN_MSKTUTIL
kerberos : /usr/local/bin/msktutil --update --verbose --base CN=COMPUTERS --service HTTP/slave.safesquid.lab --keytab /usr/local/safesquid/security/HTTP.keytab.safesquid.lab --computer-name slave --upn HTTP/slave.safesquid.lab --server ad.safesquid.lab --no-reverse-lookups --realm SAFESQUID.LAB -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 89
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-qhDbf9
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: slave$
 -- try_machine_keytab_princ: Trying to authenticate for slave$ from local keytab...
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-u9mQXO
 -- finalize_exec: Authenticated using method 1
 -- LDAPConnection: Connecting to LDAP server: ad.safesquid.lab
To resolve such issue, you are required to update hostname of your proxy server to a common FQDN.
Update your hostname.

Code: Select all

hostnamectl set-hostname <proxy FQDN>
Validate if hostname has been modified.

Code: Select all

hostname -f 
Delete krb.tkt krb5.conf http.keytab http.keytab.<domain> files from /usr/local/safesquid/security folder.
Screenshot 2022-12-26 172622.jpg
Screenshot 2022-12-26 172622.jpg (71.09 KiB) Viewed 6247 times
Update hostname from SafesSquid's web intreface -> Support -> Startup Parameters.
Slide5.jpg
Slide5.jpg (147.5 KiB) Viewed 6309 times
Now restart your proxy service.
Slide6.jpg
Slide6.jpg (144.38 KiB) Viewed 6307 times
validating from SafeSquid's native logs.

Code: Select all

less /var/log/safesquid/native/safesquid.log
Search for kerberos

Code: Select all

kerberos :
#############
kerberos : KRB5_CONFIG: /usr/local/safesquid/security/krb5.conf
kerberos : KRB5_KTNAME: /usr/local/safesquid/security/HTTP.keytab
kerberos : AD_FQDN: ad.safesquid.lab
kerberos : CHECK_CONNECTIVITY: ad.safesquid.lab
ad.safesquid.lab has address 10.102.1.10
kerberos : kerberos : LDAP_USER: administrator
kerberos : AD_DOMAIN: safesquid.lab
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   ad.safesquid.lab
Address: 10.102.1.10

kerberos : MY_FQDN: proxy.safesquid.lab
kerberos : CHECK_CONNECTIVITY: proxy.safesquid.lab ad.safesquid.lab
Using domain server:
Name: ad.safesquid.lab
Address: 10.102.1.10#53
Aliases:

proxy.safesquid.lab has address 10.102.1.12
proxy.safesquid.lab has address 10.102.0.1
kerberos : kerberos : kinit user: _AD_USER: administrator@SAFESQUID.LAB
kerberos : kerberos : /usr/bin/kinit: successful
kerberos : kinit: successful
kerberos : Generate Keytab: calling RUN_MSKTUTIL
kerberos : /usr/local/bin/msktutil --update --verbose --base CN=COMPUTERS --service HTTP/proxy.safesquid.lab --keytab /usr/local/safesquid/security/HTTP.keytab.safesquid.lab --computer-name proxy --upn HTTP/proxy.safesquid.lab --server ad.safesquid.lab --no-reverse-lookups --realm SAFESQUID.LAB -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 79
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-lbVDIv
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: proxy$
 -- try_machine_keytab_princ: Trying to authenticate for proxy$ from local keytab...
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-QH5OBO
 -- finalize_exec: Authenticated using method 1
 -- LDAPConnection: Connecting to LDAP server: ad.safesquid.lab
SASL/GSSAPI authentication started
SASL username: proxy$@SAFESQUID.LAB
Kerberos authentication will now work seamlessly.