RE: [squid-users] Re: Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

From: James Robertson <j_at_mesrobertson.com>
Date: Fri, 6 Jan 2012 15:08:40 +1100

> This doesn't matter what does the next lines say ?
>
> -- try_machine_keytab_princ: Trying to authenticate for HTTP
> /3msydproxy01.example.local from local keytab...
>
> This should be successful.
>
> The kinit test before the update and a wireshark capture would help identify
> the issue (i.e. a msktutil error).
>

From what I can tell the packet capture seems to indicate that msktutil is trying to use host/3msydproxy01-http.example.local, when it should be host/3msydproxy01.example.local. I could be wrong about this and would appreciate it if someone could review the capture output. What is the preferred way to post the output of the wireshark capture on the mailing list?

So here is the process from start to finish for the computer name 3MSYDPROXY01-HTTP.

###
### kdestroy and remove account from AD. Then kinit with administrator account
###

###
### Run msktutil
###

# msktutil -c -b "ou=MEMBER SERVERS,ou=EXAMPLE" -s HTTP/3msydproxy01.example.local -k /etc/squid3/PROXY.keytab \
  --computer-name 3MSYDPROXY01-HTTP --upn HTTP/3msydproxy01.example.local --server dc1.example.local --verbose --enctypes 28
 -- init_password: Wiping the computer password structure
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-dYTpBb
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: 3MSYDPROXY01-HTTP$
 -- try_machine_keytab_princ: Trying to authenticate for 3MSYDPROXY01-HTTP$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/3msydproxy01.example.local from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for 3MSYDPROXY01-HTTP$ with password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: dc1.example.local try_tls=YES
 -- ldap_connect: Connecting to LDAP server: dc1.example.local try_tls=NO
SASL/GSSAPI authentication started
SASL username: XXXXXXX_at_EXAMPLE.LOCAL
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 -- ldap_get_base_dn: Determining default LDAP base: dc=EXAMPLE,dc=LOCAL
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password: Characters read from /dev/udandom = 90
 -- ldap_check_account: Checking that a computer account for 3MSYDPROXY01-HTTP$ exists
 -- ldap_check_account: Computer account not found, create the account

No computer account for 3MSYDPROXY01-HTTP found, creating a new one.
dn: cn=3MSYDPROXY01-HTTP,ou=MEMBER SERVERS,ou=EXAMPLE,dc=EXAMPLE,dc=LOCAL
 -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set dNSHostName to 3msydproxy01.example.local
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set userPrincipalName to HTTP/3msydproxy01.example.local_at_EXAMPLE.LOCAL
 -- ldap_set_supportedEncryptionTypes: DEE dn=cn=3MSYDPROXY01-HTTP,ou=MEMBER SERVERS,ou=EXAMPLE,dc=EXAMPLE,dc=LOCAL old=7 new=28

 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set msDs-supportedEncryptionTypes to 28
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000

 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache

 -- ldap_get_pwdLastSet: pwdLastSet is 0
 -- set_password: Successfully set password, waiting for it to be reflected in LDAP.
 -- ldap_get_pwdLastSet: pwdLastSet is 129702931724574634
 -- set_password: Successfully reset computer's password
 -- ldap_add_principal: Checking that adding principal host/3msydproxy01.example.local to 3MSYDPROXY01-HTTP$ won't cause a conflict
 -- ldap_add_principal: Adding principal host/3msydproxy01.example.local to LDAP entry
 -- ldap_add_principal: Checking that adding principal HTTP/3msydproxy01.example.local to 3MSYDPROXY01-HTTP$ won't cause a conflict
 -- ldap_add_principal: Adding principal HTTP/3msydproxy01.example.local to LDAP entry
 -- execute: Updating all entries for 3msydproxy01.example.local in the keytab WRFILE:/etc/squid3/PROXY.keytab

 -- update_keytab: Updating all entires for 3MSYDPROXY01-HTTP$
 -- ldap_get_kvno: KVNO is 2
 -- add_principal_keytab: Adding principal to keytab: 3MSYDPROXY01-HTTP$
 -- add_principal_keytab: Using salt of EXAMPLE.LOCALhost3msydproxy01-http.example.local
 -- add_principal_keytab: Adding entry of enctype 0x17
 -- add_principal_keytab: Using salt of EXAMPLE.LOCALhost3msydproxy01-http.example.local
 -- add_principal_keytab: Adding entry of enctype 0x11
 -- add_principal_keytab: Using salt of EXAMPLE.LOCALhost3msydproxy01-http.example.local
 -- add_principal_keytab: Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: host/3msydproxy01.example.local
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab: Using salt of EXAMPLE.LOCALhost3msydproxy01-http.example.local
 -- add_principal_keytab: Adding entry of enctype 0x17
 -- add_principal_keytab: Using salt of EXAMPLE.LOCALhost3msydproxy01-http.example.local
 -- add_principal_keytab: Adding entry of enctype 0x11
 -- add_principal_keytab: Using salt of EXAMPLE.LOCALhost3msydproxy01-http.example.local
 -- add_principal_keytab: Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: HTTP/3msydproxy01.example.local
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab: Using salt of EXAMPLE.LOCALhost3msydproxy01-http.example.local
 -- add_principal_keytab: Adding entry of enctype 0x17
 -- add_principal_keytab: Using salt of EXAMPLE.LOCALhost3msydproxy01-http.example.local
 -- add_principal_keytab: Adding entry of enctype 0x11
 -- add_principal_keytab: Using salt of EXAMPLE.LOCALhost3msydproxy01-http.example.local
 -- add_principal_keytab: Adding entry of enctype 0x12
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context

###
### run kinit successfully.
###

# kinit -kt /etc/squid3/PROXY.keytab HTTP/3msydproxy01.example.local
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/3msydproxy01.example.local_at_EXAMPLE.LOCAL

Valid starting Expires Service principal
01/06/12 14:41:23 01/07/12 00:41:23 krbtgt/EXAMPLE.LOCAL_at_EXAMPLE.LOCAL
        renew until 01/07/12 14:41:23

###
### Reset computer account in AD
###

###
### Run msktutil update. This is different after having run the kinit command but fails with (5) Access denied at the end
###

# msktutil --auto-update --verbose --computer-name 3msydproxy01-http --server dc1.example.local -s HTTP/3msydproxy01.example.local
 -- init_password: Wiping the computer password structure
 -- get_default_keytab: Obtaining the default keytab name: /etc/squid3/PROXY.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-QGX1t2
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: 3msydproxy01-http$
 -- try_machine_keytab_princ: Trying to authenticate for 3msydproxy01-http$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/3msydproxy01.example.local from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for 3msydproxy01-http$ with password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: dc1.example.local try_tls=YES
 -- ldap_connect: Connecting to LDAP server: dc1.example.local try_tls=NO
SASL/GSSAPI authentication started
SASL username: HTTP/3msydproxy01.example.local_at_EXAMPLE.LOCAL
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 -- ldap_get_base_dn: Determining default LDAP base: dc=EXAMPLE,dc=LOCAL
 -- get_default_ou: Determining default OU: CN=Computers,DC=example,DC=local
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password: Characters read from /dev/udandom = 88
 -- ldap_check_account: Checking that a computer account for 3msydproxy01-http$ exists
 -- ldap_check_account: Checking computer account - found
 -- ldap_check_account: Found userAccountControl = 0x1000

 -- ldap_check_account: Found supportedEncryptionTypes = 28

 -- ldap_check_account: Found dNSHostName = 3msydproxy01.example.local

 -- ldap_check_account: Found Principal: HTTP/3msydproxy01.example.local
 -- ldap_check_account: Found Principal: host/3msydproxy01.example.local
 -- ldap_check_account: Found User Principal: HTTP/3msydproxy01.example.local
 -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
 -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28

 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000

 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache

 -- ldap_get_pwdLastSet: pwdLastSet is 129702932842880732
Error: Unable to set machine password for 3msydproxy01-http$: (5) Access denieduïnÀB³
Error: set_password failed
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context

###
### If I run kdestroy (and kill the HTTP/3msydproxy01.example.local ticket) the following is logged from msktutil
###

# msktutil --auto-update --verbose --computer-name 3msydproxy01-http --server dc1.example.local -s HTTP/3msydproxy01.example.local
 -- init_password: Wiping the computer password structure
 -- get_default_keytab: Obtaining the default keytab name: /etc/squid3/PROXY.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-Twfgw2
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: 3msydproxy01-http$
 -- try_machine_keytab_princ: Trying to authenticate for 3msydproxy01-http$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/3msydproxy01.example.local from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for 3msydproxy01-http$ with password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
 -- try_user_creds: User ticket cache was not valid.
Error: could not find any credentials to authenticate with. Neither keytab,
     default machine password, nor calling user's tickets worked. Try
     "kinit"ing yourself some tickets with permission to create computer
     objects, or pre-creating the computer object in AD and selecting
     'reset account'.
 -- ~KRB5Context: Destroying Kerberos Context
Received on Fri Jan 06 2012 - 04:08:56 MST
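Added example (not from the post, and not msktutil's own code): a checker that rebuilds the default Active Directory computer-account salt from the sAMAccountName and realm found in a verbose msktutil log and compares it with every "Using salt of" line, which is the review the post asks for. AD derives that salt from the sAMAccountName (host part lowercased, trailing "$" dropped) and the realm, not from the SPN or dNSHostName, so a salt naming 3msydproxy01-http is what a computer account created with --computer-name 3MSYDPROXY01-HTTP gets. The log excerpt is constructed from lines quoted above; the function names are my own.

```python
import re

# Constructed excerpt of the verbose msktutil output quoted in the post.
SAMPLE_LOG = """\
 -- finalize_exec: SAM Account Name is: 3MSYDPROXY01-HTTP$
 -- ldap_get_base_dn: Determining default LDAP base: dc=EXAMPLE,dc=LOCAL
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set dNSHostName to 3msydproxy01.example.local
 -- add_principal_keytab: Adding principal to keytab: 3MSYDPROXY01-HTTP$
 -- add_principal_keytab: Using salt of EXAMPLE.LOCALhost3msydproxy01-http.example.local
 -- add_principal_keytab: Adding entry of enctype 0x17
 -- add_principal_keytab: Adding principal to keytab: HTTP/3msydproxy01.example.local
 -- add_principal_keytab: Using salt of EXAMPLE.LOCALhost3msydproxy01-http.example.local
 -- add_principal_keytab: Adding entry of enctype 0x12
"""


def ad_computer_salt(sam_account_name, realm):
    """Default AD salt for a computer account (MS-KILE 3.1.1.2):
    REALM + "host" + lowercase sAMAccountName without "$" + "." + lowercase realm."""
    host = sam_account_name.rstrip("$").lower()
    return f"{realm.upper()}host{host}.{realm.lower()}"


def realm_from_base_dn(base_dn):
    """Turn 'dc=EXAMPLE,dc=LOCAL' into the Kerberos realm 'EXAMPLE.LOCAL'."""
    parts = (p.split("=", 1) for p in base_dn.split(","))
    return ".".join(v for k, v in parts if k.strip().lower() == "dc").upper()


def salt_host_matches_dns(sam_account_name, dns_host_name):
    """True when the salt's host label equals the first label of dNSHostName.
    They differ whenever --computer-name is not the machine's short hostname."""
    return sam_account_name.rstrip("$").lower() == dns_host_name.split(".")[0].lower()


def check_salts(log):
    """Compare each salt msktutil logged against the AD default for the account."""
    sam = re.search(r"SAM Account Name is: (\S+)", log).group(1)
    realm = realm_from_base_dn(re.search(r"default LDAP base: (\S+)", log).group(1))
    dns = re.search(r"set dNSHostName to (\S+)", log)
    expected = ad_computer_salt(sam, realm)
    entries, principal = [], None
    for line in log.splitlines():
        m = re.search(r"Adding principal to keytab: (\S+)", line)
        if m:
            principal = m.group(1)
            continue
        m = re.search(r"Using salt of (\S+)", line)
        if m:  # (principal, logged salt, matches AD default?)
            entries.append((principal, m.group(1), m.group(1) == expected))
    return {"sam": sam, "realm": realm, "expected_salt": expected,
            "dns_host_name": dns.group(1) if dns else None, "entries": entries}
```

Run check_salts over a full --verbose log: every entry flagged False is a keytab key derived with a salt AD will not use and is worth a closer look before blaming the SPN.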