Hi friends,
I have a problem implementing Kerberos authentication on my Squid
server. I'm using this article from the Squid wiki:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
My server is Red Hat Enterprise Linux (minimal) 6.2 (all packages
updated), with the official RH squid package (3.1.10).
I launch kinit without problems:
----------------------------------------------------------------------------------------------------
[root_at_proxy01 ~]# kinit administrator_at_MYDOMAIN
Password for administrator_at_MYDOMAIN:
[root_at_proxy01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator_at_MYDOMAIN
Valid starting Expires Service principal
02/24/12 08:46:05 02/24/12 18:46:09 krbtgt/MYDOMAIN_at_MYDOMAIN
renew until 02/25/12 08:46:05
---------------------------------------------------------------------------------------------------
The problem appears when I launch msktutil to build the keytab file:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[root_at_hostname ~]# msktutil -c -b "CN=COMPUTERS" -s HTTP/hostname.mydomain \
    -k /etc/squid/PROXY.keytab --computer-name PROXY01KRB \
    --upn HTTP/hostname.mydomain --server dc1.mydomain --verbose
-- init_password: Wiping the computer password structure
-- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-XbERrw
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: PROXY01KRB$
-- try_machine_keytab_princ: Trying to authenticate for PROXY01KRB$
from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Unsupported key table format version number)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/proxy01
from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for PROXY01KRB$ with
password.
-- try_machine_password: Error: krb5_get_init_creds_keytab failed
(Preauthentication failed)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4
-- ldap_connect: Connecting to LDAP server: dc1.mydomain try_tls=YES
-- ldap_connect: Connecting to LDAP server: dc1.mydomain try_tls=NO
SASL/GSSAPI authentication started
SASL username: administrator_at_MYDOMAIN
SASL SSF: 56
SASL data security layer installed.
-- ldap_connect: LDAP_OPT_X_SASL_SSF=56
-- ldap_get_base_dn: Determining default LDAP base: dc=MYDOMAIN
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the
computer account
-- generate_new_password: Characters read from /dev/udandom = 82
-- ldap_check_account: Checking that a computer account for PROXY01KRB$
exists
-- ldap_check_account: Checking computer account - found
-- ldap_check_account: Found userAccountControl = 0x1000
-- ldap_check_account: Found default supportedEncryptionTypes = 7
-- ldap_check_account: Found dNSHostName = proxy01
-- ldap_check_account: Found User Principal: HTTP/proxy01.mydomain
-- ldap_check_account_strings: Inspecting (and updating) computer
account attributes
-- ldap_simple_set_attr: Calling ldap_modify_ext_s to set
userPrincipalName to HTTP/proxy01.mydomain_at_MYDOMAIN
-- ldap_set_supportedEncryptionTypes: DEE
dn=CN=PROXY01KRB,CN=Computers,DC=mydomain old=7 new=28
-- ldap_simple_set_attr: Calling ldap_modify_ext_s to set
msDs-supportedEncryptionTypes to 28
-- ldap_simple_set_attr: ldap_modify_ext_s failed (No such attribute)
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x200000 to 0x0
-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000
-- set_password: Attempting to reset computer's password
-- set_password: Try change password using user's ticket cache
-- ldap_get_pwdLastSet: pwdLastSet is 0
Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for
requested realm)
Error: set_password failed
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure
-- ~KRB5Context: Destroying Kerberos Context
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
My /etc/krb5.conf:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
#renew_lifetime = 7d
#forwardable = true
default_keytab_name = /etc/squid/PROXY.keytab
; for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md
[realms]
MYDOMAIN = {
kdc = dc1.mydomain
kdc = dc2.mydomain
admin_server = dc1.mydomain
default_domain = MYDOMAIN
}
[domain_realm]
.MYDOMAIN = MYDOMAIN
MYDOMAIN = MYDOMAIN
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
All the DNS stuff is correctly configured and resolves without problems,
including the reverse pointers. NTP sync is enabled and I forced an ntpdate
before starting the process to get the time synced with the domain controller.
The really weird thing is that yesterday, after many tests changing the
hostname and the --computer-name parameter of msktutil, everything worked fine
and the keytab file was generated. Today I wanted to create a new keytab file
with the definitive names (yesterday I was just doing some tests), and the
problem appeared again. I don't know the cause. Yesterday I also tried to
generate the keytab using these articles, without success:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
so I don't know if some of those steps were the reason the keytab was
generated correctly later.
I hope you can help me.
Thank you very much in advance,
Regards
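Added example (not from the post above, the Squid wiki or msktutil): a small Python checker that parses the krb5.conf quoted in the post and audits its enctype policy, since the active lines permit only rc4-hmac and single-DES while the msktutil run tried to register RC4+AES on the computer account. The config string is a constructed copy of the active lines; the parser is deliberately minimal.

```python
from collections import defaultdict

# Constructed copy of the active lines of the krb5.conf quoted in the post.
KRB5_CONF = """[libdefaults]
default_realm = MYDOMAIN
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
MYDOMAIN = {
  kdc = dc1.mydomain
  admin_server = dc1.mydomain
}
"""
# RFC 6649 deprecates single DES and RFC 8429 deprecates RC4-HMAC; AES is what a 2008+ DC offers.
DES_TYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
RC4_TYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
AES_TYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "aes256-cts", "aes128-cts"}


def parse_krb5_conf(text):
    """Minimal krb5.conf parser -> {section: {key: [values]}}; realm-block keys become 'REALM.key'."""
    conf = defaultdict(lambda: defaultdict(list))
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip both comment styles
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif line.endswith("{"):
            realm = line[:-1].split("=", 1)[0].strip()
        elif line == "}":
            realm = None
        elif "=" in line and section:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][f"{realm}.{key}" if realm else key].append(value)
    return conf


def audit_enctypes(conf):
    """Flag weak or AES-less enctype lists in [libdefaults]; returns one string per finding."""
    findings = []
    lib = conf.get("libdefaults", {})
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        types = set(" ".join(lib.get(key, [])).split())  # unset key -> empty -> library default
        if types & DES_TYPES:
            findings.append(f"{key}: single-DES enabled {sorted(types & DES_TYPES)}")
        if types & RC4_TYPES:
            findings.append(f"{key}: rc4-hmac enabled")
        if types and not types & AES_TYPES:
            findings.append(f"{key}: no AES enctype, AES session keys from the DC cannot be used")
    return findings
```

Running `audit_enctypes(parse_krb5_conf(KRB5_CONF))` on the quoted config yields three findings per enctype key; a list that includes an AES type and drops the DES names leaves only the rc4-hmac note.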
This archive was generated by hypermail 2.2.0 : Thu Mar 01 2012 - 12:00:05 MST