[squid-users] Re: Re: Re: Re: Re: squid_kerb_auth problem

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 22 Jan 2010 10:41:52 -0000

Can you also check the WINS traffic. If I remember right you should see a
query for the domain. If that does not get resolved Windows will fall back to
NTLM.

Markus

"Jose Lopes" <jlopes_at_iportalmais.pt> wrote in message
news:4B58AE77.4090907_at_iportalmais.pt...
> Hi Markus,
>
> I have already defined Windows Server as WINS and DNS for the windows client.
> I checked again the messages between IE8 and Windows Server and I verified
> there are AS-REQ, AS-REP, TGS-REQ and TGS-REP packets (for the non domain
> member).
>
> To me, it seems like the SSPI API that Firefox uses first tries NTLM and
> second tries Kerberos. But Firefox denies the second try.
> And I don't know how to sort out this problem.
>
> Regards
> Jose
>
> Markus Moeller wrote:
>> Firstly, for non domain members you can not get SSO with
>> Negotiate/Kerberos (as far as I know). When you get the popup
>> asking for a username/password and you provide user_at_DOMAIN with the
>> password, the client tries to find the domain controller using some
>> Windows protocols. I think if unsuccessful it will try NTLM with its
>> hostname as domain. To help the client find the AD domain
>> controller you should provide, via DHCP or hardcoded, a WINS server
>> which has the domain information.
>>
>> Regards
>> Markus
>>
>>
>> "Jose Lopes" <jlopes_at_iportalmais.pt> wrote in message
>> news:4B56F8D7.4060704_at_iportalmais.pt...
>>> Hi Markus,
>>>
>>> Using Firefox at a windows machine (not domain member)
>>> - kerbtray doesn't show any credentials
>>> - I don't have traffic at port 88.
>>> - Doesn't work.
>>>
>>> Using IE8 at a windows machine (not domain member)
>>> - kerbtray doesn't show any credentials
>>> - At port 88 there are a TGS-REQ and a TGS-REP
>>> - It works
>>>
>>> Using Firefox at a windows machine (domain member of windows server)
>>> - kerbtray shows me the user principal and the service principal
>>> HTTP/squid.domain.
>>> - At port 88 there are a TGS-REQ and a TGS-REP
>>> - It works
>>>
>>> Using IE8 at a windows machine (domain member of windows server)
>>> - kerbtray shows me the user principal and the service principal
>>> HTTP/squid.domain.
>>> - At port 88 there are a TGS-REQ and a TGS-REP
>>> - It works
>>>
>>> Regards
>>> Jose
>>>
>>> Markus Moeller wrote:
>>>> Hi Jose
>>>>
>>>> Can you install kerbtray from the resource kit
>>>> http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
>>>> and start it? It should list if you have got a TGS for
>>>> HTTP/squid.domain.
>>>>
>>>> Also can you capture port 88 (Kerberos) traffic on the client with
>>>> wireshark? When you login you should see an AS REQ and REP and
>>>> when firefox authenticates to the proxy you should see a TGS REQ
>>>> for HTTP/squid.domain.
>>>>
>>>> If not can you send me the capture to have a look at it ?
>>>>
>>>> Regards Markus
>>>>
>>>> "Jose Lopes" <jlopes_at_iportalmais.pt> wrote in message
>>>> news:4B5596BB.8010103_at_iportalmais.pt...
>>>>> Hi,
>>>>>
>>>>> I have the same problem. I have already set
>>>>> network.negotiate-auth.trusted-uris to the proxy domain. In the
>>>>> firefox (FF) log appears:
>>>>>
>>>>> 0[825140]: service = squid.domain
>>>>> 0[825140]: using negotiate-sspi
>>>>> 0[825140]: nsAuthSSPI::Init
>>>>> 0[825140]: InitSSPI
>>>>> 0[825140]: Using SPN of [HTTP/squid.domain]
>>>>> 0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>>>>> 0[825140]: entering nsAuthSSPI::GetNextToken()
>>>>> 0[825140]: Sending a token of length 40
>>>>> 0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>>>>> 0[825140]: entering nsAuthSSPI::GetNextToken()
>>>>> 0[825140]: Cannot restart authentication sequence!
>>>>>
>>>>> The http messages between squid and FF are:
>>>>>
>>>>> FF -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>>>>
>>>>> SQUID -> FF HTTP/1.0 407 Proxy Authentication Required Server:
>>>>> squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...]
>>>>>
>>>>> FF -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>>>> Proxy-Authorization: Negotiate
>>>>> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>>>>>
>>>>> SQUID -> FF HTTP/1.0 407 Proxy Authentication Required Server:
>>>>> squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...]
