On AD you can use ADSIEDIT (
http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to
search for entries and delete or modify them. The best instructions are
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
Let me know what you get once you deleted the old entry. Another check is
to use the kvno tool which you should have when you use MIT Kerberos.
"# kvno HTTP/fqdn@REALM" should give the same number as "klist -ekt squid.keytab", e.g.
# klist -ekt /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (ArcFour with HMAC/md5)
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (Triple DES cbc mode with HMAC/sha1)
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (DES cbc mode with CRC-32)
# kvno HTTP/opensuse11.suse.home
HTTP/opensuse11.suse.home@xxxxxxxxx: kvno = 3
Regards
Markus
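The KVNO comparison Markus describes, scripted as an added example (not from the thread): it parses "klist -ekt" and "kvno" output and reports whether the keytab matches the KDC, is stale, or still carries several KVNOs from old entries. The sample output below is constructed, with EXAMPLE.COM standing in for the realm.

```shell
#!/bin/sh
# Added example: compare the KVNO stored in a keytab (output of `klist -ekt`)
# with the KVNO the KDC reports for the principal (output of `kvno`). When AD
# bumps the account's KVNO (e.g. ktpass is re-run), service tickets are
# encrypted with a key the old keytab does not contain and auth fails.

# Print the distinct KVNO values in `klist -ekt` output: first column of the
# data lines; the "Keytab name", header and "----" lines are skipped.
keytab_kvnos() {
    awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -u
}

# Print the number after "kvno = " from `kvno` output.
kdc_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Classify a keytab against the KDC and print: match | stale | mixed | missing
#   $1 = text of `klist -ekt <keytab>`, $2 = text of `kvno <principal>`
kvno_status() {
    kt=$(printf '%s\n' "$1" | keytab_kvnos)
    kdc=$(printf '%s\n' "$2" | kdc_kvno)
    [ -n "$kt" ] && [ -n "$kdc" ] || { echo missing; return 0; }
    # Several KVNOs means old entries were never removed from the keytab.
    n=$(printf '%s\n' "$kt" | awk 'END { print NR }')
    [ "$n" -eq 1 ] || { echo mixed; return 0; }
    [ "$kt" = "$kdc" ] && echo match || echo stale
}

# Constructed sample output modelled on the thread (EXAMPLE.COM is a placeholder).
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@EXAMPLE.COM (ArcFour with HMAC/md5)
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)'
SAMPLE_KVNO_OK='HTTP/opensuse11.suse.home@EXAMPLE.COM: kvno = 3'
SAMPLE_KVNO_STALE='HTTP/opensuse11.suse.home@EXAMPLE.COM: kvno = 4'

# Live use (assumes the MIT Kerberos client tools are installed):
#   kvno_status "$(klist -ekt /etc/squid/squid.keytab)" "$(kvno HTTP/fqdn@REALM)"
kvno_status "$SAMPLE_KLIST" "$SAMPLE_KVNO_OK"      # prints: match
kvno_status "$SAMPLE_KLIST" "$SAMPLE_KVNO_STALE"   # prints: stale
```

A "mixed" result is the case Markus asks about: the old entry was not deleted, so the keytab carries more than one KVNO for the same principal.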
"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f@xxxxxxxxxxxxxxxxx
Hi,
I'm new to this. I've run the following command on the server:
ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b
"OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"
and get
#
# LDAPv3
# base <OU=name,DC=domain,DC=com> with scope subtree
# filter: serviceprincipalname=HTTP/fqdn@REALM
# requesting: ALL
#
# search result
# numResponses: 1
Is it possible to check directly on AD if this service principal name exists?
How else can I test if this keytab works?
If I create a new keytab what is the procedure of getting rid of the
old one and retesting (what should be done on AD and the linux box)?
Are there any docs that will help me with this?
Sorry for being a pain and thanks again.
Regards
Umesh
2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or
search with a filter "(serviceprincipalname=HTTP/fqdn@REALM)" if you have
duplicate entries ?
This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx will only
work if the userprincipal name is HTTP/fqdn@xxxxxxxxxxxxxx which I think is
not the case with ktpass.
Regards
Markus
"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0@xxxxxxxxxxxxxxxxx
Hi,
I'm trying to get the squid helper squid_kerb_auth to work against our
Active Directory (win 2003 sp2).
I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4
64 bit.
Squid Cache: Version 2.7.STABLE7
configure options: '--prefix=/usr/local/squid' '--disable-wccp'
'--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
'--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
'--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
'--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
A keytab file was created on AD for squid
(HTTP/squid.domain@xxxxxxxxxxxxxx)
ktpass -princ HTTP/fqdn@REALM -mapuser squiduser
-pass password -out HTTP.keytab
Transferred the file to the CentOS server and placed it
in /etc/squid/HTTP.keytab
kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx
I get the error message:
kinit(v5): Client not found in Kerberos database while getting initial
credentials
I've also tried creating the keytab file using
msktutil or samba according to the following doc:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
I get the same error.
How do I sort out this problem?
Thanks in advance.
Regards
Umesh