[squid-users] Re: Re: Re: Re: squid_kerb_auth problem

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 15 Jan 2010 12:36:50 -0000

When you use ktpass or msktutil you have to specify a different AD object
than your samba object and remove the HTTP/... entries as service principal
from your samba AD object. If you want to have only one AD object you have
to use the net keytab command as described in the wiki.

Regards
Markus

"Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
news:c3b47c041001150053n290d6443q830770300636a0ca_at_mail.gmail.com...
Hi
Ok. Did that now and I got:

kvno HTTP/proxy1.domain.com
HTTP/proxy1@DOMAIN.COM: kvno = 5

This number is different from the keytab number.
How do I correct this?

Yes I did use samba (net ads join -U adminuserid). Then I tried the
msktutil. Then finally ktpass.

During the net ads join I got:

# net ads join -U userid
userid's password:
Using short domain name -- DOMAIN
DNS update failed!
Joined 'PROXY1' to realm 'DOMAIN.COM'

Is the DNS update a problem?

Regards
Umesh

2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
> Sorry I forgot to say that you have to do a kinit aduser@REALM before you
> issue the kvno command. Did you use the samba net join command to create
> the AD account and the keytab ?
>
> Markus
>
> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd_at_mail.gmail.com...
> Hi Markus
> I've checked with ADSIEDIT and found a single entry for the linux
> server named proxy1.
> Clicking on it's properties I found the following entries for service
> Principal Name:
>
> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>
> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>
> On the linux box:
>
> # klist -ekt /etc/squid/HTTP.keytab
> Keytab name: FILE:/etc/squid/HTTP.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    7 01/01/70 02:00:00 HTTP/proxy1.domain.com@AD.DOMAIN.COM (ArcFour with HMAC/md5)
>
> # kvno HTTP/proxy1.domain.com
> kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@AD.DOMAIN.COM
> # kvno HTTP/proxy1
> kvno: Ticket expired while getting credentials for HTTP/proxy1@AD.DOMAIN.COM
>
> Should I remove the entry on AD, rejoin the pc to AD and create the
> keytab again?
> Which mechanism should I use to create the keytab?
> Is my DNS correct if the pc came up on AD as proxy1 should it be the
> fqdn (proxy1.domain.com)?
>
> Regards
> Umesh
>
>
>
>
> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>
>> On AD you can use ADSIEDIT (
>> http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to
>> search for entries and delete,modify them. The best instructions are
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>
>> Let me know what you get once you deleted the old entry. Another check is
>> to use the kvno tool which you should have when you use MIT Kerberos.
>>
>> #kvno HTTP/fqdn@REALM should give the same number as klist -ekt squid.keytab
>> e.g.
>>
>> # klist -ekt /etc/squid/squid.keytab
>> Keytab name: FILE:/etc/squid/squid.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@SUSE.HOME (ArcFour with HMAC/md5)
>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@SUSE.HOME (Triple DES cbc mode with HMAC/sha1)
>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@SUSE.HOME (DES cbc mode with CRC-32)
>>
>> #kvno HTTP/opensuse11.suse.home
>> HTTP/opensuse11.suse.home@SUSE.HOME: kvno = 3
>>
>>
>> Regards
>> Markus
>>
>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f_at_mail.gmail.com...
>> Hi,
>> I'm new to this. I've run the following command on the server:
>>
>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b
>> "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"
>>
>> and get
>> #
>> # LDAPv3
>> # base <OU=name,DC=domain,DC=com> with scope subtree
>> # filter: serviceprincipalname=HTTP/fqdn@REALM
>> # requesting: ALL
>> #
>>
>> # search result
>>
>> # numResponses: 1
>>
>> Is it possible to check directly on AD if this service principal name
>> exists?
>> How else can I test if this keytab works?
>> If I create a new keytab what is the procedure of getting rid of the
>> old one and retesting (what should be done on AD and the linux box)?
>>
>> Are there any docs that will help me with this?
>>
>> Sorry for being a pain and thanks again.
>> Regards
>> Umesh
>>
>>
>>
>>
>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>
>>> Can you check with an ldap query (e.g. with ldapadmin from sourceforge)
>>> or search with a filter "(serviceprincipalname=HTTP/fqdn@REALM)" if you
>>> have duplicate entries ?
>>>
>>> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@REALM.KERBEROS will
>>> only work if the userprincipal name is HTTP/fqdn@REALM.KERBEROS which I
>>> think is not the case with ktpass.
>>>
>>>
>>> Regards
>>> Markus
>>>
>>>
>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0_at_mail.gmail.com...
>>>>
>>>> Hi,
>>>>
>>>> I'm trying to get the squid helper squid_kerb_auth to work against our
>>>> Active Directory (win 2003 sp2).
>>>>
>>>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4
>>>> 64 bit.
>>>>
>>>> Squid Cache: Version 2.7.STABLE7
>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp'
>>>> '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
>>>> '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
>>>> '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
>>>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>
>>>>
>>>> A keytab file was created on AD for squid
>>>> (HTTP/squid.domain@REALM.KERBEROS)
>>>>
>>>> ktpass -princ HTTP/fqdn@REALM -mapuser squiduser
>>>> -pass password -out HTTP.keytab
>>>>
>>>> Transferred the file on the CentOS server and placed it
>>>> in /etc/squid/HTTP.keytab
>>>>
>>>>
>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@REALM.KERBEROS
>>>>
>>>> I get the error message:
>>>> kinit(v5): Client not found in Kerberos database while getting initial
>>>> credentials
>>>>
>>>>
>>>> I've also tried creating the keytab file using
>>>> msktutil or samba according to the following doc:
>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>
>>>> I get the same error.
>>>>
>>>> How do I sort out this problem?
>>>>
>>>> Thanks in advance.
>>>> Regards
>>>> Umesh
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
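Added example, not code from the thread, from Squid or from Samba: a small POSIX shell script that mechanises the two checks Markus describes above, comparing the KVNO in the keytab (klist -ekt) with the KVNO the KDC hands out (kvno), and counting how many AD objects own a given SPN in ldapsearch LDIF output. It runs on constructed sample output that mirrors the thread, so it executes offline; the hostname proxy1.domain.com, the realm DOMAIN.COM, the DNs and the squiduser account are assumed values. The SPN search assumes the filter (servicePrincipalName=HTTP/proxy1.domain.com), without an @REALM suffix, because AD stores SPNs without a realm; that is why the @REALM filter earlier in the thread returned a search result but no entries.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid. Two checks from the
# discussion, done on captured command output so the script runs offline:
#  1. kvno_matches: does the KVNO in the keytab (klist -ekt) equal the KVNO the
#     KDC hands out (kvno)?  On a live box: kinit aduser@DOMAIN.COM first, then
#       kvno_matches "$(klist -ekt /etc/squid/HTTP.keytab)" "$(kvno HTTP/proxy1.domain.com)"
#  2. spn_owner_count: how many AD objects carry the SPN in an ldapsearch LDIF?
#     More than one (e.g. a samba computer object plus a ktpass -mapuser account)
#     means a duplicate SPN, and the KDC will not issue tickets for it reliably.
# Hostnames, realm, DNs and account names below are assumed sample values.

# Print "kvno principal" for every key entry in klist -ekt output, one line per
# distinct pair (the enctype suffix is dropped, so multi-enctype keytabs collapse).
keytab_kvnos() {
    awk '$1 ~ /^[0-9]+$/ && index($4, "/") { print $1, $4 }' | sort -u
}

# Turn "principal: kvno = N" lines from kvno(1) into "N principal".
# Error lines such as "kvno: Ticket expired while getting credentials ..." have
# no ": kvno = " field and so print nothing.
kdc_kvno() {
    awk -F': kvno = ' 'NF == 2 { print $2, $1 }'
}

# kvno_matches KLIST_OUTPUT KVNO_OUTPUT
# Exit 0 when the KDC's KVNO for the principal is present in the keytab,
# 1 on a mismatch (a stale keytab or a re-created AD object), 2 when kvno(1)
# returned no number (typically no TGT in the cache: run kinit first).
kvno_matches() {
    kt=$(printf '%s\n' "$1" | keytab_kvnos)
    kdc=$(printf '%s\n' "$2" | kdc_kvno | head -n 1)
    if [ -z "$kdc" ]; then
        echo "kvno reported no KVNO (no TGT? run kinit aduser@REALM first)"
        return 2
    fi
    set -- $kdc                       # $1 = KVNO from the KDC, $2 = principal
    if printf '%s\n' "$kt" | grep -qxF "$1 $2"; then
        echo "OK: $2 has kvno $1 in the keytab and on the KDC"
        return 0
    fi
    echo "MISMATCH: KDC reports kvno $1 for $2; keytab holds:"
    printf '%s\n' "$kt"
    return 1
}

# spn_owners SPN LDIF: print the DN of every object whose servicePrincipalName
# equals SPN (AD matches SPNs case-insensitively and stores them without @REALM).
spn_owners() {
    printf '%s\n' "$2" | awk -v spn="$1" '
        /^dn: / { dn = substr($0, 5) }
        /^servicePrincipalName: / && tolower(substr($0, 23)) == tolower(spn) { print dn }'
}

# Number of AD objects that own SPN; anything other than 1 is a problem.
spn_owner_count() {
    spn_owners "$1" "$2" | awk 'END { print NR }'
}

# --- constructed sample output mirroring the thread (not real captures) ---
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@DOMAIN.COM (ArcFour with HMAC/md5)
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)'
SAMPLE_KVNO_OK='HTTP/proxy1.domain.com@DOMAIN.COM: kvno = 7'
SAMPLE_KVNO_STALE='HTTP/proxy1.domain.com@DOMAIN.COM: kvno = 5'
SAMPLE_KVNO_NOTGT='kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@DOMAIN.COM'
# The SPN appears on both the samba computer object and a ktpass -mapuser account.
SAMPLE_LDIF='dn: CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM
servicePrincipalName: HOST/PROXY1
servicePrincipalName: HOST/proxy1.domain.com
servicePrincipalName: HTTP/proxy1
servicePrincipalName: HTTP/proxy1.domain.com

dn: CN=squiduser,OU=ServiceAccounts,DC=DOMAIN,DC=COM
servicePrincipalName: HTTP/proxy1.domain.com'

kvno_matches "$SAMPLE_KLIST" "$SAMPLE_KVNO_OK" || :
kvno_matches "$SAMPLE_KLIST" "$SAMPLE_KVNO_STALE" || :
kvno_matches "$SAMPLE_KLIST" "$SAMPLE_KVNO_NOTGT" || :
echo "objects owning HTTP/proxy1.domain.com: $(spn_owner_count HTTP/proxy1.domain.com "$SAMPLE_LDIF")"
spn_owners HTTP/proxy1.domain.com "$SAMPLE_LDIF"
```

On a real proxy, replace the sample strings with live output taken after kinit as an AD user; exit status 2 is the "Ticket expired" situation from the thread (no usable TGT, so kvno never reaches the KDC), exit status 1 is the "kvno = 5 versus keytab 7" situation, and an owner count above 1 is the duplicate-SPN case that ktpass -mapuser on a second object creates next to the samba computer object.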
Received on Fri Jan 15 2010 - 12:37:42 MST

This archive was generated by hypermail 2.2.0 : Fri Jan 15 2010 - 12:00:03 MST