>>>>>
>>>>>
>>>>> I have already IE working, and the http seems similar.
>>>>>
>>>>> IE -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>>>>
>>>>> SQUID -> IE HTTP/1.0 407 Proxy Authentication Required Server:
>>>>> squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...]
>>>>>
>>>>> IE -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>>>> Proxy-Authorization: Negotiate
>>>>> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>>>>>
>>>>> SQUID -> IE HTTP/1.0 407 Proxy Authentication Required Server:
>>>>> squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...]
>>>>>
>>>>> IE -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>>>> Proxy-Authorization: Negotiate
>>>>> YIIE+gYGKwYBBQUCoIIE7jCCBOqgJDAiBgkqhkiC9xIBAgIGC[...] [...]
>>>>>
>>>>> SQUID -> IE HTTP/1.0 200 OK [...] Proxy-Authentication-Info:
>>>>> Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICoo[...] [...]
>>>>>
>>>>>
>>>>> Seems like IE uses NTLM at first and Kerberos at the second try.
>>>>>
>>>>> I think FF is similar, but FF doesn't allow the second iteration.
>>>>>
>>>>> How can I put Kerberos as the first iteration?
>>>>>
>>>>> Thanks in advance. Regards, Jose
>>>>>
>>>>> Markus Moeller wrote:
>>>>>>
>>>>>> The message parseNegTokenInit failed with rc=102 just means the
>>>>>> token is not a GSSAPI token wrapped in a SPNEGO token, but a
>>>>>> plain GSSAPI token. When you use firefox you have to do a kinit
>>>>>> first to store the AS token in the Kerberos cache for Firefox
>>>>>> to use, and I think Firefox has to be configured with
>>>>>> network.negotiate-auth.trusted-uris set to the domains of
>>>>>> your proxy server.
>>>>>>
>>>>>> Regards Markus
>>>>>>
>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>>> news:c3b47c041001181054n7091ea3aj761a508938de74e3_at_mail.gmail.com...
>>>>>> Hi Markus, sorry, yes you were right, it was DNS.
>>>>>>
>>>>>> In our environment we are running two DNS servers. One using MS
>>>>>> DNS and the other using unix BIND. The linux server was added
>>>>>> to the unix DNS (with name proxy1.domain.com) but not to the MS
>>>>>> DNS which was authority for ad.domain.com. Now that I think
>>>>>> about it our MS DNS has issues doing reverse lookups for IPs
>>>>>> that the unix DNS is authority for (which in this case was
>>>>>> proxy1.domain.com).
>>>>>>
>>>>>> I changed the linux server name to proxy1.ad.domain.com and now the
>>>>>> squid_kerb_auth_test works. Using your squid_kerb_auth (version 1.0.5) I get:
>>>>>>
>>>>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
>>>>>> 2010/01/18 20:25:10| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
>>>>>>
>>>>>> When I try the same thing with the auth from squid-2.7.STABLE7.tar.bz2 I get:
>>>>>>
>>>>>> 2010/01/18 20:29:07| squid_kerb_auth: parseNegTokenInit failed with rc=102
>>>>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
>>>>>> 2010/01/18 20:29:07| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
>>>>>>
>>>>>> Is the "parseNegTokenInit failed with rc=102" ok?
>>>>>>
>>>>>> I then tried running squid and used Firefox 3.5.7. I got the
>>>>>> following error from squid cache:
>>>>>>
>>>>>> authenticateNegotiateHandleReply: Failed validating user via
>>>>>> Negotiate. Error returned 'type 1 NTLM token'
>>>>>>
>>>>>> Any ideas? Also I don't get any authentication popups for
>>>>>> userid and password...
>>>>>>
>>>>>> A sample of the log:
>>>>>>
>>>>>> 2010/01/18 20:47:58| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
>>>>>> 2010/01/18 20:47:58| squid_kerb_auth: parseNegTokenInit failed with rc=101
>>>>>> 2010/01/18 20:47:58| squid_kerb_auth: received type 1 NTLM token
>>>>>> 2010/01/18 20:47:58| do_comm_select: 1 fds ready
>>>>>> 2010/01/18 20:47:58| cbdataValid: 0x1838d448
>>>>>> 2010/01/18 20:47:58| helperStatefulHandleRead: 30 bytes from negotiateauthenticator #1.
