[squid-users] Re: Re: squid_kerb_ldap -> "Error while initialising credentials from keytab"

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 1 Jul 2010 21:10:45 +0100

You could have used a tool like kerbtray or just lock and unlock the PC
which would have refreshed the cache.

Regards
Markus

"Tom Tux" <tomtux80_at_gmail.com> wrote in message
news:AANLkTiljGRnzRu9WXIvAp0Tj22OnXaknjanBCZLvshiB_at_mail.gmail.com...
Hi Markus

This problem is solved now. I rebootet the client, which results in
clearing the client-kerberos cache. Now I'm able to authenticate and I
can use the squid_kerb_ldap-helper.

Thanks a lot for your hints.
Regards
Tom

2010/7/1 Tom Tux <tomtux80_at_gmail.com>:
> Hi Markus
>
> Thank you.
> So, I made my kerberos-configuration from scratch. This will mean:
> - Delete computer-account in AD
> - Remove /etc/krb5.keytab
> - Check with "setspn -L proxy-test-01" if there were no SPN's -> OK.
>
> Then I created the account again with the following command:
>
> ./msktutil -c -s HTTP/proxy-test-01.xx.yy -h proxy-test-01.xx.yy -k
> /etc/krb5.keytab --computer-name proxy-test-01 --upn
> HTTP/proxy-test-01.xx.yy --server dc 1.xx.yy --verbose
>
> The computer-account was created successfully. In the msktutil-output,
> I can see, that the KVNO is set to "2".
>
> On the Domain-Controller, I can also see, that the
> "msDS-KeyVersionNumber" is also set to "2".
>
> But I'm not able to authenticate. I got the following squid-cache-error:
> 2010/07/01 07:37:04| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH
> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
> may provide more information. Key version number for principal in key
> table is incorrect'
>
> What's wrong here? I tried with "kinit" and "kinit -R" again -> no
> success. How can I fix this problem?
> Regards
> Tom
>
>
> 2010/6/30 Markus Moeller <huaraz_at_moeller.plus.com>:
>> Hi Tom
>>
>> squid_kerb_ldap tries to use the keytab to authenticate squid against AD.
>> The keytab contains basically the password for the "user" http/<fqdn>
>> which
>> maps in AD to the userprincipalname attribute. In your case
>> squid_kerb_ldap
>> tries to use host/proxy-test-01.xx.yy_at_XX.YY but does not find in AD an
>> entry
>> which has the userprincipalname attribute with that value and therfore
>> can
>> not check group memberships. msktutil has the option --upn which will set
>> the AD attribute accordingly (see
>> alsohttp://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos).
>>
>>
>> 2010/06/30 09:45:48| squid_kerb_ldap: Got principal name
>> host/proxy-test-01.xx.yy_at_XX.YY
>> 2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising
>> credentials
>> from keytab : Client not found in Kerberos database
>>
>> Regards
>> Markus
>>
>> "Tom Tux" <tomtux80_at_gmail.com> wrote in message
>> news:AANLkTilZ_WeFjeU1bMnPSgvnhAhTe6RJMr6bjA-uuQ_m_at_mail.gmail.com...
>>>
>>> Hi
>>>
>>> I'm trying to authenticate our clients with squid_kerb_ldap against
>>> our ad. There exists a global-group called "Internet". My squid.conf
>>> looks like this:
>>>
>>> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
>>> auth_param negotiate children 10
>>> auth_param negotiate keep_alive on
>>> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN
>>> /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g Internet
>>> acl inetAccess external SQUID_KERB_LDAP
