Dear Markus/all,

I am unable to create the keytab using msktutil. Please help me out. I followed these steps:

1. I created an OU and named it UnixOU.
2. I created a group account in the UnixOU and named it UnixAdmins.
3. I made my Windows account bilal_admin part of the UnixAdmins group.
4. I set the settings of UnixOU to be managed by UnixAdmins.
5. Then I synched the time of the Squid machine and Active Directory.
6. My domain's fully qualified domain name is v.local and its NetBIOS name is V.
7. My domain controller name is vdc (fqdn=vdc.v.local).
8. The following lines were changed in the krb5.conf, the rest being untouched:

[libdefaults]
default_realm=V.LOCAL

[realms]
V.LOCAL = {
kdc = vdc.v.local:88
admin_server = kerberos.example.com:749 (e.g. this was not changed; does it matter at the step of creating the keytab?)
default_domain = example.com (unchanged)
}

Then I ran the following commands to create the keytab:

kinit squidadmin@xxxxxxx
msktutil -c -b "OU=unixPrincipals" -s HTTP/v.local -h squidLhrTest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/v.local --server vdc.v.local --verbose

Output of the command:

-- init_password: Wiping the computer password structure
-- finalize_exec: Determining user principal name
-- finalize_exec: User Principal Name is: HTTP/v.local@xxxxxxx
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.mskt-3550krb5.conf
-- get_krb5_context: Creating Kerberos Context
-- try_machine_keytab: Using the local credential cache: /tmp/.mskt-3550krb5_ccache
-- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab: Unable to authenticate using the local keytab
-- try_ldap_connect: Connecting to LDAP server: vdc.v.local
-- try_ldap_connect: Connecting to LDAP server: vdc.v.local
SASL/GSSAPI authentication started
SASL username: squidadmin@xxxxxxx
SASL SSF: 56
SASL installing layers
-- ldap_get_base_dn: Determining default LDAP base: dc=v,dc=local
Warning: No DNS entry found for squidLhrTest.v.local
-- get_short_hostname: Determined short hostname: squidLhrTest-v-local
-- finalize_exec: SAM Account Name is: squid-http$
Updating all entries for squidLhrTest.v.local in the keytab /etc/squid/HTTP.keytab
-- try_set_password: Attempting to reset computer's password
-- ldap_check_account: Checking that a computer account for squid-http$ exists
No computer account for squid-http found, creating a new one.
Error: ldap_add_ext_s failed (Insufficient access)
Error: ldap_check_account failed (No CSI structure available)
Error: set_password failed
-- krb5_cleanup: Destroying Kerberos Context
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure

Please help me in resolving the issue.

regards,
Bilal Aslam

----------------------------------------
> To: squid-users@xxxxxxxxxxxxxxx
> From: huaraz@xxxxxxxxxxxxxxxx
> Date: Fri, 9 Apr 2010 08:10:19 +0100
> Subject: Re: Re: Creating a kerberos Service Principal.
>
> Hi Bilal,
>
> I create a new OU in Active Directory like OU=UnixPrincipals,DC=... I
> then create a Windows Group UnixAdministrators and add the Windows account
> of the UnixAdministrators to it. Finally I change the permissions on the
> OU=UnixPrincipals so that the members of the group UnixAdministrators have
> full rights (or limited rights) for objects under this OU.
>
> Regards
> Markus
>
> "GIGO ." wrote in message
> news:SNT134-w395B3433738667DED2186EB9150@xxxxxxxxxx
>
> Markus, I could not get you, please can you elaborate a bit.
>
> thank you all!
>
> regards,
>
> Bilal
>
> ----------------------------------------
>> To: squid-users@xxxxxxxxxxxxxxx
>> From: huaraz@xxxxxxxxxxxxxxxx
>> Date: Thu, 8 Apr 2010 20:04:30 +0100
>> Subject: Re: Creating a kerberos Service Principal.
>>
>> BTW You do not need Administrator rights. You can set permission for
>> different Groups on OUs, for example for Unix Kerberos Admins.
>>
>> Markus
>>
>> "Khaled Blah" wrote in message
>> news:n2j4a3250ab1004080957id2f4a051xb31445428c62bea0@xxxxxxxxxxxxxxxxx
>>
>> Hi Bilal,
>>
>> 1. ktpass and msktutil practically do the same, they create keytabs
>> which include the keys that squid will need to decrypt the ticket it
>> receives from the user. However ktpass only creates a file which you
>> will then have to securely transfer to your proxy server so that squid
>> can access it. Using msktutil on your proxy server, you can get the
>> same keytab without having to transfer it. Thus, msktutil saves you
>> some time and hassle. AFAIR both need "Administrator" rights, which
>> means the account used for ktpass/msktutil needs to be a member of the
>> Administrator group.
>>
>> 2. To answer this question, one would need more information about your
>> network and your setup. Basically, mixing any other authentication
>> method with Kerberos is not a good idea. That's because if the other
>> method is insecure or less secure, an attacker who gains access to a
>> user's credentials will be able to impersonate that user against
>> Kerberos and thus be able to use ALL services that this user has
>> access to. In any case DO NOT use basic auth with Kerberos in a
>> public set-up. That's a recipe for disaster. Digest auth and NTLM
>> (v2) might be suitable but these are in fact less secure than Kerberos
>> and thus not preferable. One down-side to Kerberos is that it's an
>> "all-or-nothing" service: either you use Kerberos and only Kerberos or
>> you risk security breaches in any "mixed" situation.
>>
>> HTH
>>
>> Khaled
>>
>> 2010/4/6 GIGO . :
>>>
>>> Dear All,
>>>
>>> Please guide me in regard to SSO setup with Active Directory (No
>>> winbind/Samba). I have the following questions in this regard.
>>>
>>> 1. Creating a Kerberos service principal and keytab file that is used by
>>> Squid: what is the effective method? Difference between using Ktpass
>>> vs Msktutil package? What rights would I require in Active Directory, and
>>> if none then why so?
>>>
>>> 2. How to configure the fallback Authentication scheme if Kerberos fails?
>>> Ldap authentication using basic looks to be an option but isn't it less
>>> secure? Is there a better approach possible?
>>>
>>> regards,
>>>
>>> Bilal Aslam
>>> _________________________________________________________________
>>> Hotmail: Powerful Free email with security by Microsoft.
>>> https://signup.live.com/signup.aspx?id=60969
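A small triage script for a failed msktutil run like the one at the top of this thread, added here as an example; it is not code from the thread, from msktutil or from Squid. It parses the --verbose output and the krb5.conf fragment (both reproduced as constructed samples, with the redacted realm filled in as V.LOCAL since that is the configured default_realm) and reports what an administrator would check before re-running: which bound principal was refused on which container, whether the container passed with -b is the OU that was actually delegated, whether the realm block still carries placeholder hosts, and whether the name passed with -h has a DNS record. The way the target container DN is composed (a relative -b value suffixed with the default naming context that ldap_get_base_dn reported) is an assumption about msktutil's behaviour; the -b value and the delegated OU name are taken from the message as inputs.

```python
import re

# Constructed sample: the msktutil --verbose output quoted in the thread,
# with the redacted realm written as V.LOCAL.
MSKTUTIL_LOG = """\
-- finalize_exec: User Principal Name is: HTTP/v.local@V.LOCAL
-- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_ldap_connect: Connecting to LDAP server: vdc.v.local
SASL username: squidadmin@V.LOCAL
-- ldap_get_base_dn: Determining default LDAP base: dc=v,dc=local
Warning: No DNS entry found for squidLhrTest.v.local
-- finalize_exec: SAM Account Name is: squid-http$
No computer account for squid-http found, creating a new one.
Error: ldap_add_ext_s failed (Insufficient access)
Error: ldap_check_account failed (No CSI structure available)
Error: set_password failed
"""

# Constructed sample: the krb5.conf fragment quoted in the thread.
KRB5_CONF = """\
[libdefaults]
default_realm = V.LOCAL

[realms]
V.LOCAL = {
    kdc = vdc.v.local:88
    admin_server = kerberos.example.com:749
    default_domain = example.com
}
"""


def parse_msktutil_log(text):
    """Pull the identifiers msktutil derived, plus every Error: line, out of its output."""
    info = {"upn": None, "sam_account": None, "base_dn": None,
            "sasl_user": None, "dns_warning": None, "errors": []}
    patterns = {
        "upn": r"User Principal Name is: (\S+)",
        "sam_account": r"SAM Account Name is: (\S+)",
        "base_dn": r"default LDAP base: (\S+)",
        "sasl_user": r"SASL username: (\S+)",
        "dns_warning": r"No DNS entry found for (\S+)",
    }
    for line in text.splitlines():
        for key, pat in patterns.items():
            m = re.search(pat, line)
            if m:
                info[key] = m.group(1)
        # "Error: <function> failed (<reason>)"; the reason is optional.
        m = re.match(r"Error: (\w+) failed(?: \((.*)\))?", line)
        if m:
            info["errors"].append((m.group(1), m.group(2) or ""))
    return info


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: value}} with REALM = { ... } blocks nested."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):
            realm = line[:-1].strip().rstrip("=").strip()
            conf[section][realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][realm] if realm else conf[section])[key] = value
    return conf


def target_container(base_arg, default_base):
    """DN the account would be created in. Assumption: a relative -b value is
    suffixed with the directory's default naming context."""
    if base_arg.lower().endswith(default_base.lower()):
        return base_arg
    return f"{base_arg},{default_base}"


def diagnose(info, conf, base_arg, delegated_ou):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    container = target_container(base_arg, info["base_dn"] or "")
    for func, reason in info["errors"]:
        if func == "ldap_add_ext_s" and "Insufficient access" in reason:
            findings.append(f"{info['sasl_user']} may not create objects in {container}; "
                            f"check the delegation on that container")
    ou_in_arg = re.match(r"OU=([^,]+)", base_arg, re.I)
    if ou_in_arg and ou_in_arg.group(1).lower() != delegated_ou.lower():
        findings.append(f"-b names OU={ou_in_arg.group(1)} but the delegated OU is {delegated_ou}")
    realm = conf.get("libdefaults", {}).get("default_realm")
    realm_conf = conf.get("realms", {}).get(realm, {})
    if "kdc" not in realm_conf:
        findings.append(f"no kdc configured for default_realm {realm}")
    for key, value in realm_conf.items():
        if "example.com" in value:
            findings.append(f"[realms] {realm} {key} still points at placeholder {value}")
    if info["dns_warning"]:
        findings.append(f"msktutil found no DNS record for {info['dns_warning']}; verify the -h value")
    return findings


if __name__ == "__main__":
    run = parse_msktutil_log(MSKTUTIL_LOG)
    for finding in diagnose(run, parse_krb5_conf(KRB5_CONF), "OU=unixPrincipals", "UnixOU"):
        print("-", finding)
```

Run as-is it prints the findings for the thread's values; point MSKTUTIL_LOG and KRB5_CONF at your own output and configuration, and pass the -b value and the OU you delegated, to reuse it.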