[squid-users] Re: Re: Re: squid_kerb_auth problem

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 19 Jan 2010 23:02:00 -0000

Hi Jose

Can you install kerbtray from the resource kit
http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
and start it ? It should list if you have got a TGS for HTTP/squid.domain.

Also can you capture port 88 (Kerberos) traffic on the client with wireshark?
When you login you should see an AS REQ and REP and when firefox
authenticates to the proxy you should see a TGS REQ for HTTP/squid.domain.

If not can you send me the capture to have a look at it ?

Regards
Markus

"Jose Lopes" <jlopes_at_iportalmais.pt> wrote in message
news:4B5596BB.8010103_at_iportalmais.pt...
> Hi,
>
> I have the same problem.
> I have already set network.negotiate-auth.trusted-uris to proxy domain.
> At the firefox (FF) log appears:
> 0[825140]: service = squid.domain
> 0[825140]: using negotiate-sspi
> 0[825140]: nsAuthSSPI::Init
> 0[825140]: InitSSPI
> 0[825140]: Using SPN of [HTTP/squid.domain]
> 0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
> 0[825140]: entering nsAuthSSPI::GetNextToken()
> 0[825140]: Sending a token of length 40
> 0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
> 0[825140]: entering nsAuthSSPI::GetNextToken()
> 0[825140]: Cannot restart authentication sequence!
>
> The http messages between squid and FF are:
>
> FF -> SQUID
> GET http://www.squid-cache.org/ HTTP/1.1
> [...]
>
> SQUID -> FF
> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/3.0.STABLE14
> [...]
> Proxy-Authenticate: Negotiate
> [...]
>
> FF -> SQUID
> GET http://www.squid-cache.org/ HTTP/1.1
> [...]
> Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>
> SQUID -> FF
> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/3.0.STABLE14
> [...]
> Proxy-Authenticate: Negotiate
> [...]
>
>
> I have already IE working, and the http seems similar.
>
> IE -> SQUID
> GET http://www.squid-cache.org/ HTTP/1.1
> [...]
>
> SQUID -> IE
> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/3.0.STABLE14
> [...]
> Proxy-Authenticate: Negotiate
> [...]
>
> IE -> SQUID
> GET http://www.squid-cache.org/ HTTP/1.1
> [...]
> Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>
> SQUID -> IE
> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/3.0.STABLE14
> [...]
> Proxy-Authenticate: Negotiate
> [...]
>
> IE -> SQUID
> GET http://www.squid-cache.org/ HTTP/1.1
> [...]
> Proxy-Authorization: Negotiate YIIE+gYGKwYBBQUCoIIE7jCCBOqgJDAiBgkqhkiC9xIBAgIGC[...]
> [...]
>
> SQUID -> IE
> HTTP/1.0 200 OK
> [...]
> Proxy-Authentication-Info: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICoo[...]
> [...]
>
>
> Seems like at first IE uses NTLM and at second uses kerberos.
>
> I think FF is similar, but FF doesn't allow the second iteration.
>
> How can I put kerberos as first iteration?
>
> Thanks in advance
> Regards
> Jose
>
> Markus Moeller wrote:
>>
>> The message parseNegTokenInit failed with rc=102 just means the token
>> is not a GSSAPI token wrapped in a SPNEGO token, but a plain GSSAPI
>> token. When you use firefox you have to do a kinit first to store the
>> AS token in the Kerberos cache for Firefox to use and I think Firefox
>> has to be configured with network.negotiate-auth.trusted-uris to be
>> set to the domains of your proxy server.
>>
>> Regards
>> Markus
>>
>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>> news:c3b47c041001181054n7091ea3aj761a508938de74e3_at_mail.gmail.com...
>> Hi Markus
>> Sorry yes you were right, it was DNS.
>>
>> In our environment we are running two DNS servers. One using MS DNS
>> and the other using unix BIND. The linux server was added to the unix
>> DNS (with name proxy1.domain.com) but not to the MS DNS which was
>> authority for ad.domain.com. Now that I think about it our MS DNS has
>> issues doing reverse lookups for IPs that the unix DNS is authority
>> for (which in this case was proxy1.domain.com).
>>
>> I changed linux server name to proxy1.ad.domain.com and now the
>> squid_kerb_auth_test works.
>> Using your squid_kerb_auth (version 1.0.5) I get:
>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
>> 2010/01/18 20:25:10| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
>> When I try the same thing with the auth from squid-2.7.STABLE7.tar.bz2 I get
>> 2010/01/18 20:29:07| squid_kerb_auth: parseNegTokenInit failed with rc=102
>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
>> 2010/01/18 20:29:07| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
>> Is the parseNegTokenInit failed with rc=102 ok?
>>
>> I then tried running squid and used Firefox 3.5.7. I got the following
>> error from squid cache:
>>
>> authenticateNegotiateHandleReply: Failed validating user via Negotiate. Error returned 'type 1 NTLM token'
>>
>> Any ideas? Also I don't get any authentication popups for userid and
>> password...
>>
>> A sample of the log:
>> 2010/01/18 20:47:58| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
>> 2010/01/18 20:47:58| squid_kerb_auth: parseNegTokenInit failed with rc=101
>> 2010/01/18 20:47:58| squid_kerb_auth: received type 1 NTLM token
>> 2010/01/18 20:47:58| do_comm_select: 1 fds ready
>> 2010/01/18 20:47:58| cbdataValid: 0x1838d448
>> 2010/01/18 20:47:58| helperStatefulHandleRead: 30 bytes from negotiateauthenticator #1.
>> 2010/01/18 20:47:58| commSetSelect: FD 7 type 1
>> 2010/01/18 20:47:58| helperStatefulHandleRead: end of reply found
>> 2010/01/18 20:47:58| cbdataValid: 0x18648bb8
>> 2010/01/18 20:47:58| cbdataValid: 0x185cad18
>> 2010/01/18 20:47:58| helperStatefulReleaseServer: 0x1838d448
>> 2010/01/18 20:47:58| helperStatefulReset: 0x1838d448
>> 2010/01/18 20:47:58| StatefulGetFirstAvailable: Running servers 10.
>> 2010/01/18 20:47:58| authenticateNegotiateHandleReply: Failed validating user via Negotiate. Error returned 'type 1 NTLM token'
>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>> 2010/01/18 20:47:58| cbdataValid: 0x183561a8
>> 2010/01/18 20:47:58| aclCheck: checking 'http_access deny !password'
>> 2010/01/18 20:47:58| aclMatchAclList: checking !password
>> 2010/01/18 20:47:58| aclMatchAcl: checking 'acl password proxy_auth REQUIRED'
>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>> 2010/01/18 20:47:58| authenticateNegotiateAuthenticateUser: need to challenge client 'received'!
>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>> 2010/01/18 20:47:58| aclAuthenticated: returning 0 sending authentication challenge.
>> 2010/01/18 20:47:58| aclCheck: match found, returning 2
>> 2010/01/18 20:47:58| cbdataUnlock: 0x183561a8
>> 2010/01/18 20:47:58| aclCheckCallback: answer=2
>> 2010/01/18 20:47:58| cbdataValid: 0x185ca298
>> 2010/01/18 20:47:58| The request GET http://en-gb.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official is DENIED, because it matched 'password'
>>
>> My acl for this was:
>> 'http_access deny !password'
>>
>> Regards
>> Umesh
>>
>> 2010/1/16 Markus Moeller <huaraz_at_moeller.plus.com>:
>>> Can you check your DNS you should get for
>>>
>>> nslookup name an ip
>>> and for the reverse
>>> nslookup ip the same name.
>>>
>>> Which Kerberos libraries do you use ? Heimdal or MIT and which release ?
>>>
>>> Markus
>>>
>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>> news:c3b47c041001160337k68a1313g1863689383a15121_at_mail.gmail.com...
>>> Hi
>>>
>>> When I tried
>>> ./squid_kerb_auth_test proxy1
>>> or
>>> ./squid_kerb_auth_test proxy1.domain.com
>>> I got
>>> 2010/01/16 12:31:47| squid_kerb_auth_test: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Unknown code krb5 7
>>> Token: NULL
>>>
>>> But I got a token if I used
>>> ./squid_kerb_auth_test domain.com
>>> or
>>> ./squid_kerb_auth_test adserver.domain.com
>>>
>>> Using this token and squid auth in the same directory I got
>>>
>>> squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>> BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>
>>> Using the same token on the latest compiled squid
>>> /usr/local/squid/libexec/squid_kerb_auth -d
>>> I got
>>>
>>> 2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit failed with rc=102
>>> 2010/01/16 12:55:58| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>> NA gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>
>>> Any ideas?
>>> Regards
>>> Umesh
>>>
>>>
>>>
>>> 2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>
>>>> There should be a squid_kerb_auth_test application in the same source
>>>> directory as squid_kerb_auth.
>>>>
>>>> Do a kinit user_at_DOMAIN and then a squid_kerb_auth_test squid-fqdn which
>>>> should give you a token like:
>>>>
>>>> Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>>>
>>>> which you can then use with squid_kerb_auth like
>>>>
>>>> export KRB5_KTNAME=/path-to-squid.keytab.
>>>> ./squid_kerb_auth -d
>>>> YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>>> 2010/01/15 14:40:29| squid_kerb_auth: Got 'YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
>>>> 2010/01/15 14:40:29| squid_kerb_auth: Decode 'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
>>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus_at_SUSE.HOME
>>>> 2010/01/15 14:40:29| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus_at_SUSE.HOME
>>>>
>>>>
>>>> Regards
>>>> Markus
>>>>
>>>> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
>>>> news:hipnhp$hs3$1_at_ger.gmane.org...
>>>>>
>>>>> When you use ktpass or msktutil you have to specify a different AD object
>>>>> than your samba object and remove the HTTP/... entries as service principal
>>>>> from your samba AD object. If you want to have only one AD object you have
>>>>> to use the net keytab command as described in the wiki.
>>>>>
>>>>>
>>>>> Regards
>>>>> Markus
>>>>>
>>>>>
>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>> news:c3b47c041001150053n290d6443q830770300636a0ca_at_mail.gmail.com...
>>>>> Hi
>>>>> Ok. Did that now and I got:
>>>>>
>>>>> kvno HTTP/proxy1.domain.com
>>>>> HTTP/proxy1_at_DOMAIN.COM: kvno = 5
>>>>>
>>>>> This number is different from the keytab number.
>>>>> How do I correct this?
>>>>>
>>>>> Yes I did use samba (net ads join -U adminuserid). Then I tried the
>>>>> msktutil. Then finally ktpass.
>>>>>
>>>>> During the net ads join I got:
>>>>>
>>>>> # net ads join -U userid
>>>>> userid's password:
>>>>> Using short domain name -- DOMAIN
>>>>> DNS update failed!
>>>>> Joined 'PROXY1' to realm 'DOMAIN.COM'
>>>>>
>>>>> Is the DNS update a problem?
>>>>>
>>>>> Regards
>>>>> Umesh
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>
>>>>>> Sorry I forgot to say that you have to do a kinit aduser_at_REALM before you
>>>>>> issue the kvno command. Did you use the samba netjoin command to create
>>>>>> the as account and the keytab ?
>>>>>>
>>>>>> Markus
>>>>>>
>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>>> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd_at_mail.gmail.com...
>>>>>> Hi Markus
>>>>>> I've checked with ADSIEDIT and found a single entry for the linux
>>>>>> server named proxy1.
>>>>>> Clicking on its properties I found the following entries for service
>>>>>> Principal Name:
>>>>>>
>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>>>>>>
>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
>>>>>>
>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
>>>>>>
>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>>>>>>
>>>>>> On the linux box:
>>>>>>
>>>>>> # klist -ekt /etc/squid/HTTP.keytab
>>>>>> Keytab name: FILE:/etc/squid/HTTP.keytab
>>>>>> KVNO Timestamp         Principal
>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>    7 01/01/70 02:00:00 HTTP/proxy1.domain.com_at_AD.DOMAIN.COM (ArcFour with HMAC/md5)
>>>>>>
>>>>>> # kvno HTTP/proxy1.domain.com
>>>>>> kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com_at_AD.DOMAIN.COM
>>>>>> # kvno HTTP/proxy1
>>>>>> kvno: Ticket expired while getting credentials for HTTP/proxy1_at_AD.DOMAIN.COM
>>>>>>
>>>>>> Should I remove the entry on AD, rejoin the pc to AD and create the
>>>>>> keytab again?
>>>>>> Which mechanism should I use to create the keytab?
>>>>>> Is my DNS correct if the pc came up on AD as proxy1 should it be the
>>>>>> fqdn (proxy1.domain.com)?
>>>>>>
>>>>>> Regards
>>>>>> Umesh
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>
>>>>>>> On AD you can use ADSIEDIT
>>>>>>> ( http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx )
>>>>>>> to search for entries and delete, modify them. The best instructions are
>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>
>>>>>>> Let me know what you get once you deleted the old entry. Another check is
>>>>>>> to use the kvno tool which you should have when you use MIT Kerberos.
>>>>>>>
>>>>>>> #kvno HTTP/fqdn_at_REALM should give the same number as klist -ekt squid.keytab
>>>>>>> e.g.
>>>>>>>
>>>>>>> # klist -ekt /etc/squid/squid.keytab
>>>>>>> Keytab name: FILE:/etc/squid/squid.keytab
>>>>>>> KVNO Timestamp         Principal
>>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (ArcFour with HMAC/md5)
>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (Triple DES cbc mode with HMAC/sha1)
>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (DES cbc mode with CRC-32)
>>>>>>>
>>>>>>> #kvno HTTP/opensuse11.suse.home
>>>>>>> HTTP/opensuse11.suse.home_at_SUSE.HOME: kvno = 3
>>>>>>>
>>>>>>>
>>>>>>> Regards
>>>>>>> Markus
>>>>>>>
>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>>>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f_at_mail.gmail.com...
>>>>>>> Hi,
>>>>>>> I'm new to this. I've run the following command on the server:
>>>>>>>
>>>>>>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b
>>>>>>> "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn_at_REALM"
>>>>>>>
>>>>>>> and get
>>>>>>> #
>>>>>>> # LDAPv3
>>>>>>> # base <OU=name,DC=domain,DC=com> with scope subtree
>>>>>>> # filter: serviceprincipalname=HTTP/fqdn_at_REALM
>>>>>>> # requesting: ALL
>>>>>>> #
>>>>>>>
>>>>>>> # search result
>>>>>>>
>>>>>>> # numResponses: 1
>>>>>>>
>>>>>>> Is it possible to check directly on AD if this service principal name
>>>>>>> exists?
>>>>>>> How else can I test if this keytab works?
>>>>>>> If I create a new keytab what is the procedure of getting rid of the
>>>>>>> old one and retesting (what should be done on AD and the linux box)?
>>>>>>>
>>>>>>> Are there any docs that will help me with this?
>>>>>>>
>>>>>>> Sorry for being a pain and thanks again.
>>>>>>> Regards
>>>>>>> Umesh
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>>
>>>>>>>> Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or
>>>>>>>> search with a filter "(serviceprincipalname=HTTP/fqdn_at_REALM)" if you have
>>>>>>>> duplicate entries ?
>>>>>>>>
>>>>>>>> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn_at_REALM.KERBEROS will only
>>>>>>>> work if the userprincipal name is HTTP/fqdn_at_REALM.KERBEROS which I think is
>>>>>>>> not the case with ktpass.
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Markus
>>>>>>>>
>>>>>>>>
>>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>>>>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0_at_mail.gmail.com...
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I'm trying to get the squid helper squid_kerb_auth to work against our
>>>>>>>>> Active Directory (win 2003 sp2).
>>>>>>>>>
>>>>>>>>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4
>>>>>>>>> 64 bit.
>>>>>>>>>
>>>>>>>>> Squid Cache: Version 2.7.STABLE7
>>>>>>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp'
>>>>>>>>> '--disable-wccpv2' '--enable-large-cache-files'
>>>>>>>>> '--with-large-files'
>>>>>>>>> '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
>>>>>>>>> '--enable-ntlm-auth-helpers=SMB'
>>>>>>>>> '--enable-auth=basic,ntlm,negotiate'
>>>>>>>>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> A keytab file was created on AD for squid
>>>>>>>>> (HTTP/squid.domain_at_REALM.KERBEROS)
>>>>>>>>>
>>>>>>>>> ktpass -princ HTTP/fqdn_at_REALM -mapuser squiduser
>>>>>>>>> -pass password -out HTTP.keytab
>>>>>>>>>
>>>>>>>>> Transferred the file on the CentOS server and placed it
>>>>>>>>> in /etc/squid/HTTP.keytab
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn_at_REALM.KERBEROS
>>>>>>>>>
>>>>>>>>> I get the error message:
>>>>>>>>> kinit(v5): Client not found in Kerberos database while getting initial credentials
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I've also tried creating the keytab file using
>>>>>>>>> msktutil or samba according to the following doc:
>>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>>>
>>>>>>>>> I get the same error.
>>>>>>>>>
>>>>>>>>> How do I sort out this problem?
>>>>>>>>>
>>>>>>>>> Thanks in advance.
>>>>>>>>> Regards
>>>>>>>>> Umesh
>>>>>>>>>
Received on Tue Jan 19 2010 - 23:02:54 MST
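
The tokens quoted in this thread can be told apart by their leading bytes, which shows whether a client offered NTLM, a SPNEGO-wrapped token, or a plain Kerberos GSSAPI token. The following is an added example, not part of the original messages and not squid_kerb_auth code; the function name `classify` and its return labels are assumptions, and `RAW_KRB5` is a constructed sample.

```python
import base64
import re

# DER-encoded mechanism OIDs (standard values, not taken from the thread)
SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2


def _after_der_length(buf, pos):
    """Index of the first byte after the DER length field that starts at pos."""
    first = buf[pos]
    return pos + 1 + ((first & 0x7F) if first & 0x80 else 0)


def classify(text):
    """Classify a Negotiate token given bare, or as the last field of a log/header line.

    Only the leading bytes are inspected, so tokens cut short in a paste still classify.
    """
    try:
        field = text.split()[-1]
        b64 = re.match(r"[A-Za-z0-9+/]*=*", field).group()
        data = base64.b64decode(b64[: len(b64) // 4 * 4])  # drop a partial group
        if data.startswith(b"NTLMSSP\x00"):
            # NTLMSSP signature, then a little-endian 32-bit message type
            return "ntlm-type%d" % int.from_bytes(data[8:12], "little")
        if data[0] == 0xA1:
            return "spnego-resp"          # NegTokenResp, e.g. the token after "AF"
        if data[0] != 0x60:
            return "unknown"
        pos = _after_der_length(data, 1)  # 0x60 opens a GSS-API initial token
        if data[pos] != 0x06:             # the mechanism OID must come next
            return "unknown"
        oid = data[pos + 2 : pos + 2 + data[pos + 1]]
    except (IndexError, ValueError):
        return "unknown"
    if oid == SPNEGO_OID:
        return "spnego-init"              # GSSAPI token wrapped in SPNEGO
    if oid == KRB5_OID:
        return "raw-kerberos"             # plain GSSAPI token, not SPNEGO-wrapped
    return "gssapi-other"


# Constructed sample: header of a bare Kerberos GSS-API token (no ticket data)
RAW_KRB5 = base64.b64encode(bytes.fromhex("600b06092a864886f712010202")).decode()

if __name__ == "__main__":
    samples = [
        "YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==",  # from the thread
        "YIIE+gYGKwYBBQUCoIIE7jCCBOqgJDAiBgkqhkiC9xIBAgIGC[...]",       # from the thread, truncated
        "AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg==",                          # from the thread
        RAW_KRB5,
    ]
    for s in samples:
        print(classify(s), "<-", s[:40])
```

An `ntlm-type1` result for the client's first Proxy-Authorization token corresponds to the helper's "received type 1 NTLM token" log line quoted above.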