>>>>>> 2010/01/18 20:47:58| commSetSelect: FD 7 type 1
>>>>>> 2010/01/18 20:47:58| helperStatefulHandleRead: end of reply found
>>>>>> 2010/01/18 20:47:58| cbdataValid: 0x18648bb8
>>>>>> 2010/01/18 20:47:58| cbdataValid: 0x185cad18
>>>>>> 2010/01/18 20:47:58| helperStatefulReleaseServer: 0x1838d448
>>>>>> 2010/01/18 20:47:58| helperStatefulReset: 0x1838d448
>>>>>> 2010/01/18 20:47:58| StatefulGetFirstAvailable: Running servers 10.
>>>>>> 2010/01/18 20:47:58| authenticateNegotiateHandleReply: Failed validating user via Negotiate. Error returned 'type 1 NTLM token'
>>>>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>>>>>> 2010/01/18 20:47:58| cbdataValid: 0x183561a8
>>>>>> 2010/01/18 20:47:58| aclCheck: checking 'http_access deny !password'
>>>>>> 2010/01/18 20:47:58| aclMatchAclList: checking !password
>>>>>> 2010/01/18 20:47:58| aclMatchAcl: checking 'acl password proxy_auth REQUIRED'
>>>>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>>>>>> 2010/01/18 20:47:58| authenticateNegotiateAuthenticateUser: need to challenge client 'received'!
>>>>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>>>>>> 2010/01/18 20:47:58| aclAuthenticated: returning 0 sending authentication challenge.
>>>>>> 2010/01/18 20:47:58| aclCheck: match found, returning 2
>>>>>> 2010/01/18 20:47:58|  cbdataUnlock: 0x183561a8
>>>>>> 2010/01/18 20:47:58| aclCheckCallback: answer=2
>>>>>> 2010/01/18 20:47:58| cbdataValid: 0x185ca298
>>>>>> 2010/01/18 20:47:58| The request GET http://en-gb.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official is DENIED, because it matched 'password'
>>>>>>
>>>>>> My acl for this was: 'http_access deny !password'
>>>>>>
>>>>>> Regards Umesh
>>>>>>
>>>>>> 2010/1/16 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>> Can you check your DNS? For nslookup name you should get an IP,
>>>>>>> and for the reverse nslookup ip the same name.
>>>>>>>
>>>>>>> Which Kerberos libraries do you use? Heimdal or MIT, and
>>>>>>> which release?
>>>>>>>
>>>>>>> Markus
>>>>>>>
>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>>>> news:c3b47c041001160337k68a1313g1863689383a15121_at_mail.gmail.com...
>>>>>>> Hi
>>>>>>>
>>>>>>> When I tried ./squid_kerb_auth_test proxy1 or
>>>>>>> ./squid_kerb_auth_test proxy1.domain.com I got
>>>>>>>
>>>>>>> 2010/01/16 12:31:47| squid_kerb_auth_test: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Unknown code krb5 7
>>>>>>> Token: NULL
>>>>>>>
>>>>>>> But I got a token if I used ./squid_kerb_auth_test domain.com
>>>>>>> or ./squid_kerb_auth_test adserver.domain.com
>>>>>>>
>>>>>>> Using this token and squid auth in the same directory I got
>>>>>>>
>>>>>>> squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>>>> BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>>>>
>>>>>>> Using the same token on the latest compiled squid
>>>>>>> /usr/local/squid/libexec/squid_kerb_auth -d I got
>>>>>>>
>>>>>>> 2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit failed with rc=102
>>>>>>> 2010/01/16 12:55:58| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>>>> NA gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>>>>
>>>>>>> Any ideas? Regards Umesh
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>>
>>>>>>>> There should be a squid_kerb_auth_test application in the
>>>>>>>> same source directory as squid_kerb_auth.
>>>>>>>>
>>>>>>>> Do a kinit user_at_DOMAIN and then a squid_kerb_auth_test
>>>>>>>> squid-fqdn which should give you a token like:
>>>>>>>>
>>>>>>>> Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>>>>>>>
>>>>>>>> which you can then use with squid_kerb_auth like
>>>>>>>>
>>>>>>>> export KRB5_KTNAME=/path-to-squid.keytab
>>>>>>>> ./squid_kerb_auth -d
>>>>>>>> YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>>>>>>> 2010/01/15 14:40:29| squid_kerb_auth: Got 'YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
>>>>>>>> 2010/01/15 14:40:29| squid_kerb_auth: Decode 'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
>>>>>>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus_at_SUSE.HOME
>>>>>>>> 2010/01/15 14:40:29| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus_at_SUSE.HOME
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards Markus
>>>>>>>>
>>>>>>>> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
>>>>>>>> news:hipnhp$hs3$1_at_ger.gmane.org...
