Re: Re: Re: Re: squid_kerb_auth problem

There should be a squid_kerb_auth_test application in the same source directory as squid_kerb_auth.

Do a kinit user@DOMAIN and then a squid_kerb_auth_test squid-fqdn which should give you a token like:

Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......

which you can then use with squid_kerb_auth like

export KRB5_KTNAME=/path-to-squid.keytab
./squid_kerb_auth -d
YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
2010/01/15 14:40:29| squid_kerb_auth: Got 'YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
2010/01/15 14:40:29| squid_kerb_auth: Decode 'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus@xxxxxxxxx
2010/01/15 14:40:29| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus@xxxxxxxxx


Regards
Markus

"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message news:hipnhp$hs3$1@xxxxxxxxxxxxxxxx
When you use ktpass or msktutil you have to specify a different AD object than your samba object and remove the HTTP/... entries as service principal from your samba AD object. If you want to have only one AD object you have to use the net keytab command as described in the wiki.


Regards
Markus


"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message news:c3b47c041001150053n290d6443q830770300636a0ca@xxxxxxxxxxxxxxxxx
Hi
Ok. Did that now and I got:

kvno HTTP/proxy1.domain.com
HTTP/proxy1@xxxxxxxxxx: kvno = 5

This number is different from the keytab number.
How do I correct this?

Yes I did use samba (net ads join -U adminuserid). Then I tried the
msktutil. Then finally ktpass.

During the net ads join I got:

# net ads join -U userid
userid's password:
Using short domain name -- DOMAIN
DNS update failed!
Joined 'PROXY1' to realm 'DOMAIN.COM'

Is the DNS update a problem?

Regards
Umesh





2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
Sorry I forgot to say that you have to do a kinit aduser@REALM before you
issue the kvno command. Did you use the samba netjoin command to create
the AD account and the keytab?

Markus

"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd@xxxxxxxxxxxxxxxxx
Hi Markus
I've checked with ADSIEDIT and found a single entry for the linux
server named proxy1.
Clicking on its properties I found the following entries for service
Principal Name:

28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1

28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com

On the linux box:

# klist -ekt /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
7 01/01/70 02:00:00 HTTP/proxy1.domain.com@xxxxxxxxxxxxx (ArcFour with HMAC/md5)

# kvno HTTP/proxy1.domain.com
kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@xxxxxxxxxxxxx
# kvno HTTP/proxy1
kvno: Ticket expired while getting credentials for HTTP/proxy1@xxxxxxxxxxxxx

Should I remove the entry on AD, rejoin the pc to AD and create the
keytab again?
Which mechanism should I use to create the keytab?
Is my DNS correct if the pc came up on AD as proxy1 should it be the
fqdn (proxy1.domain.com)?

Regards
Umesh




2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

On AD you can use ADSIEDIT ( http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to
search for entries and delete or modify them. The best instructions are
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Let me know what you get once you deleted the old entry. Another check is
to use the kvno tool which you should have when you use MIT Kerberos.

#kvno HTTP/fqdn@REALM should give the same number as klist -ekt squid.keytab
e.g.

# klist -ekt /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (ArcFour with HMAC/md5)
3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (Triple DES cbc mode with HMAC/sha1)
3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (DES cbc mode with CRC-32)

#kvno HTTP/opensuse11.suse.home
HTTP/opensuse11.suse.home@xxxxxxxxx: kvno = 3


Regards
Markus

"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f@xxxxxxxxxxxxxxxxx
Hi,
I'm new to this. I've run the following command on the server:

ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"

and get
#
# LDAPv3
# base <OU=name,DC=domain,DC=com> with scope subtree
# filter: serviceprincipalname=HTTP/fqdn@REALM
# requesting: ALL
#

# search result

# numResponses: 1

Is it possible to check directly on AD if this service principal name
exists?
How else can I test if this keytab works?
If I create a new keytab what is the procedure of getting rid of the
old one and retesting (what should be done on AD and the linux box)?

Are there any docs that will help me with this?

Sorry for being a pain and thanks again.
Regards
Umesh




2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or
search with a filter "(serviceprincipalname=HTTP/fqdn@REALM)" if you have
duplicate entries?

This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx will only
work if the userprincipal name is HTTP/fqdn@xxxxxxxxxxxxxx which I think is
not the case with ktpass.


Regards
Markus


"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0@xxxxxxxxxxxxxxxxx

Hi,

I'm trying to get the squid helper squid_kerb_auth to work against our
Active Directory (win 2003 sp2).

I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4
64 bit.

Squid Cache: Version 2.7.STABLE7
configure options: '--prefix=/usr/local/squid' '--disable-wccp'
'--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
'--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
'--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
'--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'


A keytab file was created on AD for squid
(HTTP/squid.domain@xxxxxxxxxxxxxx)

ktpass -princ HTTP/fqdn@REALM -mapuser squiduser -pass password -out HTTP.keytab

Transferred the file on the CentOS server and placed it
in /etc/squid/HTTP.keytab


kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx

I get the error message:
kinit(v5): Client not found in Kerberos database while getting initial
credentials


I've also tried creating the keytab file using
msktutil or samba according to the following doc:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

I get the same error.

How do I sort out this problem?

Thanks in advance.
Regards
Umesh
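The thread's core diagnostic is Markus's advice to compare the KVNO in the helper's keytab (klist -ekt) with the KVNO the KDC reports (kvno), which in Umesh's case gave 7 versus 5. The script below is an added example, not code from the thread or from the squid project: it parses both outputs and reports OK, MISMATCH, or MISSING (principal absent from the keytab, or kvno lookup failed, e.g. no ticket). The two sample outputs are constructed, modelled on the thread, with DOMAIN.COM standing in for the obfuscated realm.

```shell
#!/bin/sh
# Added example: check whether the squid keytab KVNO matches the KDC's KVNO.
# Constructed sample outputs (not real hosts), modelled on the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@DOMAIN.COM (ArcFour with HMAC/md5)'
SAMPLE_KVNO='HTTP/proxy1.domain.com@DOMAIN.COM: kvno = 5'

# keytab_kvnos KLIST_OUTPUT PRINCIPAL: print each distinct KVNO the keytab
# holds for PRINCIPAL (one per line). klist -ekt entry lines begin with a number
# and carry the principal in the fourth field.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $4 == p && !seen[$1]++ { print $1 }'
}

# kdc_kvno KVNO_OUTPUT PRINCIPAL: print the version the KDC reported
# ("PRINCIPAL: kvno = N"); prints nothing if the lookup failed.
kdc_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == (p ":") && $2 == "kvno" { print $4 }'
}

# check_kvno KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL: returns 0 (OK), 1 (MISMATCH)
# or 2 (MISSING) and prints a one-line verdict.
check_kvno() {
    kt=$(keytab_kvnos "$1" "$3")
    kdc=$(kdc_kvno "$2" "$3")
    if [ -z "$kt" ]; then
        echo "MISSING: $3 is not in the keytab"
        return 2
    fi
    if [ -z "$kdc" ]; then
        echo "MISSING: KDC returned no kvno for $3 (run kinit first?)"
        return 2
    fi
    for v in $kt; do
        if [ "$v" = "$kdc" ]; then
            echo "OK: keytab kvno $v matches KDC"
            return 0
        fi
    done
    echo "MISMATCH: keytab has kvno $(printf '%s' "$kt" | tr '\n' ',') but KDC reports $kdc (regenerate the keytab)"
    return 1
}

# Live use, after 'kinit user@REALM', against the helper's keytab:
#   P=HTTP/proxy1.domain.com@DOMAIN.COM
#   check_kvno "$(klist -ekt /etc/squid/HTTP.keytab)" "$(kvno "$P" 2>&1)" "$P"
```

A MISSING result for the short-name principal (HTTP/proxy1@REALM) while the FQDN form is present reproduces the second symptom in the thread: clients that resolve the proxy by short name request a ticket the keytab cannot decrypt.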