Re: [squid-users] Re: squid_kerb_auth problem

From: Umesh Bodalina <u.bodalina_at_gmail.com>
Date: Wed, 13 Jan 2010 12:10:21 +0200

Hi,
I'm new to this. I've run the following command on the server:

ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"

and get
#
# LDAPv3
# base <OU=name,DC=domain,DC=com> with scope subtree
# filter: serviceprincipalname=HTTP/fqdn@REALM
# requesting: ALL
#

# search result

# numResponses: 1

Is it possible to check directly on AD if this service principal name exists?
How else can I test if this keytab works?
If I create a new keytab what is the procedure of getting rid of the
old one and retesting (what should be done on AD and the linux box)?

Are there any docs that will help me with this?

Sorry for being a pain and thanks again.
Regards
Umesh

2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
> Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or
> search with  a filter "(serviceprincipalname=HTTP/fqdn@REALM)"  if you have
> duplicate entries ?
>
> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@REALM.KERBEROS will only
> work if the userprincipal name is HTTP/fqdn@REALM.KERBEROS which I think is
> not the case with ktpass.
>
>
> Regards
> Markus
>
>
> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0_at_mail.gmail.com...
>>
>> Hi,
>>
>> I'm trying to get the squid helper squid_kerb_auth to work against our
>> Active Directory (win 2003 sp2).
>>
>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4
>> 64 bit.
>>
>> Squid Cache: Version 2.7.STABLE7
>> configure options:  '--prefix=/usr/local/squid' '--disable-wccp'
>> '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
>> '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
>> '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>
>>
>> A keytab file was created on AD for squid
>> (HTTP/squid.domain@REALM.KERBEROS)
>>
>> ktpass -princ HTTP/fqdn@REALM -mapuser squiduser
>> -pass password -out HTTP.keytab
>>
>> Transferred the file on the CentOS server and placed it
>> in /etc/squid/HTTP.keytab
>>
>>
>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@REALM.KERBEROS
>>
>> I get the error message:
>> kinit(v5): Client not found in Kerberos database while getting initial
>> credentials
>>
>>
>> I've also tried creating the keytab file using
>> msktutil or samba according to the following doc:
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>
>> I get the same error.
>>
>> How do I sort out this problem?
>>
>> Thanks in advance.
>> Regards
>> Umesh
>>
>
>
>
Received on Wed Jan 13 2010 - 10:10:33 MST
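Added example (not part of the thread, not Squid's or MIT Kerberos' own code): a small shell script that answers the three questions above in order, using only the MIT client tools and ldapsearch that the thread already uses. It reads the principal names out of the keytab with klist -kt instead of retyping them, so a realm or file-name mismatch on the kinit command line cannot hide a good keytab; it counts objects carrying the SPN via LDAP, and it kinit's with each stored principal. The hostname squid.domain.com, realm REALM, bind DN, OU and keytab path are placeholders, and the klist and ldapsearch outputs embedded below are constructed samples so the parsing helpers can be run offline.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a Squid HTTP/ keytab against AD
# in three steps: which principals the keytab holds, whether AD has exactly one
# object carrying the SPN, and whether kinit accepts each stored principal.
# Assumed values: hostname, realm, bind DN, OU and file path are placeholders.
KEYTAB=${KEYTAB:-/etc/squid/HTTP.keytab}
DC=${DC:-dc1.domain.com}
BASE=${BASE:-OU=name,DC=domain,DC=com}
BINDDN=${BINDDN:-aduser@domain.com}
BINDPW=${BINDPW:-password}

# keytab_principals: read `klist -kt` output on stdin, print each distinct
# principal once. Entry lines start with a numeric KVNO; header lines do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# ldif_entry_count: read LDIF on stdin, print how many entries it contains.
# Only "dn:" lines count. "# numResponses: N" also counts the final
# SearchResultDone message, so N = 1 means no object matched at all.
ldif_entry_count() {
    grep -c '^dn:' || true
}

# count_spn_objects: number of AD objects whose servicePrincipalName is $1.
# AD stores the SPN without "@REALM" (ktpass puts the realm-qualified form in
# userPrincipalName instead), so pass "HTTP/squid.domain.com", not "...@REALM".
# More than one object here is the duplicate-SPN case; zero means ktpass never
# registered the SPN on the mapped account.
count_spn_objects() {
    ldapsearch -LLL -x -D "$BINDDN" -w "$BINDPW" -h "$DC" -p 389 -b "$BASE" \
        "(servicePrincipalName=$1)" 1.1 | ldif_entry_count
}

# test_keytab: kinit with every principal exactly as the keytab stores it.
# "Client not found in Kerberos database" here means no account has that
# userPrincipalName, which is an AD-side problem rather than a bad keytab file.
test_keytab() {
    klist -kt "$KEYTAB" | keytab_principals | while read -r princ; do
        if kinit -k -t "$KEYTAB" "$princ" 2>/dev/null; then
            echo "OK   $princ"
        else
            echo "FAIL $princ"
        fi
    done
    kdestroy 2>/dev/null || true   # drop the test TGT; repeat after replacing the keytab
}

# Constructed sample outputs so the parsing helpers can be exercised offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------
   3 01/13/10 12:00:00 HTTP/squid.domain.com@REALM
   3 01/13/10 12:00:00 HTTP/squid.domain.com@REALM'
SAMPLE_LDIF_NONE='# search result
search: 2
result: 0 Success

# numResponses: 1'
SAMPLE_LDIF_ONE='dn: CN=squiduser,OU=name,DC=domain,DC=com
servicePrincipalName: HTTP/squid.domain.com
userPrincipalName: HTTP/squid.domain.com@REALM

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'

if [ "${1:-}" = live ]; then
    spn=$(klist -kt "$KEYTAB" | keytab_principals | head -n 1 | sed 's/@.*//')
    echo "objects with SPN $spn: $(count_spn_objects "$spn")"
    test_keytab
else
    echo "principals in sample keytab:"
    printf '%s\n' "$SAMPLE_KLIST" | keytab_principals
    echo "entries in empty search: $(printf '%s\n' "$SAMPLE_LDIF_NONE" | ldif_entry_count)"
    echo "entries in matching search: $(printf '%s\n' "$SAMPLE_LDIF_ONE" | ldif_entry_count)"
fi
```

Run it with no arguments to see the helpers on the sample data, or with `live` on the Squid box to query AD and kinit for real. When a keytab is regenerated with ktpass the account's password and KVNO change, so the old file on the Linux side is simply overwritten, the cached TGT from earlier tests is dropped with kdestroy, and the live run is repeated before restarting Squid; the KVNO column from klist -kt shows whether the new file actually landed.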
