Hi

Ok. Did that now and I got:

kvno HTTP/proxy1.domain.com
HTTP/proxy1@xxxxxxxxxx: kvno = 5

This number is different from the keytab number. How do I correct this?

Yes, I did use samba (net ads join -U adminuserid). Then I tried msktutil. Then finally ktpass.

During the net ads join I got:

# net ads join -U userid
userid's password:
Using short domain name -- DOMAIN
DNS update failed!
Joined 'PROXY1' to realm 'DOMAIN.COM'

Is the DNS update a problem?

Regards
Umesh

2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
> Sorry I forgot to say that you have to do a kinit aduser@REALM before you
> issue the kvno command. Did you use the samba netjoin command to create
> the AD account and the keytab?
>
> Markus
>
> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd@xxxxxxxxxxxxxxxxx
> Hi Markus
> I've checked with ADSIEDIT and found a single entry for the linux
> server named proxy1.
> Clicking on its properties I found the following entries for
> servicePrincipalName:
>
> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>
> On the linux box:
>
> # klist -ekt /etc/squid/HTTP.keytab
> Keytab name: FILE:/etc/squid/HTTP.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    7 01/01/70 02:00:00 HTTP/proxy1.domain.com@xxxxxxxxxxxxx (ArcFour with HMAC/md5)
>
> # kvno HTTP/proxy1.domain.com
> kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@xxxxxxxxxxxxx
> # kvno HTTP/proxy1
> kvno: Ticket expired while getting credentials for HTTP/proxy1@xxxxxxxxxxxxx
>
> Should I remove the entry on AD, rejoin the pc to AD and create the
> keytab again?
> Which mechanism should I use to create the keytab?
> Is my DNS correct? If the pc came up on AD as proxy1, should it be the
> fqdn (proxy1.domain.com)?
>
> Regards
> Umesh
>
> 2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>> On AD you can use ADSIEDIT
>> ( http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to
>> search for entries and delete or modify them. The best instructions are
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>
>> Let me know what you get once you have deleted the old entry. Another check is
>> to use the kvno tool, which you should have when you use MIT Kerberos.
>>
>> # kvno HTTP/fqdn@REALM
>> should give the same number as
>> # klist -ekt squid.keytab
>> e.g.
>>
>> # klist -ekt /etc/squid/squid.keytab
>> Keytab name: FILE:/etc/squid/squid.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (ArcFour with HMAC/md5)
>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (Triple DES cbc mode with HMAC/sha1)
>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (DES cbc mode with CRC-32)
>>
>> # kvno HTTP/opensuse11.suse.home
>> HTTP/opensuse11.suse.home@xxxxxxxxx: kvno = 3
>>
>> Regards
>> Markus
>>
>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f@xxxxxxxxxxxxxxxxx
>> Hi,
>> I'm new to this. I've run the following command on the server:
>>
>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"
>>
>> and get
>>
>> #
>> # LDAPv3
>> # base <OU=name,DC=domain,DC=com> with scope subtree
>> # filter: serviceprincipalname=HTTP/fqdn@REALM
>> # requesting: ALL
>> #
>>
>> # search result
>>
>> # numResponses: 1
>>
>> Is it possible to check directly on AD if this service principal name exists?
>> How else can I test if this keytab works?
>> If I create a new keytab, what is the procedure for getting rid of the
>> old one and retesting (what should be done on AD and on the linux box)?
>>
>> Are there any docs that will help me with this?
>>
>> Sorry for being a pain and thanks again.
>> Regards
>> Umesh
>>
>> 2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>> Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or
>>> search with a filter "(serviceprincipalname=HTTP/fqdn@REALM)" if you have
>>> duplicate entries?
>>>
>>> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx will only
>>> work if the userPrincipalName is HTTP/fqdn@xxxxxxxxxxxxxx, which I think is
>>> not the case with ktpass.
>>>
>>> Regards
>>> Markus
>>>
>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0@xxxxxxxxxxxxxxxxx
>>>> Hi,
>>>>
>>>> I'm trying to get the squid helper squid_kerb_auth to work against our
>>>> Active Directory (win 2003 sp2).
>>>>
>>>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4
>>>> 64 bit.
>>>>
>>>> Squid Cache: Version 2.7.STABLE7
>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp'
>>>> '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
>>>> '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
>>>> '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
>>>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>
>>>> A keytab file was created on AD for squid
>>>> (HTTP/squid.domain@xxxxxxxxxxxxxx):
>>>>
>>>> ktpass -princ HTTP/fqdn@REALM -mapuser squiduser -pass password -out HTTP.keytab
>>>>
>>>> Transferred the file to the CentOS server and placed it
>>>> in /etc/squid/HTTP.keytab
>>>>
>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx
>>>>
>>>> I get the error message:
>>>> kinit(v5): Client not found in Kerberos database while getting initial
>>>> credentials
>>>>
>>>> I've also tried creating the keytab file using
>>>> msktutil or samba according to the following doc:
>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>
>>>> I get the same error.
>>>>
>>>> How do I sort out this problem?
>>>>
>>>> Thanks in advance.
>>>> Regards
>>>> Umesh
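The check Markus describes (kinit as a domain user, run `kvno` against the service principal, compare the number with the KVNO column of `klist -ekt`) can be scripted so that the two failure modes seen in the thread are told apart: "Ticket expired" means the caller has no usable TGT and the check says nothing about the keytab, while a differing number means the keytab holds a key AD has since rotated and the helper cannot decrypt service tickets. The script below is an added example, not code from the thread or from the Squid project. It assumes the MIT Kerberos `klist -ekt` and `kvno` output formats quoted above; the realm DOMAIN.COM, the timestamps and the extra HOST/ row in the sample listing are constructed placeholders.

```shell
#!/bin/sh
# Added example: compare the key version number (KVNO) stored in a keytab
# with the KVNO the KDC currently reports for the same service principal.
#
# Live use (after a `kinit aduser@REALM`, which kvno needs for a TGT):
#   kvno_check "$(klist -ekt /etc/squid/HTTP.keytab)" \
#              "$(kvno HTTP/proxy1.domain.com 2>&1)" HTTP/proxy1.domain.com

# Print the distinct KVNOs a `klist -ekt` listing holds for one principal.
# $1 = klist output, $2 = principal, with or without the @REALM suffix.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v princ="$2" '
        # Data rows look like "<kvno> <date> <time> <principal> (<enctype>)";
        # the header and the dashed rule do not start with a number.
        $1 ~ /^[0-9]+$/ {
            split($4, part, "@")          # part[1] = principal without realm
            if ($4 == princ || part[1] == princ) print $1
        }' | sort -u
}

# Extract the number from a successful kvno line ("HTTP/host@REALM: kvno = 5").
# Error lines such as "kvno: Ticket expired while getting credentials ..." yield nothing.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/^[^ ]*: kvno = \([0-9][0-9]*\)$/\1/p'
}

# Verdict on stdout: match | mismatch | not-in-keytab | kdc-error.
# Exit status is 0 only for "match", so the call can gate a service restart.
kvno_check() {
    kt=$(keytab_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2")
    if [ -z "$kt" ]; then
        echo not-in-keytab; return 1
    fi
    if [ -z "$kdc" ]; then
        echo kdc-error; return 1          # no TGT or KDC unreachable: rerun kinit first
    fi
    for v in $kt; do
        if [ "$v" = "$kdc" ]; then
            echo match; return 0
        fi
    done
    echo mismatch; return 1               # keytab key is stale: recreate the keytab
}

# Constructed sample output modelled on the thread (realm and HOST/ row are placeholders).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@DOMAIN.COM (ArcFour with HMAC/md5)
   5 01/15/10 09:12:44 HOST/proxy1.domain.com@DOMAIN.COM (ArcFour with HMAC/md5)'
SAMPLE_KVNO_STALE='HTTP/proxy1.domain.com@DOMAIN.COM: kvno = 5'
SAMPLE_KVNO_OK='HTTP/proxy1.domain.com@DOMAIN.COM: kvno = 7'
SAMPLE_KVNO_NOTGT='kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@DOMAIN.COM'

demo() {
    printf 'keytab 7, KDC 5 : %s\n' "$(kvno_check "$SAMPLE_KEYTAB" "$SAMPLE_KVNO_STALE" HTTP/proxy1.domain.com)"
    printf 'keytab 7, KDC 7 : %s\n' "$(kvno_check "$SAMPLE_KEYTAB" "$SAMPLE_KVNO_OK" HTTP/proxy1.domain.com)"
    printf 'no TGT          : %s\n' "$(kvno_check "$SAMPLE_KEYTAB" "$SAMPLE_KVNO_NOTGT" HTTP/proxy1.domain.com)"
    printf 'unknown SPN     : %s\n' "$(kvno_check "$SAMPLE_KEYTAB" "$SAMPLE_KVNO_OK" HTTP/other.domain.com)"
}
demo
```

Because `kvno` obtains a service ticket from the KDC, the number it prints is what AD will use to encrypt tickets for proxy clients; only a key in the keytab with that same KVNO lets squid_kerb_auth accept them, so a "mismatch" verdict is a reliable signal to regenerate the keytab rather than to keep changing the helper configuration.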