[squid-users] Re: squid_kerb_ldap -> "Error while initialising credentials from keytab"

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 30 Jun 2010 20:57:27 +0100

Hi Tom

squid_kerb_ldap tries to use the keytab to authenticate squid against AD.
The keytab contains basically the password for the "user" http/<fqdn> which
maps in AD to the userprincipalname attribute. In your case squid_kerb_ldap
tries to use host/proxy-test-01.xx.yy_at_XX.YY but does not find in AD an entry
which has the userprincipalname attribute with that value and therefore can
not check group memberships. msktutil has the option --upn which will set
the AD attribute accordingly (see also
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos).

2010/06/30 09:45:48| squid_kerb_ldap: Got principal name
host/proxy-test-01.xx.yy_at_XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising credentials
from keytab : Client not found in Kerberos database

Regards
Markus

"Tom Tux" <tomtux80_at_gmail.com> wrote in message
news:AANLkTilZ_WeFjeU1bMnPSgvnhAhTe6RJMr6bjA-uuQ_m_at_mail.gmail.com...
> Hi
>
> I'm trying to authenticate our clients with squid_kerb_ldap against
> our ad. There exists a global-group called "Internet". My squid.conf
> looks like this:
>
> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN
> /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g Internet
> acl inetAccess external SQUID_KERB_LDAP
> http_access allow inetAccess
>
>
> My "klist -k" looks like this:
> proxy-test-01:/usr/local/squid_kerb_ldap/bin # klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 4 host/proxy-test-01.xx.yy_at_XX.YY
> 4 host/proxy-test-01.xx.yy_at_XX.YY
> 4 host/proxy-test-01.xx.yy_at_XX.YY
> 4 host/proxy-test-01_at_XX.YY
> 4 host/proxy-test-01_at_XX.YY
> 4 host/proxy-test-01_at_XX.YY
> 4 PROXY-TEST-01$@XX.YY
> 4 PROXY-TEST-01$@XX.YY
> 4 PROXY-TEST-01$@XX.YY
> 4 HTTP/proxy-test-01.xx.yy_at_XX.YY
> 4 HTTP/proxy-test-01.xx.yy_at_XX.YY
> 4 HTTP/proxy-test-01.xx.yy_at_XX.YY
> 4 HTTP/proxy-test-01_at_XX.YY
> 4 HTTP/proxy-test-01_at_XX.YY
> 4 HTTP/proxy-test-01_at_XX.YY
> 5 proxy-test-01$@XX.YY
> 5 proxy-test-01$@XX.YY
> 5 proxy-test-01$@XX.YY
> 5 HTTP/proxy-test-01.xx.yy_at_XX.YY
> 5 HTTP/proxy-test-01.xx.yy_at_XX.YY
> 5 HTTP/proxy-test-01.xx.yy_at_XX.YY
> 5 HTTP/proxy-test-01_at_XX.YY
> 5 HTTP/proxy-test-01_at_XX.YY
> 5 HTTP/proxy-test-01_at_XX.YY
> 5 host/proxy-test-01.xx.yy_at_XX.YY
> 5 host/proxy-test-01.xx.yy_at_XX.YY
> 5 host/proxy-test-01.xx.yy_at_XX.YY
>
>
> Without squid_kerb_ldap, the internet-access is working fine. With the
> helper, I got the following errors in the cache.log:
> 2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER_at_XX.YY
> authenticated
> 2010/06/30 09:45:48| squid_kerb_ldap: Got User: TESTUSER Domain: XX.YY
> 2010/06/30 09:45:48| squid_kerb_ldap: User domain loop: group_at_domain
> Internet_at_NULL
> 2010/06/30 09:45:48| squid_kerb_ldap: Default domain loop:
> group_at_domain Internet_at_NULL
> 2010/06/30 09:45:48| squid_kerb_ldap: Default group loop: group_at_domain
> Internet_at_NULL
> 2010/06/30 09:45:48| squid_kerb_ldap: Found group_at_domain Internet_at_NULL
> 2010/06/30 09:45:48| squid_kerb_ldap: Setup Kerberos credential cache
> 2010/06/30 09:45:48| squid_kerb_ldap: Get default keytab file name
> 2010/06/30 09:45:48| squid_kerb_ldap: Got default keytab file name
> /etc/krb5.keytab
> 2010/06/30 09:45:48| squid_kerb_ldap: Get principal name from keytab
> /etc/krb5.keytab
> 2010/06/30 09:45:48| squid_kerb_ldap: Keytab entry has realm name: XX.YY
> 2010/06/30 09:45:48| squid_kerb_ldap: Found principal name:
> host/proxy-test-01.xx.yy_at_XX.YY
> 2010/06/30 09:45:48| squid_kerb_ldap: Set credential cache to
> MEMORY:squid_ldap_22001
> 2010/06/30 09:45:48| squid_kerb_ldap: Got principal name
> host/proxy-test-01.xx.yy_at_XX.YY
> 2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising
> credentials from keytab : Client not found in Kerberos database
> 2010/06/30 09:45:48| squid_kerb_ldap: Error during setup of Kerberos
> credential cache
> 2010/06/30 09:45:48| squid_kerb_ldap: User TESTUSER is not member of
> group_at_domain Internet_at_NULL
> 2010/06/30 09:45:48| squid_kerb_ldap: ERR
> 2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER_at_XX.YY
> authenticated
>
> What could this be? The user "testuser" is member of the ad-group
> "Internet".
> Thanks a lot.
> Tom
>
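A small check for the situation described above, added here as an example and not part of the thread or of squid_kerb_ldap itself: it parses `klist -k` output (a constructed sample based on Tom's listing, with the archive's `_at_` restored to `@`), reports the principal the helper would try (assumed to be the first keytab entry, which matches the "Found principal name" line in the log), and builds the LDAP filter an admin can use to confirm AD has a matching userPrincipalName before expecting group lookups to work.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of "klist -k" output, trimmed to one line per KVNO/principal.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   4 host/proxy-test-01.xx.yy@XX.YY
   4 host/proxy-test-01@XX.YY
   4 PROXY-TEST-01$@XX.YY
   4 HTTP/proxy-test-01.xx.yy@XX.YY
   5 proxy-test-01$@XX.YY
   5 HTTP/proxy-test-01.xx.yy@XX.YY
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)$")  # "<kvno> <principal>" data lines only

def parse_klist(text: str) -> List[Dict[str, object]]:
    """Return keytab entries in keytab order, skipping the header lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and "@" in m.group(2):
            entries.append({"kvno": int(m.group(1)), "principal": m.group(2)})
    return entries

def first_principal(entries: List[Dict[str, object]]) -> Optional[str]:
    """Principal the helper will use; assumption: the first keytab entry."""
    return str(entries[0]["principal"]) if entries else None

def upn_filter(principal: str) -> str:
    """RFC 4515-escaped LDAP filter matching userPrincipalName == principal."""
    escaped = principal.replace("\\", "\\5c").replace("*", "\\2a")
    escaped = escaped.replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00")
    return f"(userPrincipalName={escaped})"

def diagnose(text: str) -> Dict[str, object]:
    """Summarise which principal will be tried and how to verify it in AD."""
    entries = parse_klist(text)
    chosen = first_principal(entries)
    service = chosen.split("/", 1)[0] if chosen and "/" in chosen else None
    has_http = any(str(e["principal"]).startswith("HTTP/") for e in entries)
    return {
        "principal": chosen,              # what the helper tries to authenticate as
        "service": service,               # "host" here, not "HTTP", as in the thread
        "has_http": has_http,             # an HTTP/ entry exists but is not first
        "ldap_filter": upn_filter(chosen) if chosen else None,
    }
```

Run the returned filter with ldapsearch against a domain controller; an empty result is the "Client not found in Kerberos database" condition from the log, and the fix is to set the userPrincipalName (msktutil --upn, as Markus notes).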
Received on Wed Jun 30 2010 - 19:57:47 MDT