Re: [squid-users] Re: Re: squid_kerb_auth problem

From: Umesh Bodalina <u.bodalina@gmail.com>
Date: Thu, 14 Jan 2010 15:13:41 +0200

Hi Markus
I've checked with ADSIEDIT and found a single entry for the linux
server named proxy1.
Clicking on its properties I found the following entries for service
Principal Name:

28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com

On the linux box:

# klist -ekt /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@AD.DOMAIN.COM (ArcFour with HMAC/md5)

# kvno HTTP/proxy1.domain.com
kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@AD.DOMAIN.COM
# kvno HTTP/proxy1
kvno: Ticket expired while getting credentials for HTTP/proxy1@AD.DOMAIN.COM

Should I remove the entry on AD, rejoin the pc to AD and create the
keytab again?
Which mechanism should I use to create the keytab?
Is my DNS correct if the pc came up on AD as proxy1 should it be the
fqdn (proxy1.domain.com)?

Regards
Umesh

2010/1/13 Markus Moeller <huaraz@moeller.plus.com>:
> On AD you can use ADSIEDIT (
> http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to
> search for entries and delete,modify them.  The best instructions are
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
> Let me know what you get once you deleted the old entry.  Another check is
> to use the kvno tool which you should have when you use MIT Kerberos.
>
> #kvno HTTP/fqdn@REALM should give the same number as klist -ekt squid.keytab
> e.g.
>
> # klist -ekt /etc/squid/squid.keytab
> Keytab name: FILE:/etc/squid/squid.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>  3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@SUSE.HOME (ArcFour with HMAC/md5)
>  3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@SUSE.HOME (Triple DES cbc mode with HMAC/sha1)
>  3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@SUSE.HOME (DES cbc mode with CRC-32)
>
> #kvno HTTP/opensuse11.suse.home
> HTTP/opensuse11.suse.home@SUSE.HOME: kvno = 3
>
>
> Regards
> Markus
>
> "Umesh Bodalina" <u.bodalina@gmail.com> wrote in message
> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f@mail.gmail.com...
> Hi,
> I'm new to this. I've run the following command on the server:
>
> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b
> "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"
>
> and get
> #
> # LDAPv3
> # base <OU=name,DC=domain,DC=com> with scope subtree
> # filter: serviceprincipalname=HTTP/fqdn@REALM
> # requesting: ALL
> #
>
> # search result
>
> # numResponses: 1
>
> Is it possible to check directly on AD if this service principal name exists?
> How else can I test if this keytab works?
> If I create a new keytab what is the procedure of getting rid of the
> old one and retesting (what should be done on AD and the linux box)?
>
> Are there any docs that will help me with this?
>
> Sorry for being a pain and thanks again.
> Regards
> Umesh
>
>
>
>
> 2010/1/13 Markus Moeller <huaraz@moeller.plus.com>:
>>
>> Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or
>> search with a filter "(serviceprincipalname=HTTP/fqdn@REALM)" if you have
>> duplicate entries ?
>>
>> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@REALM.KERBEROS will only
>> work if the userprincipal name is HTTP/fqdn@REALM.KERBEROS which I think is
>> not the case with ktpass.
>>
>>
>> Regards
>> Markus
>>
>>
>> "Umesh Bodalina" <u.bodalina@gmail.com> wrote in message
>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0@mail.gmail.com...
>>>
>>> Hi,
>>>
>>> I'm trying to get the squid helper squid_kerb_auth to work against our
>>> Active Directory (win 2003 sp2).
>>>
>>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4
>>> 64 bit.
>>>
>>> Squid Cache: Version 2.7.STABLE7
>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp'
>>> '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
>>> '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
>>> '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
>>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>
>>>
>>> A keytab file was created on AD for squid
>>> (HTTP/squid.domain@REALM.KERBEROS)
>>>
>>> ktpass -princ HTTP/fqdn@REALM -mapuser squiduser
>>> -pass password -out HTTP.keytab
>>>
>>> Transferred the file on the CentOS server and placed it
>>> in /etc/squid/HTTP.keytab
>>>
>>>
>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@REALM.KERBEROS
>>>
>>> I get the error message:
>>> kinit(v5): Client not found in Kerberos database while getting initial
>>> credentials
>>>
>>>
>>> I've also tried creating the keytab file using
>>> msktutil or samba according to the following doc:
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>
>>> I get the same error.
>>>
>>> How do I sort out this problem?
>>>
>>> Thanks in advance.
>>> Regards
>>> Umesh
>>>
>>
>>
>>
>
>
>
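The check Markus describes (the KVNO in the keytab must equal the KVNO the KDC hands out for the same principal), as an added example that is not code from the thread, from Squid or from MIT Kerberos. It parses the text output of "klist -ekt" and "kvno"; the sample output embedded below is constructed from the messages above rather than captured from a real system, and the principal and keytab path are the ones Umesh used. It assumes MIT Kerberos tools and a POSIX shell with awk, grep, sort and tr.

```shell
#!/bin/sh
# Added example (not code from the thread, Squid or MIT Kerberos): the
# keytab-vs-KDC KVNO comparison Markus describes, run offline on the text
# output of "klist -ekt" and "kvno". The sample output below is constructed
# from the messages above; on a real proxy replace it with
#   KEYTAB_TXT=$(klist -ekt /etc/squid/HTTP.keytab)
#   KVNO_TXT=$(kvno HTTP/proxy1.domain.com 2>&1)
# after a fresh "kinit user@AD.DOMAIN.COM" (kvno fetches a service ticket
# with your own TGT, so "Ticket expired" is a stale TGT, not a keytab fault).

# Distinct principals in klist -ekt text: entry lines start with a numeric
# KVNO and carry the principal in field 4 (after the two timestamp fields).
keytab_principals() {
    awk 'NF >= 4 && $1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# KVNO(s) the keytab holds for one principal, one per line.
keytab_kvno() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $4 == p { print $1 }' | sort -u
}

# KVNO the KDC reports, parsed from "HTTP/host@REALM: kvno = N";
# prints nothing when kvno failed (its errors start with "kvno:").
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") && $2 == "kvno" && $3 == "=" { print $4 }'
}

# check_kvno PRINCIPAL KEYTAB_TEXT KVNO_TEXT
# One status line on stdout; returns 0 only when the KDC's KVNO is present
# in the keytab (older KVNOs left in the keytab alongside it are harmless).
check_kvno() {
    p=$1
    kt=$(printf '%s\n' "$2" | keytab_kvno "$p")
    kdc=$(printf '%s\n' "$3" | kdc_kvno "$p")
    if [ -z "$kt" ]; then
        echo "missing: $p is not in the keytab"
        return 2
    fi
    if [ -z "$kdc" ]; then
        err=$(printf '%s\n' "$3" | grep '^kvno:' | head -n 1)
        echo "kdc-error: ${err:-no kvno line for $p}"
        return 3
    fi
    if printf '%s\n' "$kt" | grep -qx "$kdc"; then
        echo "match: $p kvno=$kdc"
        return 0
    fi
    echo "mismatch: $p keytab=$(printf '%s' "$kt" | tr '\n' ',') kdc=$kdc"
    return 1
}

# Constructed sample tool output (modelled on the mails above, not captured
# from a real system). KVNO_STALE is what you see after the account's
# password was reset in AD and the KVNO moved on while the keytab did not.
KEYTAB_TXT='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@AD.DOMAIN.COM (ArcFour with HMAC/md5)'
KVNO_EXPIRED='kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@AD.DOMAIN.COM'
KVNO_STALE='HTTP/proxy1.domain.com@AD.DOMAIN.COM: kvno = 8'
KVNO_OK='HTTP/proxy1.domain.com@AD.DOMAIN.COM: kvno = 7'
P='HTTP/proxy1.domain.com@AD.DOMAIN.COM'

echo "keytab principals:"
printf '%s\n' "$KEYTAB_TXT" | keytab_principals
for result in "$KVNO_EXPIRED" "$KVNO_STALE" "$KVNO_OK"; do
    check_kvno "$P" "$KEYTAB_TXT" "$result" || :
done
# The short-name principal from Umesh's second kvno call: the keytab has
# no entry for it, which check_kvno reports before even looking at the KDC.
check_kvno 'HTTP/proxy1@AD.DOMAIN.COM' "$KEYTAB_TXT" "$KVNO_OK" || :
```

Reading the status lines: "kdc-error" with "Ticket expired" means kvno could not get a service ticket with the credential cache it found, so kinit as a user first and run it again; "mismatch" means the keytab was made before the last key change and has to be regenerated (and the old one removed) with msktutil or ktpass as in the wiki page Markus linked; "missing" means squid_kerb_auth can never decrypt a ticket for that name because the keytab simply does not contain it, so the principal in the keytab, the SPN in AD and the name the browser builds from DNS all have to be the same FQDN.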
Received on Thu Jan 14 2010 - 13:13:46 MST

This archive was generated by hypermail 2.2.0 : Fri Jan 15 2010 - 12:00:02 MST