Hi Bilal,
Is the squidadmin user member of the UnixAdmins group ?
Regards
Markus
"GIGO ." <gigoz@xxxxxxx> wrote in message
news:SNT134-w374039F11C582486D8169B90F0@xxxxxxxxxx
Dear Markus/all,
I am unable to create the keytab using mskutil please help me out i followed
the following steps:
1. I created a OU and named it UnixOU
2. I created a group account in the UnixOU and named it as UnixAdmins
3. I make my windows account bilal_admin part of UnixAdmins group.
4. I set the settings of UnixOU to be managed by UnixAdmins.
5. Then i synch time of Squid Machine and Active directory.
6. My domain fully qualified domain name is v.local and netbios names is V.
7. My domain controller name is vdc (fqdn=vdc.v.local)
8. The following lines were changed in the krb5.conf while rest being
untouched.
[libdefaults]
default_realm=V.LOCAL
[realms]
V.LOCAL = {
kdc = vdc.v.local:88
admin_server = kerberos.example.com:749 (e.g this not changed
does it matter at the step of creation of keytab)
default_domain = example.com (unchanged)
}
The i run the following commands to create the keytab:
kinit squidadmin@xxxxxxx
msktutil -c -b "OU=unixPrincipals" -s HTTP/v.local -h
squidLhrTest.v.local -k /etc/squid/HTTP.keytab --computer-name
squid-http --upn HTTP/v.local --server vdc.v.local --verbose
Output of the Command:
-- init_password: Wiping the computer password structure
-- finalize_exec: Determining user principal name
-- finalize_exec: User Principal Name is: HTTP/v.local@xxxxxxx
-- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.mskt-3550krb5.conf
-- get_krb5_context: Creating Kerberos Context
-- try_machine_keytab: Using the local credential cache:
/tmp/.mskt-3550krb5_ccache
-- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not found
in Kerberos database)
-- try_machine_keytab: Unable to authenticate using the local keytab
-- try_ldap_connect: Connecting to LDAP server: vdc.v.local
-- try_ldap_connect: Connecting to LDAP server: vdc.v.local
SASL/GSSAPI authentication started
SASL username: squidadmin@xxxxxxx
SASL SSF: 56
SASL installing layers
-- ldap_get_base_dn: Determining default LDAP base: dc=v,dc=local
Warning: No DNS entry found for squidLhrTest.v.local
-- get_short_hostname: Determined short hostname: squidLhrTest-v-local
-- finalize_exec: SAM Account Name is: squid-http$
Updating all entries for squidLhrTest.v.local in the keytab
/etc/squid/HTTP.keytab
-- try_set_password: Attempting to reset computer's password
-- ldap_check_account: Checking that a computer account for squid-http$
exists
No computer account for squid-http found, creating a new one.
Error: ldap_add_ext_s failed (Insufficient access)
Error: ldap_check_account failed (No CSI structure available)
Error: set_password failed
-- krb5_cleanup: Destroying Kerberos Context
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure
please help me resolving the issue.
regards,
Bilal Aslam
----------------------------------------
To: squid-users@xxxxxxxxxxxxxxx
From: huaraz@xxxxxxxxxxxxxxxx
Date: Fri, 9 Apr 2010 08:10:19 +0100
Subject: Re: Re: Creating a kerberos Service Principal.
Hi Bilal,
I create a new OU in Active Directory like OU=UnixPrincipals,DC=... I
then create a Windows Group UnixAdministrators and add the Windows account
of the UnixAdministrators to it. Finally I change the permissions on the
OU=UnixPrincipals so that the members of the group UnixAdministrators have
full rights (or limited rights ) for objects under this OU.
Regards
Markus
"GIGO ." wrote in message
news:SNT134-w395B3433738667DED2186EB9150@xxxxxxxxxx
Markus could not get you please can you elaborate a bit.
thank you all!
regards,
Bilal
----------------------------------------
To: squid-users@xxxxxxxxxxxxxxx
From: huaraz@xxxxxxxxxxxxxxxx
Date: Thu, 8 Apr 2010 20:04:30 +0100
Subject: Re: Creating a kerberos Service Principal.
BTW You do not need Administrator rights. You can set permission for
different Groups on OUs for example for Unix Kerberos Admins.
Markus
"Khaled Blah" wrote in message
news:n2j4a3250ab1004080957id2f4a051xb31445428c62bea0@xxxxxxxxxxxxxxxxx
Hi Bilal,
1. ktpass and msktutil practically do the same, they create keytabs
which include the keys that squid will need to decrypt the ticket it
receives from the user. However ktpass only creates a file which you
will then have to securely transfer to your proxy server so that squid
can access it. Using msktutil on your proxy server, you can get the
same keytab without having to transfer it. Thus, msktutil saves you
some time and hassle. AFAIR both need "Administrator" rights, which
means the account used for ktpass/msktutil needs to be a member of the
Administrator group.
2. To answer this question, one would need more information about your
network and your setup. Basically, mixing any other authentication
method with Kerberos is not a good idea. That's because if the other
method is insecure or less secure an attacker who gains access to a
user's credentials will be able to impersonate that user against
Kerberos and those be able to use ALL services that this user has
access to. In any case DO NOT use basic auth with Kerberos in a
public, set-up. That's a recipe for disaster. Digest auth and NTLM
(v2) might be suitable but these are in fact less secure than Kerberos
and thus not preferrable. One down-side to Kerberos is that it's an
"all-or-nothing" service, either you use Kerberos and only Kerberos or
you risk security breaches in any "mixed" situation.
HTH
Khaled
2010/4/6 GIGO . :
Dear All,
Please guide me in regard to SSO setup with Active Directory(No
winbind/Samba). I have the following questions in this regard.
1. Creating a Kerberos service principal and keytab file that is used by
the Squid what is the effective method? Difference between using Ktpass
vs
Msktutil package? What rights would i be required in Active Directory
and
if none then why so?
2. How to configure the fallback Authentication scheme if Kerberos
fails?
Ldap authentication using basic looks to be an option but isnt it less
secure? is there a better approach possible.
regards,
Bilal Aslam
_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
https://signup.live.com/signup.aspx?id=60969
_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
https://signup.live.com/signup.aspx?id=60969
_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
https://signup.live.com/signup.aspx?id=60969