Hi Markus

Thank you. So, I made my Kerberos configuration from scratch. This means:

- Delete the computer account in AD
- Remove /etc/krb5.keytab
- Check with "setspn -L proxy-test-01" that there were no SPNs -> OK.

Then I created the account again with the following command:

./msktutil -c -s HTTP/proxy-test-01.xx.yy -h proxy-test-01.xx.yy -k /etc/krb5.keytab --computer-name proxy-test-01 --upn HTTP/proxy-test-01.xx.yy --server dc 1.xx.yy --verbose

The computer account was created successfully. In the msktutil output, I can see that the KVNO is set to "2". On the domain controller, I can also see that "msDS-KeyVersionNumber" is also set to "2". But I'm not able to authenticate. I got the following squid cache error:

2010/07/01 07:37:04| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key version number for principal in key table is incorrect'

What's wrong here? I tried with "kinit" and "kinit -R" again -> no success. How can I fix this problem?

Regards
Tom

2010/6/30 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
> Hi Tom
>
> squid_kerb_ldap tries to use the keytab to authenticate squid against AD.
> The keytab contains basically the password for the "user" http/<fqdn> which
> maps in AD to the userprincipalname attribute. In your case squid_kerb_ldap
> tries to use host/proxy-test-01.xx.yy@xxxxx but does not find in AD an entry
> which has the userprincipalname attribute with that value and therefore can
> not check group memberships. msktutil has the option --upn which will set
> the AD attribute accordingly (see
> also http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos).
>
> 2010/06/30 09:45:48| squid_kerb_ldap: Got principal name
> host/proxy-test-01.xx.yy@xxxxx
> 2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising credentials
> from keytab : Client not found in Kerberos database
>
> Regards
> Markus
>
> "Tom Tux" <tomtux80@xxxxxxxxx> wrote in message
> news:AANLkTilZ_WeFjeU1bMnPSgvnhAhTe6RJMr6bjA-uuQ_m@xxxxxxxxxxxxxxxxx
>>
>> Hi
>>
>> I'm trying to authenticate our clients with squid_kerb_ldap against
>> our AD. There exists a global group called "Internet". My squid.conf
>> looks like this:
>>
>> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g Internet
>> acl inetAccess external SQUID_KERB_LDAP
>> http_access allow inetAccess
>>
>> My "klist -k" looks like this:
>> proxy-test-01:/usr/local/squid_kerb_ldap/bin # klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    4 host/proxy-test-01.xx.yy@xxxxx
>>    4 host/proxy-test-01.xx.yy@xxxxx
>>    4 host/proxy-test-01.xx.yy@xxxxx
>>    4 host/proxy-test-01@xxxxx
>>    4 host/proxy-test-01@xxxxx
>>    4 host/proxy-test-01@xxxxx
>>    4 PROXY-TEST-01$@XX.YY
>>    4 PROXY-TEST-01$@XX.YY
>>    4 PROXY-TEST-01$@XX.YY
>>    4 HTTP/proxy-test-01.xx.yy@xxxxx
>>    4 HTTP/proxy-test-01.xx.yy@xxxxx
>>    4 HTTP/proxy-test-01.xx.yy@xxxxx
>>    4 HTTP/proxy-test-01@xxxxx
>>    4 HTTP/proxy-test-01@xxxxx
>>    4 HTTP/proxy-test-01@xxxxx
>>    5 proxy-test-01$@XX.YY
>>    5 proxy-test-01$@XX.YY
>>    5 proxy-test-01$@XX.YY
>>    5 HTTP/proxy-test-01.xx.yy@xxxxx
>>    5 HTTP/proxy-test-01.xx.yy@xxxxx
>>    5 HTTP/proxy-test-01.xx.yy@xxxxx
>>    5 HTTP/proxy-test-01@xxxxx
>>    5 HTTP/proxy-test-01@xxxxx
>>    5 HTTP/proxy-test-01@xxxxx
>>    5 host/proxy-test-01.xx.yy@xxxxx
>>    5 host/proxy-test-01.xx.yy@xxxxx
>>    5 host/proxy-test-01.xx.yy@xxxxx
>>
>> Without squid_kerb_ldap, the internet access is working fine. With the
>> helper, I got the following errors in the cache.log:
>> 2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER@xxxxx authenticated
>> 2010/06/30 09:45:48| squid_kerb_ldap: Got User: TESTUSER Domain: XX.YY
>> 2010/06/30 09:45:48| squid_kerb_ldap: User domain loop: group@domain Internet@NULL
>> 2010/06/30 09:45:48| squid_kerb_ldap: Default domain loop: group@domain Internet@NULL
>> 2010/06/30 09:45:48| squid_kerb_ldap: Default group loop: group@domain Internet@NULL
>> 2010/06/30 09:45:48| squid_kerb_ldap: Found group@domain Internet@NULL
>> 2010/06/30 09:45:48| squid_kerb_ldap: Setup Kerberos credential cache
>> 2010/06/30 09:45:48| squid_kerb_ldap: Get default keytab file name
>> 2010/06/30 09:45:48| squid_kerb_ldap: Got default keytab file name /etc/krb5.keytab
>> 2010/06/30 09:45:48| squid_kerb_ldap: Get principal name from keytab /etc/krb5.keytab
>> 2010/06/30 09:45:48| squid_kerb_ldap: Keytab entry has realm name: XX.YY
>> 2010/06/30 09:45:48| squid_kerb_ldap: Found principal name: host/proxy-test-01.xx.yy@xxxxx
>> 2010/06/30 09:45:48| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_22001
>> 2010/06/30 09:45:48| squid_kerb_ldap: Got principal name host/proxy-test-01.xx.yy@xxxxx
>> 2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising credentials from keytab : Client not found in Kerberos database
>> 2010/06/30 09:45:48| squid_kerb_ldap: Error during setup of Kerberos credential cache
>> 2010/06/30 09:45:48| squid_kerb_ldap: User TESTUSER is not member of group@domain Internet@NULL
>> 2010/06/30 09:45:48| squid_kerb_ldap: ERR
>> 2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER@xxxxx authenticated
>>
>> What could this be? The user "testuser" is a member of the AD group "Internet".
>> Thanks a lot.
>> Tom
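Both failures in this thread are properties of the keytab that can be checked mechanically before touching squid: "Key version number for principal in key table is incorrect" means no keytab entry for the service principal carries the KVNO that AD currently holds in msDS-KeyVersionNumber, and "Client not found in Kerberos database" means the principal the helper picked out of the keytab (host/..., the first entry in the listing above) has no matching userPrincipalName in AD. The script below is an added example written for this page; it is not code from the thread, from msktutil or from squid_kerb_ldap. The klist output, the AD KVNO of 2 and the UPN value are constructed stand-ins that mirror the postings (realm XX.YY is the masked realm); the DC hostname and base DN in the comments are placeholders, and the live commands to substitute are given as comments.

```bash
#!/bin/sh
# Added example (not from the squid-users thread): compare the KVNOs held in a
# keytab with the msDS-KeyVersionNumber AD stores for the computer account, and
# check which principal a "take the first keytab entry" helper would end up using.
# All data below is constructed; live commands are in the comments.

# Constructed stand-in for `klist -k /etc/krb5.keytab` output.
# Live: SAMPLE_KLIST=$(klist -k /etc/krb5.keytab)
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/proxy-test-01.xx.yy@XX.YY
   4 HTTP/proxy-test-01.xx.yy@XX.YY
   5 HTTP/proxy-test-01.xx.yy@XX.YY
   5 PROXY-TEST-01$@XX.YY'

# Constructed AD values. Live (DC name and base DN are placeholders):
#   ldapsearch -LLL -Y GSSAPI -H ldap://dc.xx.yy -b 'DC=xx,DC=yy' \
#     '(sAMAccountName=proxy-test-01$)' msDS-KeyVersionNumber userPrincipalName
AD_KVNO=2
AD_UPN='HTTP/proxy-test-01.xx.yy@XX.YY'

# principals KLIST_TEXT: distinct principals in keytab order. Header lines are
# skipped because their first field is not a number.
principals() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && !seen[$2]++ { print $2 }'
}

# first_principal KLIST_TEXT: the entry a helper that simply takes the first
# keytab entry would use (the squid_kerb_ldap log above shows host/...).
first_principal() {
  principals "$1" | head -n 1
}

# kvnos_for PRINCIPAL KLIST_TEXT: space-separated distinct KVNOs for PRINCIPAL,
# in keytab order; empty if the principal is not in the keytab.
kvnos_for() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 ~ /^[0-9]+$/ && $2 == p && !seen[$1]++ { n++; v[n] = $1 }
    END { for (i = 1; i <= n; i++) printf "%s%s", (i > 1 ? " " : ""), v[i]; print "" }'
}

# check_principal PRINCIPAL AD_KVNO KLIST_TEXT: prints "ok" when some keytab entry
# for PRINCIPAL carries the KVNO AD currently holds, "missing" when the principal
# is absent from the keytab, and "stale" when only other KVNOs are present (the
# condition behind "Key version number for principal in key table is incorrect").
check_principal() {
  kv=$(kvnos_for "$1" "$3")
  [ -n "$kv" ] || { echo missing; return 0; }
  for k in $kv; do
    [ "$k" -eq "$2" ] && { echo ok; return 0; }
  done
  echo stale
}

# Report over the constructed data: with AD at KVNO 2 every entry is stale.
for p in $(principals "$SAMPLE_KLIST"); do
  printf '%-36s keytab kvno(s)=%-6s ad kvno=%s -> %s\n' "$p" \
    "$(kvnos_for "$p" "$SAMPLE_KLIST")" "$AD_KVNO" \
    "$(check_principal "$p" "$AD_KVNO" "$SAMPLE_KLIST")"
done
[ "$(first_principal "$SAMPLE_KLIST")" = "$AD_UPN" ] ||
  echo "first keytab entry $(first_principal "$SAMPLE_KLIST") is not AD's userPrincipalName $AD_UPN"

# Once keytab and AD agree, prove the key itself is usable (live only):
#   kinit -k -t /etc/krb5.keytab HTTP/proxy-test-01.xx.yy
```

A keytab that lists the same principal under several KVNOs, as the listing in the thread does (4 and 5), is not itself wrong: the KDC selects the entry whose KVNO matches the ticket, so old entries are harmless until none of them matches AD's current value. Note also that `kinit -R` only renews a TGT that already exists and says nothing about the keytab; `kinit -k -t <keytab> <principal>` is the call that actually exercises the service key.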