Re: [squid-users] Active Directory and user agents - complete ISA replacement

From: George Machitidze <giomac_at_gmail.com>
Date: Thu, 12 Jan 2012 16:29:47 +0400

Never mind, my fault.

On Red Hat, winbind is running as root and the owner of the file is root:root;
I've changed it to squid.

Best regards,
George Machitidze

On Thu, Jan 12, 2012 at 4:01 PM, George Machitidze <giomac_at_gmail.com> wrote:
> Here are first issues:
>
> [root@proxy ~]# kdestroy
>
> <NOW RESET DONE FOR HOST squid-k IN AD>
>
> [root@proxy ~]# msktutil --auto-update --verbose --computer-name squid-k
>  -- init_password: Wiping the computer password structure
>  -- get_dc_host: Attempting to find a Domain Controller to use
>  -- get_dc_host: Found Domain Controller: TEST-admsdc02
>  -- get_default_keytab: Obtaining the default keytab name:
> /etc/squid/HTTP.keytab
>  -- create_fake_krb5_conf: Created a fake krb5.conf file:
> /tmp/.msktkrb5.conf-iN2kxe
>  -- reload: Reloading Kerberos Context
>  -- finalize_exec: SAM Account Name is: squid-k$
>  -- try_machine_keytab_princ: Trying to authenticate for squid-k$ from
> local keytab...
>  -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
> (Client not found in Kerberos database)
>  -- try_machine_keytab_princ: Authentication with keytab failed
>  -- try_machine_keytab_princ: Trying to authenticate for host/proxy
> from local keytab...
>  -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
> (Client not found in Kerberos database)
>  -- try_machine_keytab_princ: Authentication with keytab failed
>  -- try_machine_password: Trying to authenticate for squid-k$ with password.
>  -- try_machine_password: Error: krb5_get_init_creds_keytab failed
> (Client not found in Kerberos database)
>  -- try_machine_password: Authentication with password failed
>  -- try_user_creds: Checking if default ticket cache has tickets...
>  -- try_user_creds: Error: krb5_cc_get_principal failed (No
> credentials cache found)
>  -- try_user_creds: User ticket cache was not valid.
> Error: could not find any credentials to authenticate with. Neither keytab,
>     default machine password, nor calling user's tickets worked. Try
>     "kinit"ing yourself some tickets with permission to create computer
>     objects, or pre-creating the computer object in AD and selecting
>     'reset account'.
>  -- ~KRB5Context: Destroying Kerberos Context
>
> [root@proxy ~]# cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = TEST.GE
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  forwardable = yes
>  default_keytab_name = /etc/squid/HTTP.keytab
>  default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>  default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>  permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> [realms]
>  TEST.GE = {
>  kdc = TEST-admsdc01.test.ge
>  kdc = TEST-admsdc01.test.ge
>  admin_server = TEST-admsdc01.test.ge
>  default_domain = test.ge
>  }
>
> [domain_realm]
>  test.ge = TEST.GE
>  .test.ge = TEST.GE
>
> [appdefaults]
>  pam = {
>   debug = true
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
>
> Where can I find the reason?
>
> Best regards,
> George Machitidze
>
>
>
> On Thu, Jan 12, 2012 at 1:11 PM, George Machitidze <giomac_at_gmail.com> wrote:
>> Hello James
>>
>> Great job! Thanks for reply
>>
>> I will check and update with tests :)
>>
>> Best regards,
>> George Machitidze
>>
>>
>>
>> On Thu, Jan 12, 2012 at 1:00 PM, James Robertson <j_at_mesrobertson.com> wrote:
>>>> When I try to use Opera browser I am getting ugly message after
>>>> entering credentials:
>>>>
>>>> authenticateNegotiateHandleReply: Error validating user via Negotiate.
>>>> Error returned 'BH received type 1 NTLM token'
>>>
>>> Opera does not support Kerberos as far as I know. You will still
>>> need to support NTLM. You will have issues with iTunes and possibly
>>> various other apps that need NTLM support.
>>>
>>>> Is there any "universal", well tested configuration/manual that will
>>>> make all clients work?
>>>
>>> I just completed a guide based on Debian that supports Kerberos, NTLM
>>> and basic auth and was planning on updating the Squid Wiki also
>>> sometime soon.  You should be able to translate that to your RH.
>>>
>>> HTH.
>>>
>>> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
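The thread ends on two things worth checking before the helper is ever started: the keytab named in krb5.conf's default_keytab_name has to be readable by the account Squid runs as (the fix above was chowning a root:root /etc/squid/HTTP.keytab to squid), and the posted krb5.conf pins the enctype lists to rc4-hmac and single DES, which the Kerberos RFCs deprecate. The script below is an added example written for this archive page, not code from the thread, from Squid or from msktutil. It parses the [libdefaults] section of a krb5.conf (the sample is the one posted above), flags deprecated enctypes, and checks a keytab's owner and mode. The service user name `squid` and the keytab path come from the posting; the temporary file used as a stand-in keytab and the helper names are constructed for the example.

```python
"""
Pre-flight checks for a Squid + Kerberos (msktutil) setup.
Added example for this mailing-list page; not code from the thread, Squid or msktutil.
Assumes the [libdefaults] layout posted in the thread and a keytab owned by the
service user (named 'squid' in the posting). Sample config copied from the post.
"""
import os
import pwd
import re
import stat
import tempfile

# Enctypes deprecated by the Kerberos RFCs: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
# arcfour-hmac and arcfour-hmac-md5 are MIT aliases for rc4-hmac.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1",
    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# krb5.conf as posted in the thread (embedded here so the example runs offline).
SAMPLE_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.GE
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_keytab_name = /etc/squid/HTTP.keytab
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 TEST.GE = {
 kdc = TEST-admsdc01.test.ge
 admin_server = TEST-admsdc01.test.ge
 default_domain = test.ge
 }

[domain_realm]
 test.ge = TEST.GE
 .test.ge = TEST.GE
"""


def parse_libdefaults(text):
    """Return the top-level key/value pairs of the [libdefaults] section.
    Brace-delimited subsections (realm blocks, appdefaults) are skipped."""
    section, depth, result = None, 0, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, depth = header.group(1), 0
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            result[key] = value
    return result


def weak_enctypes(libdefaults):
    """Map each enctype-list key to the deprecated enctypes it names, in order."""
    findings = {}
    for key in ENCTYPE_KEYS:
        if key in libdefaults:
            listed = libdefaults[key].lower().replace(",", " ").split()
            weak = [e for e in listed if e in WEAK_ENCTYPES]
            if weak:
                findings[key] = weak
    return findings


def _owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid without a passwd entry (common in containers)
        return str(uid)


def keytab_problems(path, service_user):
    """List why the keytab at `path` is unsafe or unusable for `service_user`:
    wrong owner (the thread's root:root case) or a group/world-accessible mode."""
    st = os.stat(path)
    owner = _owner_name(st.st_uid)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if owner != service_user:
        problems.append(f"owned by {owner}, not {service_user}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} is group/world accessible; expect 0600")
    return problems


def check_sample_keytab(mode, service_user=None):
    """Create a throwaway file standing in for HTTP.keytab, apply `mode`, check it.
    service_user defaults to the current account so only the mode is under test."""
    if service_user is None:
        service_user = _owner_name(os.getuid())
    fd, path = tempfile.mkstemp(prefix="HTTP.keytab.")
    try:
        os.close(fd)
        os.chmod(path, mode)
        return keytab_problems(path, service_user)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    libdefaults = parse_libdefaults(SAMPLE_KRB5_CONF)
    for key, weak in weak_enctypes(libdefaults).items():
        print(f"{key}: deprecated enctypes {', '.join(weak)}")
    keytab = libdefaults.get("default_keytab_name", "/etc/squid/HTTP.keytab")
    if os.path.exists(keytab):
        print(keytab, keytab_problems(keytab, "squid") or ["ok"])
    else:
        print(f"{keytab} not present here; simulated 0644 file:", check_sample_keytab(0o644))
```

Run against a live box, the script reports on the real /etc/squid/HTTP.keytab; elsewhere it simulates the mode check on a temporary file. Dropping rc4-hmac and the DES types from the three enctype lists is only safe once the AD computer account and the keytab have been re-keyed with AES, which is what a fresh `msktutil --auto-update` run produces on a domain that supports it.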
Received on Thu Jan 12 2012 - 12:30:15 MST
