Hi Markus

Here is the output:

------------------ snip -----------------------
proxy-test-01:/usr/local/mskutil-0.4/sbin # ./msktutil -c -s HTTP/proxy-test-01.xx.yy -h proxy-test-01 -k /etc/krb5.keytab --computer-name proxy-test-01 --upn HTTP/proxy-test-01.xx.yy --server dc1.xx.yy --verbose
 -- init_password: Wiping the computer password structure
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-OINkN1
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: proxy-test-01$
 -- try_machine_keytab_princ: Trying to authenticate for proxy-test-01$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/proxy-test-01.xx.yy from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for proxy-test-01$ with password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4
 -- ldap_connect: Connecting to LDAP server: dc1.xx.yy try_tls=YES
SASL/GSSAPI authentication started
SASL username: administrator@xxxxx
SASL SSF: 0
Error: ldap_set_option (option=) failed (Can't contact LDAP server)
 -- ~KRB5Context: Destroying Kerberos Context
------------------ snap -----------------------

The computer account already exists in the AD (joined with "net ads join").

ktutil gives me no principals back:

proxy-test-01:/usr/local/mskutil-0.4/sbin # ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
ktutil:

Thanks a lot.
Kind regards
Tom

2010/6/29 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
> Can you post the whole output of msktutil with --verbose please. If msktutil
> fails with TLS on port 389 it will try again without TLS.
>
> Regards
> Markus
>
> "Tom Tux" <tomtux80@xxxxxxxxx> wrote in message
> news:AANLkTil1Fhq5Ks3NX8MoSTKIC2qOACz1xpMp6wH6RpkD@xxxxxxxxxxxxxxxxx
> this works. I'm also able to telnet with tcp 636 (ldaps).
>
> I'm just searching for a solution to kerberise squid without the need
> of winbind/smb.
>
> 2010/6/28 Nick Cairncross <Nick.Cairncross@xxxxxxxxxxxxxxx>:
>> They seem ok.
>>
>> Telnet to your dc on 389?
>>
>> On 28/06/2010 14:40, "Tom Tux" <tomtux80@xxxxxxxxx> wrote:
>>
>> Which ldap libraries should be installed?
>> The following devel packages are installed (SLES11 system):
>> - openldap2-devel
>> - cyrus-sasl-devel
>>
>> 2010/6/28 Nick Cairncross <Nick.Cairncross@xxxxxxxxxxxxxxx>:
>>> Missing ldap libraries maybe?
>>>
>>> On 28/06/2010 12:32, "Tom Tux" <tomtux80@xxxxxxxxx> wrote:
>>>
>>> Hi
>>>
>>> I'm trying to generate a computer account with msktutil:
>>>
>>> I got the following error:
>>> ...
>>> ...
>>> - ldap_connect: Connecting to LDAP server: dc1.domain.com try_tls=YES
>>> SASL/GSSAPI authentication started
>>> SASL username: admin@xxxxxxxxxx
>>> SASL SSF: 0
>>> Error: ldap_set_option (option=) failed (Can't contact LDAP server)
>>> -- ~KRB5Context: Destroying Kerberos Context
>>>
>>> I have a valid ticket (klist), initiated with adminuser@xxxxxxxxxxx
>>> Does anyone have any hints? I see that msktutil tries with TLS
>>> (encrypted) on port 389 (LDAP) on the domain controller. Can I use
>>> native (unencrypted) LDAP?
>>>
>>> Thanks a lot.
>>> Tom
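A small triage helper, added here and not part of the thread or of msktutil itself: it reads a msktutil --verbose trace like the one Tom posted and pulls out which credential sources failed, which one finally worked, and whether the run got as far as the LDAP connection to the DC. The sample trace is reconstructed from the post above (the poster's placeholder hostnames are kept); the regexes assume msktutil 0.4's message wording as shown there.

```python
import re

# Constructed sample: the relevant lines of the msktutil --verbose trace from
# the thread above, with the poster's placeholder hostnames left as they are.
SAMPLE_LOG = """\
-- try_machine_keytab_princ: Trying to authenticate for proxy-test-01$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/proxy-test-01.xx.yy from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4
-- ldap_connect: Connecting to LDAP server: dc1.xx.yy try_tls=YES
SASL/GSSAPI authentication started
SASL username: administrator@xxxxx
SASL SSF: 0
Error: ldap_set_option (option=) failed (Can't contact LDAP server)
"""

def triage(log: str) -> dict:
    """Pull the facts a reader needs out of a msktutil --verbose trace."""
    keytab_errors = re.findall(
        r"try_machine_keytab_princ: Error: \w+ failed \(([^)]*)\)", log)
    method = re.search(r"Authenticated using method (\d+)", log)
    ldap = re.search(r"ldap_connect: Connecting to LDAP server: (\S+) try_tls=(\w+)", log)
    return {
        "keytab_errors": keytab_errors,            # one entry per keytab principal tried
        "password_failed": "Authentication with password failed" in log,
        "auth_method": int(method.group(1)) if method else None,
        "ldap_server": ldap.group(1) if ldap else None,
        "try_tls": ldap.group(2) if ldap else None,
        "sasl_started": "SASL/GSSAPI authentication started" in log,
        "ldap_unreachable": "Can't contact LDAP server" in log,
    }

def hints(t: dict) -> list:
    """Turn the triage facts into plain-language findings."""
    out = []
    if "Key table entry not found" in t["keytab_errors"]:
        out.append("local keytab has no entry for the machine account (consistent with an empty ktutil listing)")
    if "Client not found in Kerberos database" in t["keytab_errors"]:
        out.append("the KDC does not know the host/ principal tried from the keytab")
    if t["auth_method"] is not None and t["ldap_unreachable"]:
        out.append("Kerberos authentication succeeded (method %d); the failure is in the LDAP step to %s "
                   "with try_tls=%s" % (t["auth_method"], t["ldap_server"], t["try_tls"]))
    return out
```

Run on Tom's trace it reports that the keytab and machine-password paths failed, that msktutil fell through to the existing ticket cache, and that the only remaining problem is the LDAP connection to dc1.xx.yy, which is where the thread's TLS-on-389 question sits.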