>>>>>>>>>
>>>>>>>>> When you use ktpass or msktutil you have to specify a
>>>>>>>>> different AD object than your samba object and remove the
>>>>>>>>> HTTP/... entries as service principal from your samba AD
>>>>>>>>> object. If you want to have only one AD object you have
>>>>>>>>> to use the net keytab command as described in the wiki.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards Markus
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>>>>>> news:c3b47c041001150053n290d6443q830770300636a0ca_at_mail.gmail.com...
>>>>>>>>>
>>>>>>>>> Hi, OK. Did that now and I got:
>>>>>>>>>
>>>>>>>>> kvno HTTP/proxy1.domain.com
>>>>>>>>> HTTP/proxy1_at_DOMAIN.COM: kvno = 5
>>>>>>>>>
>>>>>>>>> This number is different from the keytab number. How
>>>>>>>>> do I correct this?
>>>>>>>>>
>>>>>>>>> Yes I did use samba (net ads join -U adminuserid). Then I
>>>>>>>>> tried msktutil. Then finally ktpass.
>>>>>>>>>
>>>>>>>>> During the net ads join I got:
>>>>>>>>>
>>>>>>>>> # net ads join -U userid
>>>>>>>>> userid's password:
>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>> DNS update failed!
>>>>>>>>> Joined 'PROXY1' to realm 'DOMAIN.COM'
>>>>>>>>>
>>>>>>>>> Is the DNS update a problem?
>>>>>>>>>
>>>>>>>>> Regards Umesh
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>>>>
>>>>>>>>>> Sorry I forgot to say that you have to do a kinit
>>>>>>>>>> aduser_at_REALM before you issue the kvno command. Did you
>>>>>>>>>> use the samba net join command to create the AD account
>>>>>>>>>> and the keytab?
>>>>>>>>>>
>>>>>>>>>> Markus
>>>>>>>>>>
>>>>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>>>>>>> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd_at_mail.gmail.com...
>>>>>>>>>>
>>>>>>>>>> Hi Markus, I've checked with ADSIEDIT and found a single
>>>>>>>>>> entry for the linux server named proxy1. Clicking on
>>>>>>>>>> its properties I found the following entries for
>>>>>>>>>> service Principal Name:
>>>>>>>>>>
>>>>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>>>>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
>>>>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
>>>>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>>>>>>>>>>
>>>>>>>>>> On the linux box:
>>>>>>>>>>
>>>>>>>>>> # klist -ekt /etc/squid/HTTP.keytab
>>>>>>>>>> Keytab name: FILE:/etc/squid/HTTP.keytab
>>>>>>>>>> KVNO Timestamp         Principal
>>>>>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>>>>>    7 01/01/70 02:00:00 HTTP/proxy1.domain.com_at_AD.DOMAIN.COM (ArcFour with HMAC/md5)
>>>>>>>>>>
>>>>>>>>>> # kvno HTTP/proxy1.domain.com
>>>>>>>>>> kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com_at_AD.DOMAIN.COM
>>>>>>>>>> # kvno HTTP/proxy1
>>>>>>>>>> kvno: Ticket expired while getting credentials for HTTP/proxy1_at_AD.DOMAIN.COM
>>>>>>>>>>
>>>>>>>>>> Should I remove the entry on AD, rejoin the pc to AD
>>>>>>>>>> and create the keytab again? Which mechanism should I
>>>>>>>>>> use to create the keytab? Is my DNS correct? If the pc
>>>>>>>>>> came up on AD as proxy1, should it be the fqdn
>>>>>>>>>> (proxy1.domain.com)?
>>>>>>>>>>
>>>>>>>>>> Regards Umesh
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>>>>>
>>>>>>>>>>> On AD you can use ADSIEDIT (
>>>>>>>>>>> http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx
>>>>>>>>>>> ) to search for entries and delete or modify them. The
>>>>>>>>>>> best instructions are
>>>>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>>>>>
>>>>>>>>>>> Let me know what you get once you deleted the old
>>>>>>>>>>> entry. Another check is to use the kvno tool which
>>>>>>>>>>> you should have when you use MIT Kerberos.
>>>>>>>>>>>
>>>>>>>>>>> # kvno HTTP/fqdn_at_REALM should give the same number as
>>>>>>>>>>> klist -ekt squid.keytab, e.g.
>>>>>>>>>>>
>>>>>>>>>>> # klist -ekt /etc/squid/squid.keytab
>>>>>>>>>>> Keytab name: FILE:/etc/squid/squid.keytab
>>>>>>>>>>> KVNO Timestamp         Principal
>>>>>>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (ArcFour with HMAC/md5)
>>>>>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (Triple DES cbc mode with HMAC/sha1)
>>>>>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (DES cbc mode with CRC-32)
>>>>>>>>>>>
>>>>>>>>>>> # kvno HTTP/opensuse11.suse.home
>>>>>>>>>>> HTTP/opensuse11.suse.home_at_SUSE.HOME: kvno = 3
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Regards Markus
>>>>>>>>>>>
>>>>>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>>>>>>>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f_at_mail.gmail.com...
