[squid-users] Re: squid_kerb_auth problem

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 16 Jan 2010 12:09:24 -0000

Can you check your DNS? You should get for

nslookup name an IP
and for the reverse
nslookup ip the same name.

Which Kerberos libraries do you use? Heimdal or MIT, and which release?

Markus

"Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
news:c3b47c041001160337k68a1313g1863689383a15121_at_mail.gmail.com...
Hi

When I tried
./squid_kerb_auth_test proxy1
or
./squid_kerb_auth_test proxy1.domain.com
I got
2010/01/16 12:31:47| squid_kerb_auth_test: gss_init_sec_context()
failed: Unspecified GSS failure. Minor code may provide more
information. Unknown code krb5 7
Token: NULL

But I got a token if I used
./squid_kerb_auth_test domain.com
or
./squid_kerb_auth_test adserver.domain.com

Using this token and squid auth in the same directory I got

squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS
failure. Minor code may provide more information. No error
BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor
code may provide more information. No error

Using the same token on the latest compiled squid
/usr/local/squid/libexec/squid_kerb_auth -d
I got

2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/01/16 12:55:58| squid_kerb_auth: gss_accept_sec_context() failed:
Unspecified GSS failure. Minor code may provide more information. No
error
NA gss_accept_sec_context() failed: Unspecified GSS failure. Minor
code may provide more information. No error

Any ideas?
Regards
Umesh

2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
> There should be a squid_kerb_auth_test application in the same source
> directory as squid_kerb_auth.
>
> Do a kinit user@DOMAIN and then a squid_kerb_auth_test squid-fqdn which
> should give you a token like:
>
> Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>
> which you can then use with squid_kerb_auth like
>
> export KRB5_KTNAME=/path-to-squid.keytab
> ./squid_kerb_auth -d
> YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
> 2010/01/15 14:40:29| squid_kerb_auth: Got 'YR
> YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
> 2010/01/15 14:40:29| squid_kerb_auth: Decode
> 'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus@SUSE.HOME
> 2010/01/15 14:40:29| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
> markus@SUSE.HOME
>
>
> Regards
> Markus
>
> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
> news:hipnhp$hs3$1_at_ger.gmane.org...
>>
>> When you use ktpass or msktutil you have to specify a different AD object
>> than your samba object and remove the HTTP/... entries as service principal
>> from your samba AD object. If you want to have only one AD object you have
>> to use the net keytab command as described in the wiki.
>>
>>
>> Regards
>> Markus
>>
>>
>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>> news:c3b47c041001150053n290d6443q830770300636a0ca_at_mail.gmail.com...
>> Hi
>> Ok. Did that now and I got:
>>
>> kvno HTTP/proxy1.domain.com
>> HTTP/proxy1@DOMAIN.COM: kvno = 5
>>
>> This number is different from the keytab number.
>> How do I correct this?
>>
>> Yes I did use samba (net ads join -U adminuserid). Then I tried the
>> msktutil. Then finally ktpass.
>>
>> During the net ads join I got:
>>
>> # net ads join -U userid
>> userid's password:
>> Using short domain name -- DOMAIN
>> DNS update failed!
>> Joined 'PROXY1' to realm 'DOMAIN.COM'
>>
>> Is the DNS update a problem?
>>
>> Regards
>> Umesh
>>
>>
>>
>>
>>
>> 2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>
>>> Sorry I forgot to say that you have to do a kinit aduser@REALM before you
>>> issue the kvno command. Did you use the samba net join command to create
>>> the AD account and the keytab?
>>>
>>> Markus
>>>
>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd_at_mail.gmail.com...
>>> Hi Markus
>>> I've checked with ADSIEDIT and found a single entry for the linux
>>> server named proxy1.
>>> Clicking on its properties I found the following entries for service
>>> Principal Name:
>>>
>>>
>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>>>
>>>
>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
>>>
>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
>>>
>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>>>
>>> On the linux box:
>>>
>>> # klist -ekt /etc/squid/HTTP.keytab
>>> Keytab name: FILE:/etc/squid/HTTP.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>    7 01/01/70 02:00:00 HTTP/proxy1.domain.com@AD.DOMAIN.COM (ArcFour with HMAC/md5)
>>>
>>> # kvno HTTP/proxy1.domain.com
>>> kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@AD.DOMAIN.COM
>>> # kvno HTTP/proxy1
>>> kvno: Ticket expired while getting credentials for HTTP/proxy1@AD.DOMAIN.COM
>>>
>>> Should I remove the entry on AD, rejoin the pc to AD and create the
>>> keytab again?
>>> Which mechanism should I use to create the keytab?
>>> Is my DNS correct? If the pc came up on AD as proxy1, should it be the
>>> fqdn (proxy1.domain.com)?
>>>
>>> Regards
>>> Umesh
>>>
>>>
>>>
>>>
>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>
>>>> On AD you can use ADSIEDIT (
>>>> http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to
>>>> search for entries and delete or modify them. The best instructions are
>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>
>>>> Let me know what you get once you deleted the old entry. Another check is
>>>> to use the kvno tool which you should have when you use MIT Kerberos.
>>>>
>>>> #kvno HTTP/fqdn@REALM should give the same number as klist -ekt squid.keytab
>>>> e.g.
>>>>
>>>> # klist -ekt /etc/squid/squid.keytab
>>>> Keytab name: FILE:/etc/squid/squid.keytab
>>>> KVNO Timestamp         Principal
>>>> ---- ----------------- --------------------------------------------------------
>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@SUSE.HOME (ArcFour with HMAC/md5)
>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@SUSE.HOME (Triple DES cbc mode with HMAC/sha1)
>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@SUSE.HOME (DES cbc mode with CRC-32)
>>>>
>>>> #kvno HTTP/opensuse11.suse.home
>>>> HTTP/opensuse11.suse.home@SUSE.HOME: kvno = 3
>>>>
>>>>
>>>> Regards
>>>> Markus
>>>>
>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f_at_mail.gmail.com...
>>>> Hi,
>>>> I'm new to this. I've run the following command on the server:
>>>>
>>>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b
>>>> "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"
>>>>
>>>> and get
>>>> #
>>>> # LDAPv3
>>>> # base <OU=name,DC=domain,DC=com> with scope subtree
>>>> # filter: serviceprincipalname=HTTP/fqdn@REALM
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # search result
>>>>
>>>> # numResponses: 1
>>>>
>>>> Is it possible to check directly on AD if this service principal name
>>>> exists?
>>>> How else can I test if this keytab works?
>>>> If I create a new keytab what is the procedure of getting rid of the
>>>> old one and retesting (what should be done on AD and the linux box)?
>>>>
>>>> Are there any docs that will help me with this?
>>>>
>>>> Sorry for being a pain and thanks again.
>>>> Regards
>>>> Umesh
>>>>
>>>>
>>>>
>>>>
>>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>
>>>>> Can you check with an ldap query (e.g. with ldapadmin from sourceforge)
>>>>> or search with a filter "(serviceprincipalname=HTTP/fqdn@REALM)" if you
>>>>> have duplicate entries?
>>>>>
>>>>> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@REALM.KERBEROS will
>>>>> only work if the user principal name is HTTP/fqdn@REALM.KERBEROS which I
>>>>> think is not the case with ktpass.
>>>>>
>>>>>
>>>>> Regards
>>>>> Markus
>>>>>
>>>>>
>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0_at_mail.gmail.com...
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm trying to get the squid helper squid_kerb_auth to work against
>>>>>> our
>>>>>> Active Directory (win 2003 sp2).
>>>>>>
>>>>>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS
>>>>>> 5.4 64 bit.
>>>>>>
>>>>>> Squid Cache: Version 2.7.STABLE7
>>>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp'
>>>>>> '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
>>>>>> '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
>>>>>> '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
>>>>>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>>>
>>>>>>
>>>>>> A keytab file was created on AD for squid
>>>>>> (HTTP/squid.domain@REALM.KERBEROS)
>>>>>>
>>>>>> ktpass -princ HTTP/fqdn@REALM -mapuser squiduser
>>>>>> -pass password -out HTTP.keytab
>>>>>>
>>>>>> Transferred the file to the CentOS server and placed it
>>>>>> in /etc/squid/HTTP.keytab
>>>>>>
>>>>>>
>>>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@REALM.KERBEROS
>>>>>>
>>>>>> I get the error message:
>>>>>> kinit(v5): Client not found in Kerberos database while getting initial
>>>>>> credentials
>>>>>>
>>>>>>
>>>>>> I've also tried creating the keytab file using
>>>>>> msktutil or samba according to the following doc:
>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>
>>>>>> I get the same error.
>>>>>>
>>>>>> How do I sort out this problem?
>>>>>>
>>>>>> Thanks in advance.
>>>>>> Regards
>>>>>> Umesh
>>>>>>
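Markus's check that the KVNO in the keytab equals the KVNO the KDC reports, scripted over the outputs posted in this thread. This is an added example, not code from the thread or from the Squid project; the klist and kvno outputs are constructed samples copied from the messages above, and in real use they would come from `klist -ekt /etc/squid/HTTP.keytab` and `kvno HTTP/proxy1.domain.com`. It also distinguishes a stale keytab (same principal, other KVNO) from a principal that is absent altogether (name or realm differs, as with DOMAIN.COM versus AD.DOMAIN.COM above).

```shell
#!/bin/sh
# Added example: check that the KVNO and principal in the squid keytab match
# what the KDC reports, the test Markus describes in this thread.
# Constructed samples taken from the thread; replace with live output of
#   klist -ekt /etc/squid/HTTP.keytab    and    kvno HTTP/proxy1.domain.com
KLIST_OUT='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@AD.DOMAIN.COM (ArcFour with HMAC/md5)'
KVNO_OUT='HTTP/proxy1@DOMAIN.COM: kvno = 5'

# keytab_kvnos <principal>: distinct KVNOs the keytab holds for that exact
# principal (klist -ekt columns: KVNO, date, time, principal, enctype)
keytab_kvnos() {
    printf '%s\n' "$KLIST_OUT" | awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $4 == p { seen[$1] = 1 }
        END { for (k in seen) print k }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# kdc_principal / kdc_kvno: what kvno(1) printed for the service principal
kdc_principal() { printf '%s\n' "$KVNO_OUT" | sed -n 's/^\(.*\): kvno = .*/\1/p'; }
kdc_kvno()      { printf '%s\n' "$KVNO_OUT" | sed -n 's/.*: kvno = \([0-9]*\).*/\1/p'; }

# check_keytab: 0 = KVNO matches; 1 = principal present but KVNO differs
# (keytab is stale, regenerate it); 2 = principal not in the keytab at all
# (name or realm differs, as in the thread: DOMAIN.COM vs AD.DOMAIN.COM)
check_keytab() {
    prin=$(kdc_principal); kdc=$(kdc_kvno); kt=$(keytab_kvnos "$prin")
    [ -n "$kt" ] || return 2
    for k in $kt; do [ "$k" = "$kdc" ] && return 0; done
    return 1
}

check_keytab; rc=$?
case $rc in
    0) echo "OK: $(kdc_principal) kvno $(kdc_kvno) matches the keytab" ;;
    1) echo "STALE: keytab has KVNO $(keytab_kvnos "$(kdc_principal)"), KDC reports $(kdc_kvno)" ;;
    2) echo "MISSING: $(kdc_principal) not in keytab; check SPN and realm spelling" ;;
esac
```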
Received on Sat Jan 16 2010 - 12:10:29 MST
