----- Original Message -----
From: "Truth Seeker" <truth_seeker_3535@xxxxxxxxx>
To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
Cc: "Squid maillist" <squid-users@xxxxxxxxxxxxxxx>
Sent: Wednesday, June 03, 2009 7:39 PM
Subject: Re: Re: Squid + Kerberos + Active Directory

Dear Markus,

Really, thanks for your suggestions... I didn't understand a few of them... anyway, the following is my reply to your queries... kindly assist me to keep things up and running...

FQDN --> linuxproxy.panasonic.com
HOSTNAME --> linuxproxy

[root@linuxproxy ~]# klist -kt
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 06/02/09 18:05:36 HTTP/linuxproxy.panasonic.com@xxxxxxxxxxxxx
   4 06/02/09 18:05:36 HTTP/linuxproxy.panasonic.com@xxxxxxxxxxxxx
   4 06/02/09 18:05:36 HTTP/linuxproxy.panasonic.com@xxxxxxxxxxxxx
   3 06/02/09 18:05:23 HTTP/linuxproxy.panasonic.com@xxxxxxxxxxxxx
   3 06/02/09 18:05:23 HTTP/linuxproxy.panasonic.com@xxxxxxxxxxxxx
   3 06/02/09 18:05:23 HTTP/linuxproxy.panasonic.com@xxxxxxxxxxxxx
[root@linuxproxy ~]#

Does your startup script set the KRB5_KTNAME environment variable?

[root@linuxproxy ~]# head -23 /etc/rc.d/init.d/squid
#!/bin/bash
### BEGIN INIT INFO
# Provides: squid
# chkconfig: - 90 25
# pidfile: /var/run/squid.pid
# config: /etc/squid/squid.conf
# Short-Description: starting and stopping Squid Internet Object Cache
# Description: Squid - Internet Object Cache. Internet object caching is \
#       a way to store requested Internet objects (i.e., data available \
#       via the HTTP, FTP, and gopher protocols) on a system closer to the \
#       requesting site than to the source. Web browsers can then use the \
#       local Squid cache as a proxy HTTP server, reducing access time as \
#       well as bandwidth consumption.
### END INIT INFO

KRB5_KTNAME=/etc/squid/HTTP.keytab
PATH=/usr/bin:/sbin:/bin:/usr/sbin
export PATH KRB5_KTNAME

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
[root@linuxproxy ~]#

Can you do a successful kinit -k squid.keytab HTTP/hostname?

(I didn't understand how to issue this command; anyway, I tried the following.)

[root@linuxproxy ~]# ls /etc/squid/HTTP.keytab
(I am using the HTTP.keytab file name; I think you mentioned squid.keytab, am I right?)
/etc/squid/HTTP.keytab
[root@linuxproxy ~]#
[root@linuxproxy ~]# kinit -k HTTP.keytab HTTP/linuxproxy
Sorry, I forgot the -t. It should have been:

kinit -k -t HTTP.keytab HTTP/linuxproxy.panasonic.com

This is to prove that the keytab entry is valid.
Extra arguments (starting with "HTTP/linuxproxy").
Usage: kinit [-5] [-4] [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-f | -F] [-p | -P] [-a | -A] [-v] [-R] [-k [-t keytab_file]] [-c cachename] [-S service_name] [principal]
    options:                                 valid with Kerberos:
    -5 Kerberos 5 (available)
    -4 Kerberos 4 (available)
    (Default behavior is to try Kerberos 5)
    -V verbose                               Either 4 or 5
    -l lifetime                              Either 4 or 5
    -s start time                            5
    -r renewable lifetime                    5
    -f forwardable                           5
    -F not forwardable                       5
    -p proxiable                             5
    -P not proxiable                         5
    -a include addresses                     5
    -A do not include addresses              5
    -v validate                              5
    -R renew                                 5, or both 5 and 4
    -k use keytab                            5, or both 5 and 4
    -t filename of keytab to use             5, or both 5 and 4
    -c Kerberos 5 cache name                 5
    -S service                               5, or both 5 and 4
[root@linuxproxy ~]#

Can you add a -d to squid_kerb_auth and send me the output?

Where do I add this -d? You mean in the squid.conf? If so, where will I get the output from? In stdout, or in one of the log messages? Please clarify...
Yes, in the squid.conf (e.g. auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d). The output goes to cache.log.
Did you use the fqdn in IE to point to squid?

I tried the FQDN after your mail, but with the same result: Cache Access Denied!!! Before, I had given the IP, and the result is the same. (I am eager to know: will this not work if I specify the IP? Or is it mandatory that I specify the FQDN?)
I remember IE needed the fqdn.
The command which I used to create the computer account in the Active Directory from the squid proxy machine:

msktutil -c -b "OU=Servers" -s HTTP/linuxproxy.panasonic.com -h linuxproxy -k /etc/squid/HTTP.keytab --computer-name SQUIDPROXY --upn HTTP/linuxproxy.panasonic.com --server pana001.panasonic.com --verbose

where my
hostname = linuxproxy
fqdn = linuxproxy.panasonic.com (resolvable in DNS)
SAM client name specified = Squidproxy
Active Directory Server (DC) = pana001.panasonic.com (resolvable in DNS)

Here is my krb5.conf:

[root@linuxproxy ~]# cat /etc/krb5.conf
[libdefaults]
 default_realm = PANASONIC.COM
 dns_lookup_kdc = no
 dns_lookup_realm = no
 default_keytab_name = /etc/squid/HTTP.keytab
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 PANASONIC.COM = {
  kdc = pana001.panasonic.com
  admin_server = pana001.panasonic.com
 }

[domain_realm]
 .panasonic..com = PANASONIC.COM
 panasonic.com = PANASONIC.COM

[logging]
 kdc = FILE:/var/log/kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/krb5lib.log

--
--- Always try to find truth!!! ---

--- On Tue, 6/2/09, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
Can you send me the squid_kerb_auth debug output from cache.log?

Markus
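A set of offline sanity checks for the keytab and krb5.conf questions raised in this thread, added here as an illustration; it is not code from the thread, from Squid or from msktutil. The klist -kt and krb5.conf samples below are constructed to match the listings posted above; the realm PANASONIC.COM is an assumption taken from default_realm in the posted krb5.conf (the thread's own klist output has the realm masked). The checks confirm that the keytab holds the HTTP/<fqdn> principal the browser will ask a ticket for, list the key version numbers present, flag [domain_realm] keys that are not well-formed domain names (the posted file has one with two consecutive dots), and run Markus's corrected kinit -k -t test only when kinit is actually installed, so everything else still works without a KDC.

```shell
#!/bin/bash
# Added example, not part of the squid-users thread: offline checks for a
# Squid + Kerberos keytab and krb5.conf. Realm PANASONIC.COM is assumed.

# Constructed `klist -kt` output modelled on the listing in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 06/02/09 18:05:36 HTTP/linuxproxy.panasonic.com@PANASONIC.COM
   4 06/02/09 18:05:36 HTTP/linuxproxy.panasonic.com@PANASONIC.COM
   4 06/02/09 18:05:36 HTTP/linuxproxy.panasonic.com@PANASONIC.COM
   3 06/02/09 18:05:23 HTTP/linuxproxy.panasonic.com@PANASONIC.COM
   3 06/02/09 18:05:23 HTTP/linuxproxy.panasonic.com@PANASONIC.COM
   3 06/02/09 18:05:23 HTTP/linuxproxy.panasonic.com@PANASONIC.COM'

# Constructed krb5.conf fragment with the same [domain_realm] keys as the
# posted file, including its ".panasonic..com" entry.
SAMPLE_KRB5CONF='[libdefaults]
 default_realm = PANASONIC.COM
[domain_realm]
 .panasonic..com = PANASONIC.COM
 panasonic.com = PANASONIC.COM'

# Distinct principals in klist -kt output. Entry lines start with a numeric
# KVNO and the timestamp takes two fields, so the principal is field 4.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && NF >= 4 { print $4 }' | sort -u
}

# Distinct key version numbers, ascending, space separated. Two KVNOs after an
# msktutil run is normal; the newest must match the account's KVNO in AD or
# service tickets issued by the DC will not decrypt with this keytab.
keytab_kvnos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1 }' \
        | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 if the expected service principal is present in the listing.
keytab_has_principal() {
    keytab_principals "$1" | grep -qxF "$2"
}

# Service principal the browser requests a ticket for: HTTP/<fqdn>@REALM.
# The name must be the FQDN the client uses to reach the proxy, not the
# short hostname and not the IP address.
service_principal() {
    printf 'HTTP/%s@%s' "$1" "$2"
}

# Print [domain_realm] keys that are not valid DNS names (an empty label
# such as ".." or a trailing dot). Prints nothing when all keys are sane.
bad_domain_realm_keys() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_dr = ($0 == "[domain_realm]"); next }
        in_dr && NF >= 3 && $2 == "=" {
            if ($1 ~ /\.\./ || $1 ~ /\.$/) print $1
        }'
}

# Markus'"'"'s corrected test, run against a real KDC only when kinit exists.
# Returns 2 when kinit is not installed so the offline checks still complete.
kinit_check() {
    local keytab=$1 princ=$2
    command -v kinit >/dev/null 2>&1 || return 2
    kinit -k -t "$keytab" "$princ" && kdestroy
}

princ=$(service_principal linuxproxy.panasonic.com PANASONIC.COM)
echo "expected principal  : $princ"
echo "principals in keytab: $(keytab_principals "$SAMPLE_KLIST" | tr '\n' ' ')"
echo "KVNOs in keytab     : $(keytab_kvnos "$SAMPLE_KLIST")"
if keytab_has_principal "$SAMPLE_KLIST" "$princ"; then
    echo "principal present   : yes"
else
    echo "principal present   : NO"
fi
bad=$(bad_domain_realm_keys "$SAMPLE_KRB5CONF")
[ -n "$bad" ] && echo "malformed domain_realm keys: $bad"
kinit_check /etc/squid/HTTP.keytab "$princ" || echo "kinit check rc=$? (2 = kinit not installed)"
```

On a real proxy, replace SAMPLE_KLIST with `$(klist -kt /etc/squid/HTTP.keytab)` and SAMPLE_KRB5CONF with `$(cat /etc/krb5.conf)`; a missing principal, a KVNO that lags the AD account, or a malformed domain_realm key each explain a Negotiate failure before squid_kerb_auth -d is even consulted.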