[squid-users] Re: squid_kerb_ldap question

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 19 Jan 2011 23:59:14 -0000

For squid_kerb_ldap to work the AD entry must have a userPrincipalName
attribute set to one of the keytab entry names, e.g.
HTTP/ubuntu.pfsee.net@PFSEE.NET. This is one of the differences between
msktutil with --upn and net ads join.

Markus

----- Original Message -----
From: "Rafal Zawierta" <zawierta_at_gmail.com>
To: <huaraz_at_moeller.plus.com>
Sent: Wednesday, January 19, 2011 11:39 PM
Subject: squid_kerb_ldap question

> Hello Markus!
>
> If you don't mind I'd like to ask you for help with my squid_kerb_ldap
> problem.
> After 2 long days I have squid_kerb_auth working.
>
> I have an ubuntu host, which was joined to AD by the net join command AND
> krb5.keytab was also created in that way.
>
> Now, when I start my squid with kerb_ldap helper I get:
> 2011/01/20 00:20:14| squid_kerb_ldap: Error while initialising
> credentials from keytab : Client not found in Kerberos database
> 2011/01/20 00:20:14| squid_kerb_ldap: Error during setup of Kerberos
> credential cache
>
> AFAIK the problem is with my keytab - am I right? Is it possible to fix
> it without running msktutil? Or is the only good way to delete (?) my
> keytab and create a new one with msktutil with the --upn option?
>
> ktutil on the proxy server shows me:
> ktutil: rkt /etc/squid/HTTP.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    2 host/ubuntu.pfsee.net@PFSEE.NET
>    2    2 host/ubuntu.pfsee.net@PFSEE.NET
>    3    2 host/ubuntu.pfsee.net@PFSEE.NET
>    4    2 host/ubuntu@PFSEE.NET
>    5    2 host/ubuntu@PFSEE.NET
>    6    2 host/ubuntu@PFSEE.NET
>    7    2 UBUNTU$@PFSEE.NET
>    8    2 UBUNTU$@PFSEE.NET
>    9    2 UBUNTU$@PFSEE.NET
>   10    2 HTTP/ubuntu.pfsee.net@PFSEE.NET
>   11    2 HTTP/ubuntu.pfsee.net@PFSEE.NET
>   12    2 HTTP/ubuntu.pfsee.net@PFSEE.NET
>   13    2 HTTP/ubuntu@PFSEE.NET
>   14    2 HTTP/ubuntu@PFSEE.NET
>   15    2 HTTP/ubuntu@PFSEE.NET
>
> But on the AD server, in AD Users and Computers, there is NO http or
> similar entry under Users. Just ubuntu under Computers.
>
> Regards
> Rafal
>
>
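The check Markus describes, applied to the keytab listing and AD state quoted above, as an added example that is not part of this thread and not code from squid_kerb_ldap or msktutil. It assumes (the page does not say so) that the helper uses the HTTP/<fqdn> keytab entry as the client principal when it obtains a TGT from the keytab, and that AD resolves a requesting client only through the object's userPrincipalName or its implicit sAMAccountName@REALM name, never through a servicePrincipalName. The keytab text and the two AD object states are constructed to mirror the thread; the "after msktutil --upn" state is what that option is expected to produce.

```python
"""Decide whether a keytab entry can act as the Kerberos *client* principal
for a keytab-based TGT request (kinit -k) against Active Directory.

Added example, not part of the squid-users thread or of squid_kerb_ldap.
Assumptions (not stated on the page): the helper picks the HTTP/<fqdn>
entry as its client principal, and AD accepts a client principal only via
userPrincipalName or the implicit sAMAccountName@REALM name.
"""
import re

# Constructed input: a condensed copy of the ktutil "l" listing from the thread.
KTUTIL_OUTPUT = """\
slot KVNO Principal
---- ---- ------------------------------------------
   1    2 host/ubuntu.pfsee.net@PFSEE.NET
   4    2 host/ubuntu@PFSEE.NET
   7    2 UBUNTU$@PFSEE.NET
  10    2 HTTP/ubuntu.pfsee.net@PFSEE.NET
  13    2 HTTP/ubuntu@PFSEE.NET
"""

# Constructed AD computer object as "net ads join" leaves it:
# SPNs registered, no userPrincipalName (matches what Rafal sees in ADUC).
AD_OBJECT_NET_ADS = {
    "sAMAccountName": "UBUNTU$",
    "servicePrincipalName": [
        "HTTP/ubuntu.pfsee.net", "HTTP/ubuntu",
        "host/ubuntu.pfsee.net", "host/ubuntu",
    ],
}

# The same object after "msktutil --upn HTTP/ubuntu.pfsee.net" (assumed result).
AD_OBJECT_UPN = dict(AD_OBJECT_NET_ADS,
                     userPrincipalName="HTTP/ubuntu.pfsee.net@PFSEE.NET")

_KT_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_ktutil(text):
    """Return the set of principal names in a ktutil 'l' listing."""
    principals = set()
    for line in text.splitlines():
        m = _KT_LINE.match(line)
        if m:
            principals.add(m.group(3))
    return principals


def ad_client_principals(obj, realm):
    """Names AD will accept as the *client* (TGT requester) for this object.

    SPNs are deliberately left out: they identify the service a ticket is
    requested *for*; the KDC does not look up the requesting client by SPN,
    which is exactly what 'Client not found in Kerberos database' reports.
    """
    names = {obj["sAMAccountName"] + "@" + realm}
    upn = obj.get("userPrincipalName")
    if upn:
        names.add(upn if "@" in upn else upn + "@" + realm)
    return names


def diagnose(keytab_text, obj, realm, service="HTTP"):
    """Which service/* keytab entries can obtain a TGT for this AD object?"""
    in_keytab = parse_ktutil(keytab_text)
    clients = ad_client_principals(obj, realm)
    candidates = sorted(p for p in in_keytab if p.startswith(service + "/"))
    usable = [p for p in candidates if p in clients]
    fix = None
    if not usable:
        fix = ("set userPrincipalName to one of %s (e.g. msktutil --upn)"
               % ", ".join(candidates))
    return {"candidates": candidates, "usable": usable,
            "ok": bool(usable), "fix": fix}


if __name__ == "__main__":
    for label, obj in (("net ads join", AD_OBJECT_NET_ADS),
                       ("msktutil --upn", AD_OBJECT_UPN)):
        print(label, diagnose(KTUTIL_OUTPUT, obj, "PFSEE.NET"))
```

Run against the "net ads join" state the diagnosis reports no usable HTTP/ entry, which is the situation that produces the "Client not found in Kerberos database" error; once the UPN is set to HTTP/ubuntu.pfsee.net@PFSEE.NET the same keytab passes. Note that UBUNTU$@PFSEE.NET is already a valid client name in both states, so a plain `kinit -k 'UBUNTU$@PFSEE.NET'` succeeding does not prove the helper's HTTP/ entry will.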
Received on Wed Jan 19 2011 - 23:59:37 MST

This archive was generated by hypermail 2.2.0 : Thu Jan 20 2011 - 12:00:03 MST