Dear Nick, I was able to successfully create the keytab however i used the credentials of the domainadmin instead of the squidadmin account. Markus, Please tell me what i am doing wrong that i am unable to create keytab with squidadmin account though i tried to do according to your guidance. what i am missing? please guide regards, Bilal Aslam ---------------------------------------- > From: gigoz@xxxxxxx > To: nick.cairncross@xxxxxxxxxxxxxxx; huaraz@xxxxxxxxxxxxxxxx; squid-users@xxxxxxxxxxxxxxx > Date: Thu, 15 Apr 2010 10:17:40 +0000 > Subject: RE: Re: Re: Creating a kerberos Service Principal. > > > Nick, > > I tried but with not much success. > > ................. > No computer account for squid-http found, creating a new one. > Error: ldap_add_ext_s failed (Insufficient access) > Error: ldap_check_account failed (No CSI structure available) > Error: set_password failed > -- krb5_cleanup: Destroying Kerberos Context > -- ldap_cleanup: Disconnecting from LDAP server > -- init_password: Wiping the computer password structure > ............................... > > > > > regards, > > > Bilal > ---------------------------------------- >> From: Nick.Cairncross@xxxxxxxxxxxxxxx >> To: gigoz@xxxxxxx; huaraz@xxxxxxxxxxxxxxxx; squid-users@xxxxxxxxxxxxxxx >> Date: Thu, 15 Apr 2010 09:31:40 +0100 >> Subject: Re: Re: Re: Creating a kerberos Service Principal. >> >> Bilal, >> >> I think we're doing a similar thing here! See my post earlier about SPN. I think you need to be using the fqdn of the machine in the HTTP/ spn & upn and not just the domain. Also check your DNS and host local host entries. >> >> E.g.: msktutil -c -b "CN=COMPUTERS" -s HTTP/squid1.[mydomain] -k /etc/squid/HTTP.keytab --computer-name auth1 --upn HTTP/squid1 --server dc1 -verbose >> >> Nick >> >> >> >> On 15/04/2010 07:22, "GIGO ." wrote: >> >> >> >> Dear Markus/all, >> >> >> I am unable to create the keytab using mskutil please help me out i followed the following steps: >> >> 1. I created a OU and named it UnixOU >> 2. I created a group account in the UnixOU and named it as UnixAdmins >> 3. I make my windows account bilal_admin part of UnixAdmins group. >> 4. I set the settings of UnixOU to be managed by UnixAdmins. >> 5. Then i synch time of Squid Machine and Active directory. >> 6. My domain fully qualified domain name is v.local and netbios names is V. >> 7. My domain controller name is vdc (fqdn=vdc.v.local) >> 8. The following lines were changed in the krb5.conf while rest being untouched. >> >> [libdefaults] >> default_realm=V.LOCAL >> >> >> [realms] >> >> V.LOCAL = { >> kdc = vdc.v.local:88 >> admin_server = kerberos.example.com:749 (e.g this not changed does it matter at the step of creation of keytab) >> default_domain = example.com (unchanged) >> } >> >> >> >> >> The i run the following commands to create the keytab: >> >> kinit squidadmin@xxxxxxx >> >> >> msktutil -c -b "OU=unixPrincipals" -s HTTP/v.local -h squidLhrTest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/v.local --server vdc.v.local --verbose >> >> Output of the Command: >> >> -- init_password: Wiping the computer password structure >> -- finalize_exec: Determining user principal name >> -- finalize_exec: User Principal Name is: HTTP/v.local@xxxxxxx >> -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.mskt-3550krb5.conf >> -- get_krb5_context: Creating Kerberos Context >> -- try_machine_keytab: Using the local credential cache: /tmp/.mskt-3550krb5_ccache >> -- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not found in Kerberos database) >> -- try_machine_keytab: Unable to authenticate using the local keytab >> -- try_ldap_connect: Connecting to LDAP server: vdc.v.local >> -- try_ldap_connect: Connecting to LDAP server: vdc.v.local >> SASL/GSSAPI authentication started >> SASL username: squidadmin@xxxxxxx >> SASL SSF: 56 >> SASL installing layers >> -- ldap_get_base_dn: Determining default LDAP base: dc=v,dc=local >> Warning: No DNS entry found for squidLhrTest.v.local >> -- get_short_hostname: Determined short hostname: squidLhrTest-v-local >> -- finalize_exec: SAM Account Name is: squid-http$ >> Updating all entries for squidLhrTest.v.local in the keytab /etc/squid/HTTP.keytab >> -- try_set_password: Attempting to reset computer's password >> -- ldap_check_account: Checking that a computer account for squid-http$ exists >> No computer account for squid-http found, creating a new one. >> Error: ldap_add_ext_s failed (Insufficient access) >> Error: ldap_check_account failed (No CSI structure available) >> Error: set_password failed >> -- krb5_cleanup: Destroying Kerberos Context >> -- ldap_cleanup: Disconnecting from LDAP server >> -- init_password: Wiping the computer password structure >> >> >> please help me resolving the issue. >> >> regards, >> >> Bilal Aslam >> >> >> >> >> ---------------------------------------- >>> To: