Hi

Using squid_kerb_auth-1.0.5 for the testing. For the /usr/local/squid/libexec/squid_kerb_auth used the compiled version from squid-2.7.STABLE7.

Regards
Umesh

2010/1/16 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
> BTW Which squid_kerb_auth version do you use ?
>
> Markus
>
> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
> news:c3b47c041001160337k68a1313g1863689383a15121@xxxxxxxxxxxxxxxxx
> Hi
>
> When I tried
> ./squid_kerb_auth_test proxy1
> or
> ./squid_kerb_auth_test proxy1.domain.com
> I got
> 2010/01/16 12:31:47| squid_kerb_auth_test: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Unknown code krb5 7
> Token: NULL
>
> But I got a token if I used
> ./squid_kerb_auth_test domain.com
> or
> ./squid_kerb_auth_test adserver.domain.com
>
> Using this token and squid auth in the same directory I got
>
> squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
> BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>
> Using the same token on the latest compiled squid
> /usr/local/squid/libexec/squid_kerb_auth -d
> I got
>
> 2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit failed with rc=102
> 2010/01/16 12:55:58| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
> NA gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>
> Any ideas?
> Regards
> Umesh
>
> 2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>
>> There should be a squid_kerb_auth_test application in the same source directory as squid_kerb_auth.
>>
>> Do a kinit user@DOMAIN and then a squid_kerb_auth_test squid-fqdn which should give you a token like:
>>
>> Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>
>> which you can then use with squid_kerb_auth like
>>
>> export KRB5_KTNAME=/path-to-squid.keytab.
>> ./squid_kerb_auth -d
>> YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>> 2010/01/15 14:40:29| squid_kerb_auth: Got 'YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
>> 2010/01/15 14:40:29| squid_kerb_auth: Decode 'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus@xxxxxxxxx
>> 2010/01/15 14:40:29| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus@xxxxxxxxx
>>
>> Regards
>> Markus
>>
>> "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
>> news:hipnhp$hs3$1@xxxxxxxxxxxxxxxx
>>>
>>> When you use ktpass or msktutil you have to specify a different AD object than your samba object and remove the HTTP/... entries as service principal from your samba AD object. If you want to have only one AD object you have to use the net keytab command as described in the wiki.
>>>
>>> Regards
>>> Markus
>>>
>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>> news:c3b47c041001150053n290d6443q830770300636a0ca@xxxxxxxxxxxxxxxxx
>>> Hi
>>> Ok. Did that now and I got:
>>>
>>> kvno HTTP/proxy1.domain.com
>>> HTTP/proxy1@xxxxxxxxxx: kvno = 5
>>>
>>> This number is different from the keytab number.
>>> How do I correct this?
>>>
>>> Yes I did use samba (net ads join -U adminuserid). Then I tried the msktutil. Then finally ktpass.
>>>
>>> During the net ads join I got:
>>>
>>> # net ads join -U userid
>>> userid's password:
>>> Using short domain name -- DOMAIN
>>> DNS update failed!
>>> Joined 'PROXY1' to realm 'DOMAIN.COM'
>>>
>>> Is the DNS update a problem?
>>>
>>> Regards
>>> Umesh
>>>
>>> 2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>
>>>> Sorry I forgot to say that you have to do a kinit aduser@REALM before you issue the kvno command.
>>>> Did you use the samba netjoin command to create the AD account and the keytab ?
>>>>
>>>> Markus
>>>>
>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>>> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd@xxxxxxxxxxxxxxxxx
>>>> Hi Markus
>>>> I've checked with ADSIEDIT and found a single entry for the linux server named proxy1.
>>>> Clicking on its properties I found the following entries for service Principal Name:
>>>>
>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>>>>
>>>> On the linux box:
>>>>
>>>> # klist -ekt /etc/squid/HTTP.keytab
>>>> Keytab name: FILE:/etc/squid/HTTP.keytab
>>>> KVNO Timestamp         Principal
>>>> ---- ----------------- --------------------------------------------------------
>>>>    7 01/01/70 02:00:00 HTTP/proxy1.domain.com@xxxxxxxxxxxxx (ArcFour with HMAC/md5)
>>>>
>>>> # kvno HTTP/proxy1.domain.com
>>>> kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@xxxxxxxxxxxxx
>>>> # kvno HTTP/proxy1
>>>> kvno: Ticket expired while getting credentials for HTTP/proxy1@xxxxxxxxxxxxx
>>>>
>>>> Should I remove the entry on AD, rejoin the pc to AD and create the keytab again?
>>>> Which mechanism should I use to create the keytab?
>>>> Is my DNS correct if the pc came up on AD as proxy1 should it be the fqdn (proxy1.domain.com)?
>>>>
>>>> Regards
>>>> Umesh
>>>>
>>>> 2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>>
>>>>> On AD you can use ADSIEDIT ( http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to search for entries and delete, modify them. The best instructions are http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>
>>>>> Let me know what you get once you deleted the old entry. Another check is to use the kvno tool which you should have when you use MIT Kerberos.
>>>>>
>>>>> #kvno HTTP/fqdn@REALM should give the same number as klist -ekt squid.keytab
>>>>> e.g.
>>>>>
>>>>> # klist -ekt /etc/squid/squid.keytab
>>>>> Keytab name: FILE:/etc/squid/squid.keytab
>>>>> KVNO Timestamp         Principal
>>>>> ---- ----------------- --------------------------------------------------------
>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (ArcFour with HMAC/md5)
>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (Triple DES cbc mode with HMAC/sha1)
>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (DES cbc mode with CRC-32)
>>>>>
>>>>> #kvno HTTP/opensuse11.suse.home
>>>>> HTTP/opensuse11.suse.home@xxxxxxxxx: kvno = 3
>>>>>
>>>>> Regards
>>>>> Markus
>>>>>
>>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>>>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f@xxxxxxxxxxxxxxxxx
>>>>> Hi,
>>>>> I'm new to this.
>>>>> I've run the following command on the server:
>>>>>
>>>>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"
>>>>>
>>>>> and get
>>>>> #
>>>>> # LDAPv3
>>>>> # base <OU=name,DC=domain,DC=com> with scope subtree
>>>>> # filter: serviceprincipalname=HTTP/fqdn@REALM
>>>>> # requesting: ALL
>>>>> #
>>>>>
>>>>> # search result
>>>>>
>>>>> # numResponses: 1
>>>>>
>>>>> Is it possible to check directly on AD if this service principal name exists?
>>>>> How else can I test if this keytab works?
>>>>> If I create a new keytab what is the procedure of getting rid of the old one and retesting (what should be done on AD and the linux box)?
>>>>>
>>>>> Are there any docs that will help me with this?
>>>>>
>>>>> Sorry for being a pain and thanks again.
>>>>> Regards
>>>>> Umesh
>>>>>
>>>>> 2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>>>
>>>>>> Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or search with a filter "(serviceprincipalname=HTTP/fqdn@REALM)" if you have duplicate entries ?
>>>>>>
>>>>>> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx will only work if the userprincipal name is HTTP/fqdn@xxxxxxxxxxxxxx which I think is not the case with ktpass.
>>>>>>
>>>>>> Regards
>>>>>> Markus
>>>>>>
>>>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>>>>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0@xxxxxxxxxxxxxxxxx
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm trying to get the squid helper squid_kerb_auth to work against our Active Directory (win 2003 sp2).
>>>>>>>
>>>>>>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4 64 bit.
>>>>>>>
>>>>>>> Squid Cache: Version 2.7.STABLE7
>>>>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp' '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files' '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn' '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>>>>
>>>>>>> A keytab file was created on AD for squid (HTTP/squid.domain@xxxxxxxxxxxxxx)
>>>>>>>
>>>>>>> ktpass -princ HTTP/fqdn@REALM -mapuser squiduser -pass password -out HTTP.keytab
>>>>>>>
>>>>>>> Transferred the file on the CentOS server and placed it in /etc/squid/HTTP.keytab
>>>>>>>
>>>>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx
>>>>>>>
>>>>>>> I get the error message:
>>>>>>> kinit(v5): Client not found in Kerberos database while getting initial credentials
>>>>>>>
>>>>>>> I've also tried creating the keytab file using msktutil or samba according to the following doc:
>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>
>>>>>>> I get the same error.
>>>>>>>
>>>>>>> How do I sort out this problem?
>>>>>>>
>>>>>>> Thanks in advance.
>>>>>>> Regards
>>>>>>> Umesh
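The klist-versus-kvno consistency check Markus describes above, as an added shell example that is not from the thread or the squid project: it parses constructed `klist -ekt` and `kvno` outputs modelled on the ones quoted (SUSE.HOME and DOMAIN.COM are placeholder realms standing in for the redacted ones) and flags the stale-keytab case Umesh hit (keytab KVNO 7, KDC KVNO 5) as well as the no-ticket case where kvno has to be preceded by kinit.

```shell
#!/bin/sh
# Compare the KVNO held in the squid keytab with the KVNO the KDC reports.
# Example code, not from the squid project. The sample outputs below are
# constructed to mirror the thread; the realms are placeholders.

# Print the KVNO(s) a "klist -ekt" listing holds for one principal.
# $1 = klist -ekt output, $2 = principal (HTTP/fqdn@REALM)
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $4 == p { print $1 }' | sort -u
}

# Print the KVNO from "kvno HTTP/fqdn" output; prints nothing on an error
# line such as "Ticket expired ...", which means kinit is needed first.
# $1 = kvno output
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*: kvno = \([0-9][0-9]*\).*/\1/p'
}

# Return 0 when keytab and KDC agree, 1 on mismatch or missing keytab entry,
# 2 when the kvno output carries no number (no valid TGT).
# $1 = klist -ekt output, $2 = kvno output, $3 = principal
check_kvno() {
    kt=$(keytab_kvnos "$1" "$3")
    kdc=$(kdc_kvno "$2")
    [ -n "$kdc" ] || { echo "kvno gave no number; run kinit user@REALM first"; return 2; }
    [ -n "$kt" ] || { echo "principal $3 not found in keytab"; return 1; }
    for v in $kt; do
        [ "$v" = "$kdc" ] && { echo "ok: keytab kvno $v matches KDC kvno $kdc"; return 0; }
    done
    echo "MISMATCH: keytab kvno $kt vs KDC kvno $kdc; regenerate the keytab"
    return 1
}

# Constructed samples: a healthy pair and the stale keytab from the thread.
KLIST_OK='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@SUSE.HOME (ArcFour with HMAC/md5)
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@SUSE.HOME (Triple DES cbc mode with HMAC/sha1)'
KVNO_OK='HTTP/opensuse11.suse.home@SUSE.HOME: kvno = 3'
KLIST_STALE='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@DOMAIN.COM (ArcFour with HMAC/md5)'
KVNO_STALE='HTTP/proxy1.domain.com@DOMAIN.COM: kvno = 5'
KVNO_NOTGT='kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@DOMAIN.COM'
```

On a real box, after `kinit user@REALM`, feed it `"$(klist -ekt /etc/squid/HTTP.keytab)"` and `"$(kvno HTTP/fqdn 2>&1)"`; a non-zero exit is the signal that squid_kerb_auth will fail to decrypt the service ticket.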