[squid-users] Re: Re: Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 6 Jan 2012 15:04:49 -0000

Hi James,

  Here is my test against a 2003AD server using msktutil-0.4. The only
change I did was to add -k <keytab> to the update command.

Regards
Markus

markus_at_opensuse11:/tmp> kinit administrator_at_WIN2003R2.HOME
Password for administrator_at_WIN2003R2.HOME:
markus_at_opensuse11:/tmp> ./create_squid
+ /home/markus/bin/msktutil -c -b ou=ServicePrincipals -s
HTTP/squid-test.win2003r2.home -k /tmp/PROXY.keytab --computer-name
squid-test-http --upn HTTP/squid-test.win2003r2.home --server
w2k3r2.win2003r2.home --verbose
 -- init_password: Wiping the computer password structure
 -- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-rtY7WU
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: squid-test-http$
 -- try_machine_keytab_princ: Trying to authenticate for squid-test-http$
from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/opensuse11
from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for squid-test-http$ with
password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client
not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4 -- ldap_connect: Connecting
to LDAP server: w2k3r2.win2003r2.home try_tls=YES
 -- ldap_connect: Connecting to LDAP server: w2k3r2.win2003r2.home
try_tls=NO
SASL/GSSAPI authentication started
SASL username: administrator_at_WIN2003R2.HOME
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 -- ldap_get_base_dn: Determining default LDAP base: dc=WIN2003R2,dc=HOME
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the
computer account
 -- generate_new_password: Characters read from /dev/udandom = 81
 -- ldap_check_account: Checking that a computer account for
squid-test-http$ exists
 -- ldap_check_account: Computer account not found, create the account

No computer account for squid-test-http found, creating a new one.
dn: cn=squid-test-http,ou=ServicePrincipals,dc=WIN2003R2,dc=HOME
 -- ldap_check_account_strings: Inspecting (and updating) computer account
attributes
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set dNSHostName to
opensuse11
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set userPrincipalName
to HTTP/squid-test.win2003r2.home_at_WIN2003R2.HOME
 -- ldap_set_supportedEncryptionTypes: DEE
dn=cn=squid-test-http,ou=ServicePrincipals,dc=WIN2003R2,dc=HOME old=7 new=28

 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set
msDs-supportedEncryptionTypes to 28
 -- ldap_simple_set_attr: ldap_modify_ext_s failed (No such attribute)
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000

 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache

 -- ldap_get_pwdLastSet: pwdLastSet is 0
 -- set_password: Successfully set password, waiting for it to be reflected
in LDAP.
 -- ldap_get_pwdLastSet: pwdLastSet is 129703357107187500
 -- set_password: Successfully reset computer's password
 -- ldap_add_principal: Checking that adding principal host/opensuse11 to
squid-test-http$ won't cause a conflict
Error: Another computer account
(CN=OPENSUSE11,OU=SambaServers,DC=win2003r2,DC=home) has the principal
host/opensuse11
Error: ldap_add_principal failed
 -- ldap_add_principal: Checking that adding principal
HTTP/squid-test.win2003r2.home to squid-test-http$ won't cause a conflict
 -- ldap_add_principal: Adding principal HTTP/squid-test.win2003r2.home to
LDAP entry
 -- execute: Updating all entries for opensuse11 in the keytab
WRFILE:/tmp/PROXY.keytab

 -- update_keytab: Updating all entires for squid-test-http$
 -- ldap_get_kvno: KVNO is 2
 -- add_principal_keytab: Adding principal to keytab: squid-test-http$
 -- add_principal_keytab: Using salt of
WIN2003R2.HOMEhostsquid-test-http.win2003r2.home
 -- add_principal_keytab: Adding entry of enctype 0x1
 -- add_principal_keytab: Using salt of
WIN2003R2.HOMEhostsquid-test-http.win2003r2.home
 -- add_principal_keytab: Adding entry of enctype 0x3
 -- add_principal_keytab: Using salt of
WIN2003R2.HOMEhostsquid-test-http.win2003r2.home
 -- add_principal_keytab: Adding entry of enctype 0x17
 -- add_principal_keytab: Adding principal to keytab:
HTTP/squid-test.win2003r2.home
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab: Using salt of
WIN2003R2.HOMEhostsquid-test-http.win2003r2.home
 -- add_principal_keytab: Adding entry of enctype 0x1
 -- add_principal_keytab: Using salt of
WIN2003R2.HOMEhostsquid-test-http.win2003r2.home
 -- add_principal_keytab: Adding entry of enctype 0x3
 -- add_principal_keytab: Using salt of
WIN2003R2.HOMEhostsquid-test-http.win2003r2.home
 -- add_principal_keytab: Adding entry of enctype 0x17
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context

Now the update (which does not happen as msktutil determines it is not old
enough to change):

markus_at_opensuse11:/tmp> kdestroy
markus_at_opensuse11:/tmp> ./update_squid
+ /home/markus/bin/msktutil --auto-update --verbose --computer-name
squid-test-http --server w2k3r2.win2003r2.home -s
HTTP/squid-test.win2003r2.home -k /tmp/PROXY.keytab
 -- init_password: Wiping the computer password structure
 -- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-l363GC
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: squid-test-http$
 -- try_machine_keytab_princ: Trying to authenticate for squid-test-http$
from local keytab...
 -- switch_default_ccache: Using the local credential cache:
FILE:/tmp/.mskt_krb5_ccache-kyOgot
 -- finalize_exec: Authenticated using method 1

 -- ldap_connect: Connecting to LDAP server: w2k3r2.win2003r2.home
try_tls=YES
 -- ldap_connect: Connecting to LDAP server: w2k3r2.win2003r2.home
try_tls=NO
SASL/GSSAPI authentication started
SASL username: squid-test-http$@WIN2003R2.HOME
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 -- ldap_get_base_dn: Determining default LDAP base: dc=WIN2003R2,dc=HOME
 -- get_default_ou: Determining default OU:
CN=Computers,DC=win2003r2,DC=home
 -- ldap_get_pwdLastSet: pwdLastSet is 129703357107187500
 -- execute: Password last set 0 days ago.
 -- execute: Exiting because password was changed recently.
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context
markus_at_opensuse11:/tmp> klist -ekt /tmp/PROXY.keytab
Keytab name: WRFILE:/tmp/PROXY.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
   2 01/06/12 15:01:50 squid-test-http$@WIN2003R2.HOME (DES cbc mode with
CRC-32)
   2 01/06/12 15:01:50 squid-test-http$@WIN2003R2.HOME (DES cbc mode with
RSA-MD5)
   2 01/06/12 15:01:50 squid-test-http$@WIN2003R2.HOME (ArcFour with
HMAC/md5)
   2 01/06/12 15:01:50 HTTP/squid-test.win2003r2.home_at_WIN2003R2.HOME (DES
cbc mode with CRC-32)
   2 01/06/12 15:01:50 HTTP/squid-test.win2003r2.home_at_WIN2003R2.HOME (DES
cbc mode with RSA-MD5)
   2 01/06/12 15:01:50 HTTP/squid-test.win2003r2.home_at_WIN2003R2.HOME
(ArcFour with HMAC/md5)
Received on Fri Jan 06 2012 - 15:05:10 MST
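The run above writes a keytab whose only keys are single-DES (0x1, 0x3) and ArcFour (0x17), and the attempt to set msDs-supportedEncryptionTypes to 28 fails with "No such attribute" because that attribute does not exist on a Windows 2003 domain controller. When checking a Squid keytab produced this way, it helps to read it programmatically rather than eyeball klist output. The following is an added example, not msktutil's code or anything from the original post: it builds an in-memory keytab (file format version 0x0502, the one klist reads) mirroring the principals, KVNO and enctypes shown in the klist listing, parses it back, flags the weak enctypes, and decodes the msDS-supportedEncryptionTypes values 7 and 28 from the log. The timestamp and key bytes are constructed placeholders; parse_keytab works on any real keytab file read as bytes.

```python
"""Parse a MIT-format keytab and decode msDS-supportedEncryptionTypes.

Added example (not msktutil's code). SAMPLE_KEYTAB is constructed in memory
to mirror the `klist -ekt` output in the post; timestamps and key material
are placeholders.
"""
import struct
from dataclasses import dataclass

# RFC 3961 / MIT enctype numbers: the three the post shows plus the AES pair.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}
WEAK_ENCTYPES = {1, 3, 23}  # single DES and RC4; prefer AES where the KDC offers it

# Bit values of the AD attribute msDS-supportedEncryptionTypes.
MSDS_ENCTYPE_BITS = [
    (0x01, "DES_CBC_CRC"),
    (0x02, "DES_CBC_MD5"),
    (0x04, "RC4_HMAC"),
    (0x08, "AES128_CTS_HMAC_SHA1_96"),
    (0x10, "AES256_CTS_HMAC_SHA1_96"),
]


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries, realm: str) -> bytes:
    """Serialise (components, kvno, enctype, timestamp, key) tuples as keytab v2."""
    out = bytearray(b"\x05\x02")
    for components, kvno, enctype, ts, key in entries:
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)  # keyblock
        body += struct.pack(">I", kvno)  # optional 32-bit vno (MIT extension)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Walk the entry records of a version-0x0502 keytab and return KeytabEntry list."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:  # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        realm = blob[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            comps.append(blob[pos:pos + clen].decode())
            pos += clen
        _name_type, ts, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + klen  # skip the key bytes themselves
        kvno = vno8
        if end - pos >= 4:  # trailing 32-bit vno, used when non-zero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, ts))
    return entries


def audit(entries):
    """Split entries into (weak, strong) by enctype so a check can fail on weak-only keytabs."""
    weak = [e for e in entries if e.enctype in WEAK_ENCTYPES]
    strong = [e for e in entries if e.enctype not in WEAK_ENCTYPES]
    return weak, strong


def decode_msds_enctypes(value: int):
    """Names of the enctype bits set in an msDS-supportedEncryptionTypes value."""
    return [name for bit, name in MSDS_ENCTYPE_BITS if value & bit]


# Constructed sample: same principals, KVNO 2 and enctypes 1/3/23 as the post's klist.
REALM = "WIN2003R2.HOME"
SAMPLE_TS = 1325862110  # placeholder epoch, not the real file timestamp
SAMPLE_ENTRIES = [
    (comps, 2, et, SAMPLE_TS, bytes([0x11] * (8 if et in (1, 3) else 16)))
    for comps in (["squid-test-http$"], ["HTTP", "squid-test.win2003r2.home"])
    for et in (1, 3, 23)
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES, REALM)

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for e in parsed:
        print(f"{e.kvno:>4} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})")
    weak, strong = audit(parsed)
    print(f"weak entries: {len(weak)}, strong entries: {len(strong)}")
    print("old=7  ->", decode_msds_enctypes(7))
    print("new=28 ->", decode_msds_enctypes(28))
```

With a real file, replace SAMPLE_KEYTAB by `open("/tmp/PROXY.keytab", "rb").read()`. Every entry in the sample is flagged weak, which is the expected outcome on a 2003 domain: with no msDS-supportedEncryptionTypes attribute the account stays at old=7 (DES-CRC, DES-MD5, RC4), so an AES-only policy on the Squid host would have nothing to negotiate with.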