Hi Markus,

Using firefox at windows machine (not domain member)
- kerbtray doesn't show any credentials
- I don't have traffic at port 88.
- Doesn't work.

Using IE8 at windows machine (not domain member)
- kerbtray doesn't show any credentials
- At port 88 there are a TGS-REQ and a TGS-REP
- It works

Using firefox at windows machine (domain member of windows server)
- kerbtray shows me the user principal and the service principal HTTP/squid.domain.
- At port 88 there are a TGS-REQ and a TGS-REP
- It works

Using IE8 at windows machine (domain member of windows server)
- kerbtray shows me the user principal and the service principal HTTP/squid.domain.
- At port 88 there are a TGS-REQ and a TGS-REP
- It works

Regards
Jose

Markus Moeller wrote:
> Hi Jose
>
> Can you install kerbtray from the resource kit
> http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
> and start it ? It should list if you have got a TGS for
> HTTP/squid.domain.
>
> Also can you capture port 88(Kerberos) traffic on the client with
> wireshark ? When you login you should see an AS REQ and REP and
> when firefox authenticates to the proxy you should see a TGS REQ
> for HTTP/squid.domain.
>
> If not can you send me the capture to have a look at it ?
>
> Regards Markus
>
> "Jose Lopes" <jlopes@xxxxxxxxxxxxxx> wrote in message
> news:4B5596BB.8010103@xxxxxxxxxxxxxxxxx
>> Hi,
>>
>> I have the same problem. I have already set
>> network.negotiate-auth.trusted-uris to proxy domain.
>> At the firefox (FF) log appears:
>> 0[825140]: service = squid.domain
>> 0[825140]: using negotiate-sspi
>> 0[825140]: nsAuthSSPI::Init
>> 0[825140]: InitSSPI
>> 0[825140]: Using SPN of [HTTP/squid.domain]
>> 0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>> 0[825140]: entering nsAuthSSPI::GetNextToken()
>> 0[825140]: Sending a token of length 40
>> 0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>> 0[825140]: entering nsAuthSSPI::GetNextToken()
>> 0[825140]: Cannot restart authentication sequence!
>>
>> The http messages between squid and FF are:
>>
>> FF -> SQUID
>> GET http://www.squid-cache.org/ HTTP/1.1
>> [...]
>>
>> SQUID -> FF
>> HTTP/1.0 407 Proxy Authentication Required
>> Server: squid/3.0.STABLE14
>> [...]
>> Proxy-Authenticate: Negotiate
>> [...]
>>
>> FF -> SQUID
>> GET http://www.squid-cache.org/ HTTP/1.1
>> [...]
>> Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>>
>> SQUID -> FF
>> HTTP/1.0 407 Proxy Authentication Required
>> Server: squid/3.0.STABLE14
>> [...]
>> Proxy-Authenticate: Negotiate
>> [...]
>>
>>
>> I have already IE working, and the http seems similar.
>>
>> IE -> SQUID
>> GET http://www.squid-cache.org/ HTTP/1.1
>> [...]
>>
>> SQUID -> IE
>> HTTP/1.0 407 Proxy Authentication Required
>> Server: squid/3.0.STABLE14
>> [...]
>> Proxy-Authenticate: Negotiate
>> [...]
>>
>> IE -> SQUID
>> GET http://www.squid-cache.org/ HTTP/1.1
>> [...]
>> Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>>
>> SQUID -> IE
>> HTTP/1.0 407 Proxy Authentication Required
>> Server: squid/3.0.STABLE14
>> [...]
>> Proxy-Authenticate: Negotiate
>> [...]
>>
>> IE -> SQUID
>> GET http://www.squid-cache.org/ HTTP/1.1
>> [...]
>> Proxy-Authorization: Negotiate YIIE+gYGKwYBBQUCoIIE7jCCBOqgJDAiBgkqhkiC9xIBAgIGC[...]
>> [...]
>>
>> SQUID -> IE
>> HTTP/1.0 200 OK
>> [...]
>> Proxy-Authentication-Info: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICoo[...]
>> [...]
>>
>>
>> Seems like at first IE uses NTLM and at second uses kerberos.
>>
>> I think FF is similar, but FF doesn't allow the second iteration.
>>
>> How can I put kerberos as first iteration?
>>
>> Thanks in advance
>> Regards Jose
>>
>> Markus Moeller wrote:
>>>
>>> The message parseNegTokenInit failed with rc=102 just means the
>>> token is not a GSSAPI token wrapped in a SPNEGO token, but a
>>> plain GSSAPI token. When you use firefox you have to do a kinit
>>> first to store the AS token in the Kerberos cache for Firefox
>>> to use and I think Firefox has to be configured with
>>> network.negotiate-auth.trusted-uris to be set to the domains of
>>> your proxy server.
>>>
>>> Regards Markus
>>>
>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>> news:c3b47c041001181054n7091ea3aj761a508938de74e3@xxxxxxxxxxxxxxxxx
>>> Hi Markus
>>> Sorry yes you were right, it was DNS.
>>>
>>> In our environment we are running two DNS servers. One using MS
>>> DNS and the other using unix BIND. The linux server was added
>>> to the unix DNS (with name proxy1.domain.com) but not to the MS
>>> DNS which was authority for ad.domain.com. Now that I think
>>> about it our MS DNS has issues doing reverse lookups for IPs
>>> that the unix DNS is authority for (which in this case was
>>> proxy1.domain.com).
>>>
>>> I changed linux server name to proxy1.ad.domain.com and now the
>>> squid_kerb_auth_test works. Using your squid_kerb_auth
>>> (version 1.0.5) I get:
>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
>>> 2010/01/18 20:25:10| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
>>> When I try the same thing with the auth from squid-2.7.STABLE7.tar.bz2 I get
>>> 2010/01/18 20:29:07| squid_kerb_auth: parseNegTokenInit failed with rc=102
>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
>>> 2010/01/18 20:29:07| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
>>> Is the parseNegTokenInit failed with rc=102 ok?
>>>
>>> I then tried running squid and used Firefox 3.5.7. I got the
>>> following error from squid cache:
>>>
>>> authenticateNegotiateHandleReply: Failed validating user via Negotiate. Error returned 'type 1 NTLM token'
>>>
>>> Any ideas? Also I don't get any authentication popups for
>>> userid and password...
>>>
>>> A sample of the log:
>>> 2010/01/18 20:47:58| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
>>> 2010/01/18 20:47:58| squid_kerb_auth: parseNegTokenInit failed with rc=101
>>> 2010/01/18 20:47:58| squid_kerb_auth: received type 1 NTLM token
>>> 2010/01/18 20:47:58| do_comm_select: 1 fds ready
>>> 2010/01/18 20:47:58| cbdataValid: 0x1838d448
>>> 2010/01/18 20:47:58| helperStatefulHandleRead: 30 bytes from negotiateauthenticator #1.
>>> 2010/01/18 20:47:58| commSetSelect: FD 7 type 1
>>> 2010/01/18 20:47:58| helperStatefulHandleRead: end of reply found
>>> 2010/01/18 20:47:58| cbdataValid: 0x18648bb8
>>> 2010/01/18 20:47:58| cbdataValid: 0x185cad18
>>> 2010/01/18 20:47:58| helperStatefulReleaseServer: 0x1838d448
>>> 2010/01/18 20:47:58| helperStatefulReset: 0x1838d448
>>> 2010/01/18 20:47:58| StatefulGetFirstAvailable: Running servers 10.
>>> 2010/01/18 20:47:58| authenticateNegotiateHandleReply: Failed validating user via Negotiate. Error returned 'type 1 NTLM token'
>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>>> 2010/01/18 20:47:58| cbdataValid: 0x183561a8
>>> 2010/01/18 20:47:58| aclCheck: checking 'http_access deny !password'
>>> 2010/01/18 20:47:58| aclMatchAclList: checking !password
>>> 2010/01/18 20:47:58| aclMatchAcl: checking 'acl password proxy_auth REQUIRED'
>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>>> 2010/01/18 20:47:58| authenticateNegotiateAuthenticateUser: need to challenge client 'received'!
>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>>> 2010/01/18 20:47:58| aclAuthenticated: returning 0 sending authentication challenge.
>>> 2010/01/18 20:47:58| aclCheck: match found, returning 2
>>> 2010/01/18 20:47:58| cbdataUnlock: 0x183561a8
>>> 2010/01/18 20:47:58| aclCheckCallback: answer=2
>>> 2010/01/18 20:47:58| cbdataValid: 0x185ca298
>>> 2010/01/18 20:47:58| The request GET http://en-gb.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official is DENIED, because it matched 'password'
>>>
>>> My acl for this was: 'http_access deny !password'
>>>
>>> Regards Umesh
>>>
>>> 2010/1/16 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>> Can you check your DNS you should get for
>>>>
>>>> nslookup name an ip and for the reverse nslookup ip the same
>>>> name.
>>>>
>>>> Which Kerberos libraries do you use ? Heimdal or MIT and
>>>> which release ?
>>>>
>>>> Markus
>>>>
>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>>> news:c3b47c041001160337k68a1313g1863689383a15121@xxxxxxxxxxxxxxxxx
>>>> Hi
>>>>
>>>> When I tried ./squid_kerb_auth_test proxy1 or
>>>> ./squid_kerb_auth_test proxy1.domain.com I got
>>>> 2010/01/16 12:31:47| squid_kerb_auth_test: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Unknown code krb5 7
>>>> Token: NULL
>>>>
>>>> But I got a token if I used ./squid_kerb_auth_test domain.com
>>>> or ./squid_kerb_auth_test adserver.domain.com
>>>>
>>>> Using this token and squid auth in the same directory I got
>>>>
>>>> squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>> BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
>>>> No error
>>>>
>>>> Using the same token on the latest compiled squid
>>>> /usr/local/squid/libexec/squid_kerb_auth -d I got
>>>>
>>>> 2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit failed with rc=102
>>>> 2010/01/16 12:55:58| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>> NA gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>
>>>> Any ideas?
>>>> Regards Umesh
>>>>
>>>> 2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>>
>>>>> There should be a squid_kerb_auth_test application in the
>>>>> same source directory as squid_kerb_auth.
>>>>>
>>>>> Do a kinit user@DOMAIN and then a squid_kerb_auth_test
>>>>> squid-fqdn which should give you a token like:
>>>>>
>>>>> Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>>>>
>>>>> which you can then use with squid_kerb_auth like
>>>>>
>>>>> export KRB5_KTNAME=/path-to-squid.keytab.
>>>>> ./squid_kerb_auth -d
>>>>> YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>>>> 2010/01/15 14:40:29| squid_kerb_auth: Got 'YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
>>>>> 2010/01/15 14:40:29| squid_kerb_auth: Decode 'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
>>>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus@xxxxxxxxx
>>>>> 2010/01/15 14:40:29| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus@xxxxxxxxx
>>>>>
>>>>> Regards Markus
>>>>>
>>>>> "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
>>>>> news:hipnhp$hs3$1@xxxxxxxxxxxxxxxx
>>>>>>
>>>>>> When you use ktpass or msktutil you have to specify a
>>>>>> different AD object than your samba object and remove the
>>>>>> HTTP/... entries as service principal from your samba AD
>>>>>> object. If you want to have only one AD object you have
>>>>>> to use the net keytab command as described in the wiki.
>>>>>>
>>>>>> Regards Markus
>>>>>>
>>>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>>>>> news:c3b47c041001150053n290d6443q830770300636a0ca@xxxxxxxxxxxxxxxxx
>>>>>>
>>>>>> Hi
>>>>>> Ok. Did that now and I got:
>>>>>>
>>>>>> kvno HTTP/proxy1.domain.com
>>>>>> HTTP/proxy1@xxxxxxxxxx: kvno = 5
>>>>>>
>>>>>> This number is different from the keytab number. How
>>>>>> do I correct this?
>>>>>>
>>>>>> Yes I did use samba (net ads join -U adminuserid). Then I
>>>>>> tried the msktutil. Then finally ktpass.
>>>>>>
>>>>>> During the net ads join I got:
>>>>>>
>>>>>> # net ads join -U userid
>>>>>> userid's password:
>>>>>> Using short domain name -- DOMAIN
>>>>>> DNS update failed!
>>>>>> Joined 'PROXY1' to realm 'DOMAIN.COM'
>>>>>>
>>>>>> Is the DNS update a problem?
>>>>>>
>>>>>> Regards Umesh
>>>>>>
>>>>>> 2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>>>>
>>>>>>> Sorry I forgot to say that you have to do a kinit
>>>>>>> aduser@REALM before you issue the kvno command. Did you
>>>>>>> use the samba netjoin command to create the as account
>>>>>>> and the keytab ?
>>>>>>>
>>>>>>> Markus
>>>>>>>
>>>>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>>>>>> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd@xxxxxxxxxxxxxxxxx
>>>>>>>
>>>>>>> Hi Markus
>>>>>>> I've checked with ADSIEDIT and found a single
>>>>>>> entry for the linux server named proxy1.
>>>>>>> Clicking on its properties I found the following entries for
>>>>>>> service Principal Name:
>>>>>>>
>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>>>>>>>
>>>>>>> On the linux box:
>>>>>>>
>>>>>>> # klist -ekt /etc/squid/HTTP.keytab
>>>>>>> Keytab name: FILE:/etc/squid/HTTP.keytab
>>>>>>> KVNO Timestamp         Principal
>>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>>    7 01/01/70 02:00:00 HTTP/proxy1.domain.com@xxxxxxxxxxxxx (ArcFour with HMAC/md5)
>>>>>>>
>>>>>>> # kvno HTTP/proxy1.domain.com
>>>>>>> kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@xxxxxxxxxxxxx
>>>>>>> # kvno HTTP/proxy1
>>>>>>> kvno: Ticket expired while getting credentials for HTTP/proxy1@xxxxxxxxxxxxx
>>>>>>>
>>>>>>> Should I remove the entry on AD, rejoin the pc to AD
>>>>>>> and create the keytab again? Which mechanism should I
>>>>>>> use to create the keytab? Is my DNS correct if the pc
>>>>>>> came up on AD as proxy1 should it be the fqdn
>>>>>>> (proxy1.domain.com)?
>>>>>>>
>>>>>>> Regards Umesh
>>>>>>>
>>>>>>> 2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>>>>>
>>>>>>>> On AD you can use ADSIEDIT (
>>>>>>>> http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx
>>>>>>>> ) to search for entries and delete,modify them. The
>>>>>>>> best instructions are
>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>>
>>>>>>>> Let me know what you get once you deleted the old
>>>>>>>> entry. Another check is to use the kvno tool which
>>>>>>>> you should have when you use MIT Kerberos.
>>>>>>>>
>>>>>>>> #kvno HTTP/fqdn@REALM should give the same number as
>>>>>>>> klist -ekt squid.keytab e.g.
>>>>>>>>
>>>>>>>> # klist -ekt /etc/squid/squid.keytab
>>>>>>>> Keytab name: FILE:/etc/squid/squid.keytab
>>>>>>>> KVNO Timestamp         Principal
>>>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (ArcFour with HMAC/md5)
>>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (Triple DES cbc mode with HMAC/sha1)
>>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (DES cbc mode with CRC-32)
>>>>>>>>
>>>>>>>> #kvno HTTP/opensuse11.suse.home
>>>>>>>> HTTP/opensuse11.suse.home@xxxxxxxxx: kvno = 3
>>>>>>>>
>>>>>>>> Regards Markus
>>>>>>>>
>>>>>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>>>>>>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f@xxxxxxxxxxxxxxxxx
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>> I'm new to this.
>>>>>>>> I've run the following command
>>>>>>>> on the server:
>>>>>>>>
>>>>>>>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"
>>>>>>>>
>>>>>>>> and get
>>>>>>>> #
>>>>>>>> # LDAPv3
>>>>>>>> # base <OU=name,DC=domain,DC=com> with scope subtree
>>>>>>>> # filter: serviceprincipalname=HTTP/fqdn@REALM
>>>>>>>> # requesting: ALL
>>>>>>>> #
>>>>>>>>
>>>>>>>> # search result
>>>>>>>>
>>>>>>>> # numResponses: 1
>>>>>>>>
>>>>>>>> Is it possible to check directly on AD if this
>>>>>>>> service principal name exists? How else can I test if
>>>>>>>> this keytab works? If I create a new keytab what is
>>>>>>>> the procedure of getting rid of the old one and
>>>>>>>> retesting (what should be done on AD and the linux
>>>>>>>> box)?
>>>>>>>>
>>>>>>>> Are there any docs that will help me with this?
>>>>>>>>
>>>>>>>> Sorry for being a pain and thanks again.
>>>>>>>> Regards Umesh
>>>>>>>>
>>>>>>>> 2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>>>>>>
>>>>>>>>> Can you check with an ldap query (e.g. with
>>>>>>>>> ldapadmin from sourceforge) or search with a filter
>>>>>>>>> "(serviceprincipalname=HTTP/fqdn@REALM)" if you
>>>>>>>>> have duplicate entries ?
>>>>>>>>>
>>>>>>>>> This kinit -k -t /etc/squid/squid.keytab
>>>>>>>>> HTTP/fqdn@xxxxxxxxxxxxxx will only work if the
>>>>>>>>> userprincipal name is HTTP/fqdn@xxxxxxxxxxxxxx
>>>>>>>>> which I think is not the case with ktpass.
>>>>>>>>>
>>>>>>>>> Regards Markus
>>>>>>>>>
>>>>>>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>>>>>>>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0@xxxxxxxxxxxxxxxxx
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I'm trying to get the squid helper
>>>>>>>>>> squid_kerb_auth to work against our Active
>>>>>>>>>> Directory (win 2003 sp2).
>>>>>>>>>>
>>>>>>>>>> I've compiled the latest squid version
>>>>>>>>>> (squid-2.7.STABLE7) on CentOS 5.4 64 bit.
>>>>>>>>>>
>>>>>>>>>> Squid Cache: Version 2.7.STABLE7
>>>>>>>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp' '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files' '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn' '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>>>>>>>
>>>>>>>>>> A keytab file was created on AD for squid
>>>>>>>>>> (HTTP/squid.domain@xxxxxxxxxxxxxx)
>>>>>>>>>>
>>>>>>>>>> ktpass -princ HTTP/fqdn@REALM -mapuser squiduser -pass password -out HTTP.keytab
>>>>>>>>>>
>>>>>>>>>> Transferred the file on the CentOS server and
>>>>>>>>>> placed it in /etc/squid/HTTP.keytab
>>>>>>>>>>
>>>>>>>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx
>>>>>>>>>>
>>>>>>>>>> I get the error message:
>>>>>>>>>> kinit(v5): Client not found in Kerberos database while getting initial credentials
>>>>>>>>>>
>>>>>>>>>> I've also tried creating the keytab file using
>>>>>>>>>> msktutil or samba according to the following doc:
>>>>>>>>>>
>>>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>>>>
>>>>>>>>>> I get the same error.
>>>>>>>>>>
>>>>>>>>>> How do I sort out this problem?
>>>>>>>>>>
>>>>>>>>>> Thanks in advance.
>>>>>>>>>> Regards Umesh
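
The diagnosis in this thread depends on which kind of token the browser put after `Negotiate`: an NTLM type 1 message, a SPNEGO-wrapped token, or a plain GSSAPI Kerberos token. The Python below is an added example, not part of the original messages and not code from squid_kerb_auth; it names the token type from the leading bytes only, so the truncated tokens quoted above can be pasted in as they are. The function names and the raw Kerberos sample are constructed for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded OID contents (without the 0x06 tag and length byte)
MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",            # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",  # 1.2.840.113554.1.2.2
}
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
# Constructed sample (not from the thread): header of a Kerberos token without SPNEGO wrapper
RAW_KRB5_SAMPLE = base64.b64encode(bytes.fromhex("600d06092a864886f7120102020100")).decode()

def der_length(buf, pos):
    """Read a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]                      # IndexError on truncation, caught by the caller
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_token(b64_token):
    """Name the token type from its first 24 bytes, so a truncated capture still works."""
    head = b64_token.strip()[:32]
    head = head[:len(head) // 4 * 4]      # keep whole base64 quanta only
    try:
        raw = base64.b64decode(head, validate=True)
    except ValueError:
        return "not base64"
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        return "NTLM type %d" % int.from_bytes(raw[8:12], "little")
    try:
        if raw[:1] == b"\x60":            # GSS-API initial context token
            _, pos = der_length(raw, 1)
            if raw[pos:pos + 1] != b"\x06":
                return "unknown"
            oid_len, pos = der_length(raw, pos + 1)
            mech = MECH_OIDS.get(raw[pos:pos + oid_len])
            if mech == "SPNEGO":
                return "SPNEGO NegTokenInit"
            return "raw GSSAPI token, mechanism: %s" % (mech or "unknown")
        if raw[:1] == b"\xa1":            # SPNEGO NegTokenResp
            _, pos = der_length(raw, 1)
            _, pos = der_length(raw, pos + 1)   # step over the SEQUENCE header
            if raw[pos:pos + 1] == b"\xa0" and raw[pos + 2:pos + 4] == b"\x0a\x01":
                return "SPNEGO NegTokenResp, negState=%s" % NEG_STATES.get(raw[pos + 4], "?")
            return "SPNEGO NegTokenResp"
    except (ValueError, IndexError):
        pass
    return "unknown"

def classify_header(line):
    name, _, value = line.partition(":")
    scheme, _, token = value.strip().partition(" ")
    if name.strip().lower() != "proxy-authorization" or scheme.lower() != "negotiate":
        return "not a Negotiate proxy header"
    return classify_token(token)
```

Run against the thread's own values, the token Firefox and IE send first classifies as NTLM type 1, IE's second token as a SPNEGO NegTokenInit, and the helper's `AF` reply as a NegTokenResp with negState accept-completed.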