[squid-users] Re: Re: Re: Re: squid_kerb_auth problem

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 15 Jan 2010 14:41:05 -0000

There should be a squid_kerb_auth_test application in the same source
directory as squid_kerb_auth.

Do a kinit user_at_DOMAIN and then a squid_kerb_auth_test squid-fqdn which
should give you a token like:

Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......

which you can then use with squid_kerb_auth like

export KRB5_KTNAME=/path-to-squid.keytab
./squid_kerb_auth -d
YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
2010/01/15 14:40:29| squid_kerb_auth: Got 'YR
YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
2010/01/15 14:40:29| squid_kerb_auth: Decode
'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus_at_SUSE.HOME
2010/01/15 14:40:29| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
markus_at_SUSE.HOME

Regards
Markus

"Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
news:hipnhp$hs3$1_at_ger.gmane.org...
> When you use ktpass or msktutil you have to specify a different AD object
> than your samba object and remove the HTTP/... entries as service
> principal from your samba AD object. If you want to have only one AD
> object you have to use the net keytab command as described in the wiki.
>
>
> Regards
> Markus
>
>
> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
> news:c3b47c041001150053n290d6443q830770300636a0ca_at_mail.gmail.com...
> Hi
> Ok. Did that now and I got:
>
> kvno HTTP/proxy1.domain.com
> HTTP/proxy1_at_DOMAIN.COM: kvno = 5
>
> This number is different from the keytab number.
> How do I correct this?
>
> Yes I did use samba (net ads join -U adminuserid). Then I tried the
> msktutil. Then finally ktpass.
>
> During the net ads join I got:
>
> # net ads join -U userid
> userid's password:
> Using short domain name -- DOMAIN
> DNS update failed!
> Joined 'PROXY1' to realm 'DOMAIN.COM'
>
> Is the DNS update a problem?
>
> Regards
> Umesh
>
>
>
>
>
> 2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
>> Sorry I forgot to say that you have to do a kinit aduser_at_REALM before you
>> issue the kvno command. Did you use the samba net join command to create
>> the AD account and the keytab ?
>>
>> Markus
>>
>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd_at_mail.gmail.com...
>> Hi Markus
>> I've checked with ADSIEDIT and found a single entry for the linux
>> server named proxy1.
>> Clicking on its properties I found the following entries for service
>> Principal Name:
>>
>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>>
>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>>
>> On the linux box:
>>
>> # klist -ekt /etc/squid/HTTP.keytab
>> Keytab name: FILE:/etc/squid/HTTP.keytab
>> KVNO Timestamp Principal
>> ---- -----------------
>> --------------------------------------------------------
>> 7 01/01/70 02:00:00 HTTP/proxy1.domain.com_at_AD.DOMAIN.COM (ArcFour
>> with HMAC/md5)
>>
>> # kvno HTTP/proxy1.domain.com
>> kvno: Ticket expired while getting credentials for
>> HTTP/proxy1.domain.com_at_AD.DOMAIN.COM
>> # kvno HTTP/proxy1
>> kvno: Ticket expired while getting credentials for
>> HTTP/proxy1_at_AD.DOMAIN.COM
>>
>> Should I remove the entry on AD, rejoin the pc to AD and create the
>> keytab again?
>> Which mechanism should I use to create the keytab?
>> Is my DNS correct if the pc came up on AD as proxy1 should it be the
>> fqdn (proxy1.domain.com)?
>>
>> Regards
>> Umesh
>>
>>
>>
>>
>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>
>>> On AD you can use ADSIEDIT (
>>> http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to
>>> search for entries and delete,modify them. The best instructions are
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>
>>> Let me know what you get once you deleted the old entry. Another check
>>> is
>>> to use the kvno tool which you should have when you use MIT Kerberos.
>>>
>>> #kvno HTTP/fqdn_at_REALM should give the same number as klist -ekt
>>> squid.keytab
>>> e.g.
>>>
>>> # klist -ekt /etc/squid/squid.keytab
>>> Keytab name: FILE:/etc/squid/squid.keytab
>>> KVNO Timestamp Principal
>>> ---- -----------------
>>> --------------------------------------------------------
>>> 3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (ArcFour with
>>> HMAC/md5)
>>> 3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (Triple DES cbc
>>> mode with HMAC/sha1)
>>> 3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (DES cbc mode
>>> with
>>> CRC-32)
>>>
>>> #kvno HTTP/opensuse11.suse.home
>>> HTTP/opensuse11.suse.home_at_SUSE.HOME: kvno = 3
>>>
>>>
>>> Regards
>>> Markus
>>>
>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f_at_mail.gmail.com...
>>> Hi,
>>> I'm new to this. I've run the following command on the server:
>>>
>>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b
>>> "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn_at_REALM"
>>>
>>> and get
>>> #
>>> # LDAPv3
>>> # base <OU=name,DC=domain,DC=com> with scope subtree
>>> # filter: serviceprincipalname=HTTP/fqdn_at_REALM
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>>
>>> # numResponses: 1
>>>
>>> Is it possible to check directly on AD if this service principal name
>>> exists?
>>> How else can I test if this keytab works?
>>> If I create a new keytab what is the procedure of getting rid of the
>>> old one and retesting (what should be done on AD and the linux box)?
>>>
>>> Are there any docs that will help me with this?
>>>
>>> Sorry for being a pain and thanks again.
>>> Regards
>>> Umesh
>>>
>>>
>>>
>>>
>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>
>>>> Can you check with an ldap query (e.g. with ldapadmin from sourceforge)
>>>> or
>>>> search with a filter "(serviceprincipalname=HTTP/fqdn_at_REALM)" if you
>>>> have
>>>> duplicate entries ?
>>>>
>>>> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn_at_REALM.KERBEROS will
>>>> only
>>>> work if the userprincipal name is HTTP/fqdn_at_REALM.KERBEROS which I
>>>> think
>>>> is
>>>> not the case with ktpass.
>>>>
>>>>
>>>> Regards
>>>> Markus
>>>>
>>>>
>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0_at_mail.gmail.com...
>>>>>
>>>>> Hi,
>>>>>
>>>>> I'm trying to get the squid helper squid_kerb_auth to work against our
>>>>> Active Directory (win 2003 sp2).
>>>>>
>>>>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS
>>>>> 5.4
>>>>> 64 bit.
>>>>>
>>>>> Squid Cache: Version 2.7.STABLE7
>>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp'
>>>>> '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
>>>>> '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
>>>>> '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
>>>>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>>
>>>>>
>>>>> A keytab file was created on AD for squid
>>>>> (HTTP/squid.domain_at_REALM.KERBEROS)
>>>>>
>>>>> ktpass -princ HTTP/fqdn_at_REALM -mapuser squiduser
>>>>> -pass password -out HTTP.keytab
>>>>>
>>>>> Transferred the file on the CentOS server and placed it
>>>>> in /etc/squid/HTTP.keytab
>>>>>
>>>>>
>>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn_at_REALM.KERBEROS
>>>>>
>>>>> I get the error message:
>>>>> kinit(v5): Client not found in Kerberos database while getting initial
>>>>> credentials
>>>>>
>>>>>
>>>>> I've also tried creating the keytab file using
>>>>> msktutil or samba according to the following doc:
>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>
>>>>> I get the same error.
>>>>>
>>>>> How do I sort out this problem?
>>>>>
>>>>> Thanks in advance.
>>>>> Regards
>>>>> Umesh
>>>>>
>
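A script for the kvno-versus-keytab comparison Markus recommends above (kinit, then check that `kvno HTTP/fqdn@REALM` reports the same number as `klist -ekt` shows for the keytab), written here as an added example and not taken from the thread or from squid: it parses the two tools' output and reports whether the KDC's kvno is present in the keytab. The listing and kvno output are constructed samples modelled on Umesh's (with `@` where the archive prints `_at_`), covering both the 7-versus-5 mismatch and the `Ticket expired` failure seen in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or squid): compare the KVNO stored in a
# keytab with the kvno the KDC hands out, by parsing the two tools' output.
# Both samples below are CONSTRUCTED, modelled on the thread's listings
# ("@" where the archive prints "_at_"); in practice feed in the output of
#   klist -ekt "$KEYTAB"   and   kvno "$PRINC"   (after a kinit).

KEYTAB_LISTING='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@AD.DOMAIN.COM (ArcFour with HMAC/md5)
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@AD.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)'

KDC_ANSWER='HTTP/proxy1.domain.com@AD.DOMAIN.COM: kvno = 5'

# keytab_kvnos LISTING PRINCIPAL: print each distinct KVNO the keytab holds for PRINCIPAL.
# klist -ekt rows are "KVNO date time principal (enctype)", so the principal is field 4.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { print $1 }' | sort -u
}

# kdc_kvno KVNO_OUTPUT: print the number after "kvno = "; prints nothing when the
# tool failed instead (e.g. "kvno: Ticket expired while getting credentials for ...").
kdc_kvno() {
    printf '%s\n' "$1" | awk -F'kvno = ' 'NF == 2 { print $2 }'
}

# kvno_matches LISTING KVNO_OUTPUT PRINCIPAL: 0 if the KDC's kvno is in the keytab, else 1.
kvno_matches() {
    kdc=$(kdc_kvno "$2")
    [ -n "$kdc" ] || return 1          # kvno itself failed: nothing to compare against
    for k in $(keytab_kvnos "$1" "$3"); do
        if [ "$k" = "$kdc" ]; then return 0; fi
    done
    return 1
}

# Stand-alone run over the constructed samples (reports the 7-vs-5 mismatch from the thread).
PRINC='HTTP/proxy1.domain.com@AD.DOMAIN.COM'
if kvno_matches "$KEYTAB_LISTING" "$KDC_ANSWER" "$PRINC"; then
    echo "OK: keytab holds the KDC's kvno $(kdc_kvno "$KDC_ANSWER") for $PRINC"
else
    echo "MISMATCH: keytab KVNO(s) [$(keytab_kvnos "$KEYTAB_LISTING" "$PRINC" | tr '\n' ' ')] vs KDC kvno [$(kdc_kvno "$KDC_ANSWER")]; re-create the keytab"
fi
```

A mismatch means the KDC has re-keyed the account since the keytab was exported (each ktpass/msktutil/net run bumps the version), so the fix is a fresh keytab from the current account, not editing the number.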
Received on Fri Jan 15 2010 - 14:42:01 MST

This archive was generated by hypermail 2.2.0 : Sat Jan 16 2010 - 12:00:03 MST