Hi Markus

I've checked with ADSIEDIT and found a single entry for the linux server
named proxy1. Clicking on its properties I found the following entries for
servicePrincipalName:

28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com

On the linux box:

# klist -ekt /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@xxxxxxxxxxxxx (ArcFour with HMAC/md5)

# kvno HTTP/proxy1.domain.com
kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@xxxxxxxxxxxxx

# kvno HTTP/proxy1
kvno: Ticket expired while getting credentials for HTTP/proxy1@xxxxxxxxxxxxx

Should I remove the entry on AD, rejoin the pc to AD and create the keytab
again? Which mechanism should I use to create the keytab? Is my DNS correct?
If the pc came up on AD as proxy1, should it be the fqdn (proxy1.domain.com)?

Regards
Umesh

2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
> On AD you can use ADSIEDIT
> ( http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx )
> to search for entries and delete, modify them. The best instructions are
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
> Let me know what you get once you deleted the old entry. Another check is
> to use the kvno tool which you should have when you use MIT Kerberos.
>
> #kvno HTTP/fqdn@REALM should give the same number as klist -ekt squid.keytab
> e.g.
>
> # klist -ekt /etc/squid/squid.keytab
> Keytab name: FILE:/etc/squid/squid.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (ArcFour with HMAC/md5)
>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (Triple DES cbc mode with HMAC/sha1)
>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (DES cbc mode with CRC-32)
>
> #kvno HTTP/opensuse11.suse.home
> HTTP/opensuse11.suse.home@xxxxxxxxx: kvno = 3
>
> Regards
> Markus
>
> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f@xxxxxxxxxxxxxxxxx
> Hi,
> I'm new to this. I've run the following command on the server:
>
> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b
> "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"
>
> and get
>
> #
> # LDAPv3
> # base <OU=name,DC=domain,DC=com> with scope subtree
> # filter: serviceprincipalname=HTTP/fqdn@REALM
> # requesting: ALL
> #
>
> # search result
>
> # numResponses: 1
>
> Is it possible to check directly on AD if this service principal name exists?
> How else can I test if this keytab works?
> If I create a new keytab what is the procedure of getting rid of the
> old one and retesting (what should be done on AD and the linux box)?
>
> Are there any docs that will help me with this?
>
> Sorry for being a pain and thanks again.
> Regards
> Umesh
>
> 2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>
>> Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or
>> search with a filter "(serviceprincipalname=HTTP/fqdn@REALM)" if you have
>> duplicate entries?
>>
>> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx will only
>> work if the userprincipal name is HTTP/fqdn@xxxxxxxxxxxxxx which I think is
>> not the case with ktpass.
>>
>> Regards
>> Markus
>>
>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0@xxxxxxxxxxxxxxxxx
>>>
>>> Hi,
>>>
>>> I'm trying to get the squid helper squid_kerb_auth to work against our
>>> Active Directory (win 2003 sp2).
>>>
>>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4
>>> 64 bit.
>>>
>>> Squid Cache: Version 2.7.STABLE7
>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp'
>>> '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
>>> '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
>>> '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
>>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>
>>> A keytab file was created on AD for squid
>>> (HTTP/squid.domain@xxxxxxxxxxxxxx)
>>>
>>> ktpass -princ HTTP/fqdn@REALM -mapuser squiduser
>>> -pass password -out HTTP.keytab
>>>
>>> Transferred the file to the CentOS server and placed it
>>> in /etc/squid/HTTP.keytab
>>>
>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx
>>>
>>> I get the error message:
>>> kinit(v5): Client not found in Kerberos database while getting initial
>>> credentials
>>>
>>> I've also tried creating the keytab file using
>>> msktutil or samba according to the following doc:
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>
>>> I get the same error.
>>>
>>> How do I sort out this problem?
>>>
>>> Thanks in advance.
>>> Regards
>>> Umesh
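The checks the thread walks through by hand (does AD carry the keytab's principal as an SPN, is the SPN registered only once, does the KVNO in `klist -ekt` match what `kvno` gets from the KDC, and what does it mean when `kvno` fails before reaching the KDC) can be scripted against the tool output. The script below is an added example written for this page; it is not part of the thread, of Squid or of MIT Kerberos. It parses the `klist -ekt` table, the `kvno` success/error lines and an SPN listing in either the ADSIEDIT property format pasted above or ldapsearch LDIF. The realms DOMAIN.COM and SUSE.HOME, the DNs and the sample outputs are constructed placeholders modelled on the thread, not values from it.

```python
"""Offline consistency check of a Squid HTTP keytab against AD and the KDC.

Reads the text that `klist -ekt`, `kvno` and an SPN export (ADSIEDIT dump
as pasted in the thread, or ldapsearch LDIF) produce and reports what makes
squid_kerb_auth fail: a keytab principal with no SPN in AD, one SPN on
several AD objects, a keytab KVNO that differs from the KDC's, or a kvno run
that never obtained a service ticket (no valid TGT in the credential cache),
which leaves the KVNO comparison inconclusive until `kinit` works.
"""
import re

KLIST_ROW = re.compile(r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<princ>\S+)\s+\((?P<enc>[^)]+)\)\s*$")
KVNO_OK = re.compile(r"^(?P<princ>\S+):\s+kvno\s*=\s*(?P<kvno>\d+)\s*$")
KVNO_ERR = re.compile(r"^kvno:\s+(?P<msg>.*?)\s+while getting credentials for\s+(?P<princ>\S+)\s*$")
SPN_EXPORT = re.compile(r"LDAP://[^/]+/(?P<dn>.+?),servicePrincipalName,servicePrincipalName,(?P<spn>\S+)$")


def parse_klist(text):
    """`klist -ekt` output -> {principal: {"kvno": int, "enctypes": [...]}}; newest KVNO wins."""
    entries = {}
    for line in text.splitlines():
        m = KLIST_ROW.match(line)
        if not m:                       # 'Keytab name:', header and ---- lines
            continue
        princ, kvno = m.group("princ"), int(m.group("kvno"))
        e = entries.get(princ)
        if e is None or kvno > e["kvno"]:
            e = entries[princ] = {"kvno": kvno, "enctypes": []}
        if kvno == e["kvno"]:
            e["enctypes"].append(m.group("enc"))
    return entries


def parse_kvno(text):
    """`kvno` output -> {principal: KVNO as int, or the error text on failure}."""
    results = {}
    for line in text.splitlines():
        ok, err = KVNO_OK.match(line), KVNO_ERR.match(line)
        if ok:
            results[ok.group("princ")] = int(ok.group("kvno"))
        elif err:
            results[err.group("princ")] = err.group("msg")
    return results


def parse_spn_export(text):
    """SPN listing -> {spn lower-cased: [dn, ...]} (AD matches SPNs case-insensitively)."""
    spns, dn = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SPN_EXPORT.search(line)     # ADSIEDIT property dump, one SPN per line
        if m:
            spns.setdefault(m.group("spn").lower(), []).append(m.group("dn"))
        elif line.lower().startswith("dn: "):                      # LDIF object
            dn = line[4:]
        elif line.lower().startswith("serviceprincipalname: ") and dn:
            spns.setdefault(line.split(": ", 1)[1].lower(), []).append(dn)
    return spns


def check_keytab(klist_text, kvno_text, spn_text):
    """Return findings; an empty list means keytab, KDC and AD agree."""
    keytab, kdc, spns = parse_klist(klist_text), parse_kvno(kvno_text), parse_spn_export(spn_text)
    findings = [f"duplicate SPN {s} on {len(d)} objects: {'; '.join(d)}" for s, d in spns.items() if len(d) > 1]
    for princ, entry in keytab.items():
        spn = princ.split("@", 1)[0]    # SPNs in AD carry no realm
        if spn.lower() not in spns:
            findings.append(f"{princ}: no AD object carries SPN {spn}")
        result = kdc.get(princ)
        if result is None:
            findings.append(f"{princ}: not checked with kvno")
        elif isinstance(result, str):
            findings.append(f"{princ}: kvno failed ({result}); get a TGT with kinit first, KVNO check inconclusive")
        elif result != entry["kvno"]:
            findings.append(f"{princ}: keytab KVNO {entry['kvno']} != KDC KVNO {result}; keytab is stale, regenerate it")
    return findings


# constructed samples modelled on the thread; DOMAIN.COM / SUSE.HOME and the DNs are placeholders
PROXY1_KLIST = """Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@DOMAIN.COM (ArcFour with HMAC/md5)
"""
PROXY1_KVNO = """kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@DOMAIN.COM
kvno: Ticket expired while getting credentials for HTTP/proxy1@DOMAIN.COM
"""
PROXY1_SPNS = "\n".join(
    "28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,"
    "servicePrincipalName,servicePrincipalName," + spn
    for spn in ("HOST/PROXY1", "HOST/proxy1.domain.com", "HTTP/proxy1", "HTTP/proxy1.domain.com"))
OK_KLIST = """Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@SUSE.HOME (ArcFour with HMAC/md5)
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@SUSE.HOME (Triple DES cbc mode with HMAC/sha1)
"""
OK_KVNO = "HTTP/opensuse11.suse.home@SUSE.HOME: kvno = 3\n"
OK_SPNS = "dn: CN=opensuse11,OU=Servers,DC=suse,DC=home\nservicePrincipalName: HTTP/opensuse11.suse.home\n"

if __name__ == "__main__":
    print(check_keytab(PROXY1_KLIST, PROXY1_KVNO, PROXY1_SPNS), check_keytab(OK_KLIST, OK_KVNO, OK_SPNS))
```

Run against the proxy1 sample the script reports that `kvno` failed with "Ticket expired" rather than a KVNO mismatch: `kvno` requests a service ticket with whatever TGT is in the default credential cache, so without a fresh `kinit` as a user principal the KVNO comparison Markus describes has not happened yet. The opensuse11 sample, where the keytab's KVNO 3 matches the KDC and the SPN is registered exactly once, produces no findings.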