Hi Markus

Thank you. But what's the meaning of the Kerberos ticket cached on the squid (which I cannot renew because of "kinit(v5): Ticket expired while renewing credentials")? Do I have to renew it with a kinit [username]? As far as I understand, I do not have to renew it... correct? I had destroyed the ticket on the squid with "kdestroy" and the client is still able to connect... why?

Regards,
Tom

2010/7/2 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
> Hi Tom,
>
> The important ticket is the one on the client (I assume a XP PC). Windows
> will usually renew the ticket automatically every 10 hours for 7 days. The
> proxy will request new tickets for the ldap authentication, but uses a
> memory cache which you can not access.
>
> Regards
> Markus
>
>
> "Tom Tux" <tomtux80@xxxxxxxxx> wrote in message
> news:AANLkTikQgFLhT3qy1hPgPlVk7Z5JUeUTwdk-BoD0f2cR@xxxxxxxxxxxxxxxxx
>>
>> Hi Markus
>>
>> Is it necessary to renew the Kerberos ticket periodically? I've
>> defined a ticket_lifetime of 24h.
>>
>> I've now the following output:
>> proxy-test-01:~ # klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: user@xxxxx
>>
>> Valid starting     Expires            Service principal
>> 07/01/10 08:47:31  07/01/10 18:47:33  krbtgt/XX.YY@xxxxx
>>         renew until 07/02/10 07:34:41
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>>
>>
>> Now, the ticket seems to be expired. But I'm still able to
>> authenticate. Why? What is the behavior if the Kerberos ticket is
>> expired? If I try to renew with "kinit -R", I got the following error:
>>
>> proxy-test-01:~ # kinit -R
>> kinit(v5): Ticket expired while renewing credentials
>>
>>
>> Is this normal? How can I solve this behavior?
>> Thank you.
>> Regards,
>> Tom
>>
>>
>> 2010/7/1 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>
>>> You could have used a tool like kerbtray or just lock and unlock the PC
>>> which would have refreshed the cache.
>>>
>>> Regards
>>> Markus
>>>
>>> "Tom Tux" <tomtux80@xxxxxxxxx> wrote in message
>>> news:AANLkTiljGRnzRu9WXIvAp0Tj22OnXaknjanBCZLvshiB@xxxxxxxxxxxxxxxxx
>>> Hi Markus
>>>
>>> This problem is solved now. I rebooted the client, which results in
>>> clearing the client Kerberos cache. Now I'm able to authenticate and I
>>> can use the squid_kerb_ldap helper.
>>>
>>> Thanks a lot for your hints.
>>> Regards
>>> Tom
>>>
>>>
>>> 2010/7/1 Tom Tux <tomtux80@xxxxxxxxx>:
>>>>
>>>> Hi Markus
>>>>
>>>> Thank you.
>>>> So, I made my Kerberos configuration from scratch. This means:
>>>> - Delete computer account in AD
>>>> - Remove /etc/krb5.keytab
>>>> - Check with "setspn -L proxy-test-01" that there were no SPNs -> OK.
>>>>
>>>> Then I created the account again with the following command:
>>>>
>>>> ./msktutil -c -s HTTP/proxy-test-01.xx.yy -h proxy-test-01.xx.yy -k
>>>> /etc/krb5.keytab --computer-name proxy-test-01 --upn
>>>> HTTP/proxy-test-01.xx.yy --server dc1.xx.yy --verbose
>>>>
>>>> The computer account was created successfully. In the msktutil output,
>>>> I can see that the KVNO is set to "2".
>>>>
>>>> On the Domain Controller, I can also see that the
>>>> "msDS-KeyVersionNumber" is also set to "2".
>>>>
>>>> But I'm not able to authenticate. I got the following squid cache error:
>>>> 2010/07/01 07:37:04| authenticateNegotiateHandleReply: Error
>>>> validating user via Negotiate. Error returned 'BH
>>>> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
>>>> may provide more information. Key version number for principal in key
>>>> table is incorrect'
>>>>
>>>> What's wrong here? I tried with "kinit" and "kinit -R" again -> no
>>>> success. How can I fix this problem?
>>>> Regards
>>>> Tom
>>>>
>>>>
>>>> 2010/6/30 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>>
>>>>> Hi Tom
>>>>>
>>>>> squid_kerb_ldap tries to use the keytab to authenticate squid against
>>>>> AD. The keytab contains basically the password for the "user" http/<fqdn>
>>>>> which maps in AD to the userprincipalname attribute. In your case
>>>>> squid_kerb_ldap tries to use host/proxy-test-01.xx.yy@xxxxx but does
>>>>> not find in AD an entry which has the userprincipalname attribute with
>>>>> that value and therefore can not check group memberships. msktutil has
>>>>> the option --upn which will set the AD attribute accordingly (see
>>>>> also http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos).
>>>>>
>>>>>
>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: Got principal name
>>>>> host/proxy-test-01.xx.yy@xxxxx
>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising
>>>>> credentials from keytab : Client not found in Kerberos database
>>>>>
>>>>> Regards
>>>>> Markus
>>>>>
>>>>> "Tom Tux" <tomtux80@xxxxxxxxx> wrote in message
>>>>> news:AANLkTilZ_WeFjeU1bMnPSgvnhAhTe6RJMr6bjA-uuQ_m@xxxxxxxxxxxxxxxxx
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> I'm trying to authenticate our clients with squid_kerb_ldap against
>>>>>> our AD. There exists a global group called "Internet". My squid.conf
>>>>>> looks like this:
>>>>>>
>>>>>> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
>>>>>> auth_param negotiate children 10
>>>>>> auth_param negotiate keep_alive on
>>>>>> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN
>>>>>> /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g Internet
>>>>>> acl inetAccess external SQUID_KERB_LDAP
>>>>>> http_access allow inetAccess
>>>>>>
>>>>>>
>>>>>> My "klist -k" looks like this:
>>>>>> proxy-test-01:/usr/local/squid_kerb_ldap/bin # klist -k
>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>> KVNO Principal
>>>>>> ---- --------------------------------------------------------------------------
>>>>>>    4 host/proxy-test-01.xx.yy@xxxxx
>>>>>>    4 host/proxy-test-01.xx.yy@xxxxx
>>>>>>    4 host/proxy-test-01.xx.yy@xxxxx
>>>>>>    4 host/proxy-test-01@xxxxx
>>>>>>    4 host/proxy-test-01@xxxxx
>>>>>>    4 host/proxy-test-01@xxxxx
>>>>>>    4 PROXY-TEST-01$@XX.YY
>>>>>>    4 PROXY-TEST-01$@XX.YY
>>>>>>    4 PROXY-TEST-01$@XX.YY
>>>>>>    4 HTTP/proxy-test-01.xx.yy@xxxxx
>>>>>>    4 HTTP/proxy-test-01.xx.yy@xxxxx
>>>>>>    4 HTTP/proxy-test-01.xx.yy@xxxxx
>>>>>>    4 HTTP/proxy-test-01@xxxxx
>>>>>>    4 HTTP/proxy-test-01@xxxxx
>>>>>>    4 HTTP/proxy-test-01@xxxxx
>>>>>>    5 proxy-test-01$@XX.YY
>>>>>>    5 proxy-test-01$@XX.YY
>>>>>>    5 proxy-test-01$@XX.YY
>>>>>>    5 HTTP/proxy-test-01.xx.yy@xxxxx
>>>>>>    5 HTTP/proxy-test-01.xx.yy@xxxxx
>>>>>>    5 HTTP/proxy-test-01.xx.yy@xxxxx
>>>>>>    5 HTTP/proxy-test-01@xxxxx
>>>>>>    5 HTTP/proxy-test-01@xxxxx
>>>>>>    5 HTTP/proxy-test-01@xxxxx
>>>>>>    5 host/proxy-test-01.xx.yy@xxxxx
>>>>>>    5 host/proxy-test-01.xx.yy@xxxxx
>>>>>>    5 host/proxy-test-01.xx.yy@xxxxx
>>>>>>
>>>>>>
>>>>>> Without squid_kerb_ldap, the internet access is working fine. With the
>>>>>> helper, I got the following errors in the cache.log:
>>>>>> 2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER@xxxxx authenticated
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: Got User: TESTUSER Domain: XX.YY
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: User domain loop: group@domain Internet@NULL
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: Default domain loop: group@domain Internet@NULL
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: Default group loop: group@domain Internet@NULL
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: Found group@domain Internet@NULL
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: Setup Kerberos credential cache
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: Get default keytab file name
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: Got default keytab file name /etc/krb5.keytab
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: Get principal name from keytab /etc/krb5.keytab
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: Keytab entry has realm name: XX.YY
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: Found principal name: host/proxy-test-01.xx.yy@xxxxx
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_22001
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: Got principal name host/proxy-test-01.xx.yy@xxxxx
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising credentials from keytab : Client not found in Kerberos database
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: Error during setup of Kerberos credential cache
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: User TESTUSER is not member of group@domain Internet@NULL
>>>>>> 2010/06/30 09:45:48| squid_kerb_ldap: ERR
>>>>>> 2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER@xxxxx authenticated
>>>>>>
>>>>>> What could this be? The user "testuser" is member of the AD group
>>>>>> "Internet".
>>>>>> Thanks a lot.
>>>>>> Tom
>>>>>>
>>>>>
>>>>
>>>
>>
>
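The thread above turns on two things you can read straight out of the proxy's keytab: which principal is listed first (the helper log shows it picking host/... because that entry came first, and AD had no userPrincipalName for it), and how many key versions each principal carries (the keytab had KVNO 4 and 5 side by side after repeated msktutil runs, and a later "Key version number for principal in key table is incorrect" error). The following script is an added example, not code from Squid, squid_kerb_ldap or msktutil. It parses plain `klist -k` output (MIT format, without -t/-e), reports the first principal and any stale KVNOs, and compares the HTTP/<fqdn> entry's highest KVNO against the msDS-KeyVersionNumber you read from the computer object. The sample listing is constructed to mirror the thread; the realm XX.YY, the host name and the AD KVNO value are placeholders, and check_live_keytab() is only a convenience wrapper around the real `klist -k`.

```python
"""Sanity-check a Squid proxy keytab against what AD says.

Added example for the squid_kerb_auth / squid_kerb_ldap thread; not part of
either project. Parses the text output of `klist -k` (MIT krb5 format,
without -t or -e) and flags the conditions seen in the thread.
"""
import re
import subprocess
from collections import OrderedDict

# Constructed sample modelled on the `klist -k` listing in the thread.
# Realm XX.YY and host names are placeholders, not real values.
SAMPLE_KLIST_K = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/proxy-test-01.xx.yy@XX.YY
   4 host/proxy-test-01.xx.yy@XX.YY
   4 host/proxy-test-01.xx.yy@XX.YY
   4 PROXY-TEST-01$@XX.YY
   4 HTTP/proxy-test-01.xx.yy@XX.YY
   5 proxy-test-01$@XX.YY
   5 HTTP/proxy-test-01.xx.yy@XX.YY
   5 HTTP/proxy-test-01@XX.YY
   5 host/proxy-test-01.xx.yy@XX.YY
"""

# One keytab entry line: leading KVNO, then principal@REALM. Header,
# separator and blank lines do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist_k(text):
    """Return principal -> sorted list of distinct KVNOs, in the order the
    principals first appear in the keytab (that order matters, see below)."""
    kvnos = OrderedDict()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kvno, principal = int(m.group(1)), m.group(2)
        kvnos.setdefault(principal, set()).add(kvno)
    return OrderedDict((p, sorted(v)) for p, v in kvnos.items())


def first_principal(kvnos):
    """First principal in the keytab. In the thread's helper log the
    principal picked from the keytab was host/..., the first entry listed;
    if this is not HTTP/<fqdn> with a matching userPrincipalName in AD,
    expect 'Client not found in Kerberos database'."""
    return next(iter(kvnos), None)


def stale_entries(kvnos):
    """Principals carrying more than one KVNO. Everything below the highest
    KVNO is left over from an earlier key generation and only causes
    confusion; regenerate the keytab from scratch as the thread did."""
    return {p: v[:-1] for p, v in kvnos.items() if len(v) > 1}


def check_service_principal(kvnos, fqdn, realm, ad_kvno):
    """Check the HTTP/<fqdn>@REALM entry that squid_kerb_auth needs.

    ad_kvno is the msDS-KeyVersionNumber of the computer object (read it
    with ldapsearch or ADSI Edit; placeholder here). Returns a list of
    findings; an empty list means the keytab looks consistent."""
    spn = "HTTP/%s@%s" % (fqdn, realm)
    findings = []
    if spn not in kvnos:
        findings.append("missing %s in keytab (msktutil -s HTTP/%s --upn HTTP/%s)"
                        % (spn, fqdn, fqdn))
        return findings
    highest = kvnos[spn][-1]
    if highest != ad_kvno:
        # Tickets issued by AD carry the current KVNO; if the keytab has no key
        # of that version, gss_accept_sec_context() fails with
        # 'Key version number for principal in key table is incorrect'.
        findings.append("%s: keytab KVNO %d, AD msDS-KeyVersionNumber %d"
                        % (spn, highest, ad_kvno))
    if len(kvnos[spn]) > 1:
        findings.append("%s: stale KVNOs %s present" % (spn, kvnos[spn][:-1]))
    return findings


def check_live_keytab(fqdn, realm, ad_kvno, keytab="/etc/krb5.keytab"):
    """Same check against the real keytab on this host (needs read access)."""
    out = subprocess.check_output(["klist", "-k", keytab], universal_newlines=True)
    return check_service_principal(parse_klist_k(out), fqdn, realm, ad_kvno)


if __name__ == "__main__":
    kv = parse_klist_k(SAMPLE_KLIST_K)
    print("first principal in keytab:", first_principal(kv))
    for p, old in stale_entries(kv).items():
        print("stale:", p, old)
    for f in check_service_principal(kv, "proxy-test-01.xx.yy", "XX.YY", 2):
        print("finding:", f)
```

Against the sample, the script reports host/... as the first principal and stale KVNO 4 entries for both host/ and HTTP/, and with an AD KVNO of 2 it flags the 5-vs-2 mismatch. One caveat the thread itself illustrates: if the keytab and AD agree and the KVNO error still appears, the mismatch is on the client, which is presenting a service ticket obtained against the old key. That is invisible to this check; clearing the client's ticket cache (lock/unlock, kerbtray, or a reboot, as in the thread) is what fixes it.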