Hi Markus,

I have already defined Windows Server as WINS and DNS for windows client. I check again the messages between IE8 and Windows Server and I verify there are AS-REQ, AS-REP, TGS-REQ and TGS-REP packages (for non domain member).

To me, seems like the API SSPI, that firefox use, first try NTLM and second try kerberos. But firefox deny the second try. And I don't know how to sort out this problem.

Regards
Jose

Markus Moeller wrote:
> Firstly for non domain members you can not get SSO with Negotiate/Kerberos (as far as I know). When you get the popup asking for a username/password and you provide user@DOMAIN with the password the client tries to find the domain controller using some Windows protocols. I think if unsuccessful it will try NTLM with its hostname as domain. To help the client finding the AD domain controller you should provide via DHCP or hardcoded a WINS server which has the domain information.
>
> Regards
> Markus
>
> "Jose Lopes" <jlopes@xxxxxxxxxxxxxx> wrote in message news:4B56F8D7.4060704@xxxxxxxxxxxxxxxxx
>> Hi Markus,
>>
>> Using firefox at windows machine (not domain member)
>> - kerbtray don't show any credentials
>> - I don't have traffic at port 88.
>> - Don't work.
>>
>> Using IE8 at windows machine (not domain member)
>> - kerbtray don't show any credentials
>> - At port 88 there are a TGS-REQ and a TGS-REP
>> - It works
>>
>> Using firefox at windows machine (domain member of windows server)
>> - kerbtray show me the user principal and the service principal HTTP/squid.domain.
>> - At port 88 there are a TGS-REQ and a TGS-REP
>> - It works
>>
>> Using IE8 at windows machine (domain member of windows server)
>> - kerbtray show me the user principal and the service principal HTTP/squid.domain.
>> - At port 88 there are a TGS-REQ and a TGS-REP
>> - It works
>>
>> Regards
>> Jose
>>
>> Markus Moeller wrote:
>>> Hi Jose
>>>
>>> Can you install kerbtray from the resource kit http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en and start it ? It should list if you have got a TGS for HTTP/squid.domain.
>>>
>>> Also can you capture port 88 (Kerberos) traffic on the client with wireshark ? When you login you should see an AS REQ and REP and when firefox authenticates to the proxy you should see a TGS REQ for HTTP/squid.domain.
>>>
>>> If not can you send me the capture to have a look at it ?
>>>
>>> Regards
>>> Markus
>>>
>>> "Jose Lopes" <jlopes@xxxxxxxxxxxxxx> wrote in message news:4B5596BB.8010103@xxxxxxxxxxxxxxxxx
>>>> Hi,
>>>>
>>>> I have the same problem. I have already set network.negotiate-auth.trusted-uris to proxy domain. At the firefox (FF) log appears:
>>>>
>>>> 0[825140]: service = squid.domain
>>>> 0[825140]: using negotiate-sspi
>>>> 0[825140]: nsAuthSSPI::Init
>>>> 0[825140]: InitSSPI
>>>> 0[825140]: Using SPN of [HTTP/squid.domain]
>>>> 0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>>>> 0[825140]: entering nsAuthSSPI::GetNextToken()
>>>> 0[825140]: Sending a token of length 40
>>>> 0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>>>> 0[825140]: entering nsAuthSSPI::GetNextToken()
>>>> 0[825140]: Cannot restart authentication sequence!
>>>>
>>>> The http messages between squid and FF are:
>>>>
>>>> FF -> SQUID
>>>> GET http://www.squid-cache.org/ HTTP/1.1
>>>> [...]
>>>>
>>>> SQUID -> FF
>>>> HTTP/1.0 407 Proxy Authentication Required
>>>> Server: squid/3.0.STABLE14
>>>> [...]
>>>> Proxy-Authenticate: Negotiate
>>>> [...]
>>>>
>>>> FF -> SQUID
>>>> GET http://www.squid-cache.org/ HTTP/1.1
>>>> [...]
>>>> Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>>>>
>>>> SQUID -> FF
>>>> HTTP/1.0 407 Proxy Authentication Required
>>>> Server: squid/3.0.STABLE14
>>>> [...]
>>>> Proxy-Authenticate: Negotiate
>>>> [...]
>>>>
>>>> I have already IE working, and the http seems similar.
>>>>
>>>> IE -> SQUID
>>>> GET http://www.squid-cache.org/ HTTP/1.1
>>>> [...]
>>>>
>>>> SQUID -> IE
>>>> HTTP/1.0 407 Proxy Authentication Required
>>>> Server: squid/3.0.STABLE14
>>>> [...]
>>>> Proxy-Authenticate: Negotiate
>>>> [...]
>>>>
>>>> IE -> SQUID
>>>> GET http://www.squid-cache.org/ HTTP/1.1
>>>> [...]
>>>> Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>>>>
>>>> SQUID -> IE
>>>> HTTP/1.0 407 Proxy Authentication Required
>>>> Server: squid/3.0.STABLE14
>>>> [...]
>>>> Proxy-Authenticate: Negotiate
>>>> [...]
>>>>
>>>> IE -> SQUID
>>>> GET http://www.squid-cache.org/ HTTP/1.1
>>>> [...]
>>>> Proxy-Authorization: Negotiate YIIE+gYGKwYBBQUCoIIE7jCCBOqgJDAiBgkqhkiC9xIBAgIGC[...]
>>>> [...]
>>>>
>>>> SQUID -> IE
>>>> HTTP/1.0 200 OK
>>>> [...]
>>>> Proxy-Authentication-Info: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICoo[...]
>>>> [...]
>>>>
>>>> Seems like at first IE use NTLM and at second use kerberos.
>>>>
>>>> I think FF is similar, but FF don't allow the second iteration.
>>>>
>>>> How can I put kerberos as first iteration?
>>>>
>>>> Thanks in advance
>>>> Regards
>>>> Jose
>>>>
>>>> Markus Moeller wrote:
>>>>> The message parseNegTokenInit failed with rc=102 just means the token is not a GSSAPI token wrapped in a SPNEGO token, but a plain GSSAPI token. When you use firefox you have to do a kinit first to store the AS token in the Kerberos cache for Firefox to use and I think Firefox has to be configured with network.negotiate-auth.trusted-uris to be set to the domains of your proxy server.
>>>>>
>>>>> Regards
>>>>> Markus
>>>>>
>>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message news:c3b47c041001181054n7091ea3aj761a508938de74e3@xxxxxxxxxxxxxxxxx
>>>>> Hi Markus
>>>>> Sorry yes you were right, it was DNS.
>>>>>
>>>>> In our environment we are running two DNS servers. One using MS DNS and the other using unix BIND. The linux server was added to the unix DNS (with name proxy1.domain.com) but not to the MS DNS which was authority for ad.domain.com. Now that I think about it our MS DNS has issues doing reverse lookups for IPs that the unix DNS is authority for (which in this case was proxy1.domain.com).
>>>>>
>>>>> I changed linux server name to proxy1.ad.domain.com and now the squid_kerb_auth_test works. Using your squid_kerb_auth (version 1.0.5) I get:
>>>>>
>>>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
>>>>> 2010/01/18 20:25:10| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
>>>>>
>>>>> When I try the same thing with the auth from squid-2.7.STABLE7.tar.bz2 I get
>>>>>
>>>>> 2010/01/18 20:29:07| squid_kerb_auth: parseNegTokenInit failed with rc=102
>>>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
>>>>> 2010/01/18 20:29:07| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
>>>>>
>>>>> Is the parseNegTokenInit failed with rc=102 ok?
>>>>>
>>>>> I then tried running squid and used Firefox 3.5.7. I got the following error from squid cache:
>>>>>
>>>>> authenticateNegotiateHandleReply: Failed validating user via Negotiate. Error returned 'type 1 NTLM token'
>>>>>
>>>>> Any ideas? Also I don't get any authentication popups for userid and password...
>>>>>
>>>>> A sample of the log:
>>>>>
>>>>> 2010/01/18 20:47:58| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
>>>>> 2010/01/18 20:47:58| squid_kerb_auth: parseNegTokenInit failed with rc=101
>>>>> 2010/01/18 20:47:58| squid_kerb_auth: received type 1 NTLM token
>>>>> 2010/01/18 20:47:58| do_comm_select: 1 fds ready
>>>>> 2010/01/18 20:47:58| cbdataValid: 0x1838d448
>>>>> 2010/01/18 20:47:58| helperStatefulHandleRead: 30 bytes from negotiateauthenticator #1.
>>>>> 2010/01/18 20:47:58| commSetSelect: FD 7 type 1
>>>>> 2010/01/18 20:47:58| helperStatefulHandleRead: end of reply found
>>>>> 2010/01/18 20:47:58| cbdataValid: 0x18648bb8
>>>>> 2010/01/18 20:47:58| cbdataValid: 0x185cad18
>>>>> 2010/01/18 20:47:58| helperStatefulReleaseServer: 0x1838d448
>>>>> 2010/01/18 20:47:58| helperStatefulReset: 0x1838d448
>>>>> 2010/01/18 20:47:58| StatefulGetFirstAvailable: Running servers 10.
>>>>> 2010/01/18 20:47:58| authenticateNegotiateHandleReply: Failed validating user via Negotiate. Error returned 'type 1 NTLM token'
>>>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>>>>> 2010/01/18 20:47:58| cbdataValid: 0x183561a8
>>>>> 2010/01/18 20:47:58| aclCheck: checking 'http_access deny !password'
>>>>> 2010/01/18 20:47:58| aclMatchAclList: checking !password
>>>>> 2010/01/18 20:47:58| aclMatchAcl: checking 'acl password proxy_auth REQUIRED'
>>>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>>>>> 2010/01/18 20:47:58| authenticateNegotiateAuthenticateUser: need to challenge client 'received'!
>>>>> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
>>>>> 2010/01/18 20:47:58| aclAuthenticated: returning 0 sending authentication challenge.
>>>>> 2010/01/18 20:47:58| aclCheck: match found, returning 2
>>>>> 2010/01/18 20:47:58| cbdataUnlock: 0x183561a8
>>>>> 2010/01/18 20:47:58| aclCheckCallback: answer=2
>>>>> 2010/01/18 20:47:58| cbdataValid: 0x185ca298
>>>>> 2010/01/18 20:47:58| The request GET http://en-gb.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official is DENIED, because it matched 'password'
>>>>>
>>>>> My acl for this was: 'http_access deny !password'
>>>>>
>>>>> Regards
>>>>> Umesh
>>>>>
>>>>> 2010/1/16 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>>> Can you check your DNS you should get for
>>>>>>
>>>>>> nslookup name an ip and for the reverse nslookup ip the same name.
>>>>>>
>>>>>> Which Kerberos libraries do you use ? Heimdal or MIT and which release ?
>>>>>>
>>>>>> Markus
>>>>>>
>>>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message news:c3b47c041001160337k68a1313g1863689383a15121@xxxxxxxxxxxxxxxxx
>>>>>> Hi
>>>>>>
>>>>>> When I tried ./squid_kerb_auth_test proxy1 or ./squid_kerb_auth_test proxy1.domain.com I got
>>>>>>
>>>>>> 2010/01/16 12:31:47| squid_kerb_auth_test: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Unknown code krb5 7
>>>>>> Token: NULL
>>>>>>
>>>>>> But I got a token if I used ./squid_kerb_auth_test domain.com or ./squid_kerb_auth_test adserver.domain.com
>>>>>>
>>>>>> Using this token and squid auth in the same directory I got
>>>>>>
>>>>>> squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>>> BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>>>
>>>>>> Using the same token on the latest compiled squid /usr/local/squid/libexec/squid_kerb_auth -d I got
>>>>>>
>>>>>> 2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit failed with rc=102
>>>>>> 2010/01/16 12:55:58| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>>> NA gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
>>>>>>
>>>>>> Any ideas?
>>>>>> Regards
>>>>>> Umesh
>>>>>>
>>>>>> 2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>>>> There should be a squid_kerb_auth_test application in the same source directory as squid_kerb_auth.
>>>>>>>
>>>>>>> Do a kinit user@DOMAIN and then a squid_kerb_auth_test squid-fqdn which should give you a token like:
>>>>>>>
>>>>>>> Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>>>>>>
>>>>>>> which you can then use with squid_kerb_auth like
>>>>>>>
>>>>>>> export KRB5_KTNAME=/path-to-squid.keytab
>>>>>>> ./squid_kerb_auth -d
>>>>>>> YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>>>>>> 2010/01/15 14:40:29| squid_kerb_auth: Got 'YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
>>>>>>> 2010/01/15 14:40:29| squid_kerb_auth: Decode 'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
>>>>>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus@xxxxxxxxx
>>>>>>> 2010/01/15 14:40:29| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus@xxxxxxxxx
>>>>>>>
>>>>>>> Regards
>>>>>>> Markus
>>>>>>>
>>>>>>> "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message news:hipnhp$hs3$1@xxxxxxxxxxxxxxxx
>>>>>>>> When you use ktpass or msktutil you have to specify a different AD object than your samba object and remove the HTTP/... entries as service principal from your samba AD object. If you want to have only one AD object you have to use the net keytab command as described in the wiki.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Markus
>>>>>>>>
>>>>>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message news:c3b47c041001150053n290d6443q830770300636a0ca@xxxxxxxxxxxxxxxxx
>>>>>>>> Hi
>>>>>>>> Ok. Did that now and I got:
>>>>>>>>
>>>>>>>> kvno HTTP/proxy1.domain.com
>>>>>>>> HTTP/proxy1@xxxxxxxxxx: kvno = 5
>>>>>>>>
>>>>>>>> This number is different from the keytab number. How do I correct this?
>>>>>>>>
>>>>>>>> Yes I did use samba (net ads join -U adminuserid). Then I tried the msktutil. Then finally ktpass.
>>>>>>>>
>>>>>>>> During the net ads join I got:
>>>>>>>>
>>>>>>>> # net ads join -U userid
>>>>>>>> userid's password:
>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>> DNS update failed!
>>>>>>>> Joined 'PROXY1' to realm 'DOMAIN.COM'
>>>>>>>>
>>>>>>>> Is the DNS update a problem?
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Umesh
>>>>>>>>
>>>>>>>> 2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>>>>>> Sorry I forgot to say that you have to do a kinit aduser@REALM before you issue the kvno command. Did you use the samba netjoin command to create the as account and the keytab ?
>>>>>>>>>
>>>>>>>>> Markus
>>>>>>>>>
>>>>>>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd@xxxxxxxxxxxxxxxxx
>>>>>>>>> Hi Markus
>>>>>>>>> I've checked with ADSIEDIT and found a single entry for the linux server named proxy1. Clicking on its properties I found the following entries for service Principal Name:
>>>>>>>>>
>>>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>>>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
>>>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
>>>>>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>>>>>>>>>
>>>>>>>>> On the linux box:
>>>>>>>>>
>>>>>>>>> # klist -ekt /etc/squid/HTTP.keytab
>>>>>>>>> Keytab name: FILE:/etc/squid/HTTP.keytab
>>>>>>>>> KVNO Timestamp         Principal
>>>>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>>>>    7 01/01/70 02:00:00 HTTP/proxy1.domain.com@xxxxxxxxxxxxx (ArcFour with HMAC/md5)
>>>>>>>>>
>>>>>>>>> # kvno HTTP/proxy1.domain.com
>>>>>>>>> kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@xxxxxxxxxxxxx
>>>>>>>>> # kvno HTTP/proxy1
>>>>>>>>> kvno: Ticket expired while getting credentials for HTTP/proxy1@xxxxxxxxxxxxx
>>>>>>>>>
>>>>>>>>> Should I remove the entry on AD, rejoin the pc to AD and create the keytab again? Which mechanism should I use to create the keytab? Is my DNS correct if the pc came up on AD as proxy1 should it be the fqdn (proxy1.domain.com)?
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Umesh
>>>>>>>>>
>>>>>>>>> 2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>>>>>>> On AD you can use ADSIEDIT ( http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to search for entries and delete,modify them. The best instructions are http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>>>>
>>>>>>>>>> Let me know what you get once you deleted the old entry. Another check is to use the kvno tool which you should have when you use MIT Kerberos.
>>>>>>>>>>
>>>>>>>>>> #kvno HTTP/fqdn@REALM should give the same number as klist -ekt squid.keytab e.g.
>>>>>>>>>>
>>>>>>>>>> # klist -ekt /etc/squid/squid.keytab
>>>>>>>>>> Keytab name: FILE:/etc/squid/squid.keytab
>>>>>>>>>> KVNO Timestamp         Principal
>>>>>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (ArcFour with HMAC/md5)
>>>>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (Triple DES cbc mode with HMAC/sha1)
>>>>>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (DES cbc mode with CRC-32)
>>>>>>>>>>
>>>>>>>>>> #kvno HTTP/opensuse11.suse.home
>>>>>>>>>> HTTP/opensuse11.suse.home@xxxxxxxxx: kvno = 3
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Markus
>>>>>>>>>>
>>>>>>>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f@xxxxxxxxxxxxxxxxx
>>>>>>>>>> Hi,
>>>>>>>>>> I'm new to this. I've run the following command on the server:
>>>>>>>>>>
>>>>>>>>>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"
>>>>>>>>>>
>>>>>>>>>> and get
>>>>>>>>>>
>>>>>>>>>> #
>>>>>>>>>> # LDAPv3
>>>>>>>>>> # base <OU=name,DC=domain,DC=com> with scope subtree
>>>>>>>>>> # filter: serviceprincipalname=HTTP/fqdn@REALM
>>>>>>>>>> # requesting: ALL
>>>>>>>>>> #
>>>>>>>>>>
>>>>>>>>>> # search result
>>>>>>>>>>
>>>>>>>>>> # numResponses: 1
>>>>>>>>>>
>>>>>>>>>> Is it possible to check directly on AD if this service principal name exists? How else can I test if this keytab works? If I create a new keytab what is the procedure of getting rid of the old one and retesting (what should be done on AD and the linux box)?
>>>>>>>>>>
>>>>>>>>>> Are there any docs that will help me with this?
>>>>>>>>>>
>>>>>>>>>> Sorry for being a pain and thanks again.
>>>>>>>>>> Regards
>>>>>>>>>> Umesh
>>>>>>>>>>
>>>>>>>>>> 2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>>>>>>>> Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or search with a filter "(serviceprincipalname=HTTP/fqdn@REALM)" if you have duplicate entries ?
>>>>>>>>>>>
>>>>>>>>>>> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx will only work if the userprincipal name is HTTP/fqdn@xxxxxxxxxxxxxx which I think is not the case with ktpass.
>>>>>>>>>>>
>>>>>>>>>>> Regards
>>>>>>>>>>> Markus
>>>>>>>>>>>
>>>>>>>>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0@xxxxxxxxxxxxxxxxx
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm trying to get the squid helper squid_kerb_auth to work against our Active Directory (win 2003 sp2).
>>>>>>>>>>>>
>>>>>>>>>>>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4 64 bit.
>>>>>>>>>>>>
>>>>>>>>>>>> Squid Cache: Version 2.7.STABLE7
>>>>>>>>>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp' '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files' '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn' '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>>>>>>>>>
>>>>>>>>>>>> A keytab file was created on AD for squid (HTTP/squid.domain@xxxxxxxxxxxxxx)
>>>>>>>>>>>>
>>>>>>>>>>>> ktpass -princ HTTP/fqdn@REALM -mapuser squiduser -pass password -out HTTP.keytab
>>>>>>>>>>>>
>>>>>>>>>>>> Transferred the file on the CentOS server and placed it in /etc/squid/HTTP.keytab
>>>>>>>>>>>>
>>>>>>>>>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx
>>>>>>>>>>>>
>>>>>>>>>>>> I get the error message: kinit(v5): Client not found in Kerberos database while getting initial credentials
>>>>>>>>>>>>
>>>>>>>>>>>> I've also tried creating the keytab file using msktutil or samba according to the following doc:
>>>>>>>>>>>>
>>>>>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>>>>>>
>>>>>>>>>>>> I get the same error.
>>>>>>>>>>>>
>>>>>>>>>>>> How do I sort out this problem?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks in advance.
>>>>>>>>>>>> Regards
>>>>>>>>>>>> Umesh
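The thread turns on what the browser actually put in its first Proxy-Authorization: Negotiate token: squid_kerb_auth logs "received type 1 NTLM token" for Firefox, and Markus explains that parseNegTokenInit rc=102 means a plain GSS-API token rather than one wrapped in SPNEGO. The Python script below is an added example, not part of the thread and not squid's or squid_kerb_auth's code. It decodes a Negotiate token and reports which of those three shapes it has, using the NTLMSSP signature and the DER-encoded mechanism OIDs. The NTLM sample is the 40-byte token quoted in the thread; the SPNEGO and Kerberos samples are constructed here, and every function name (classify_negotiate_token, gss_mechanism_oid, build_gss_token) is my own.

```python
"""Tell NTLM, SPNEGO and plain Kerberos GSS-API apart in a Negotiate token.

Added example; not from the mailing-list thread or from squid_kerb_auth.
"""
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded OIDs (RFC 4178 SPNEGO, RFC 4121 Kerberos, legacy MS Kerberos).
OID_SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2


def _encode_length(n: int) -> bytes:
    """DER length: one byte below 128, otherwise 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _decode_length(buf: bytes, pos: int):
    """Decode the DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def gss_mechanism_oid(token: bytes):
    """Mechanism OID of an RFC 2743 InitialContextToken, or None if not one.

    Layout: 0x60 <len> 0x06 <oid-len> <oid> <mechanism-specific body>.
    """
    if len(token) < 4 or token[0] != 0x60:
        return None
    try:
        _, pos = _decode_length(token, 1)
        if token[pos] != 0x06:
            return None
        oid_len, pos = _decode_length(token, pos + 1)
    except (ValueError, IndexError):
        return None
    oid = token[pos:pos + oid_len]
    return oid if len(oid) == oid_len else None


def classify_negotiate_token(b64: str) -> str:
    """Name the mechanism behind the base64 value of a Negotiate header."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid base64"
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        # NTLMSSP message type is a little-endian uint32 at offset 8.
        return f"NTLM type {int.from_bytes(raw[8:12], 'little')}"
    oid = gss_mechanism_oid(raw)
    if oid == OID_SPNEGO:
        return "SPNEGO"
    if oid in (OID_KRB5, OID_MS_KRB5):
        return "Kerberos (plain GSS-API, not SPNEGO-wrapped)"
    return "unknown"


def build_gss_token(oid: bytes, inner: bytes) -> bytes:
    """Wrap `inner` in an InitialContextToken header for `oid` (constructed test data)."""
    body = b"\x06" + _encode_length(len(oid)) + oid + inner
    return b"\x60" + _encode_length(len(body)) + body


SAMPLE_TOKENS = {
    # The first token Firefox and IE sent in the thread (56 base64 chars = 40 bytes).
    "browser_first_token": "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==",
    # Constructed: SPNEGO header around a dummy body.
    "spnego_constructed": base64.b64encode(build_gss_token(OID_SPNEGO, b"\xa0\x00")).decode(),
    # Constructed: plain Kerberos header around 302 dummy bytes (exercises long-form lengths).
    "krb5_plain_constructed": base64.b64encode(
        build_gss_token(OID_KRB5, b"\x01\x00" + bytes(300))).decode(),
}


def classify_samples() -> dict:
    """Classify every sample token; used by the demo and the tests."""
    return {name: classify_negotiate_token(tok) for name, tok in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

Run over the Proxy-Authorization values from a packet capture, this gives a proxy administrator a direct count of clients that opened with NTLM instead of a SPNEGO-wrapped Kerberos ticket, which is the symptom both Jose and Umesh were chasing.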
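Markus's other diagnostic, that kvno HTTP/fqdn@REALM must report the same number as the KVNO column of klist -ekt, is the check Umesh failed (keytab kvno 7, directory kvno 5) and could not even run before doing a kinit. The script below is an added example, not from the thread or from any Kerberos distribution: it parses captured klist and kvno output and gives a verdict per principal, so the comparison can be scripted rather than eyeballed. The sample outputs are modelled on the ones quoted in the thread with the redacted realm replaced by the placeholder EXAMPLE.COM; the function names are my own.

```python
"""Compare key version numbers in a keytab with what the KDC reports.

Added example; not from the thread or from MIT Kerberos. It works on saved
command output, so it runs offline.
"""
import re

# "   3 11/25/08 20:54:17 HTTP/host@REALM (ArcFour with HMAC/md5)"
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")
# "HTTP/host@REALM: kvno = 3"
KVNO_RESULT = re.compile(r"^(\S+):\s+kvno\s*=\s*(\d+)\s*$")
# "kvno: Ticket expired while getting credentials for HTTP/host@REALM"
KVNO_ERROR = re.compile(r"^kvno:\s+(.+?)\s+while getting credentials for\s+(\S+)\s*$")


def parse_klist(text: str) -> dict:
    """Map each principal in `klist -ekt` output to the set of KVNOs stored for it."""
    keytab = {}
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            keytab.setdefault(m.group(2), set()).add(int(m.group(1)))
    return keytab


def parse_kvno(text: str):
    """Split `kvno` output into {principal: kvno} and a list of (principal, error)."""
    results, errors = {}, []
    for line in text.splitlines():
        m = KVNO_RESULT.match(line)
        if m:
            results[m.group(1)] = int(m.group(2))
            continue
        m = KVNO_ERROR.match(line)
        if m:
            errors.append((m.group(2), m.group(1)))
    return results, errors


def compare_kvno(klist_text: str, kvno_text: str) -> dict:
    """Per keytab principal: stored KVNOs, the KDC's KVNO and a verdict.

    ok          the KDC's current key version is in the keytab
    mismatch    the keytab only holds other versions; tickets for this service
                cannot be decrypted until the keytab is regenerated
    unverified  kvno returned nothing for the principal (usually no TGT yet:
                kinit a user first, as Markus points out in the thread)
    """
    keytab = parse_klist(klist_text)
    kdc, errors = parse_kvno(kvno_text)
    error_for = dict(errors)
    report = {}
    for princ, versions in keytab.items():
        entry = {"keytab": sorted(versions), "kdc": kdc.get(princ),
                 "error": error_for.get(princ)}
        if entry["kdc"] is None:
            entry["status"] = "unverified"
        elif entry["kdc"] in versions:
            entry["status"] = "ok"
        else:
            entry["status"] = "mismatch"
        report[princ] = entry
    return report


# Constructed samples (realm placeholder EXAMPLE.COM), modelled on the thread.
KLIST_GOOD = """Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@EXAMPLE.COM (ArcFour with HMAC/md5)
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
"""
KVNO_GOOD = "HTTP/opensuse11.suse.home@EXAMPLE.COM: kvno = 3\n"

KLIST_STALE = """Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@EXAMPLE.COM (ArcFour with HMAC/md5)
"""
KVNO_STALE = "HTTP/proxy1.domain.com@EXAMPLE.COM: kvno = 5\n"
KVNO_NO_TGT = "kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@EXAMPLE.COM\n"

if __name__ == "__main__":
    for label, (kl, kv) in {"good": (KLIST_GOOD, KVNO_GOOD),
                            "stale": (KLIST_STALE, KVNO_STALE),
                            "no tgt": (KLIST_STALE, KVNO_NO_TGT)}.items():
        for princ, entry in compare_kvno(kl, kv).items():
            print(f"[{label}] {princ}: {entry['status']} "
                  f"(keytab {entry['keytab']}, kdc {entry['kdc']}, error {entry['error']})")
```

A mismatch verdict is the state Umesh was in after re-creating the keytab several ways: every regeneration bumps the version on the directory side, so the fix is one more keytab generation followed by this check, not another join.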