Re: [squid-users] Re: Re: Re: squid_kerb_auth problem

From: Umesh Bodalina <u.bodalina_at_gmail.com>
Date: Fri, 15 Jan 2010 10:53:01 +0200

Hi
Ok. Did that now and I got:

kvno HTTP/proxy1.domain.com
HTTP/proxy1@DOMAIN.COM: kvno = 5

This number is different from the keytab number.
How do I correct this?

Yes I did use samba (net ads join -U adminuserid). Then I tried the
msktutil. Then finally ktpass.

During the net ads join I got:

# net ads join -U userid
userid's password:
Using short domain name -- DOMAIN
DNS update failed!
Joined 'PROXY1' to realm 'DOMAIN.COM'

Is the DNS update a problem?

Regards
Umesh

2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
> Sorry I forgot to say that you have to do a kinit aduser@REALM before you
> issue the kvno command. Did you use the samba netjoin command to create
> the AD account and the keytab?
>
> Markus
>
> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd_at_mail.gmail.com...
> Hi Markus
> I've checked with ADSIEDIT and found a single entry for the linux
> server named proxy1.
> Clicking on its properties I found the following entries for service
> Principal Name:
>
> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>
> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>
> On the linux box:
>
> # klist -ekt /etc/squid/HTTP.keytab
> Keytab name: FILE:/etc/squid/HTTP.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    7 01/01/70 02:00:00 HTTP/proxy1.domain.com@AD.DOMAIN.COM (ArcFour with HMAC/md5)
>
> # kvno HTTP/proxy1.domain.com
> kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@AD.DOMAIN.COM
> # kvno HTTP/proxy1
> kvno: Ticket expired while getting credentials for HTTP/proxy1@AD.DOMAIN.COM
>
> Should I remove the entry on AD, rejoin the pc to AD and create the
> keytab again?
> Which mechanism should I use to create the keytab?
> Is my DNS correct if the pc came up on AD as proxy1 should it be the
> fqdn (proxy1.domain.com)?
>
> Regards
> Umesh
>
>
>
>
> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>
>> On AD you can use ADSIEDIT (
>> http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to
>> search for entries and delete,modify them. The best instructions are
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>
>> Let me know what you get once you deleted the old entry. Another check is
>> to use the kvno tool which you should have when you use MIT Kerberos.
>>
>> #kvno HTTP/fqdn@REALM should give the same number as klist -ekt squid.keytab
>> e.g.
>>
>> # klist -ekt /etc/squid/squid.keytab
>> Keytab name: FILE:/etc/squid/squid.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@SUSE.HOME (ArcFour with HMAC/md5)
>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@SUSE.HOME (Triple DES cbc mode with HMAC/sha1)
>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@SUSE.HOME (DES cbc mode with CRC-32)
>>
>> #kvno HTTP/opensuse11.suse.home
>> HTTP/opensuse11.suse.home@SUSE.HOME: kvno = 3
>>
>>
>> Regards
>> Markus
>>
>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f_at_mail.gmail.com...
>> Hi,
>> I'm new to this. I've run the following command on the server:
>>
>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"
>>
>> and get
>> #
>> # LDAPv3
>> # base <OU=name,DC=domain,DC=com> with scope subtree
>> # filter: serviceprincipalname=HTTP/fqdn@REALM
>> # requesting: ALL
>> #
>>
>> # search result
>>
>> # numResponses: 1
>>
>> Is it possible to check directly on AD if this service principal name
>> exists?
>> How else can I test if this keytab works?
>> If I create a new keytab what is the procedure of getting rid of the
>> old one and retesting (what should be done on AD and the linux box)?
>>
>> Are there any docs that will help me with this?
>>
>> Sorry for being a pain and thanks again.
>> Regards
>> Umesh
>>
>>
>>
>>
>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>
>>> Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or
>>> search with a filter "(serviceprincipalname=HTTP/fqdn@REALM)" if you have
>>> duplicate entries?
>>>
>>> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@REALM.KERBEROS will only
>>> work if the userprincipal name is HTTP/fqdn@REALM.KERBEROS which I think is
>>> not the case with ktpass.
>>>
>>>
>>> Regards
>>> Markus
>>>
>>>
>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0_at_mail.gmail.com...
>>>>
>>>> Hi,
>>>>
>>>> I'm trying to get the squid helper squid_kerb_auth to work against our
>>>> Active Directory (win 2003 sp2).
>>>>
>>>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4
>>>> 64 bit.
>>>>
>>>> Squid Cache: Version 2.7.STABLE7
>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp'
>>>> '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
>>>> '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
>>>> '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
>>>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>
>>>>
>>>> A keytab file was created on AD for squid
>>>> (HTTP/squid.domain@REALM.KERBEROS)
>>>>
>>>> ktpass -princ HTTP/fqdn@REALM -mapuser squiduser -pass password -out HTTP.keytab
>>>>
>>>> Transferred the file on the CentOS server and placed it
>>>> in /etc/squid/HTTP.keytab
>>>>
>>>>
>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@REALM.KERBEROS
>>>>
>>>> I get the error message:
>>>> kinit(v5): Client not found in Kerberos database while getting initial
>>>> credentials
>>>>
>>>>
>>>> I've also tried creating the keytab file using
>>>> msktutil or samba according to the following doc:
>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>
>>>> I get the same error.
>>>>
>>>> How do I sort out this problem?
>>>>
>>>> Thanks in advance.
>>>> Regards
>>>> Umesh
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
Received on Fri Jan 15 2010 - 08:53:12 MST
