I'm using squid configured thus: auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --target-service=rcmd --target-hostname=dwodhou-linux.ger.corp.intel.com I deliberately put errors in the --target-service and --target-hostname arguments. Surely it should have stopped working? But it seems to accept Kerberos tickets for *any* service that's in the keytab.
Correct, those options are for the client mode. We accept any service in the keytab, as in the AD model, we may have multiple names, and an administrator may add any to our KDC without notifying Samba. I get that we could use those options to implement match-by-name rather than match-by-key, and arguably that much is a bug, but absent a tested patch (which would be most welcome) I don't think we are likely to extend it in that way.