Re: [squid-users] Re: msktutil: Error: ldap_set_option (option=) failed (Can't contact LDAP server)

From: Tom Tux <tomtux80_at_gmail.com>
Date: Tue, 29 Jun 2010 07:39:51 +0200

Hi Markus

Here is the output:
------------------ snip -----------------------
proxy-test-01:/usr/local/mskutil-0.4/sbin # ./msktutil -c -s
HTTP/proxy-test-01.xx.yy -h proxy-test-01 -k /etc/krb5.keytab
--computer-name proxy-test-01 --upn HTTP/proxy-test-01.xx.yy --server
dc1.xx.yy --verbose
 -- init_password: Wiping the computer password structure
 -- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-OINkN1
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: proxy-test-01$
 -- try_machine_keytab_princ: Trying to authenticate for
proxy-test-01$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for
host/proxy-test-01.xx.yy from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for proxy-test-01$
with password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed
(Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: dc1.xx.yy try_tls=YES
SASL/GSSAPI authentication started
SASL username: administrator_at_xx.yy
SASL SSF: 0
Error: ldap_set_option (option=) failed (Can't contact LDAP server)
 -- ~KRB5Context: Destroying Kerberos Context
------------------ snap -----------------------

The computer account already exists in the AD (joined with "net ads join").
ktutil gives me no principals back:

proxy-test-01:/usr/local/mskutil-0.4/sbin # ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
ktutil:

Thanks a lot.
Kind regards
Tom

2010/6/29 Markus Moeller <huaraz_at_moeller.plus.com>:
> Can you post the whole output of msktutil with --verbose please. If msktutil
> fails with TLS on port 389 it will try again without TLS.
>
> Regards
> Markus
>
> "Tom Tux" <tomtux80_at_gmail.com> wrote in message
> news:AANLkTil1Fhq5Ks3NX8MoSTKIC2qOACz1xpMp6wH6RpkD_at_mail.gmail.com...
> This works. I'm also able to telnet with tcp 636 (ldaps).
>
> I'm just searching for a solution to kerberise squid without the need
> of winbind/smb.
>
>
> 2010/6/28 Nick Cairncross <Nick.Cairncross_at_condenast.co.uk>:
>>
>> They seem ok.
>>
>> Telnet to your dc on 389?
>>
>>
>> On 28/06/2010 14:40, "Tom Tux" <tomtux80_at_gmail.com> wrote:
>>
>> Which LDAP libraries should be installed?
>> The following devel packages are installed (SLES11 system):
>> - openldap2-devel
>> - cyrus-sasl-devel
>>
>>
>>
>> 2010/6/28 Nick Cairncross <Nick.Cairncross_at_condenast.co.uk>:
>>>
>>> Missing ldap libraries maybe?
>>>
>>>
>>> On 28/06/2010 12:32, "Tom Tux" <tomtux80_at_gmail.com> wrote:
>>>
>>> Hi
>>>
>>> I'm trying to generate a computer account with msktutil:
>>>
>>> I got the following error:
>>> ...
>>> ...
>>> - ldap_connect: Connecting to LDAP server: dc1.domain.com try_tls=YES
>>> SASL/GSSAPI authentication started
>>> SASL username: admin_at_DOMAIN.COM
>>> SASL SSF: 0
>>> Error: ldap_set_option (option=) failed (Can't contact LDAP server)
>>> -- ~KRB5Context: Destroying Kerberos Context
>>>
>>>
>>>
>>> I have a valid ticket (klist), initiated with adminuser_at_DOMAIN.COM.
>>> Does anyone have any hints? I see that msktutil tries with TLS
>>> (encrypted) on port 389 (LDAP) on the domain controller. Can I use
>>> native (unencrypted) LDAP?
>>>
>>> Thanks a lot.
>>> Tom
>>>
>>
>
>
>
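As an added example (not msktutil's own code and not written by anyone in this thread), the script below parses the `--verbose` output Tom posted above and turns it into a short triage list: which credential each stage tried, why the KDC rejected it, which method finally authenticated, and what the LDAP leg reported. The sample log is constructed from the lines quoted in the thread with the e-mail wrapping undone; the field names, regexes and finding texts are the example's own, and the only things it knows about msktutil are the message strings visible in that output. Two facts it relies on: `SASL SSF: 0` means GSSAPI negotiated no integrity or confidentiality layer, and `Can't contact LDAP server` is libldap's text for `LDAP_SERVER_DOWN`.

```python
"""Triage helper for `msktutil --verbose` output (added example, not part of msktutil)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the verbose output quoted in the thread (host and realm names as
# posted there), with the e-mail line wrapping undone so each message is one line.
SAMPLE_LOG = """\
 -- init_password: Wiping the computer password structure
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-OINkN1
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: proxy-test-01$
 -- try_machine_keytab_princ: Trying to authenticate for proxy-test-01$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/proxy-test-01.xx.yy from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for proxy-test-01$ with password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: dc1.xx.yy try_tls=YES
SASL/GSSAPI authentication started
SASL username: administrator_at_xx.yy
SASL SSF: 0
Error: ldap_set_option (option=) failed (Can't contact LDAP server)
 -- ~KRB5Context: Destroying Kerberos Context
"""


@dataclass
class AuthAttempt:
    stage: str                    # msktutil routine that made the attempt
    principal: str                # client principal it asked the KDC for
    source: str                   # "keytab" or "password"
    error: Optional[str] = None   # KDC/library error text, if the attempt failed


@dataclass
class Report:
    attempts: List[AuthAttempt] = field(default_factory=list)
    auth_via: Optional[str] = None      # routine active when "Authenticated using method" appeared
    auth_method: Optional[int] = None
    ldap_server: Optional[str] = None
    try_tls: Optional[bool] = None
    sasl_ssf: Optional[int] = None      # SASL security strength factor; 0 = no protection layer
    ldap_error: Optional[str] = None
    findings: List[str] = field(default_factory=list)


# Patterns are built only from message strings visible in the posted output.
TRY_RE = re.compile(r"-- (\w+): Trying to authenticate for (\S+) (from local keytab|with password)")
CHECK_RE = re.compile(r"-- (\w+): Checking if default ticket cache")
ERR_RE = re.compile(r"-- (\w+): Error: \w+ failed \((.+)\)")
FAIL_RE = re.compile(r"-- (\w+): Authentication with \w+ failed")
METHOD_RE = re.compile(r"Authenticated using method (\d+)")
LDAP_RE = re.compile(r"ldap_connect: Connecting to LDAP server: (\S+) try_tls=(\w+)")
SSF_RE = re.compile(r"^SASL SSF: (\d+)$")
LDAP_ERR_RE = re.compile(r"^Error: ldap_\w+ .*\((.+)\)$")


def parse(log: str) -> Report:
    """Walk the log once, recording each authentication attempt and the LDAP outcome."""
    r = Report()
    active: Optional[str] = None   # routine currently trying to obtain credentials
    for raw in log.splitlines():
        line = raw.strip()
        if m := TRY_RE.search(line):
            source = "keytab" if m.group(3).startswith("from") else "password"
            r.attempts.append(AuthAttempt(m.group(1), m.group(2), source))
            active = m.group(1)
        elif m := CHECK_RE.search(line):
            active = m.group(1)
        elif m := ERR_RE.search(line):
            if r.attempts and r.attempts[-1].error is None:
                r.attempts[-1].error = m.group(2)
        elif FAIL_RE.search(line):
            active = None
        elif m := METHOD_RE.search(line):
            r.auth_method, r.auth_via = int(m.group(1)), active
        elif m := LDAP_RE.search(line):
            r.ldap_server = m.group(1)
            r.try_tls = m.group(2).upper() == "YES"
        elif m := SSF_RE.match(line):
            r.sasl_ssf = int(m.group(1))
        elif m := LDAP_ERR_RE.match(line):
            r.ldap_error = m.group(1)
    r.findings = assess(r)
    return r


def assess(r: Report) -> List[str]:
    """Turn the parsed fields into findings an administrator can act on."""
    out: List[str] = []
    for a in r.attempts:
        if a.error == "Key table entry not found":
            out.append(f"{a.stage}: no key for {a.principal} in the local keytab "
                       "(consistent with an empty ktutil listing)")
        elif a.error == "Client not found in Kerberos database":
            out.append(f"{a.stage}: the KDC has no principal named {a.principal}")
        elif a.error == "Preauthentication failed":
            out.append(f"{a.stage}: the KDC rejected the stored password for {a.principal}")
        elif a.error:
            out.append(f"{a.stage}: {a.error}")
    if r.auth_via == "try_user_creds":
        out.append("no machine credential worked; msktutil fell back to the invoking user's "
                   f"ticket cache (try_user_creds, method {r.auth_method})")
    if r.sasl_ssf == 0:
        out.append("SASL SSF 0: GSSAPI negotiated no integrity or confidentiality layer, "
                   "so the LDAP session is protected only if TLS is in place")
    if r.ldap_error:
        msg = f"LDAP connection to {r.ldap_server} failed: {r.ldap_error}"
        if r.try_tls:
            msg += (" with try_tls=YES; confirm TCP/389 is reachable and, if StartTLS is the "
                    "failing step, that the DC certificate validates on the client, before "
                    "falling back to unprotected LDAP")
        out.append(msg)
    return out


def triage(log: str) -> List[str]:
    return parse(log).findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)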
Received on Tue Jun 29 2010 - 05:39:59 MDT

This archive was generated by hypermail 2.2.0 : Wed Jun 30 2010 - 12:00:03 MDT