Hi

When I tried ./squid_kerb_auth_test proxy1 or ./squid_kerb_auth_test proxy1.domain.com I got:

2010/01/16 12:31:47| squid_kerb_auth_test: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Unknown code krb5 7
Token: NULL

But I got a token if I used ./squid_kerb_auth_test domain.com or ./squid_kerb_auth_test adserver.domain.com

Using this token and squid auth in the same directory I got:

squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error

Using the same token on the latest compiled squid (/usr/local/squid/libexec/squid_kerb_auth -d) I got:

2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/01/16 12:55:58| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
NA gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error

Any ideas?

Regards
Umesh

2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
> There should be a squid_kerb_auth_test application in the same source
> directory as squid_kerb_auth.
>
> Do a kinit user@DOMAIN and then a squid_kerb_auth_test squid-fqdn which
> should give you a token like:
>
> Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>
> which you can then use with squid_kerb_auth like
>
> export KRB5_KTNAME=/path-to-squid.keytab.
> ./squid_kerb_auth -d
> YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
> 2010/01/15 14:40:29| squid_kerb_auth: Got 'YR
> YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
> 2010/01/15 14:40:29| squid_kerb_auth: Decode
> 'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus@xxxxxxxxx
> 2010/01/15 14:40:29| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
> markus@xxxxxxxxx
>
> Regards
> Markus
>
> "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
> news:hipnhp$hs3$1@xxxxxxxxxxxxxxxx
>>
>> When you use ktpass or msktutil you have to specify a different AD object
>> than your samba object and remove the HTTP/... entries as service principal
>> from your samba AD object. If you want to have only one AD object you have
>> to use the net keytab command as described in the wiki.
>>
>> Regards
>> Markus
>>
>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>> news:c3b47c041001150053n290d6443q830770300636a0ca@xxxxxxxxxxxxxxxxx
>> Hi
>> Ok. Did that now and I got:
>>
>> kvno HTTP/proxy1.domain.com
>> HTTP/proxy1@xxxxxxxxxx: kvno = 5
>>
>> This number is different from the keytab number.
>> How do I correct this?
>>
>> Yes I did use samba (net ads join -U adminuserid). Then I tried the
>> msktutil. Then finally ktpass.
>>
>> During the net ads join I got:
>>
>> # net ads join -U userid
>> userid's password:
>> Using short domain name -- DOMAIN
>> DNS update failed!
>> Joined 'PROXY1' to realm 'DOMAIN.COM'
>>
>> Is the DNS update a problem?
>>
>> Regards
>> Umesh
>>
>> 2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>
>>> Sorry I forgot to say that you have to do a kinit aduser@REALM before you
>>> issue the kvno command. Did you use the samba net join command to create
>>> the AD account and the keytab?
>>>
>>> Markus
>>>
>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd@xxxxxxxxxxxxxxxxx
>>> Hi Markus
>>> I've checked with ADSIEDIT and found a single entry for the linux
>>> server named proxy1.
>>> Clicking on its properties I found the following entries for service
>>> Principal Name:
>>>
>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>>>
>>> On the linux box:
>>>
>>> # klist -ekt /etc/squid/HTTP.keytab
>>> Keytab name: FILE:/etc/squid/HTTP.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>    7 01/01/70 02:00:00 HTTP/proxy1.domain.com@xxxxxxxxxxxxx (ArcFour with HMAC/md5)
>>>
>>> # kvno HTTP/proxy1.domain.com
>>> kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@xxxxxxxxxxxxx
>>> # kvno HTTP/proxy1
>>> kvno: Ticket expired while getting credentials for HTTP/proxy1@xxxxxxxxxxxxx
>>>
>>> Should I remove the entry on AD, rejoin the pc to AD and create the
>>> keytab again?
>>> Which mechanism should I use to create the keytab?
>>> Is my DNS correct? If the pc came up on AD as proxy1, should it be the
>>> fqdn (proxy1.domain.com)?
>>>
>>> Regards
>>> Umesh
>>>
>>> 2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>
>>>> On AD you can use ADSIEDIT (
>>>> http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to
>>>> search for entries and delete or modify them. The best instructions are
>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>
>>>> Let me know what you get once you deleted the old entry. Another check is
>>>> to use the kvno tool which you should have when you use MIT Kerberos.
>>>>
>>>> #kvno HTTP/fqdn@REALM should give the same number as klist -ekt
>>>> squid.keytab
>>>> e.g.
>>>>
>>>> # klist -ekt /etc/squid/squid.keytab
>>>> Keytab name: FILE:/etc/squid/squid.keytab
>>>> KVNO Timestamp         Principal
>>>> ---- ----------------- --------------------------------------------------------
>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (ArcFour with HMAC/md5)
>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (Triple DES cbc mode with HMAC/sha1)
>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (DES cbc mode with CRC-32)
>>>>
>>>> #kvno HTTP/opensuse11.suse.home
>>>> HTTP/opensuse11.suse.home@xxxxxxxxx: kvno = 3
>>>>
>>>> Regards
>>>> Markus
>>>>
>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f@xxxxxxxxxxxxxxxxx
>>>> Hi,
>>>> I'm new to this. I've run the following command on the server:
>>>>
>>>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b
>>>> "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"
>>>>
>>>> and get
>>>> #
>>>> # LDAPv3
>>>> # base <OU=name,DC=domain,DC=com> with scope subtree
>>>> # filter: serviceprincipalname=HTTP/fqdn@REALM
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # search result
>>>>
>>>> # numResponses: 1
>>>>
>>>> Is it possible to check directly on AD if this service principal name
>>>> exists?
>>>> How else can I test if this keytab works?
>>>> If I create a new keytab what is the procedure of getting rid of the
>>>> old one and retesting (what should be done on AD and the linux box)?
>>>>
>>>> Are there any docs that will help me with this?
>>>>
>>>> Sorry for being a pain and thanks again.
>>>> Regards
>>>> Umesh
>>>>
>>>> 2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>>
>>>>> Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or
>>>>> search with a filter "(serviceprincipalname=HTTP/fqdn@REALM)" if you have
>>>>> duplicate entries?
>>>>>
>>>>> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx will only
>>>>> work if the userprincipal name is HTTP/fqdn@xxxxxxxxxxxxxx which I think is
>>>>> not the case with ktpass.
>>>>>
>>>>> Regards
>>>>> Markus
>>>>>
>>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>>>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0@xxxxxxxxxxxxxxxxx
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm trying to get the squid helper squid_kerb_auth to work against our
>>>>>> Active Directory (win 2003 sp2).
>>>>>>
>>>>>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4
>>>>>> 64 bit.
>>>>>>
>>>>>> Squid Cache: Version 2.7.STABLE7
>>>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp'
>>>>>> '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
>>>>>> '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
>>>>>> '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
>>>>>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>>>
>>>>>> A keytab file was created on AD for squid
>>>>>> (HTTP/squid.domain@xxxxxxxxxxxxxx)
>>>>>>
>>>>>> ktpass -princ HTTP/fqdn@REALM -mapuser squiduser
>>>>>> -pass password -out HTTP.keytab
>>>>>>
>>>>>> Transferred the file to the CentOS server and placed it
>>>>>> in /etc/squid/HTTP.keytab
>>>>>>
>>>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx
>>>>>>
>>>>>> I get the error message:
>>>>>> kinit(v5): Client not found in Kerberos database while getting initial
>>>>>> credentials
>>>>>>
>>>>>> I've also tried creating the keytab file using
>>>>>> msktutil or samba according to the following doc:
>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>
>>>>>> I get the same error.
>>>>>>
>>>>>> How do I sort out this problem?
>>>>>>
>>>>>> Thanks in advance.
>>>>>> Regards
>>>>>> Umesh
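The check Markus describes in the thread (the KVNO in `klist -ekt` of the squid keytab must equal the KVNO the KDC reports via `kvno HTTP/fqdn@REALM`) is the one that catches Umesh's situation: the keytab holds kvno 7 while the KDC issues kvno 5, so the helper can never decrypt the service ticket. The script below is an added example, not code from the thread or from Squid, that automates that comparison. It assumes the MIT Kerberos output formats shown in the thread; the embedded `klist`/`kvno` outputs are constructed sample data with `DOMAIN.COM` as a placeholder realm, and in real use you would capture them from the two commands (after a `kinit` as an AD user, as the thread notes).

```shell
#!/bin/sh
# Added example (not from the thread): compare the KVNO stored in the squid
# keytab with the KVNO the KDC currently issues for the HTTP service principal.
# A mismatch means the keytab was made against a different AD object or an
# older password generation and must be regenerated.
# Assumes MIT Kerberos `klist -ekt` and `kvno` output formats as in the thread.

# Constructed sample outputs (DOMAIN.COM is a placeholder realm). Real use:
#   KLIST_OUT=$(klist -ekt /etc/squid/HTTP.keytab)
#   KVNO_OUT=$(kvno "$PRINC")      # needs a kinit as an AD user first
KLIST_OUT='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@DOMAIN.COM (ArcFour with HMAC/md5)'
KVNO_OUT='HTTP/proxy1.domain.com@DOMAIN.COM: kvno = 5'
PRINC='HTTP/proxy1.domain.com@DOMAIN.COM'

# keytab_kvnos <klist -ekt output> <principal>
# Prints the distinct KVNOs the keytab holds for the principal, one per line.
# Only rows whose first field is numeric are entries; header/ruler rows are skipped.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $4 == p { print $1 }' | sort -u
}

# kdc_kvno <kvno output> <principal>
# Prints the KVNO the KDC reports ("PRINC: kvno = N").
kdc_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == (p ":") { print $4 }'
}

# check_kvno <klist output> <kvno output> <principal>
# Returns 0 if the keytab holds the KDC's KVNO, 1 on mismatch,
# 2 if either side has no entry for the principal.
check_kvno() {
    kt_kvnos=$(keytab_kvnos "$1" "$3")
    kdc=$(kdc_kvno "$2" "$3")
    [ -n "$kt_kvnos" ] || { echo "no keytab entry for $3"; return 2; }
    [ -n "$kdc" ] || { echo "KDC returned no kvno for $3"; return 2; }
    for k in $kt_kvnos; do
        if [ "$k" = "$kdc" ]; then
            echo "ok: keytab and KDC agree on kvno $k for $3"
            return 0
        fi
    done
    echo "MISMATCH for $3: keytab kvno(s) $(echo $kt_kvnos) vs KDC kvno $kdc"
    echo "regenerate the keytab against the AD object that owns this SPN"
    return 1
}

# With the constructed data this reports the mismatch (7 vs 5) and status 1.
check_kvno "$KLIST_OUT" "$KVNO_OUT" "$PRINC" || echo "check failed with status $?"
```

Run it after `kinit aduser@REALM` on the proxy host; a keytab that holds several KVNOs (for example after a rotation) passes as long as one of them matches the KDC, which is how MIT Kerberos selects the key anyway.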