Search squid archive

Re: Re: squid_kerb_auth problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On AD you can use ADSIEDIT ( http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to search for entries and delete,modify them. The best instructions are http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Let me know what you get once you deleted the old entry. Another check is to use the kvno tool which you should have when you use MIT Kerberos.

#kvno HTTP/fqdn@REALM should give the same number as klist -ekt squid.keytab e.g.

# klist -ekt /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (ArcFour with HMAC/md5) 3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (Triple DES cbc mode with HMAC/sha1) 3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (DES cbc mode with CRC-32)

#kvno HTTP/opensuse11.suse.home
HTTP/opensuse11.suse.home@xxxxxxxxx: kvno = 3


Regards
Markus

"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f@xxxxxxxxxxxxxxxxx
Hi,
I'm new to this. I've run the following command on the server:

ldapsearch  -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b
"OU=name,DC=domain,DC=com"  "serviceprincipalname=HTTP/fqdn@REALM"

and get
#
# LDAPv3
# base <OU=name,DC=domain,DC=com> with scope subtree
# filter: serviceprincipalname=HTTP/fqdn@REALM
# requesting: ALL
#

# search result

# numResponses: 1

Is it possible to check directly on AD if this service principal name exits?
How else can I test if this keytab works?
If I create a new keytab what is the procedure of getting rid of the
old one and retesting (what should be done on AD and the linux box)?

Are there any docs that will help me with this?

Sorry for being a pain and thanks again.
Regards
Umesh




2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or
search with a filter "(serviceprincipalname=HTTP/fqdn@REALM)" if you have
duplicate entries ?

This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx will only work if the userprincipal name is HTTP/fqdn@xxxxxxxxxxxxxx which I think is
not the case with ktpass.


Regards
Markus


"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0@xxxxxxxxxxxxxxxxx

Hi,

I'm trying to get the squid helper squid_kerb_auth to work against our
Active Directory (win 2003 sp2).

I've compiled the latest squid version (squid-2.7.STABLE7)on CentOS 5.4
64 bit.

Squid Cache: Version 2.7.STABLE7
configure options: '--prefix=/usr/local/squid' '--disable-wccp'
'--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
'--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
'--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
'--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'


A keytab file was create on AD for squid
(HTTP/squid.domain@xxxxxxxxxxxxxx)

ktpass -princ HTTP/fqdn@REALM -mapuser squiduser
-pass password -out HTTP.keytab

Transferred the file on the CentOS server and placed it
in /etc/squid/HTTP.keytab


kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx

I get the error message:
kinit(v5): Client not found in Kerberos database while getting initial
credentials


I've also tried creating the keytab file using
msktutil or samba according to the following doc:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

I get the same error.

How do I sort out this problem?

Thanks in advance.
Regards
Umesh







[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux