[squid-users] Re: Re: Re: Re: squid_kerb_auth problem

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 20 Jan 2010 20:46:31 -0000

Firstly, for non-domain members you cannot get SSO with Negotiate/Kerberos
(as far as I know). When you get the popup asking for a username/password
and you provide user_at_DOMAIN with the password, the client tries to find the
domain controller using some Windows protocols. I think if unsuccessful it
will try NTLM with its hostname as domain. To help the client find the
AD domain controller you should provide, via DHCP or hardcoded, a WINS server
which has the domain information.

Regards
Markus

"Jose Lopes" <jlopes_at_iportalmais.pt> wrote in message
news:4B56F8D7.4060704_at_iportalmais.pt...
> Hi Markus,
>
> Using Firefox on a Windows machine (not a domain member)
> - kerbtray doesn't show any credentials
> - I don't have traffic on port 88.
> - Doesn't work.
>
> Using IE8 on a Windows machine (not a domain member)
> - kerbtray doesn't show any credentials
> - On port 88 there is a TGS-REQ and a TGS-REP
> - It works
>
> Using Firefox on a Windows machine (domain member of a Windows server)
> - kerbtray shows me the user principal and the service principal
> HTTP/squid.domain.
> - On port 88 there is a TGS-REQ and a TGS-REP
> - It works
>
> Using IE8 on a Windows machine (domain member of a Windows server)
> - kerbtray shows me the user principal and the service principal
> HTTP/squid.domain.
> - On port 88 there is a TGS-REQ and a TGS-REP
> - It works
>
> Regards
> Jose
>
> Markus Moeller wrote:
>> Hi Jose
>>
>> Can you install kerbtray from the resource kit
>> http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
>> and start it? It should list if you have got a TGS for
>> HTTP/squid.domain.
>>
>> Also can you capture port 88 (Kerberos) traffic on the client with
>> Wireshark? When you log in you should see an AS REQ and REP and
>> when Firefox authenticates to the proxy you should see a TGS REQ
>> for HTTP/squid.domain.
>>
>> If not, can you send me the capture to have a look at it?
>>
>> Regards Markus
>>
>> "Jose Lopes" <jlopes_at_iportalmais.pt> wrote in message
>> news:4B5596BB.8010103_at_iportalmais.pt...
>>> Hi,
>>>
>>> I have the same problem. I have already set
>>> network.negotiate-auth.trusted-uris to the proxy domain. In the
>>> Firefox (FF) log appears:
>>>
>>> 0[825140]: service = squid.domain
>>> 0[825140]: using negotiate-sspi
>>> 0[825140]: nsAuthSSPI::Init
>>> 0[825140]: InitSSPI
>>> 0[825140]: Using SPN of [HTTP/squid.domain]
>>> 0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>>> 0[825140]: entering nsAuthSSPI::GetNextToken()
>>> 0[825140]: Sending a token of length 40
>>> 0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>>> 0[825140]: entering nsAuthSSPI::GetNextToken()
>>> 0[825140]: Cannot restart authentication sequence!
>>>
>>> The HTTP messages between Squid and FF are:
>>>
>>> FF -> SQUID
>>> GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>>
>>> SQUID -> FF
>>> HTTP/1.0 407 Proxy Authentication Required
>>> Server: squid/3.0.STABLE14 [...]
>>> Proxy-Authenticate: Negotiate [...]
>>>
>>> FF -> SQUID
>>> GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>> Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>>>
>>> SQUID -> FF
>>> HTTP/1.0 407 Proxy Authentication Required
>>> Server: squid/3.0.STABLE14 [...]
>>> Proxy-Authenticate: Negotiate [...]
>>>
>>>
>>> I already have IE working, and the HTTP seems similar.
>>>
>>> IE -> SQUID
>>> GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>>
>>> SQUID -> IE
>>> HTTP/1.0 407 Proxy Authentication Required
>>> Server: squid/3.0.STABLE14 [...]
>>> Proxy-Authenticate: Negotiate [...]
>>>
>>> IE -> SQUID
>>> GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>> Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>>>
>>> SQUID -> IE
>>> HTTP/1.0 407 Proxy Authentication Required
>>> Server: squid/3.0.STABLE14 [...]
>>> Proxy-Authenticate: Negotiate [...]
>>>
>>> IE -> SQUID
>>> GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>> Proxy-Authorization: Negotiate YIIE+gYGKwYBBQUCoIIE7jCCBOqgJDAiBgkqhkiC9xIBAgIGC[...] [...]
>>>
>>> SQUID -> IE
>>> HTTP/1.0 200 OK [...]
>>> Proxy-Authentication-Info: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICoo[...] [...]
>>>
>>>
>>> Seems like at first IE uses NTLM and the second time uses Kerberos.
>>>
>>> I think FF is similar, but FF doesn't allow the second iteration.
>>>
>>> How can I put Kerberos as the first iteration?
>>>
>>> Thanks in advance. Regards Jose
>>>
>>> Markus Moeller wrote:
>>>>
>>>> The message parseNegTokenInit failed with rc=102 just means the
>>>> token is not a GSSAPI token wrapped in a SPNEGO token, but a
>>>> plain GSSAPI token. When you use Firefox you have to do a kinit
>>>> first to store the AS token in the Kerberos cache for Firefox
>>>> to use, and I think Firefox has to be configured with
>>>> network.negotiate-auth.trusted-uris set to the domains of
>>>> your proxy server.
>>>>
>>>> Regards Markus
>>>>
>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>> news:c3b47c041001181054n7091ea3aj761a508938de74e3_at_mail.gmail.com...
>>>> Hi Markus, sorry, yes you were right, it was DNS.
>>>>
>>>> In our environment we are running two DNS servers. One using MS
>>>> DNS and the other using unix BIND. The linux server was added
>>>> to the unix DNS (with name proxy1.domain.com) but not to the MS
>>>> DNS which was authority for ad.domain.com. Now that I think
>>>> about it our MS DNS has issues doing reverse lookups for IPs
>>>> that the unix DNS is authority for (which in this case was
>>>> proxy1.domain.com).
>>>>
>>>> I changed the linux server name to proxy1.ad.domain.com and now
>>>> squid_kerb_auth_test works. Using your squid_kerb_auth
>>>> (version 1.0.5) I get:
>>>>
>>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
>>>> 2010/01/18 20:25:10| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
>>>>
>>>> When I try the same thing with the auth from squid-2.7.STABLE7.tar.bz2 I get:
>>>>
>>>> 2010/01/18 20:29:07| squid_kerb_auth: parseNegTokenInit failed with rc=102
>>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
>>>> 2010/01/18 20:29:07| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
>>>>
>>>> Is the parseNegTokenInit failed with rc=102 ok?
>>>>
>>>> I then tried running squid and used Firefox 3.5.7. I got the
>>>> following error from squid cache:
>>>>
>>>> authenticateNegotiateHandleReply: Failed validating user via
>>>> Negotiate. Error returned 'type 1 NTLM token'
>>>>
>>>> Any ideas? Also I don't get any authentication popups for
>>>> userid and password...
>>>>
>>>> A sample of the log:
>>>>
>>>> 2010/01/18 20:47:58| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
>>>> 2010/01/18 20:47:58| squid_kerb_auth: parseNegTokenInit failed with rc=101
>>>> 2010/01/18 20:47:58| squid_kerb_auth: received type 1 NTLM token
>>>> 2010/01/18 20:47:58| do_comm_select: 1 fds ready
>>>> 2010/01/18 20:47:58| cbdataValid: 0x1838d448
>>>> 2010/01/18 20:47:58| helperStatefulHandleRead: 30 bytes from negotiateauthenticator #1.
>>>> 2010/01/18 20:47:58| commSetSelect: FD 7 type 1
>>>> 2010/01/18 20:47:58| helperStatefulHandleRead: end of reply found
>>>> 2010/01/18 20:47:58| cbdataValid: 0x18648bb8
>>>> 2010/01/18 20:47:58| cbdataValid: 0x185cad18
>>>> 2010/01/18 20:47:58| helperStatefulReleaseServer: 0x1838d448
>>>> 2010/01/18 20:47:58| helperStatefulReset: 0x1838d448
>>>> 2010/01/18 20:47:58| StatefulGetFirstAvailable: Running servers 10.
>>>> 2010/01/18 20:47:58| authenticateNegotiateHandleReply: Failed validating user via Negotiate. Error returned 'type 1 NTLM token'
>>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>>>> 2010/01/18 20:47:58| cbdataValid: 0x183561a8
>>>> 2010/01/18 20:47:58| aclCheck: checking 'http_access deny !password'
>>>> 2010/01/18 20:47:58| aclMatchAclList: checking !password
>>>> 2010/01/18 20:47:58| aclMatchAcl: checking 'acl password proxy_auth REQUIRED'
>>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>>>> 2010/01/18 20:47:58| authenticateNegotiateAuthenticateUser: need to challenge client 'received'!
>>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>>>> 2010/01/18 20:47:58| aclAuthenticated: returning 0 sending authentication challenge.
>>>> 2010/01/18 20:47:58| aclCheck: match found, returning 2
>>>> 2010/01/18 20:47:58| cbdataUnlock: 0x183561a8
>>>> 2010/01/18 20:47:58| aclCheckCallback: answer=2
>>>> 2010/01/18 20:47:58| cbdataValid: 0x185ca298
>>>> 2010/01/18 20:47:58| The request GET http://en-gb.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official is DENIED, because it matched 'password'
>>>>
>>>> My acl for this was: 'http_access deny !password'
>>>>
>>>> Regards Umesh
>>>>
>>>> 2010/1/16 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>> Can you check your DNS? For nslookup name you should get an IP,
>>>>> and for the reverse nslookup ip the same name.
>>>>>
>>>>> Which Kerberos libraries do you use? Heimdal or MIT, and
>>>>> which release?
>>>>>
>>>>> Markus
>>>>>
>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>> news:c3b47c041001160337k68a1313g1863689383a15121_at_mail.gmail.com...
>>>>> Hi
>>>>>
>>>>> When I tried ./squid_kerb_auth_test proxy1 or
>>>>> ./squid_kerb_auth_test proxy1.domain.com I got:
>>>>>
>>>>> 2010/01/16 12:31:47| squid_kerb_auth_test: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Unknown code krb5 7
>>>>> Token: NULL
>>>>>
>>>>> But I got a token if I used ./squid_kerb_auth_test domain.com
>>>>> or ./squid_kerb_auth_test adserver.domain.com
>>>>>
>>>>> Using this token and squid auth in the same directory I got:
>>>>>
>>>>> squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>> BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>>
>>>>> Using the same token on the latest compiled squid
>>>>> /usr/local/squid/libexec/squid_kerb_auth -d I got:
>>>>>
>>>>> 2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit failed with rc=102
>>>>> 2010/01/16 12:55:58| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>> NA gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>>
>>>>> Any ideas? Regards Umesh
>>>>>
>>>>>
>>>>>
>>>>> 2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>
>>>>>> There should be a squid_kerb_auth_test application in the
>>>>>> same source directory as squid_kerb_auth.
>>>>>>
>>>>>> Do a kinit user_at_DOMAIN and then a squid_kerb_auth_test
>>>>>> squid-fqdn which should give you a token like:
>>>>>>
>>>>>> Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>>>>>
>>>>>> which you can then use with squid_kerb_auth like
>>>>>>
>>>>>> export KRB5_KTNAME=/path-to-squid.keytab
>>>>>> ./squid_kerb_auth -d
>>>>>> YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>>>>> 2010/01/15 14:40:29| squid_kerb_auth: Got 'YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
>>>>>> 2010/01/15 14:40:29| squid_kerb_auth: Decode 'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
>>>>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus_at_SUSE.HOME
>>>>>> 2010/01/15 14:40:29| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus_at_SUSE.HOME
>>>>>>
>>>>>>
>>>>>> Regards Markus
>>>>>>
>>>>>> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
>>>>>> news:hipnhp$hs3$1_at_ger.gmane.org...
>>>>>>>
>>>>>>> When you use ktpass or msktutil you have to specify a
>>>>>>> different AD object than your samba object and remove the
>>>>>>> HTTP/... entries as service principal from your samba AD
>>>>>>> object. If you want to have only one AD object you have
>>>>>>> to use the net keytab command as described in the wiki.
>>>>>>>
>>>>>>>
>>>>>>> Regards Markus
>>>>>>>
>>>>>>>
>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>>>> news:c3b47c041001150053n290d6443q830770300636a0ca_at_mail.gmail.com...
>>>>>>>
>>>>>>>
>>>>>>> Hi. Ok, did that now and I got:
>>>>>>>
>>>>>>> kvno HTTP/proxy1.domain.com
>>>>>>> HTTP/proxy1_at_DOMAIN.COM: kvno = 5
>>>>>>>
>>>>>>> This number is different from the keytab number. How
>>>>>>> do I correct this?
>>>>>>>
>>>>>>> Yes I did use samba (net ads join -U adminuserid). Then I
>>>>>>> tried the msktutil. Then finally ktpass.
>>>>>>>
>>>>>>> During the net ads join I got:
>>>>>>>
>>>>>>> # net ads join -U userid
>>>>>>> userid's password:
>>>>>>> Using short domain name -- DOMAIN
>>>>>>> DNS update failed!
>>>>>>> Joined 'PROXY1' to realm 'DOMAIN.COM'
>>>>>>>
>>>>>>> Is the DNS update a problem?
>>>>>>>
>>>>>>> Regards Umesh
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>>
>>>>>>>> Sorry, I forgot to say that you have to do a kinit
>>>>>>>> aduser_at_REALM before you issue the kvno command. Did you
>>>>>>>> use the samba net join command to create the AD account
>>>>>>>> and the keytab?
>>>>>>>>
>>>>>>>> Markus
>>>>>>>>
>>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in
>>>>>>>> message
>>>>>>>> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd_at_mail.gmail.com...
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi Markus, I've checked with ADSIEDIT and found a single
>>>>>>>> entry for the linux server named proxy1. Clicking on
>>>>>>>> its properties I found the following entries for
>>>>>>>> servicePrincipalName:
>>>>>>>>
>>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
>>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
>>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>>>>>>>>
>>>>>>>> On the linux box:
>>>>>>>>
>>>>>>>> # klist -ekt /etc/squid/HTTP.keytab
>>>>>>>> Keytab name: FILE:/etc/squid/HTTP.keytab
>>>>>>>> KVNO Timestamp         Principal
>>>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>>>    7 01/01/70 02:00:00 HTTP/proxy1.domain.com_at_AD.DOMAIN.COM (ArcFour with HMAC/md5)
>>>>>>>>
>>>>>>>> # kvno HTTP/proxy1.domain.com
>>>>>>>> kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com_at_AD.DOMAIN.COM
>>>>>>>> # kvno HTTP/proxy1
>>>>>>>> kvno: Ticket expired while getting credentials for HTTP/proxy1_at_AD.DOMAIN.COM
>>>>>>>>
>>>>>>>> Should I remove the entry on AD, rejoin the pc to AD
>>>>>>>> and create the keytab again? Which mechanism should I
>>>>>>>> use to create the keytab? Is my DNS correct if the pc
>>>>>>>> came up on AD as proxy1 should it be the fqdn
>>>>>>>> (proxy1.domain.com)?
>>>>>>>>
>>>>>>>> Regards Umesh
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>>>
>>>>>>>>> On AD you can use ADSIEDIT
>>>>>>>>> (http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx)
>>>>>>>>> to search for entries and delete or modify them. The
>>>>>>>>> best instructions are
>>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>>>
>>>>>>>>> Let me know what you get once you have deleted the old
>>>>>>>>> entry. Another check is to use the kvno tool which
>>>>>>>>> you should have when you use MIT Kerberos.
>>>>>>>>>
>>>>>>>>> #kvno HTTP/fqdn_at_REALM should give the same number as
>>>>>>>>> klist -ekt squid.keytab, e.g.
>>>>>>>>>
>>>>>>>>> # klist -ekt /etc/squid/squid.keytab
>>>>>>>>> Keytab name: FILE:/etc/squid/squid.keytab
>>>>>>>>> KVNO Timestamp         Principal
>>>>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (ArcFour with HMAC/md5)
>>>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (Triple DES cbc mode with HMAC/sha1)
>>>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (DES cbc mode with CRC-32)
>>>>>>>>>
>>>>>>>>> #kvno HTTP/opensuse11.suse.home
>>>>>>>>> HTTP/opensuse11.suse.home_at_SUSE.HOME: kvno = 3
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards Markus
>>>>>>>>>
>>>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in
>>>>>>>>> message
>>>>>>>>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f_at_mail.gmail.com...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hi, I'm new to this. I've run the following command
>>>>>>>>> on the server:
>>>>>>>>>
>>>>>>>>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn_at_REALM"
>>>>>>>>>
>>>>>>>>> and get
>>>>>>>>>
>>>>>>>>> #
>>>>>>>>> # LDAPv3
>>>>>>>>> # base <OU=name,DC=domain,DC=com> with scope subtree
>>>>>>>>> # filter: serviceprincipalname=HTTP/fqdn_at_REALM
>>>>>>>>> # requesting: ALL
>>>>>>>>> #
>>>>>>>>>
>>>>>>>>> # search result
>>>>>>>>>
>>>>>>>>> # numResponses: 1
>>>>>>>>>
>>>>>>>>> Is it possible to check directly on AD if this
>>>>>>>>> service principal name exists? How else can I test if
>>>>>>>>> this keytab works? If I create a new keytab what is
>>>>>>>>> the procedure of getting rid of the old one and
>>>>>>>>> retesting (what should be done on AD and the linux
>>>>>>>>> box)?
>>>>>>>>>
>>>>>>>>> Are there any docs that will help me with this?
>>>>>>>>>
>>>>>>>>> Sorry for being a pain and thanks again. Regards
>>>>>>>>> Umesh
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>>>>
>>>>>>>>>> Can you check with an ldap query (e.g. with
>>>>>>>>>> ldapadmin from sourceforge) or search with a filter
>>>>>>>>>> "(serviceprincipalname=HTTP/fqdn_at_REALM)" if you
>>>>>>>>>> have duplicate entries?
>>>>>>>>>>
>>>>>>>>>> This kinit -k -t /etc/squid/squid.keytab
>>>>>>>>>> HTTP/fqdn_at_REALM.KERBEROS will only work if the
>>>>>>>>>> userprincipal name is HTTP/fqdn_at_REALM.KERBEROS
>>>>>>>>>> which I think is not the case with ktpass.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Regards Markus
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in
>>>>>>>>>> message
>>>>>>>>>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0_at_mail.gmail.com...
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I'm trying to get the squid helper
>>>>>>>>>>> squid_kerb_auth to work against our Active
>>>>>>>>>>> Directory (win 2003 sp2).
>>>>>>>>>>>
>>>>>>>>>>> I've compiled the latest squid version
>>>>>>>>>>> (squid-2.7.STABLE7) on CentOS 5.4 64 bit.
>>>>>>>>>>>
>>>>>>>>>>> Squid Cache: Version 2.7.STABLE7
>>>>>>>>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp' '--disable-wccpv2'
>>>>>>>>>>> '--enable-large-cache-files' '--with-large-files' '--enable-delay-pools'
>>>>>>>>>>> '--enable-cachemgr-hostname' '=fqdn' '--enable-ntlm-auth-helpers=SMB'
>>>>>>>>>>> '--enable-auth=basic,ntlm,negotiate' '--enable-negotiate-auth-helpers=squid_kerb_auth'
>>>>>>>>>>> '--enable-snmp'
>>>>>>>>>>>
>>>>>>>>>>> A keytab file was created on AD for squid
>>>>>>>>>>> (HTTP/squid.domain_at_REALM.KERBEROS):
>>>>>>>>>>>
>>>>>>>>>>> ktpass -princ HTTP/fqdn_at_REALM -mapuser squiduser -pass password -out HTTP.keytab
>>>>>>>>>>>
>>>>>>>>>>> Transferred the file to the CentOS server and
>>>>>>>>>>> placed it in /etc/squid/HTTP.keytab
>>>>>>>>>>>
>>>>>>>>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn_at_REALM.KERBEROS
>>>>>>>>>>>
>>>>>>>>>>> I get the error message: kinit(v5): Client not
>>>>>>>>>>> found in Kerberos database while getting initial
>>>>>>>>>>> credentials
>>>>>>>>>>>
>>>>>>>>>>> I've also tried creating the keytab file using
>>>>>>>>>>> msktutil or samba according to the following doc:
>>>>>>>>>>>
>>>>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>>>>>
>>>>>>>>>>> I get the same error.
>>>>>>>>>>>
>>>>>>>>>>> How do I sort out this problem?
>>>>>>>>>>>
>>>>>>>>>>> Thanks in advance. Regards Umesh
>>>>>>>>>>>
>
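An added example, not from this thread or from the Squid sources: a small Python decoder for the Negotiate blobs quoted above, which tells whether a client actually sent Kerberos (a GSS-API/SPNEGO token) or fell back to NTLM (a bare NTLMSSP type 1 message, the case squid_kerb_auth rejects with "received type 1 NTLM token"). The Firefox token and the helper's AF reply are the ones quoted in the thread; the SPNEGO NegTokenInit sample is constructed here because the thread's copy is truncated.

```python
# Added example (not from this thread or from Squid): decode a "Negotiate ..." blob.
import base64

SPNEGO = "1.3.6.1.5.5.2"
MECHS = {SPNEGO: "SPNEGO", "1.2.840.113554.1.2.2": "KRB5",
         "1.2.840.48018.1.2.2": "MS-KRB5", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

# Tokens quoted in the thread: Firefox's first attempt and the helper's AF reply.
FF_TOKEN = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
AF_TOKEN = "oRQwEqADCgEAoQsGCSqGSIb3EgECAg=="
# Constructed sample: a NegTokenInit listing MS-KRB5, KRB5 and NTLMSSP, no mechToken.
SPNEGO_INIT = base64.b64encode(bytes.fromhex(
    "6032 0606 2b0601050502 a028 3026 a024 3022"
    "0609 2a864882f712010202 0609 2a864886f712010202 060a 2b06010401823702020a")).decode()

def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                        # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _mech(oid_bytes):
    """Name (or dotted form) of the OID given as DER content octets."""
    arcs, acc = [str(oid_bytes[0] // 40), str(oid_bytes[0] % 40)], 0
    for b in oid_bytes[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return MECHS.get(d := ".".join(arcs), d)

def classify(b64):
    """Describe what a Negotiate blob really is: NTLM, SPNEGO init/resp, or plain GSS."""
    stripped = b64.strip().rstrip("=")
    raw = base64.b64decode(stripped + "=" * (-len(stripped) % 4))
    if raw.startswith(b"NTLMSSP\x00"):   # bare NTLMSSP message, not GSS-API at all
        return {"kind": "NTLM", "type": int.from_bytes(raw[8:12], "little")}
    tag, body, _ = _tlv(raw)
    if tag == 0x60:                      # GSS-API InitialContextToken: OID, then mech data
        _, oid, pos = _tlv(body)
        if _mech(oid) != "SPNEGO":       # plain mechanism token, e.g. raw Kerberos
            return {"kind": "GSS", "mech": _mech(oid)}
        _, init, _ = _tlv(body, pos)     # [0] NegTokenInit -> SEQUENCE -> [0] mechTypes
        lst = _tlv(_tlv(_tlv(init)[1])[1])[1]   # -> SEQUENCE OF OID
        mechs, pos = [], 0
        while pos < len(lst):
            _, v, pos = _tlv(lst, pos)
            mechs.append(_mech(v))
        return {"kind": "SPNEGO-init", "mechs": mechs}
    if tag == 0xA1:                      # [1] NegTokenResp from the proxy/helper
        _, seq, _ = _tlv(body)
        out, pos = {"kind": "SPNEGO-resp"}, 0
        while pos < len(seq):
            t, v, pos = _tlv(seq, pos)
            if t == 0xA0:                # negState ENUMERATED
                out["state"] = NEG_STATE.get(v[2], v[2])
            elif t == 0xA1:              # supportedMech OID
                out["mech"] = _mech(v[2:])
        return out
    return {"kind": "unknown", "tag": tag}
```

Run classify() over the Proxy-Authorization values in a capture or access log: every "NTLM" result is a client that never reached Kerberos, which is exactly what the thread's non-domain Firefox case looks like from the proxy side.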
Received on Wed Jan 20 2010 - 20:54:57 MST

This archive was generated by hypermail 2.2.0 : Fri Jan 22 2010 - 12:00:04 MST