Hi

Ok, used net ads keytab again and got the KVNO numbers to match when I used klist -ekt and kvno. I tried to use squid_kerb_auth_test and got the following:

# ./squid_kerb_auth_test proxy1
2010/01/15 15:34:48| squid_kerb_auth_test: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Unknown code krb5 7
Token: NULL

What does this mean? How can I test squid_kerb_auth?

Regards
Umesh

2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
> When you use ktpass or msktutil you have to specify a different AD object
> than your samba object and remove the HTTP/... entries as service principal
> from your samba AD object. If you want to have only one AD object you have
> to use the net keytab command as described in the wiki.
>
> Regards
> Markus
>
> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
> news:c3b47c041001150053n290d6443q830770300636a0ca@xxxxxxxxxxxxxxxxx
> Hi
> Ok. Did that now and I got:
>
> kvno HTTP/proxy1.domain.com
> HTTP/proxy1@xxxxxxxxxx: kvno = 5
>
> This number is different from the keytab number.
> How do I correct this?
>
> Yes, I did use samba (net ads join -U adminuserid). Then I tried
> msktutil. Then finally ktpass.
>
> During the net ads join I got:
>
> # net ads join -U userid
> userid's password:
> Using short domain name -- DOMAIN
> DNS update failed!
> Joined 'PROXY1' to realm 'DOMAIN.COM'
>
> Is the DNS update a problem?
>
> Regards
> Umesh
>
> 2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>> Sorry, I forgot to say that you have to do a kinit aduser@REALM before you
>> issue the kvno command. Did you use the samba net join command to create
>> the AD account and the keytab?
>>
>> Markus
>>
>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd@xxxxxxxxxxxxxxxxx
>> Hi Markus
>> I've checked with ADSIEDIT and found a single entry for the linux
>> server named proxy1. Clicking on its properties I found the following
>> entries for servicePrincipalName:
>>
>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>>
>> On the linux box:
>>
>> # klist -ekt /etc/squid/HTTP.keytab
>> Keytab name: FILE:/etc/squid/HTTP.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    7 01/01/70 02:00:00 HTTP/proxy1.domain.com@xxxxxxxxxxxxx (ArcFour with HMAC/md5)
>>
>> # kvno HTTP/proxy1.domain.com
>> kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@xxxxxxxxxxxxx
>> # kvno HTTP/proxy1
>> kvno: Ticket expired while getting credentials for HTTP/proxy1@xxxxxxxxxxxxx
>>
>> Should I remove the entry on AD, rejoin the pc to AD and create the
>> keytab again?
>> Which mechanism should I use to create the keytab?
>> Is my DNS correct? If the pc came up on AD as proxy1, should it be the
>> fqdn (proxy1.domain.com)?
>>
>> Regards
>> Umesh
>>
>> 2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>> On AD you can use ADSIEDIT (
>>> http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to
>>> search for entries and delete or modify them. The best instructions are
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>
>>> Let me know what you get once you have deleted the old entry. Another check is
>>> to use the kvno tool, which you should have when you use MIT Kerberos.
>>>
>>> # kvno HTTP/fqdn@REALM should give the same number as klist -ekt squid.keytab
>>> e.g.
>>>
>>> # klist -ekt /etc/squid/squid.keytab
>>> Keytab name: FILE:/etc/squid/squid.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (ArcFour with HMAC/md5)
>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (Triple DES cbc mode with HMAC/sha1)
>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (DES cbc mode with CRC-32)
>>>
>>> # kvno HTTP/opensuse11.suse.home
>>> HTTP/opensuse11.suse.home@xxxxxxxxx: kvno = 3
>>>
>>> Regards
>>> Markus
>>>
>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f@xxxxxxxxxxxxxxxxx
>>> Hi,
>>> I'm new to this. I've run the following command on the server:
>>>
>>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"
>>>
>>> and get
>>>
>>> #
>>> # LDAPv3
>>> # base <OU=name,DC=domain,DC=com> with scope subtree
>>> # filter: serviceprincipalname=HTTP/fqdn@REALM
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>>
>>> # numResponses: 1
>>>
>>> Is it possible to check directly on AD if this service principal name exists?
>>> How else can I test if this keytab works?
>>> If I create a new keytab, what is the procedure for getting rid of the
>>> old one and retesting (what should be done on AD and the linux box)?
>>>
>>> Are there any docs that will help me with this?
>>>
>>> Sorry for being a pain and thanks again.
>>> Regards
>>> Umesh
>>>
>>> 2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>> Can you check with an ldap query (e.g. with ldapadmin from sourceforge)
>>>> or search with a filter "(serviceprincipalname=HTTP/fqdn@REALM)" if you have
>>>> duplicate entries?
>>>>
>>>> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx will only
>>>> work if the userprincipal name is HTTP/fqdn@xxxxxxxxxxxxxx, which I think is
>>>> not the case with ktpass.
>>>>
>>>> Regards
>>>> Markus
>>>>
>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0@xxxxxxxxxxxxxxxxx
>>>>> Hi,
>>>>>
>>>>> I'm trying to get the squid helper squid_kerb_auth to work against our
>>>>> Active Directory (win 2003 sp2).
>>>>>
>>>>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4 64 bit.
>>>>>
>>>>> Squid Cache: Version 2.7.STABLE7
>>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp' '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files' '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn' '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>>
>>>>> A keytab file was created on AD for squid (HTTP/squid.domain@xxxxxxxxxxxxxx):
>>>>>
>>>>> ktpass -princ HTTP/fqdn@REALM -mapuser squiduser -pass password -out HTTP.keytab
>>>>>
>>>>> Transferred the file to the CentOS server and placed it in /etc/squid/HTTP.keytab
>>>>>
>>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx
>>>>>
>>>>> I get the error message:
>>>>> kinit(v5): Client not found in Kerberos database while getting initial credentials
>>>>>
>>>>> I've also tried creating the keytab file using msktutil or samba according to the following doc:
>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>
>>>>> I get the same error.
>>>>>
>>>>> How do I sort out this problem?
>>>>>
>>>>> Thanks in advance.
>>>>> Regards
>>>>> Umesh
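The KVNO check Markus describes in the thread (the `kvno` answer from the KDC must equal the KVNO in `klist -ekt` for the same principal), done here as an added Python example that is not part of the thread: it parses constructed copies of the two tool outputs instead of running live commands, and also recognises the "Ticket expired" case, which means the user needs a fresh `kinit` before `kvno` can say anything about the keytab. The realm DOMAIN.COM and the sample lines are made up to mirror the posts.

```python
import re

# Constructed sample output, modelled on the thread (realm is invented).
KLIST_OUTPUT = """Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@DOMAIN.COM (ArcFour with HMAC/md5)
"""
KVNO_OUTPUT = """HTTP/proxy1@DOMAIN.COM: kvno = 5
kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@DOMAIN.COM
"""

# One keytab entry: "<kvno> <date> <time> <principal> (<enctype>)"
KLIST_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")
KVNO_OK_RE = re.compile(r"^(\S+): kvno = (\d+)\s*$")
KVNO_ERR_RE = re.compile(r"^kvno: (.+?) while getting credentials for (\S+)\s*$")


def parse_klist(text):
    """Return {principal: {kvno: {enctype, ...}}} from `klist -ekt` output.
    A keytab may legitimately hold several KVNOs for one principal after a key rollover."""
    keytab = {}
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            kvno, princ, enctype = int(m.group(1)), m.group(2), m.group(3)
            keytab.setdefault(princ, {}).setdefault(kvno, set()).add(enctype)
    return keytab


def check_kvno(klist_text, kvno_text):
    """Compare each `kvno` result with the keytab and return one finding per principal."""
    keytab = parse_klist(klist_text)
    findings = []
    for line in kvno_text.splitlines():
        err = KVNO_ERR_RE.match(line)
        if err:  # no TGT yet: nothing learned about the keytab, kinit first
            findings.append(f"{err.group(2)}: no answer from KDC ({err.group(1)}); run kinit first")
            continue
        ok = KVNO_OK_RE.match(line)
        if not ok:
            continue
        princ, kdc_kvno = ok.group(1), int(ok.group(2))
        if princ not in keytab:  # e.g. short name queried, keytab only has the FQDN
            findings.append(f"{princ}: KDC answered but principal is not in the keytab")
        elif kdc_kvno not in keytab[princ]:
            findings.append(f"{princ}: KDC kvno {kdc_kvno} vs keytab kvno {sorted(keytab[princ])}")
        else:
            findings.append(f"{princ}: OK (kvno {kdc_kvno})")
    return findings
```

On a real host, feed it the captured output of `klist -ekt /etc/squid/HTTP.keytab` and of `kvno` run after `kinit aduser@REALM`; any line other than "OK" points at the SPN or keytab rather than at squid.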