Re: [squid-users] Re: squid_kerb_auth problem

From: Umesh Bodalina <u.bodalina_at_gmail.com>
Date: Sat, 16 Jan 2010 14:52:56 +0200

Hi
Using squid_kerb_auth-1.0.5 for the testing.
For the /usr/local/squid/libexec/squid_kerb_auth
I used the compiled version from squid-2.7.STABLE7.
Regards
Umesh

2010/1/16 Markus Moeller <huaraz_at_moeller.plus.com>:
> BTW, which squid_kerb_auth version do you use?
>
> Markus
>
> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
> news:c3b47c041001160337k68a1313g1863689383a15121_at_mail.gmail.com...
> Hi
>
> When I tried
> ./squid_kerb_auth_test proxy1
> or
> ./squid_kerb_auth_test proxy1.domain.com
> I got
> 2010/01/16 12:31:47| squid_kerb_auth_test: gss_init_sec_context()
> failed: Unspecified GSS failure.  Minor code may provide more
> information. Unknown code krb5 7
> Token: NULL
>
> But I got a token if I used
> ./squid_kerb_auth_test domain.com
> or
> ./squid_kerb_auth_test adserver.domain.com
>
> Using this token and squid auth in the same directory I got
>
> squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS
> failure.  Minor code may provide more information. No error
> BH gss_accept_sec_context() failed: Unspecified GSS failure.  Minor
> code may provide more information. No error
>
> Using the same token on the latest compiled squid
> /usr/local/squid/libexec/squid_kerb_auth -d
> I got
>
> 2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit failed with rc=102
> 2010/01/16 12:55:58| squid_kerb_auth: gss_accept_sec_context() failed:
> Unspecified GSS failure.  Minor code may provide more information. No
> error
> NA gss_accept_sec_context() failed: Unspecified GSS failure.  Minor
> code may provide more information. No error
>
> Any ideas?
> Regards
> Umesh
>
>
>
> 2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
>>
>> There should be a squid_kerb_auth_test application in the same source
>> directory as squid_kerb_auth.
>>
>> Do a kinit user_at_DOMAIN and then a squid_kerb_auth_test squid-fqdn which
>> should give you a token like:
>>
>> Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>
>> which you can then use with squid_kerb_auth like
>>
>> export KRB5_KTNAME=/path-to-squid.keytab.
>> ./squid_kerb_auth -d
>> YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>> 2010/01/15 14:40:29| squid_kerb_auth: Got 'YR
>> YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
>> 2010/01/15 14:40:29| squid_kerb_auth: Decode
>> 'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus_at_SUSE.HOME
>> 2010/01/15 14:40:29| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
>> markus_at_SUSE.HOME
>>
>>
>> Regards
>> Markus
>>
>> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
>> news:hipnhp$hs3$1_at_ger.gmane.org...
>>>
>>> When you use ktpass or msktutil you have to specify a different AD object
>>> than your samba object and remove the HTTP/... entries as service
>>> principal from your samba AD object. If you want to have only one AD
>>> object you have to use the net keytab command as described in the wiki.
>>>
>>>
>>> Regards
>>> Markus
>>>
>>>
>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>> news:c3b47c041001150053n290d6443q830770300636a0ca_at_mail.gmail.com...
>>> Hi
>>> Ok. Did that now and I got:
>>>
>>> kvno HTTP/proxy1.domain.com
>>> HTTP/proxy1_at_DOMAIN.COM: kvno = 5
>>>
>>> This number is different from the keytab number.
>>> How do I correct this?
>>>
>>> Yes I did use samba (net ads join -U adminuserid). Then I tried the
>>> msktutil. Then finally ktpass.
>>>
>>> During the net ads join I got:
>>>
>>> # net ads join -U userid
>>> userid's password:
>>> Using short domain name -- DOMAIN
>>> DNS update failed!
>>> Joined 'PROXY1' to realm 'DOMAIN.COM'
>>>
>>> Is the DNS update a problem?
>>>
>>> Regards
>>> Umesh
>>>
>>>
>>>
>>>
>>>
>>> 2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>
>>>> Sorry, I forgot to say that you have to do a kinit aduser_at_REALM before
>>>> you issue the kvno command. Did you use the samba netjoin command to
>>>> create the AD account and the keytab?
>>>>
>>>> Markus
>>>>
>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd_at_mail.gmail.com...
>>>> Hi Markus
>>>> I've checked with ADSIEDIT and found a single entry for the linux
>>>> server named proxy1.
>>>> Clicking on its properties I found the following entries for service
>>>> Principal Name:
>>>>
>>>>
>>>>
>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>>>>
>>>>
>>>>
>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
>>>>
>>>>
>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
>>>>
>>>>
>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>>>>
>>>> On the linux box:
>>>>
>>>> # klist -ekt /etc/squid/HTTP.keytab
>>>> Keytab name: FILE:/etc/squid/HTTP.keytab
>>>> KVNO Timestamp         Principal
>>>> ---- ----------------- --------------------------------------------------------
>>>>    7 01/01/70 02:00:00 HTTP/proxy1.domain.com_at_AD.DOMAIN.COM (ArcFour with HMAC/md5)
>>>>
>>>> # kvno HTTP/proxy1.domain.com
>>>> kvno: Ticket expired while getting credentials for
>>>> HTTP/proxy1.domain.com_at_AD.DOMAIN.COM
>>>> # kvno HTTP/proxy1
>>>> kvno: Ticket expired while getting credentials for
>>>> HTTP/proxy1_at_AD.DOMAIN.COM
>>>>
>>>> Should I remove the entry on AD, rejoin the pc to AD and create the
>>>> keytab again?
>>>> Which mechanism should I use to create the keytab?
>>>> Is my DNS correct? If the PC came up on AD as proxy1, should it be the
>>>> fqdn (proxy1.domain.com)?
>>>>
>>>> Regards
>>>> Umesh
>>>>
>>>>
>>>>
>>>>
>>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>
>>>>> On AD you can use ADSIEDIT (
>>>>> http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx )
>>>>> to search for entries and delete or modify them. The best instructions are
>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>
>>>>> Let me know what you get once you have deleted the old entry. Another
>>>>> check is to use the kvno tool, which you should have when you use MIT
>>>>> Kerberos.
>>>>>
>>>>> #kvno HTTP/fqdn_at_REALM should give the same number as klist -ekt
>>>>> squid.keytab
>>>>> e.g.
>>>>>
>>>>> # klist -ekt /etc/squid/squid.keytab
>>>>> Keytab name: FILE:/etc/squid/squid.keytab
>>>>> KVNO Timestamp         Principal
>>>>> ---- ----------------- --------------------------------------------------------
>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (ArcFour with HMAC/md5)
>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (Triple DES cbc mode with HMAC/sha1)
>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (DES cbc mode with CRC-32)
>>>>>
>>>>> #kvno HTTP/opensuse11.suse.home
>>>>> HTTP/opensuse11.suse.home_at_SUSE.HOME: kvno = 3
>>>>>
>>>>>
>>>>> Regards
>>>>> Markus
>>>>>
>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f_at_mail.gmail.com...
>>>>> Hi,
>>>>> I'm new to this. I've run the following command on the server:
>>>>>
>>>>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b
>>>>> "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn_at_REALM"
>>>>>
>>>>> and get
>>>>> #
>>>>> # LDAPv3
>>>>> # base <OU=name,DC=domain,DC=com> with scope subtree
>>>>> # filter: serviceprincipalname=HTTP/fqdn_at_REALM
>>>>> # requesting: ALL
>>>>> #
>>>>>
>>>>> # search result
>>>>>
>>>>> # numResponses: 1
>>>>>
>>>>> Is it possible to check directly on AD if this service principal name
>>>>> exists?
>>>>> How else can I test if this keytab works?
>>>>> If I create a new keytab what is the procedure of getting rid of the
>>>>> old one and retesting (what should be done on AD and the linux box)?
>>>>>
>>>>> Are there any docs that will help me with this?
>>>>>
>>>>> Sorry for being a pain and thanks again.
>>>>> Regards
>>>>> Umesh
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>
>>>>>> Can you check with an ldap query (e.g. with ldapadmin from
>>>>>> sourceforge)
>>>>>> or
>>>>>> search with a filter "(serviceprincipalname=HTTP/fqdn_at_REALM)" if you
>>>>>> have
>>>>>> duplicate entries ?
>>>>>>
>>>>>> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn_at_REALM.KERBEROS will
>>>>>> only
>>>>>> work if the userprincipal name is HTTP/fqdn_at_REALM.KERBEROS which I
>>>>>> think
>>>>>> is
>>>>>> not the case with ktpass.
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>> Markus
>>>>>>
>>>>>>
>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0_at_mail.gmail.com...
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm trying to get the squid helper squid_kerb_auth to work against
>>>>>>> our
>>>>>>> Active Directory (win 2003 sp2).
>>>>>>>
>>>>>>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS
>>>>>>> 5.4 64 bit.
>>>>>>>
>>>>>>> Squid Cache: Version 2.7.STABLE7
>>>>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp'
>>>>>>> '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
>>>>>>> '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
>>>>>>> '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
>>>>>>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>>>>
>>>>>>>
>>>>>>> A keytab file was created on AD for squid
>>>>>>> (HTTP/squid.domain_at_REALM.KERBEROS)
>>>>>>>
>>>>>>> ktpass -princ HTTP/fqdn_at_REALM -mapuser squiduser
>>>>>>> -pass password -out HTTP.keytab
>>>>>>>
>>>>>>> Transferred the file to the CentOS server and placed it
>>>>>>> in /etc/squid/HTTP.keytab
>>>>>>>
>>>>>>>
>>>>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn_at_REALM.KERBEROS
>>>>>>>
>>>>>>> I get the error message:
>>>>>>> kinit(v5): Client not found in Kerberos database while getting
>>>>>>> initial
>>>>>>> credentials
>>>>>>>
>>>>>>>
>>>>>>> I've also tried creating the keytab file using
>>>>>>> msktutil or samba according to the following doc:
>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>
>>>>>>> I get the same error.
>>>>>>>
>>>>>>> How do I sort out this problem?
>>>>>>>
>>>>>>> Thanks in advance.
>>>>>>> Regards
>>>>>>> Umesh
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
Received on Sat Jan 16 2010 - 12:53:05 MST

This archive was generated by hypermail 2.2.0 : Sun Jan 17 2010 - 12:00:04 MST
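The thread above boils down to two consistency checks that Markus asks Umesh to do by hand: the key version number (KVNO) in the squid keytab must match what the KDC reports via `kvno`, and the HTTP/ service principal name must be registered on exactly one AD object (the ktpass-mapped user and the samba-joined computer account must not both carry it). The script below is an added example, not code from the thread or from the squid project; it parses sample `klist -ekt`, `kvno` and `ldapsearch -L` (LDIF) output and reports the mismatches. The sample output is constructed to mirror what Umesh posted (a keytab at kvno 7, the KDC answering kvno 5, and the HTTP SPN present on two objects); the function names and the list of "weak" enctypes are my own choices. Because the list archive rewrites `@` as `_at_`, the parser accepts both spellings.

```python
import re
from collections import defaultdict

# The mailing-list archive rewrites "@" as "_at_"; accept both so output
# pasted from the archive parses the same as output pasted from a terminal.
def _norm(principal):
    return principal.replace("_at_", "@")

# klist -ekt data row: "<kvno> <date> <time> <principal> (<enctype>)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)(?:\s+\((.*)\))?\s*$")
# kvno success row: "<principal>: kvno = <n>"
KVNO_LINE = re.compile(r"^\s*(\S+):\s+kvno\s*=\s*(\d+)\s*$")
# Enctypes a defender would want flagged (single DES and RC4); assumption, not from the thread.
WEAK_ENCTYPES = ("DES cbc", "ArcFour")

def parse_klist(text):
    """Parse `klist -ekt` output into {principal: {(kvno, enctype), ...}}."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:  # header and separator rows do not start with a number
            entries[_norm(m.group(2))].add((int(m.group(1)), m.group(3) or ""))
    return dict(entries)

def parse_kvno(text):
    """Parse `kvno` output into ({principal: kvno}, [error lines])."""
    kvnos, errors = {}, []
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            kvnos[_norm(m.group(1))] = int(m.group(2))
        elif line.strip().startswith("kvno:"):  # e.g. "kvno: Ticket expired ..."
            errors.append(line.strip())
    return kvnos, errors

def _unfold(ldif):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out = []
    for line in ldif.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def parse_spn_owners(ldif):
    """Map each servicePrincipalName in `ldapsearch -L` output to the DNs carrying it."""
    owners, dn = defaultdict(list), None
    for line in _unfold(ldif):
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("serviceprincipalname:") and dn:
            owners[line.split(":", 1)[1].strip()].append(dn)
    return dict(owners)

def check_keytab(klist_text, kvno_text):
    """Compare keytab contents with the KDC's view; returns a list of findings."""
    findings = []
    keytab = parse_klist(klist_text)
    kdc, errors = parse_kvno(kvno_text)
    for err in errors:
        findings.append(f"kvno failed ({err}); obtain a TGT with kinit first")
    for princ, kdc_kvno in kdc.items():
        if princ not in keytab:
            findings.append(f"{princ}: KDC knows it but keytab has no key for this exact name/realm")
            continue
        keytab_kvnos = {k for k, _ in keytab[princ]}
        if kdc_kvno not in keytab_kvnos:
            findings.append(f"{princ}: KDC kvno {kdc_kvno} != keytab kvno(s) {sorted(keytab_kvnos)}; regenerate the keytab")
    for princ, keys in keytab.items():
        for _, enctype in sorted(keys):
            if any(w in enctype for w in WEAK_ENCTYPES):
                findings.append(f"{princ}: weak enctype '{enctype}' in keytab")
    return findings

def check_spn_uniqueness(ldif):
    """Return {spn: [dn, ...]} for SPNs registered on more than one AD object."""
    return {spn: dns for spn, dns in parse_spn_owners(ldif).items() if len(dns) > 1}

# Constructed sample output, modelled on the thread (not real systems).
KLIST_SAMPLE = """Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@AD.DOMAIN.COM (ArcFour with HMAC/md5)
"""
KVNO_SAMPLE = """HTTP/proxy1.domain.com@AD.DOMAIN.COM: kvno = 5
kvno: Ticket expired while getting credentials for HTTP/proxy1@AD.DOMAIN.COM
"""
LDIF_SAMPLE = """dn: CN=proxy1,OU=Workstations,OU=ComputerAccounts,DC=DOMAIN,DC=COM
servicePrincipalName: HOST/PROXY1
servicePrincipalName: HTTP/proxy1.domain.com

dn: CN=squiduser,OU=Users,DC=DOMAIN,DC=COM
servicePrincipalName: HTTP/proxy1.domain.com
"""

if __name__ == "__main__":
    for f in check_keytab(KLIST_SAMPLE, KVNO_SAMPLE):
        print("keytab:", f)
    for spn, dns in check_spn_uniqueness(LDIF_SAMPLE).items():
        print(f"duplicate SPN {spn} on: {', '.join(dns)}")
```

Run it with real output by piping `klist -ekt /etc/squid/HTTP.keytab`, `kvno HTTP/fqdn@REALM` (after `kinit`) and an `ldapsearch -L ... "(servicePrincipalName=HTTP/*)"` query into the three functions; an empty finding list and an empty duplicate map is the state in which `squid_kerb_auth_test` followed by `squid_kerb_auth -d` should produce the `AF` line from Markus's message rather than the `gss_accept_sec_context()` failure.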