squid-users@xxxxxxxxxxxxxxx >>> From: huaraz@xxxxxxxxxxxxxxxx >>> Date: Fri, 9 Apr 2010 08:10:19 +0100 >>> Subject: Re: Re: Creating a kerberos Service Principal. >>> >>> Hi Bilal, >>> >>> I create a new OU in Active Directory like OU=UnixPrincipals,DC=... I >>> then create a Windows Group UnixAdministrators and add the Windows account >>> of the UnixAdministrators to it. Finally I change the permissions on the >>> OU=UnixPrincipals so that the members of the group UnixAdministrators have >>> full rights (or limited rights ) for objects under this OU. >>> >>> Regards >>> Markus >>> >>> "GIGO ." wrote in message >>> news:SNT134-w395B3433738667DED2186EB9150@xxxxxxxxxx >>> >>> Markus could not get you please can you elaborate a bit. >>> >>> >>> thank you all! >>> >>> regards, >>> >>> Bilal >>> >>> ---------------------------------------- >>>> To: squid-users@xxxxxxxxxxxxxxx >>>> From: huaraz@xxxxxxxxxxxxxxxx >>>> Date: Thu, 8 Apr 2010 20:04:30 +0100 >>>> Subject: Re: Creating a kerberos Service Principal. >>>> >>>> BTW You do not need Administrator rights. You can set permission for >>>> different Groups on OUs for example for Unix Kerberos Admins. >>>> >>>> Markus >>>> >>>> "Khaled Blah" wrote in message >>>> news:n2j4a3250ab1004080957id2f4a051xb31445428c62bea0@xxxxxxxxxxxxxxxxx >>>> Hi Bilal, >>>> >>>> 1. ktpass and msktutil practically do the same, they create keytabs >>>> which include the keys that squid will need to decrypt the ticket it >>>> receives from the user. However ktpass only creates a file which you >>>> will then have to securely transfer to your proxy server so that squid >>>> can access it. Using msktutil on your proxy server, you can get the >>>> same keytab without having to transfer it. Thus, msktutil saves you >>>> some time and hassle. AFAIR both need "Administrator" rights, which >>>> means the account used for ktpass/msktutil needs to be a member of the >>>> Administrator group. >>>> >>>> >>>> 2. To answer this question, one would need more information about your >>>> network and your setup. Basically, mixing any other authentication >>>> method with Kerberos is not a good idea. That's because if the other >>>> method is insecure or less secure an attacker who gains access to a >>>> user's credentials will be able to impersonate that user against >>>> Kerberos and those be able to use ALL services that this user has >>>> access to. In any case DO NOT use basic auth with Kerberos in a >>>> public, set-up. That's a recipe for disaster. Digest auth and NTLM >>>> (v2) might be suitable but these are in fact less secure than Kerberos >>>> and thus not preferrable. One down-side to Kerberos is that it's an >>>> "all-or-nothing" service, either you use Kerberos and only Kerberos or >>>> you risk security breaches in any "mixed" situation. >>>> >>>> HTH >>>> >>>> Khaled >>>> >>>> 2010/4/6 GIGO . : >>>>> >>>>> Dear All, >>>>> >>>>> Please guide me in regard to SSO setup with Active Directory(No >>>>> winbind/Samba). I have the following questions in this regard. >>>>> >>>>> >>>>> >>>>> 1. Creating a Kerberos service principal and keytab file that is used by >>>>> the Squid what is the effective method? Difference between using Ktpass >>>>> vs >>>>> Msktutil package? What rights would i be required in Active Directory and >>>>> if none then why so? >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> 2. How to configure the fallback Authentication scheme if Kerberos fails? >>>>> Ldap authentication using basic looks to be an option but isnt it less >>>>> secure? is there a better approach possible. >>>>> >>>>> >>>>> >>>>> >>>>> regards, >>>>> >>>>> Bilal Aslam >>>>> _________________________________________________________________ >>>>> Hotmail: Powerful Free email with security by Microsoft. >>>>> https://signup.live.com/signup.aspx?id=60969 >>>> >>>> >>> _________________________________________________________________ >>> Hotmail: Powerful Free email with security by Microsoft. >>> https://signup.live.com/signup.aspx?id=60969 >>> >>> >> _________________________________________________________________ >> Hotmail: Powerful Free email with security by Microsoft. >> https://signup.live.com/signup.aspx?id=60969 >> >> >> ** Please consider the environment before printing this e-mail ** >> >> The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. >> >> Company Registration details: >> The Conde Nast Publications Ltd >> Vogue House >> Hanover Square >> London W1S 1JU >> >> Registered in London No. 226900 > _________________________________________________________________ > Hotmail: Powerful Free email with security by Microsoft. > https://signup.live.com/signup.aspx?id=60969 _________________________________________________________________ Hotmail: Powerful Free email with security by Microsoft. https://signup.live.com/signup.aspx?id=60969