Re: [squid-users] Re: Re: Re: Re: squid_kerb_auth problem

From: Jose Lopes <jlopes_at_iportalmais.pt>
Date: Thu, 21 Jan 2010 19:43:51 +0000

Hi Markus,

I have already defined the Windows Server as WINS and DNS for the Windows client.
I checked the messages between IE8 and the Windows Server again and verified
that there are AS-REQ, AS-REP, TGS-REQ and TGS-REP packets (for the non domain
member).

To me, it seems like the SSPI API that Firefox uses first tries NTLM and
second tries Kerberos. But Firefox denies the second try.
And I don't know how to sort out this problem.

Regards
Jose

Markus Moeller wrote:
> Firstly, for non domain members you cannot get SSO with
> Negotiate/Kerberos (as far as I know). When you get the popup
> asking for a username/password and you provide user_at_DOMAIN with the
> password, the client tries to find the domain controller using some
> Windows protocols. I think if unsuccessful it will try NTLM with its
> hostname as domain. To help the client find the AD domain
> controller you should provide, via DHCP or hardcoded, a WINS server
> which has the domain information.
>
> Regards
> Markus
>
>
> "Jose Lopes" <jlopes_at_iportalmais.pt> wrote in message
> news:4B56F8D7.4060704_at_iportalmais.pt...
>> Hi Markus,
>>
>> Using Firefox on a Windows machine (not a domain member):
>> - kerbtray doesn't show any credentials
>> - I don't have traffic on port 88.
>> - Doesn't work.
>>
>> Using IE8 on a Windows machine (not a domain member):
>> - kerbtray doesn't show any credentials
>> - On port 88 there is a TGS-REQ and a TGS-REP
>> - It works
>>
>> Using Firefox on a Windows machine (domain member of the Windows server):
>> - kerbtray shows me the user principal and the service principal
>> HTTP/squid.domain.
>> - On port 88 there is a TGS-REQ and a TGS-REP
>> - It works
>>
>> Using IE8 on a Windows machine (domain member of the Windows server):
>> - kerbtray shows me the user principal and the service principal
>> HTTP/squid.domain.
>> - On port 88 there is a TGS-REQ and a TGS-REP
>> - It works
>>
>> Regards
>> Jose
>>
>> Markus Moeller wrote:
>>> Hi Jose
>>>
>>> Can you install kerbtray from the resource kit
>>>
>>> http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
>>>
>>> and start it? It should list whether you have got a TGS for
>>> HTTP/squid.domain.
>>>
>>> Also, can you capture port 88 (Kerberos) traffic on the client with
>>> Wireshark? When you log in you should see an AS REQ and REP, and
>>> when Firefox authenticates to the proxy you should see a TGS REQ
>>> for HTTP/squid.domain.
>>>
>>> If not, can you send me the capture to have a look at it?
>>>
>>> Regards Markus
>>>
>>> "Jose Lopes" <jlopes_at_iportalmais.pt> wrote in message
>>> news:4B5596BB.8010103_at_iportalmais.pt...
>>>> Hi,
>>>>
>>>> I have the same problem. I have already set
>>>> network.negotiate-auth.trusted-uris to the proxy domain. In the
>>>> Firefox (FF) log appears:
>>>>
>>>> 0[825140]: service = squid.domain
>>>> 0[825140]: using negotiate-sspi
>>>> 0[825140]: nsAuthSSPI::Init
>>>> 0[825140]: InitSSPI
>>>> 0[825140]: Using SPN of [HTTP/squid.domain]
>>>> 0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>>>> 0[825140]: entering nsAuthSSPI::GetNextToken()
>>>> 0[825140]: Sending a token of length 40
>>>> 0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>>>> 0[825140]: entering nsAuthSSPI::GetNextToken()
>>>> 0[825140]: Cannot restart authentication sequence!
>>>>
>>>> The HTTP messages between squid and FF are:
>>>>
>>>> FF -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>>>
>>>> SQUID -> FF HTTP/1.0 407 Proxy Authentication Required Server:
>>>> squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...]
>>>>
>>>> FF -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>>> Proxy-Authorization: Negotiate
>>>> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>>>>
>>>> SQUID -> FF HTTP/1.0 407 Proxy Authentication Required Server:
>>>> squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...]
>>>>
>>>>
>>>> I already have IE working, and the HTTP seems similar.
>>>>
>>>> IE -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>>>
>>>> SQUID -> IE HTTP/1.0 407 Proxy Authentication Required Server:
>>>> squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...]
>>>>
>>>> IE -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>>> Proxy-Authorization: Negotiate
>>>> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>>>>
>>>> SQUID -> IE HTTP/1.0 407 Proxy Authentication Required Server:
>>>> squid/3.0.STABLE14 [...] Proxy-Authenticate: Negotiate [...]
>>>>
>>>> IE -> SQUID GET http://www.squid-cache.org/ HTTP/1.1 [...]
>>>> Proxy-Authorization: Negotiate
>>>> YIIE+gYGKwYBBQUCoIIE7jCCBOqgJDAiBgkqhkiC9xIBAgIGC[...] [...]
>>>>
>>>> SQUID -> IE HTTP/1.0 200 OK [...] Proxy-Authentication-Info:
>>>> Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICoo[...] [...]
>>>>
>>>>
>>>> It seems that IE uses NTLM first and Kerberos second.
>>>>
>>>> I think FF is similar, but FF doesn't allow the second iteration.
>>>>
>>>> How can I make Kerberos the first iteration?
>>>>
>>>> Thanks in advance Regards Jose
>>>>
>>>> Markus Moeller wrote:
>>>>>
>>>>> The message parseNegTokenInit failed with rc=102 just means the
>>>>> token is not a GSSAPI token wrapped in a SPNEGO token, but a
>>>>> plain GSSAPI token. When you use Firefox you have to do a kinit
>>>>> first to store the AS token in the Kerberos cache for Firefox
>>>>> to use, and I think Firefox has to be configured with
>>>>> network.negotiate-auth.trusted-uris set to the domains of
>>>>> your proxy server.
>>>>>
>>>>> Regards Markus
>>>>>
>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>> news:c3b47c041001181054n7091ea3aj761a508938de74e3_at_mail.gmail.com...
>>>>> Hi Markus, sorry, yes you were right, it was DNS.
>>>>>
>>>>> In our environment we are running two DNS servers. One using MS
>>>>> DNS and the other using unix BIND. The linux server was added
>>>>> to the unix DNS (with name proxy1.domain.com) but not to the MS
>>>>> DNS which was authority for ad.domain.com. Now that I think
>>>>> about it our MS DNS has issues doing reverse lookups for IPs
>>>>> that the unix DNS is authority for (which in this case was
>>>>> proxy1.domain.com).
>>>>>
>>>>> I changed the linux server name to proxy1.ad.domain.com and now the
>>>>> squid_kerb_auth_test works. Using your squid_kerb_auth
>>>>> (version 1.0.5) I get:
>>>>>
>>>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
>>>>> 2010/01/18 20:25:10| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
>>>>>
>>>>> When I try the same thing with the auth from squid-2.7.STABLE7.tar.bz2 I get:
>>>>>
>>>>> 2010/01/18 20:29:07| squid_kerb_auth: parseNegTokenInit failed with rc=102
>>>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
>>>>> 2010/01/18 20:29:07| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
>>>>>
>>>>> Is the "parseNegTokenInit failed with rc=102" ok?
>>>>>
>>>>> I then tried running squid and used Firefox 3.5.7. I got the
>>>>> following error from squid cache:
>>>>>
>>>>> authenticateNegotiateHandleReply: Failed validating user via
>>>>> Negotiate. Error returned 'type 1 NTLM token'
>>>>>
>>>>> Any ideas? Also I don't get any authentication popups for
>>>>> userid and password...
>>>>>
>>>>> A sample of the log:
>>>>>
>>>>> 2010/01/18 20:47:58| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
>>>>> 2010/01/18 20:47:58| squid_kerb_auth: parseNegTokenInit failed with rc=101
>>>>> 2010/01/18 20:47:58| squid_kerb_auth: received type 1 NTLM token
>>>>> 2010/01/18 20:47:58| do_comm_select: 1 fds ready
>>>>> 2010/01/18 20:47:58| cbdataValid: 0x1838d448
>>>>> 2010/01/18 20:47:58| helperStatefulHandleRead: 30 bytes from negotiateauthenticator #1.
>>>>> 2010/01/18 20:47:58| commSetSelect: FD 7 type 1
>>>>> 2010/01/18 20:47:58| helperStatefulHandleRead: end of reply found
>>>>> 2010/01/18 20:47:58| cbdataValid: 0x18648bb8
>>>>> 2010/01/18 20:47:58| cbdataValid: 0x185cad18
>>>>> 2010/01/18 20:47:58| helperStatefulReleaseServer: 0x1838d448
>>>>> 2010/01/18 20:47:58| helperStatefulReset: 0x1838d448
>>>>> 2010/01/18 20:47:58| StatefulGetFirstAvailable: Running servers 10.
>>>>> 2010/01/18 20:47:58| authenticateNegotiateHandleReply: Failed validating user via Negotiate. Error returned 'type 1 NTLM token'
>>>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>>>>> 2010/01/18 20:47:58| cbdataValid: 0x183561a8
>>>>> 2010/01/18 20:47:58| aclCheck: checking 'http_access deny !password'
>>>>> 2010/01/18 20:47:58| aclMatchAclList: checking !password
>>>>> 2010/01/18 20:47:58| aclMatchAcl: checking 'acl password proxy_auth REQUIRED'
>>>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>>>>> 2010/01/18 20:47:58| authenticateNegotiateAuthenticateUser: need to challenge client 'received'!
>>>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>>>>> 2010/01/18 20:47:58| aclAuthenticated: returning 0 sending authentication challenge.
>>>>> 2010/01/18 20:47:58| aclCheck: match found, returning 2
>>>>> 2010/01/18 20:47:58| cbdataUnlock: 0x183561a8
>>>>> 2010/01/18 20:47:58| aclCheckCallback: answer=2
>>>>> 2010/01/18 20:47:58| cbdataValid: 0x185ca298
>>>>> 2010/01/18 20:47:58| The request GET http://en-gb.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official is DENIED, because it matched 'password'
>>>>>
>>>>> My acl for this was: 'http_access deny !password'
>>>>>
>>>>> Regards Umesh
>>>>>
>>>>> 2010/1/16 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>> Can you check your DNS? For nslookup name you should get an IP,
>>>>>> and for the reverse nslookup ip you should get the same name.
>>>>>>
>>>>>> Which Kerberos libraries do you use? Heimdal or MIT, and
>>>>>> which release?
>>>>>>
>>>>>> Markus
>>>>>>
>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>>> news:c3b47c041001160337k68a1313g1863689383a15121_at_mail.gmail.com...
>>>>>> Hi
>>>>>>
>>>>>> When I tried ./squid_kerb_auth_test proxy1 or
>>>>>> ./squid_kerb_auth_test proxy1.domain.com I got:
>>>>>>
>>>>>> 2010/01/16 12:31:47| squid_kerb_auth_test: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Unknown code krb5 7
>>>>>> Token: NULL
>>>>>>
>>>>>> But I got a token if I used ./squid_kerb_auth_test domain.com
>>>>>> or ./squid_kerb_auth_test adserver.domain.com
>>>>>>
>>>>>> Using this token and squid auth in the same directory I got:
>>>>>>
>>>>>> squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>>> BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>>>
>>>>>> Using the same token on the latest compiled squid
>>>>>> /usr/local/squid/libexec/squid_kerb_auth -d I got:
>>>>>>
>>>>>> 2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit failed with rc=102
>>>>>> 2010/01/16 12:55:58| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>>> NA gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>>>
>>>>>> Any ideas? Regards Umesh
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>
>>>>>>> There should be a squid_kerb_auth_test application in the
>>>>>>> same source directory as squid_kerb_auth.
>>>>>>>
>>>>>>> Do a kinit user_at_DOMAIN and then a squid_kerb_auth_test
>>>>>>> squid-fqdn, which should give you a token like:
>>>>>>>
>>>>>>> Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>>>>>>
>>>>>>> which you can then use with squid_kerb_auth like:
>>>>>>>
>>>>>>> export KRB5_KTNAME=/path-to-squid.keytab
>>>>>>> ./squid_kerb_auth -d
>>>>>>> YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>>>>>> 2010/01/15 14:40:29| squid_kerb_auth: Got 'YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
>>>>>>> 2010/01/15 14:40:29| squid_kerb_auth: Decode 'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
>>>>>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus_at_SUSE.HOME
>>>>>>> 2010/01/15 14:40:29| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus_at_SUSE.HOME
>>>>>>>
>>>>>>>
>>>>>>> Regards Markus
>>>>>>>
>>>>>>> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
>>>>>>> news:hipnhp$hs3$1_at_ger.gmane.org...
>>>>>>>>
>>>>>>>> When you use ktpass or msktutil you have to specify a
>>>>>>>> different AD object than your samba object and remove the
>>>>>>>> HTTP/... entries as service principal from your samba AD
>>>>>>>> object. If you want to have only one AD object you have
>>>>>>>> to use the net keytab command as described in the wiki.
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards Markus
>>>>>>>>
>>>>>>>>
>>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>>>>> news:c3b47c041001150053n290d6443q830770300636a0ca_at_mail.gmail.com...
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi Ok. Did that now and I got:
>>>>>>>>
>>>>>>>> kvno HTTP/proxy1.domain.com
>>>>>>>> HTTP/proxy1_at_DOMAIN.COM: kvno = 5
>>>>>>>>
>>>>>>>> This number is different from the keytab number. How
>>>>>>>> do I correct this?
>>>>>>>>
>>>>>>>> Yes, I did use samba (net ads join -U adminuserid). Then I
>>>>>>>> tried msktutil. Then finally ktpass.
>>>>>>>>
>>>>>>>> During the net ads join I got:
>>>>>>>>
>>>>>>>> # net ads join -U userid
>>>>>>>> userid's password:
>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>> DNS update failed!
>>>>>>>> Joined 'PROXY1' to realm 'DOMAIN.COM'
>>>>>>>>
>>>>>>>> Is the DNS update a problem?
>>>>>>>>
>>>>>>>> Regards Umesh
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>>>
>>>>>>>>> Sorry, I forgot to say that you have to do a kinit
>>>>>>>>> aduser_at_REALM before you issue the kvno command. Did you
>>>>>>>>> use the samba net join command to create the AD account
>>>>>>>>> and the keytab?
>>>>>>>>>
>>>>>>>>> Markus
>>>>>>>>>
>>>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in
>>>>>>>>> message
>>>>>>>>> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd_at_mail.gmail.com...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hi Markus, I've checked with ADSIEDIT and found a single
>>>>>>>>> entry for the linux server named proxy1. Clicking on
>>>>>>>>> its properties I found the following entries for
>>>>>>>>> service Principal Name:
>>>>>>>>>
>>>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>>>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
>>>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
>>>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>>>>>>>>>
>>>>>>>>> On the linux box:
>>>>>>>>>
>>>>>>>>> # klist -ekt /etc/squid/HTTP.keytab
>>>>>>>>> Keytab name: FILE:/etc/squid/HTTP.keytab
>>>>>>>>> KVNO Timestamp         Principal
>>>>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>>>>    7 01/01/70 02:00:00 HTTP/proxy1.domain.com_at_AD.DOMAIN.COM (ArcFour with HMAC/md5)
>>>>>>>>>
>>>>>>>>> # kvno HTTP/proxy1.domain.com
>>>>>>>>> kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com_at_AD.DOMAIN.COM
>>>>>>>>> # kvno HTTP/proxy1
>>>>>>>>> kvno: Ticket expired while getting credentials for HTTP/proxy1_at_AD.DOMAIN.COM
>>>>>>>>>
>>>>>>>>> Should I remove the entry on AD, rejoin the pc to AD
>>>>>>>>> and create the keytab again? Which mechanism should I
>>>>>>>>> use to create the keytab? Is my DNS correct? The pc
>>>>>>>>> came up on AD as proxy1; should it be the fqdn
>>>>>>>>> (proxy1.domain.com)?
>>>>>>>>>
>>>>>>>>> Regards Umesh
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>>>>
>>>>>>>>>> On AD you can use ADSIEDIT (
>>>>>>>>>>
>>>>>>>>>> http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx
>>>>>>>>>>
>>>>>>>>>> ) to search for entries and delete or modify them. The
>>>>>>>>>> best instructions are
>>>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>>>>
>>>>>>>>>> Let me know what you get once you have deleted the old
>>>>>>>>>> entry. Another check is to use the kvno tool, which
>>>>>>>>>> you should have when you use MIT Kerberos.
>>>>>>>>>>
>>>>>>>>>> #kvno HTTP/fqdn_at_REALM should give the same number as
>>>>>>>>>> klist -ekt squid.keytab, e.g.
>>>>>>>>>>
>>>>>>>>>> # klist -ekt /etc/squid/squid.keytab
>>>>>>>>>> Keytab name: FILE:/etc/squid/squid.keytab
>>>>>>>>>> KVNO Timestamp         Principal
>>>>>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (ArcFour with HMAC/md5)
>>>>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (Triple DES cbc mode with HMAC/sha1)
>>>>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (DES cbc mode with CRC-32)
>>>>>>>>>>
>>>>>>>>>> #kvno HTTP/opensuse11.suse.home
>>>>>>>>>> HTTP/opensuse11.suse.home_at_SUSE.HOME: kvno = 3
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Regards Markus
>>>>>>>>>>
>>>>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in
>>>>>>>>>> message
>>>>>>>>>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f_at_mail.gmail.com...
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hi, I'm new to this. I've run the following command
>>>>>>>>>> on the server:
>>>>>>>>>>
>>>>>>>>>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn_at_REALM"
>>>>>>>>>>
>>>>>>>>>> and get:
>>>>>>>>>>
>>>>>>>>>> #
>>>>>>>>>> # LDAPv3
>>>>>>>>>> # base <OU=name,DC=domain,DC=com> with scope subtree
>>>>>>>>>> # filter: serviceprincipalname=HTTP/fqdn_at_REALM
>>>>>>>>>> # requesting: ALL
>>>>>>>>>> #
>>>>>>>>>>
>>>>>>>>>> # search result
>>>>>>>>>>
>>>>>>>>>> # numResponses: 1
>>>>>>>>>>
>>>>>>>>>> Is it possible to check directly on AD if this
>>>>>>>>>> service principal name exists? How else can I test if
>>>>>>>>>> this keytab works? If I create a new keytab, what is
>>>>>>>>>> the procedure for getting rid of the old one and
>>>>>>>>>> retesting (what should be done on AD and on the linux
>>>>>>>>>> box)?
>>>>>>>>>>
>>>>>>>>>> Are there any docs that will help me with this?
>>>>>>>>>>
>>>>>>>>>> Sorry for being a pain and thanks again. Regards
>>>>>>>>>> Umesh
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>>>>>
>>>>>>>>>>> Can you check with an ldap query (e.g. with
>>>>>>>>>>> ldapadmin from sourceforge) or search with a filter
>>>>>>>>>>> "(serviceprincipalname=HTTP/fqdn_at_REALM)" whether you
>>>>>>>>>>> have duplicate entries?
>>>>>>>>>>>
>>>>>>>>>>> This kinit -k -t /etc/squid/squid.keytab
>>>>>>>>>>> HTTP/fqdn_at_REALM.KERBEROS will only work if the
>>>>>>>>>>> user principal name is HTTP/fqdn_at_REALM.KERBEROS,
>>>>>>>>>>> which I think is not the case with ktpass.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Regards Markus
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in
>>>>>>>>>>> message
>>>>>>>>>>>
news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0_at_mail.gmail.com...
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm trying to get the squid helper
>>>>>>>>>>>> squid_kerb_auth to work against our Active
>>>>>>>>>>>> Directory (win 2003 sp2).
>>>>>>>>>>>>
>>>>>>>>>>>> I've compiled the latest squid version
>>>>>>>>>>>> (squid-2.7.STABLE7) on CentOS 5.4 64 bit.
>>>>>>>>>>>>
>>>>>>>>>>>> Squid Cache: Version 2.7.STABLE7
>>>>>>>>>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp' '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files' '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn' '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>>>>>>>>>
>>>>>>>>>>>> A keytab file was created on AD for squid
>>>>>>>>>>>> (HTTP/squid.domain_at_REALM.KERBEROS):
>>>>>>>>>>>>
>>>>>>>>>>>> ktpass -princ HTTP/fqdn_at_REALM -mapuser squiduser -pass password -out HTTP.keytab
>>>>>>>>>>>>
>>>>>>>>>>>> Transferred the file to the CentOS server and
>>>>>>>>>>>> placed it in /etc/squid/HTTP.keytab
>>>>>>>>>>>>
>>>>>>>>>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn_at_REALM.KERBEROS
>>>>>>>>>>>>
>>>>>>>>>>>> I get the error message: kinit(v5): Client not
>>>>>>>>>>>> found in Kerberos database while getting initial
>>>>>>>>>>>> credentials
>>>>>>>>>>>>
>>>>>>>>>>>> I've also tried creating the keytab file using
>>>>>>>>>>>> msktutil or samba according to the following doc:
>>>>>>>>>>>>
>>>>>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>>>>>>
>>>>>>>>>>>> I get the same error.
>>>>>>>>>>>>
>>>>>>>>>>>> How do I sort out this problem?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks in advance. Regards Umesh
>>>>>>>>>>>>
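The whole thread turns on what kind of token the browser puts in Proxy-Authorization: Negotiate. squid_kerb_auth logs "received type 1 NTLM token" (rc=101) for the 40-byte token Firefox sends, "parseNegTokenInit failed with rc=102" for a Kerberos token that has no SPNEGO wrapper, and accepts the SPNEGO-wrapped token IE sends on its second attempt. The classifier below is an added example, not code from the thread or from squid_kerb_auth: it decodes the two tokens quoted above (Firefox's TlRMTVNTUAAB... token and the oRQw... token squid returned in Proxy-Authentication-Info) plus two constructed ones, a SPNEGO NegTokenInit offering MS-Kerberos, Kerberos and NTLMSSP, and a bare Kerberos GSS-API token. The OID constants are the standard mechanism OIDs; DUMMY_AP_REQ is a placeholder, not a real Kerberos AP-REQ.

```python
"""Classify the base64 token in a Proxy-Authorization: Negotiate header.

Added example (not from the squid-users thread or squid_kerb_auth). It tells
apart an NTLMSSP message (what squid_kerb_auth reports as "type 1 NTLM token",
rc=101), a SPNEGO-wrapped GSS-API token, a bare Kerberos GSS-API token with no
SPNEGO wrapper (rc=102), and the SPNEGO NegTokenResp squid sends back.
"""
import base64

# DER-encoded mechanism OIDs (standard values, written out here for the example).
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b060104018237020a")   # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {OID_SPNEGO: "SPNEGO", OID_KRB5: "Kerberos V5",
             OID_MS_KRB5: "MS Kerberos V5", OID_NTLMSSP: "NTLMSSP"}
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}


def der(tag, content):
    """Encode one DER TLV; used only to build the constructed sample tokens below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def tlv(buf, pos=0):
    """Decode the DER TLV at buf[pos]: (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def tlv_list(buf):
    """Decode all consecutive TLVs in constructed content as (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, content, pos = tlv(buf, pos)
        out.append((tag, content))
    return out


def classify(token_b64):
    """Describe a Negotiate token as NTLM, SPNEGO NegTokenInit/Resp or bare GSS-API."""
    raw = base64.b64decode(token_b64)
    if raw.startswith(b"NTLMSSP\x00"):                  # not ASN.1: NTLMSSP signature
        return {"kind": "NTLM", "message_type": int.from_bytes(raw[8:12], "little")}
    tag, body, _ = tlv(raw)
    if tag == 0x60:                                     # GSS-API InitialContextToken
        _, mech_oid, pos = tlv(body)                    # thisMech OID comes first
        if mech_oid != OID_SPNEGO:
            # No SPNEGO wrapper: the "parseNegTokenInit failed with rc=102" case
            return {"kind": "bare GSS-API", "mech": OID_NAMES.get(mech_oid, mech_oid.hex())}
        _, neg_init, _ = tlv(body, pos)                 # [0] NegTokenInit
        _, seq, _ = tlv(neg_init)                       # SEQUENCE of context-tagged fields
        fields = dict(tlv_list(seq))
        _, oid_seq, _ = tlv(fields[0xA0])               # [0] mechTypes: SEQUENCE OF OID
        offered = [OID_NAMES.get(o, o.hex()) for _, o in tlv_list(oid_seq)]
        return {"kind": "SPNEGO NegTokenInit", "mech_types": offered}
    if tag == 0xA1:                                     # [1] NegTokenResp
        _, seq, _ = tlv(body)
        fields = dict(tlv_list(seq))
        state = tlv(fields[0xA0])[1][0] if 0xA0 in fields else None   # [0] negState
        mech = tlv(fields[0xA1])[1] if 0xA1 in fields else b""        # [1] supportedMech
        return {"kind": "SPNEGO NegTokenResp", "neg_state": NEG_STATES.get(state, state),
                "supported_mech": OID_NAMES.get(mech, mech.hex())}
    return {"kind": "unrecognised", "first_byte": hex(tag)}


def build_spnego_init(mech_oids, mech_token):
    """Build a NegTokenInit offering mech_oids, carrying mech_token for the first one."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    inner = der(0xA0, der(0x30, mech_types + der(0xA2, der(0x04, mech_token))))
    return base64.b64encode(der(0x60, der(0x06, OID_SPNEGO) + inner)).decode()


# Tokens quoted in the thread: Firefox's first Proxy-Authorization token and the
# Proxy-Authentication-Info token squid returned once IE had authenticated.
FIREFOX_TOKEN = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
SQUID_ACCEPT_TOKEN = "oRQwEqADCgEAoQsGCSqGSIb3EgECAg=="

# Constructed samples: DUMMY_AP_REQ is a placeholder, not a real Kerberos AP-REQ.
DUMMY_AP_REQ = b"\x01\x00" + b"placeholder-ap-req"
SPNEGO_INIT_TOKEN = build_spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], DUMMY_AP_REQ)
BARE_KRB5_TOKEN = base64.b64encode(der(0x60, der(0x06, OID_KRB5) + DUMMY_AP_REQ)).decode()

if __name__ == "__main__":
    for name, tok in [("Firefox token", FIREFOX_TOKEN), ("squid accept token", SQUID_ACCEPT_TOKEN),
                      ("constructed SPNEGO", SPNEGO_INIT_TOKEN), ("constructed bare krb5", BARE_KRB5_TOKEN)]:
        print(f"{name:22s} {classify(tok)}")
```

The first bytes of the IE token quoted above (YIIE+gYGKwYBBQUC...) decode to the 0x60 application tag, the SPNEGO OID 1.3.6.1.5.5.2 and a mechTypes list that starts with the Microsoft Kerberos OID, which is the shape a SPNEGO-aware helper parses. A type 1 NTLMSSP token needs no ASN.1 decoding at all: base64 "TlRMTVNTUAAB" is the NTLMSSP signature, so Negotiate tokens starting that way in a proxy log mean the client has fallen back to NTLM, which is worth establishing before touching the keytab or the SPNs.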
Received on Thu Jan 21 2010 - 19:38:58 MST
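Markus's check above, that kvno HTTP/fqdn@REALM must report the same number that klist -ekt shows for the keytab, is what separates Umesh's keytab (kvno 7) from what AD holds (kvno 5). The script below is an added example, not code from the thread or from squid_kerb_auth. It parses the two command outputs in the shape quoted in the thread (with "@" where the archive prints "_at_"), reports kvno and principal mismatches, and flags DES and RC4 keys. The sample outputs are constructed from the thread's values; live_check runs the real klist and kvno binaries and assumes MIT Kerberos and a TGT already obtained with kinit.

```python
"""Compare a squid keytab against what the KDC expects.

Added example (not from the squid-users thread or squid_kerb_auth). It parses
MIT `klist -ekt <keytab>` and `kvno <principal>` output in the shape quoted in
the thread and reports what Markus tells Umesh to look for: a KDC kvno that the
keytab does not hold, or a principal the keytab has no key for. Single-DES and
RC4 keys are flagged as well.
"""
import re
import subprocess

# One keytab entry: "   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@AD.DOMAIN.COM (ArcFour with HMAC/md5)"
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")
# kvno output: "HTTP/proxy1.domain.com@AD.DOMAIN.COM: kvno = 5"
KVNO_LINE = re.compile(r"^(\S+):\s+kvno\s*=\s*(\d+)\s*$")
# Prefixes of enctype names as klist prints them; these keys should not be relied on.
WEAK_ENCTYPE_PREFIXES = ("DES cbc", "ArcFour")


def parse_klist(output):
    """Map principal -> {kvno: [enctype, ...]} from `klist -ekt` output."""
    keytab = {}
    for line in output.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
            keytab.setdefault(principal, {}).setdefault(kvno, []).append(enctype)
    return keytab


def parse_kvno(output):
    """Map principal -> kvno from `kvno` output; error lines produce no entry."""
    return {m.group(1): int(m.group(2))
            for m in map(KVNO_LINE.match, output.splitlines()) if m}


def check_keytab(klist_output, kvno_output):
    """Return human-readable problems; an empty list means keytab and KDC agree."""
    keytab, kdc = parse_klist(klist_output), parse_kvno(kvno_output)
    problems = []
    if not kdc:
        problems.append("kvno produced no result (run kinit first, then kvno)")
    for principal, kvno in kdc.items():
        if principal not in keytab:
            problems.append(f"{principal}: no key in keytab (keytab holds {sorted(keytab)})")
        elif kvno not in keytab[principal]:
            problems.append(f"{principal}: KDC kvno {kvno} but keytab has kvno(s) "
                            f"{sorted(keytab[principal])}")
    return problems


def weak_keys(klist_output):
    """List (principal, kvno, enctype) for keytab entries that use a weak enctype."""
    return [(principal, kvno, enctype)
            for principal, versions in parse_klist(klist_output).items()
            for kvno, enctypes in versions.items()
            for enctype in enctypes if enctype.startswith(WEAK_ENCTYPE_PREFIXES)]


def live_check(keytab_path, principal):
    """Run the real tools (assumes MIT Kerberos and a valid TGT from kinit)."""
    klist_out = subprocess.run(["klist", "-ekt", keytab_path],
                               capture_output=True, text=True).stdout
    kvno_out = subprocess.run(["kvno", principal], capture_output=True, text=True).stdout
    return check_keytab(klist_out, kvno_out), weak_keys(klist_out)


# Constructed sample output using the values quoted in the thread (keytab kvno 7).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@AD.DOMAIN.COM (ArcFour with HMAC/md5)
"""
KVNO_MATCHING = "HTTP/proxy1.domain.com@AD.DOMAIN.COM: kvno = 7\n"
KVNO_STALE = "HTTP/proxy1.domain.com@AD.DOMAIN.COM: kvno = 5\n"     # keytab older than AD
KVNO_WRONG_NAME = "HTTP/proxy1@DOMAIN.COM: kvno = 5\n"              # the thread's result
KVNO_NO_TGT = ("kvno: Ticket expired while getting credentials for "
               "HTTP/proxy1.domain.com@AD.DOMAIN.COM\n")

if __name__ == "__main__":
    for label, out in [("matching", KVNO_MATCHING), ("stale keytab", KVNO_STALE),
                       ("wrong principal", KVNO_WRONG_NAME), ("no TGT", KVNO_NO_TGT)]:
        print(label, "->", check_keytab(SAMPLE_KLIST, out) or "OK")
    print("weak keys:", weak_keys(SAMPLE_KLIST))
```

A KDC kvno that the keytab lacks means the service tickets clients present are encrypted under a key the helper does not have, so gss_accept_sec_context() fails even though the principal name in the keytab looks right. Every re-run of ktpass, msktutil or net ads join that resets the account password increments the kvno on the AD side, which is why each re-join needs a freshly exported keytab and why an old keytab left in place keeps failing.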

This archive was generated by hypermail 2.2.0 : Fri Jan 22 2010 - 12:00:04 MST