>>>>>>>>>>>
>>>>>>>>>>> Hi, I'm new to this. I've run the following command
>>>>>>>>>>> on the server:
>>>>>>>>>>>
>>>>>>>>>>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn_at_REALM"
>>>>>>>>>>>
>>>>>>>>>>> and get
>>>>>>>>>>>
>>>>>>>>>>> #
>>>>>>>>>>> # LDAPv3
>>>>>>>>>>> # base <OU=name,DC=domain,DC=com> with scope subtree
>>>>>>>>>>> # filter: serviceprincipalname=HTTP/fqdn_at_REALM
>>>>>>>>>>> # requesting: ALL
>>>>>>>>>>> #
>>>>>>>>>>>
>>>>>>>>>>> # search result
>>>>>>>>>>>
>>>>>>>>>>> # numResponses: 1
>>>>>>>>>>>
>>>>>>>>>>> Is it possible to check directly on AD if this
>>>>>>>>>>> service principal name exists? How else can I test if
>>>>>>>>>>> this keytab works? If I create a new keytab, what is
>>>>>>>>>>> the procedure for getting rid of the old one and
>>>>>>>>>>> retesting (what should be done on AD and on the linux
>>>>>>>>>>> box)?
>>>>>>>>>>>
>>>>>>>>>>> Are there any docs that will help me with this?
>>>>>>>>>>>
>>>>>>>>>>> Sorry for being a pain and thanks again. Regards
>>>>>>>>>>> Umesh
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>>>>>>
>>>>>>>>>>>> Can you check with an ldap query (e.g. with
>>>>>>>>>>>> ldapadmin from sourceforge) or search with a filter
>>>>>>>>>>>> "(serviceprincipalname=HTTP/fqdn_at_REALM)" if you
>>>>>>>>>>>> have duplicate entries?
>>>>>>>>>>>>
>>>>>>>>>>>> This kinit -k -t /etc/squid/squid.keytab
>>>>>>>>>>>> HTTP/fqdn_at_REALM.KERBEROS will only work if the
>>>>>>>>>>>> userprincipal name is HTTP/fqdn_at_REALM.KERBEROS
>>>>>>>>>>>> which I think is not the case with ktpass.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Regards Markus
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>>>>>>>>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0_at_mail.gmail.com...
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm trying to get the squid helper
>>>>>>>>>>>>> squid_kerb_auth to work against our Active
>>>>>>>>>>>>> Directory (win 2003 sp2).
>>>>>>>>>>>>>
>>>>>>>>>>>>> I've compiled the latest squid version
>>>>>>>>>>>>> (squid-2.7.STABLE7) on CentOS 5.4 64 bit.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Squid Cache: Version 2.7.STABLE7
>>>>>>>>>>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp' '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files' '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn' '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>>>>>>>>>>
>>>>>>>>>>>>> A keytab file was created on AD for squid
>>>>>>>>>>>>> (HTTP/squid.domain_at_REALM.KERBEROS):
>>>>>>>>>>>>>
>>>>>>>>>>>>> ktpass -princ HTTP/fqdn_at_REALM -mapuser squiduser -pass password -out HTTP.keytab
>>>>>>>>>>>>>
>>>>>>>>>>>>> Transferred the file to the CentOS server and
>>>>>>>>>>>>> placed it in /etc/squid/HTTP.keytab
>>>>>>>>>>>>>
>>>>>>>>>>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn_at_REALM.KERBEROS
>>>>>>>>>>>>>
>>>>>>>>>>>>> I get the error message: kinit(v5): Client not
>>>>>>>>>>>>> found in Kerberos database while getting initial
>>>>>>>>>>>>> credentials
>>>>>>>>>>>>>
>>>>>>>>>>>>> I've also tried creating the keytab file using
>>>>>>>>>>>>> msktutil or samba according to the following doc:
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>>>>>>>
>>>>>>>>>>>>> I get the same error.
>>>>>>>>>>>>>
>>>>>>>>>>>>> How do I sort out this problem?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks in advance. Regards Umesh
>>>>>>>>>>>>>
Received on Fri Jan 22 2010 - 10:42:28 MST

This archive was generated by hypermail 2.2.0 : Fri Jan 22 2010 - 12:00:04 MST