>>> http_access allow inetAccess
>>>
>>>
>>> My "klist -k" looks like this:
>>> proxy-test-01:/usr/local/squid_kerb_ldap/bin # klist -k
>>> Keytab name: FILE:/etc/krb5.keytab
>>> KVNO Principal
>>> ----
>>> --------------------------------------------------------------------------
>>> 4 host/proxy-test-01.xx.yy_at_XX.YY
>>> 4 host/proxy-test-01.xx.yy_at_XX.YY
>>> 4 host/proxy-test-01.xx.yy_at_XX.YY
>>> 4 host/proxy-test-01_at_XX.YY
>>> 4 host/proxy-test-01_at_XX.YY
>>> 4 host/proxy-test-01_at_XX.YY
>>> 4 PROXY-TEST-01$@XX.YY
>>> 4 PROXY-TEST-01$@XX.YY
>>> 4 PROXY-TEST-01$@XX.YY
>>> 4 HTTP/proxy-test-01.xx.yy_at_XX.YY
>>> 4 HTTP/proxy-test-01.xx.yy_at_XX.YY
>>> 4 HTTP/proxy-test-01.xx.yy_at_XX.YY
>>> 4 HTTP/proxy-test-01_at_XX.YY
>>> 4 HTTP/proxy-test-01_at_XX.YY
>>> 4 HTTP/proxy-test-01_at_XX.YY
>>> 5 proxy-test-01$@XX.YY
>>> 5 proxy-test-01$@XX.YY
>>> 5 proxy-test-01$@XX.YY
>>> 5 HTTP/proxy-test-01.xx.yy_at_XX.YY
>>> 5 HTTP/proxy-test-01.xx.yy_at_XX.YY
>>> 5 HTTP/proxy-test-01.xx.yy_at_XX.YY
>>> 5 HTTP/proxy-test-01_at_XX.YY
>>> 5 HTTP/proxy-test-01_at_XX.YY
>>> 5 HTTP/proxy-test-01_at_XX.YY
>>> 5 host/proxy-test-01.xx.yy_at_XX.YY
>>> 5 host/proxy-test-01.xx.yy_at_XX.YY
>>> 5 host/proxy-test-01.xx.yy_at_XX.YY
>>>
>>>
>>> Without squid_kerb_ldap, the internet-access is working fine. With the
>>> helper, I got the following errors in the cache.log:
>>> 2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER_at_XX.YY
>>> authenticated
>>> 2010/06/30 09:45:48| squid_kerb_ldap: Got User: TESTUSER Domain: XX.YY
>>> 2010/06/30 09:45:48| squid_kerb_ldap: User domain loop: group_at_domain
>>> Internet_at_NULL
>>> 2010/06/30 09:45:48| squid_kerb_ldap: Default domain loop:
>>> group_at_domain Internet_at_NULL
>>> 2010/06/30 09:45:48| squid_kerb_ldap: Default group loop: group_at_domain
>>> Internet_at_NULL
>>> 2010/06/30 09:45:48| squid_kerb_ldap: Found group_at_domain Internet_at_NULL
>>> 2010/06/30 09:45:48| squid_kerb_ldap: Setup Kerberos credential cache
>>> 2010/06/30 09:45:48| squid_kerb_ldap: Get default keytab file name
>>> 2010/06/30 09:45:48| squid_kerb_ldap: Got default keytab file name
>>> /etc/krb5.keytab
>>> 2010/06/30 09:45:48| squid_kerb_ldap: Get principal name from keytab
>>> /etc/krb5.keytab
>>> 2010/06/30 09:45:48| squid_kerb_ldap: Keytab entry has realm name: XX.YY
>>> 2010/06/30 09:45:48| squid_kerb_ldap: Found principal name:
>>> host/proxy-test-01.xx.yy_at_XX.YY
>>> 2010/06/30 09:45:48| squid_kerb_ldap: Set credential cache to
>>> MEMORY:squid_ldap_22001
>>> 2010/06/30 09:45:48| squid_kerb_ldap: Got principal name
>>> host/proxy-test-01.xx.yy_at_XX.YY
>>> 2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising
>>> credentials from keytab : Client not found in Kerberos database
>>> 2010/06/30 09:45:48| squid_kerb_ldap: Error during setup of Kerberos
>>> credential cache
>>> 2010/06/30 09:45:48| squid_kerb_ldap: User TESTUSER is not member of
>>> group_at_domain Internet_at_NULL
>>> 2010/06/30 09:45:48| squid_kerb_ldap: ERR
>>> 2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER_at_XX.YY
>>> authenticated
>>>
>>> What could this be? The user "testuser" is member of the ad-group
>>> "Internet".
>>> Thanks a lot.
>>> Tom
>>>
>>
>>
>>
>
Received on Thu Jul 01 2010 - 20:11:01 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 02 2010 - 12:00:03 MDT