Search squid archive

Re: Re: Re: squid_kerb_auth problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Markus
I've checked with ADSIEDIT and found a single entry for the linux
server named proxy1.
Clicking on it's properties I found the following entries for service
Principal Name:

28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1

28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com

On the linux box:

# klist -ekt /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@xxxxxxxxxxxxx (ArcFour
with HMAC/md5)

# kvno HTTP/proxy1.domain.com
kvno: Ticket expired while getting credentials for
HTTP/proxy1.domain.com@xxxxxxxxxxxxx
# kvno HTTP/proxy1
kvno: Ticket expired while getting credentials for HTTP/proxy1@xxxxxxxxxxxxx

Should I remove the entry on AD, rejoin the pc to AD and create the
keytab again?
Which mechanism should I use to create the keytab?
Is my DNS correct if the pc came up on AD as proxy1 should it be the
fqdn (proxy1.domain.com)?

Regards
Umesh




2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
> On AD you can use ADSIEDIT (
> http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to
> search for entries and delete,modify them.  The best instructions are
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
> Let me know what you get once you deleted the old entry.  Another check is
> to use the kvno tool which you should have when you use MIT Kerberos.
>
> #kvno HTTP/fqdn@REALM should give the same number as klist -ekt squid.keytab
> e.g.
>
> # klist -ekt /etc/squid/squid.keytab
> Keytab name: FILE:/etc/squid/squid.keytab
> KVNO Timestamp         Principal
> ---- -----------------
> --------------------------------------------------------
>  3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (ArcFour with
> HMAC/md5)
>  3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (Triple DES cbc
> mode with HMAC/sha1)
>  3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (DES cbc mode with
> CRC-32)
>
> #kvno HTTP/opensuse11.suse.home
> HTTP/opensuse11.suse.home@xxxxxxxxx: kvno = 3
>
>
> Regards
> Markus
>
> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f@xxxxxxxxxxxxxxxxx
> Hi,
> I'm new to this. I've run the following command on the server:
>
> ldapsearch  -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b
> "OU=name,DC=domain,DC=com"  "serviceprincipalname=HTTP/fqdn@REALM"
>
> and get
> #
> # LDAPv3
> # base <OU=name,DC=domain,DC=com> with scope subtree
> # filter: serviceprincipalname=HTTP/fqdn@REALM
> # requesting: ALL
> #
>
> # search result
>
> # numResponses: 1
>
> Is it possible to check directly on AD if this service principal name exits?
> How else can I test if this keytab works?
> If I create a new keytab what is the procedure of getting rid of the
> old one and retesting (what should be done on AD and the linux box)?
>
> Are there any docs that will help me with this?
>
> Sorry for being a pain and thanks again.
> Regards
> Umesh
>
>
>
>
> 2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>
>> Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or
>> search with a filter "(serviceprincipalname=HTTP/fqdn@REALM)" if you have
>> duplicate entries ?
>>
>> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx will
>> only
>> work if the userprincipal name is HTTP/fqdn@xxxxxxxxxxxxxx which I think
>> is
>> not the case with ktpass.
>>
>>
>> Regards
>> Markus
>>
>>
>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0@xxxxxxxxxxxxxxxxx
>>>
>>> Hi,
>>>
>>> I'm trying to get the squid helper squid_kerb_auth to work against our
>>> Active Directory (win 2003 sp2).
>>>
>>> I've compiled the latest squid version (squid-2.7.STABLE7)on CentOS 5.4
>>> 64 bit.
>>>
>>> Squid Cache: Version 2.7.STABLE7
>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp'
>>> '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
>>> '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
>>> '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
>>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>
>>>
>>> A keytab file was create on AD for squid
>>> (HTTP/squid.domain@xxxxxxxxxxxxxx)
>>>
>>> ktpass -princ HTTP/fqdn@REALM -mapuser squiduser
>>> -pass password -out HTTP.keytab
>>>
>>> Transferred the file on the CentOS server and placed it
>>> in /etc/squid/HTTP.keytab
>>>
>>>
>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx
>>>
>>> I get the error message:
>>> kinit(v5): Client not found in Kerberos database while getting initial
>>> credentials
>>>
>>>
>>> I've also tried creating the keytab file using
>>> msktutil or samba according to the following doc:
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>
>>> I get the same error.
>>>
>>> How do I sort out this problem?
>>>
>>> Thanks in advance.
>>> Regards
>>> Umesh
>>>
>>
>>
>>
>
>
>


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux